← Home
IEC 62443-2-1 Clause 9 – Component Security
ISA/IEC 62443-2-1:2024, Clause 9 covers
component security as Security Program Element SPE 4
in the asset owner’s IACS Security Program.
SPE 4 reduces attack opportunities through device and software interfaces — external ports,
portable media, malware exposure and unpatched software. Patch-process detail is also
covered in ISA-TR62443-2-3.
Teaching note: The summaries below paraphrase ISA/IEC 62443-2-1:2024 for
learning purposes. They are not a verbatim extract of the standard — always refer to the
published text for normative wording and assessment.
Reference: ISA/IEC 62443-2-1:2024, Clause 9
Related:
Security Program Requirements (2024)
|
CSMS (2010)
SPE pages: SPE 1 | SPE 2 | SPE 3 | SPE 4 | SPE 5 | SPE 6 | SPE 7 | SPE 8
COMP 1 – Components and portable media
Reference: ISA/IEC 62443-2-1, Clause 9.2
COMP 1.1: Component hardening
Clause: 9.2.1
Summary
Components shall be hardened before they enter service, kept in a hardened state for their
operating life, and the hardening measures and methods shall be documented.
COMP 1.2: Dedicated portable media
Clause: 9.2.2
Summary
Policy shall state which portable-media uses and functions are allowed or forbidden on the
IACS.
COMP 2 – Malware protection
Reference: ISA/IEC 62443-2-1, Clause 9.3
COMP 2.1: Malware free
Clause: 9.3.1
Summary
Components — and portable media where it is permitted — shall be checked for known malware
before they are used on the IACS.
COMP 2.2: Malware protection
Clause: 9.3.2
Summary
Where it is practical, malware defences shall be installed, operated and kept maintained.
COMP 2.3: Malware protection software validation and installation
Clause: 9.3.3
Summary
Malware-protection software and signature updates shall be compatibility-tested, approved and
installed promptly after release.
COMP 3 – Patch management
Reference: ISA/IEC 62443-2-1, Clause 9.4
COMP 3.1: Security patch authenticity/integrity
Clause: 9.4.1
Summary
Patches shall be verified as authentic and intact before they are installed.
COMP 3.2: Security patch validation and installation
Clause: 9.4.2
Summary
Applicable security patches shall be compatibility-tested, approved and installed on
components in a timely way after release.
COMP 3.3: Security patch status
Clause: 9.4.3
Summary
The patch status of every component shall be recorded and kept current.
COMP 3.4: Security patching retention of security
Clause: 9.4.4
Summary
After a security patch is applied, checks shall confirm the component’s security posture has
not been weakened.
COMP 3.5: Security patch mitigation
Clause: 9.4.5
Summary
If an applicable patch is not installed, the resulting risk shall be assessed. If that risk is
not tolerable, compensating action shall be taken and the decision recorded.
Key Takeaways
- SPE 4 hardens components and controls media, malware and patching risk.
- Ten COMP requirements under Clause 9 span hardening, malware protection and patches.
- See Security Program Requirements (2024) for SP context.