← Home
IEC 62443-2-1 Clause 8 – Network and Communications Security
ISA/IEC 62443-2-1:2024, Clause 8 covers
network and communications security as Security Program Element SPE 3
in the asset owner’s IACS Security Program.
SPE 3 reduces attack paths that arrive over networks or other communications links —
from outside the IACS, across zone boundaries, or from untrusted or compromised devices.
Zone and conduit design guidance sits in ISA/IEC 62443-3-2.
Teaching note: The summaries below paraphrase ISA/IEC 62443-2-1:2024 for
learning purposes. They are not a verbatim extract of the standard — always refer to the
published text for normative wording and assessment.
Reference: ISA/IEC 62443-2-1:2024, Clause 8
Related:
Security Program Requirements (2024)
|
CSMS (2010)
SPE pages: SPE 1 | SPE 2 | SPE 3 | SPE 4 | SPE 5 | SPE 6 | SPE 7 | SPE 8
NET 1 – System segmentation
Reference: ISA/IEC 62443-2-1, Clause 8.2
NET 1.1: Segmentation from non-IACS zones
Clause: 8.2.1
Summary
IACS zones shall be separated from non-IACS zones. Links between them shall be kept to the
minimum needed for operations and stay within tolerable risk.
NET 1.2: Documentation of zones and network zone interconnections
Clause: 8.2.2
Summary
A maintained baseline shall list IACS zones, conduits or other interconnections, the risks
tied to each path, and whether each path is treated as trusted or untrusted.
NET 1.3: Network segmentation from safety systems
Clause: 8.2.3
Summary
Where a safety system network exists, policy shall protect it from interference by general
control or other non-safety networks and devices.
NET 1.4: Network autonomy
Clause: 8.2.4
Summary
The IACS shall be able to continue designed operation when cut off from external networks —
for example fail-safe behaviour, safe shutdown, reduced operation or normal local operation.
NET 1.5: Network disconnection from external networks
Clause: 8.2.5
Summary
Policy shall allow the IACS to be disconnected from external networks when needed to contain
real or suspected threats affecting either side of the link.
NET 1.6: Internal network access control
Clause: 8.2.6
Summary
Risks from traffic between internal IACS segments shall be identified, recorded and treated,
including deciding acceptable risk and responding when that limit is exceeded.
NET 1.7: Network accessible services
Clause: 8.2.7
Summary
Services that are reachable over the network shall be protected against unauthorised access.
NET 1.8: User messaging
Clause: 8.2.8
Summary
User-to-user messaging on IACS networks shall be constrained so messages cannot carry
attachments, links or scripts that help attackers compromise the system.
NET 1.9: Network time distribution
Clause: 8.2.9
Summary
Accurate time shall be distributed and synchronised across the IACS in a secure way.
NET 2 – Secure wireless access
Reference: ISA/IEC 62443-2-1, Clause 8.3
NET 2.1: Wireless protocols
Clause: 8.3.1
Summary
Policy shall state whether wireless is allowed, and which industry-accepted protocols may be
used. Approved wireless systems shall be documented with current configuration, data flows
to other segments, and the security features in use.
NET 2.2: Wireless network segmentation
Clause: 8.3.2
Summary
Where wireless is permitted, wireless networks shall be segmented from other IACS network
segments.
NET 2.3: Wireless properties and addresses
Clause: 8.3.3
Summary
Where wireless is permitted, configuration and addressing choices shall avoid giving attackers
useful reconnaissance information.
NET 3 – Secure remote access
Reference: ISA/IEC 62443-2-1, Clause 8.4
NET 3.1: Remote access applications
Clause: 8.4.1
Summary
Where remote access is allowed, only commonly accepted remote-access applications shall be
used under controlling policy.
NET 3.2: Remote access connections
Clause: 8.4.2
Summary
Interactive remote sessions shall be authorised, authenticated, encrypted, documented,
logged and monitored. Records for each connection should capture purpose, tool, crypto and
authentication methods, how the path is built (for example VPN via a DMZ), when it is
needed, how long it may stay open including idle limits, who and what is connecting, and
any pre-connection compliance checks.
NET 3.3: Remote access termination
Clause: 8.4.3
Summary
Where remote access is allowed, interactive sessions shall end automatically after a defined
period of inactivity.
Key Takeaways
- SPE 3 protects IACS communications through segmentation, wireless control and remote-access discipline.
- Fifteen NET requirements under Clause 8 cover zones, wireless and remote access.
- See Security Program Requirements (2024) for SP context.