SPE 7 is about detecting security-related activity, recording it reliably, analysing it
quickly, responding to incidents and closing out vulnerabilities.
EVENT 1 – Event and incident management
Reference: ISA/IEC 62443-2-1, Clause 12.2
EVENT 1.1: Event detection
Clause: 12.2.1
Summary
Detected IACS security events shall be reported, logged, analysed and acted on — either at
once or later — in support of security management.
EVENT 1.2: Event reporting
Clause: 12.2.2
Summary
Security-related IACS events shall be reported promptly to the right people.
EVENT 1.3: Event reporting interfaces
Clause: 12.2.3
Summary
Event reporting shall use interfaces commonly accepted in industrial and security practice.
EVENT 1.4: Logging
Clause: 12.2.4
Summary
Security events shall be written to one or more protected audit/event logs and kept for a
useful retention period.
EVENT 1.5: Log entries
Clause: 12.2.5
Summary
Log content shall support non-repudiation and time-aligned investigation of events.
EVENT 1.6: Log access
Clause: 12.2.6
Summary
Access to security logs shall use interfaces commonly accepted in industrial and security
practice.
EVENT 1.7: Event analysis
Clause: 12.2.7
Summary
Security events shall be analysed quickly enough to recognise attacks, compromises and
incidents.
EVENT 1.8: Incident handling and response
Clause: 12.2.8
Summary
A maintained process shall evaluate and respond to IACS security incidents.
EVENT 1.9: Vulnerability handling
Clause: 12.2.9
Summary
Known and newly found IACS vulnerabilities shall be identified, treated and closed out in a
timely way.