← Home

IEC 62443-2-1 Clause 8 – Network and Communications Security

ISA/IEC 62443-2-1:2024, Clause 8 covers network and communications security as Security Program Element SPE 3 in the asset owner’s IACS Security Program.

SPE 3 reduces attack paths that arrive over networks or other communications links — from outside the IACS, across zone boundaries, or from untrusted or compromised devices. Zone and conduit design guidance sits in ISA/IEC 62443-3-2.

Teaching note: The summaries below paraphrase ISA/IEC 62443-2-1:2024 for learning purposes. They are not a verbatim extract of the standard — always refer to the published text for normative wording and assessment.

Reference: ISA/IEC 62443-2-1:2024, Clause 8
Related: Security Program Requirements (2024) | CSMS (2010)

SPE pages: SPE 1 | SPE 2 | SPE 3 | SPE 4 | SPE 5 | SPE 6 | SPE 7 | SPE 8


Requirements in this SPE


NET 1 – System segmentation

Reference: ISA/IEC 62443-2-1, Clause 8.2

NET 1.1: Segmentation from non-IACS zones

Clause: 8.2.1

Summary
IACS zones shall be separated from non-IACS zones. Links between them shall be kept to the minimum needed for operations and stay within tolerable risk.

NET 1.2: Documentation of zones and network zone interconnections

Clause: 8.2.2

Summary
A maintained baseline shall list IACS zones, conduits or other interconnections, the risks tied to each path, and whether each path is treated as trusted or untrusted.

NET 1.3: Network segmentation from safety systems

Clause: 8.2.3

Summary
Where a safety system network exists, policy shall protect it from interference by general control or other non-safety networks and devices.

NET 1.4: Network autonomy

Clause: 8.2.4

Summary
The IACS shall be able to continue designed operation when cut off from external networks — for example fail-safe behaviour, safe shutdown, reduced operation or normal local operation.

NET 1.5: Network disconnection from external networks

Clause: 8.2.5

Summary
Policy shall allow the IACS to be disconnected from external networks when needed to contain real or suspected threats affecting either side of the link.

NET 1.6: Internal network access control

Clause: 8.2.6

Summary
Risks from traffic between internal IACS segments shall be identified, recorded and treated, including deciding acceptable risk and responding when that limit is exceeded.

NET 1.7: Network accessible services

Clause: 8.2.7

Summary
Services that are reachable over the network shall be protected against unauthorised access.

NET 1.8: User messaging

Clause: 8.2.8

Summary
User-to-user messaging on IACS networks shall be constrained so messages cannot carry attachments, links or scripts that help attackers compromise the system.

NET 1.9: Network time distribution

Clause: 8.2.9

Summary
Accurate time shall be distributed and synchronised across the IACS in a secure way.

NET 2 – Secure wireless access

Reference: ISA/IEC 62443-2-1, Clause 8.3

NET 2.1: Wireless protocols

Clause: 8.3.1

Summary
Policy shall state whether wireless is allowed, and which industry-accepted protocols may be used. Approved wireless systems shall be documented with current configuration, data flows to other segments, and the security features in use.

NET 2.2: Wireless network segmentation

Clause: 8.3.2

Summary
Where wireless is permitted, wireless networks shall be segmented from other IACS network segments.

NET 2.3: Wireless properties and addresses

Clause: 8.3.3

Summary
Where wireless is permitted, configuration and addressing choices shall avoid giving attackers useful reconnaissance information.

NET 3 – Secure remote access

Reference: ISA/IEC 62443-2-1, Clause 8.4

NET 3.1: Remote access applications

Clause: 8.4.1

Summary
Where remote access is allowed, only commonly accepted remote-access applications shall be used under controlling policy.

NET 3.2: Remote access connections

Clause: 8.4.2

Summary
Interactive remote sessions shall be authorised, authenticated, encrypted, documented, logged and monitored. Records for each connection should capture purpose, tool, crypto and authentication methods, how the path is built (for example VPN via a DMZ), when it is needed, how long it may stay open including idle limits, who and what is connecting, and any pre-connection compliance checks.

NET 3.3: Remote access termination

Clause: 8.4.3

Summary
Where remote access is allowed, interactive sessions shall end automatically after a defined period of inactivity.

Key Takeaways