← Home

IEC 62443-2-1 Clause 9 – Component Security

ISA/IEC 62443-2-1:2024, Clause 9 covers component security as Security Program Element SPE 4 in the asset owner’s IACS Security Program.

SPE 4 reduces attack opportunities through device and software interfaces — external ports, portable media, malware exposure and unpatched software. Patch-process detail is also covered in ISA-TR62443-2-3.

Teaching note: The summaries below paraphrase ISA/IEC 62443-2-1:2024 for learning purposes. They are not a verbatim extract of the standard — always refer to the published text for normative wording and assessment.

Reference: ISA/IEC 62443-2-1:2024, Clause 9
Related: Security Program Requirements (2024) | CSMS (2010)

SPE pages: SPE 1 | SPE 2 | SPE 3 | SPE 4 | SPE 5 | SPE 6 | SPE 7 | SPE 8


Requirements in this SPE


COMP 1 – Components and portable media

Reference: ISA/IEC 62443-2-1, Clause 9.2

COMP 1.1: Component hardening

Clause: 9.2.1

Summary
Components shall be hardened before they enter service, kept in a hardened state for their operating life, and the hardening measures and methods shall be documented.

COMP 1.2: Dedicated portable media

Clause: 9.2.2

Summary
Policy shall state which portable-media uses and functions are allowed or forbidden on the IACS.

COMP 2 – Malware protection

Reference: ISA/IEC 62443-2-1, Clause 9.3

COMP 2.1: Malware free

Clause: 9.3.1

Summary
Components — and portable media where it is permitted — shall be checked for known malware before they are used on the IACS.

COMP 2.2: Malware protection

Clause: 9.3.2

Summary
Where it is practical, malware defences shall be installed, operated and kept maintained.

COMP 2.3: Malware protection software validation and installation

Clause: 9.3.3

Summary
Malware-protection software and signature updates shall be compatibility-tested, approved and installed promptly after release.

COMP 3 – Patch management

Reference: ISA/IEC 62443-2-1, Clause 9.4

COMP 3.1: Security patch authenticity/integrity

Clause: 9.4.1

Summary
Patches shall be verified as authentic and intact before they are installed.

COMP 3.2: Security patch validation and installation

Clause: 9.4.2

Summary
Applicable security patches shall be compatibility-tested, approved and installed on components in a timely way after release.

COMP 3.3: Security patch status

Clause: 9.4.3

Summary
The patch status of every component shall be recorded and kept current.

COMP 3.4: Security patching retention of security

Clause: 9.4.4

Summary
After a security patch is applied, checks shall confirm the component’s security posture has not been weakened.

COMP 3.5: Security patch mitigation

Clause: 9.4.5

Summary
If an applicable patch is not installed, the resulting risk shall be assessed. If that risk is not tolerable, compensating action shall be taken and the decision recorded.

Key Takeaways