← Home

IEC 62443-2-2 Security Protection Scheme (SPS)

ISA/IEC 62443-2-2 (published 2025) defines the Security Protection Scheme (SPS) for an IACS — the set of technical, physical and process security measures that address cybersecurity concerns while that system is in operation. The asset owner designs and applies an SPS for each IACS, involving the roles defined across the ISA/IEC 62443 series.

Part 2-2 is the bridge from organisation-wide strategy to site action: it turns Security Program expectations into concrete measures for a specific Automation Solution, then keeps those measures alive across the IACS lifecycle.

Teaching note: Content paraphrases ISA training material and ISA/IEC 62443-2-2 themes for learning. Always refer to the published standard for normative wording, SPR scoring and conformity language. Companion lifecycle teaching notes remain on Automation Solution Security Lifecycle.

Reference: ISA/IEC 62443-2-2 — Security Protection Scheme (SPS)
Related: IEC 62443-2-1 Security Program | IEC 62443-3-2 Zone & Risk Assessment | IEC 62443-3-3 Foundational Requirements | IEC 62443-2-4 Service Providers | IACS Cybersecurity Roles

IACS lifecycle with Security Protection Scheme (SPS)
Figure – SPS through the IACS lifecycle: Cybersecurity Requirements Specification feeds SPS design (technical + process measures); validation produces an approved SPS at handover; operation applies and periodically revalidates the SPS against the Asset Owner Security Program, with integration, maintenance and product-supplier support.

Learning objectives


From strategy to action — Part 2-1 and Part 2-2

IEC 62443-2-1 is how the asset owner manages an organisation-wide OT Security Program (SP) — policies, process expectations and governance that span the enterprise and every IACS under control.

IEC 62443-2-2 supplies concrete guidance for implementing technical, physical and procedural security measures for a specific IACS. The resulting SPS is how that broad SP shows up on a particular Automation Solution in operation.

In teaching terms: Part 2-1 sets the organisational strategy; Part 2-2 turns strategy into the living scheme of measures on the plant floor. The asset owner owns and executes the SPS, while integrators, maintainers and product suppliers contribute under contract and role definitions.

Security Program and SPS relationship
Figure – Asset Owner Security Program spans enterprise ISMS/lifecycle topics and each IACS. For a given IACS, the SPS packages process and technical security measures — some common across sites, some risk-based and specific — fulfilling Part 2-1 / ISMS expectations for that system.

What the SPS contains

An SPS is the combination of:

Some measures are zone- or conduit-specific; others apply across all zones. The SPS also reaches enterprise-facing topics that sit on the enterprise lifecycle — policies, KPIs, escalation paths — so local IACS security stays wired to organisational priorities, not a disconnected plant checklist.


How an SPS is generated

Typical process flow (example pattern from Part 2-2 teaching material):

  1. Start from Asset Owner SP requirements (Part 2-1), enterprise/business/operational constraints, and tolerable cybersecurity residual risk.
  2. Perform risk-based system partitioning into zones and conduits (Part 3-2).
  3. Build a Cybersecurity Requirements Specification per zone (and conduits as needed), including applicable Part 2-1 expectations, derived system security requirements (Part 3-3) sized to residual-risk targets, and local constraints.
  4. Design the SPS — technical and process measures for each zone/conduit, plus measures that apply everywhere.

During design, the requirements specification is the basis for the SPS. In operation, the SPS must continue to comply with that specification — or the specification and SPS must be updated together when the world changes.

Process steps for generating a Security Protection Scheme
Figure – Example process steps for generating an SPS: SP / constraints / tolerable risk → Part 3-2 partitioning → Cybersecurity Requirements Specification by zone → SPS (zone-specific and common measures), with ongoing compliance between specification and SPS.

SPS lifecycle mirrors the IACS

The SPS is a living document. It evolves whenever the system changes, threats shift, or compliance needs update — just as the IACS itself moves through specification, design and implementation, verification and validation, operation and maintenance, and eventually decommissioning.

Key teaching points along that path:

Integration service providers typically support engineering contracts through design and V&V; maintenance service providers support operations contracts thereafter; product suppliers underpin the whole lifecycle with capabilities, guidelines and product support. Accountability for the SPS remains with the asset owner.


Security Protection Ratings (SPR)

Security Protection Ratings (SPR) evaluate how well the SPS has been put into practice — how effectively it meets the system’s security requirements in operation. SPR compares actual implementation against predefined security expectations grounded in system need.

Requirements under consideration are typically mapped using the Part 3-3 Security Level model: they state what the operational system must achieve to keep cybersecurity at the intended level.

SPR brings together two ideas:

Illustrative scoring themes (0–4)

Teaching materials describe a 0–4 style scale for how thoroughly requirements are met. Exact normative labels live in the published Part 2-2 text; the progression below is a learning aid:

Score theme Intent (teaching summary)
0 – Not addressed Requirement has not been taken up in the operational SPS picture.
Target Desired fulfilment level of system security requirements the asset owner wants during operation.
Implemented Goes beyond target definition: process security measures are executed in operation with proven repeatability and effectiveness.
Operated Adds demonstration that those process measures are repeated and effective under actual operating conditions.
Fully operational / repeatable Highest maturity of sustained practice — the SPS measures hold as repeatable operations, not a one-off project delivery.
Teaching tip: Do not treat SPR as a replacement for Security Levels (SL) or Maturity Levels (ML). SPR asks whether the operational SPS actually delivers and sustains the security the system requires — technical capability and organisational repeatability together.

Key takeaways


Standards references