← Home

IEC 62443-2-4 Security Program Requirements for IACS Service Providers

ISA/IEC 62443-2-4 sets out the security capabilities that integration and maintenance service providers must be able to support through their security programmes when working on Industrial Automation and Control Systems (IACS). The principal audience is suppliers of control-system solutions — organisations that design, deploy or maintain Automation Solutions for asset owners.

Supporting a capability means the service provider can deliver it to the asset owner when asked — not that every capability must be applied on every project by default. The same document also gives service providers a structured way to organise and improve their own security programmes.

Teaching note: Content below paraphrases ISA training material and ISA/IEC 62443-2-4 themes for learning. Always refer to the published standard for normative wording, conformance claims and contract language.

Reference: ISA/IEC 62443-2-4 — Security program requirements for IACS service providers
Related: IACS Cybersecurity Roles | IEC 62443-2-1 Security Program (2024) | IEC 62443-2-2 Automation Solution Security Lifecycle | IEC 62443-2-3 Patch Management | IEC 62443-4-1 Product Security Lifecycle

ISA/IEC 62443-2-4 Security Program Functional Areas table
Figure – ISA/IEC 62443-2-4 Security Program Functional Areas (SP.01–SP.12), grouping the requirements against which service providers may claim conformance.

Learning objectives


What Part 2-4 covers

Part 2-4 sits in the Policies & Procedures group of the series. Where Part 2-1 addresses the asset owner’s Security Program, Part 2-4 addresses the programme that service providers use when they integrate or maintain Automation Solutions.

In practice that means expectations such as:

Asset owners increasingly ask for ISA/IEC 62443 conformance when contracting. Demonstrating alignment with Part 2-4 can therefore be both a risk-reduction measure and a commercial differentiator — evidence that cybersecurity is part of day-to-day delivery, not an afterthought.


What is a service provider?

A service provider is a person or organisation that supplies a defined support service (and related materials), usually under agreement with the asset owner. The role need not be a separate legal entity. Many large asset owners have internal departments that act as the service provider for their own plants.

The 62443 series prefers the terms provider and supplier over the vague word vendor, so integration, maintenance and product-supply roles can be distinguished clearly.

Related: IACS Cybersecurity Roles — Asset Owner, Integration Service Provider, Maintenance Service Provider and Product Supplier.


Types of IACS service providers

Part 2-4 is written primarily around integration and maintenance service providers. The broader role model also includes product suppliers, whose hardware and software products become part of Automation Solutions.

Integration Service Provider

An IACS Integration Service Provider implements and deploys Automation Solutions to meet asset-owner requirements. Integration work typically runs from design through to handover of the Automation Solution to the asset owner.

Typical integration activities include:

Maintenance Service Provider

An IACS Maintenance Service Provider maintains and services Automation Solutions according to asset-owner requirements. Maintenance activities are distinct from day-to-day operations. They generally begin after handover and can continue for as long as the asset owner needs them.

Typical maintenance activities include:

Teaching tip: Operations keep the plant running; maintenance keeps the Automation Solution fit for purpose over time. Part 2-4 focuses on the programme behind those maintenance (and integration) services — not on replacing the asset owner’s operational Security Program under Part 2-1.

Product Supplier

A product supplier manufactures hardware and/or software products. Control-system products are typically built from combinations of:

Those products are developed largely independently of any one plant’s IACS environment; they are later selected, configured and integrated into a site-specific Automation Solution. Secure development of the products themselves is the focus of ISA/IEC 62443-4-1, while system and component security capabilities sit in Parts 3-3 and 4-2.

Who may share maintenance work

In a live facility, maintenance activities may be shared across several parties:

Contracts and role definitions should make clear who owns each activity — and which Part 2-4 capabilities the service provider is expected to support when that work is outsourced.


Security Program Functional Areas (SP.01–SP.12)

To claim conformance, service providers must meet the applicable requirements in ISA/IEC 62443-2-4. Those requirements are grouped into twelve functional areas. The areas are a high-level map of where a service provider can claim conformance — not a substitute for reading the individual requirements.

Functional area SP Req ID Description
Solution staffing SP.01.XX Assignment of personnel by the service provider to Automation Solution–related activities.
Assurance SP.02.XX Providing confidence that the Automation Solution security policy is enforced.
Architecture SP.03.XX Design of the Automation Solution.
Wireless SP.04.XX Use of wireless in the Automation Solution.
SIS SP.05.XX Integration of Safety Instrumented Systems (SIS) into the Automation Solution.
Configuration management SP.06.XX Configuration control of the Automation Solution.
Remote access SP.07.XX Remote access to the Automation Solution.
Event management SP.08.XX Event handling in the Automation Solution.
Account management SP.09.XX Administration of user accounts in the Automation Solution.
Malware protection SP.10.XX Use of anti-malware software in the Automation Solution.
Patch management SP.11.XX Security aspects of approving and installing software patches.
Backup / Restore SP.12.XX Security aspects of backup and restore.

Each area uses a requirement-ID pattern such as SP.03.XX (Architecture). Facility patching under SP.11 also connects closely to the guidance in ISA/IEC TR 62443-2-3.


Evaluating service-provider programmes — TR/TS 62443-6-1

ISA/IEC TR/TS 62443-6-1 was published in 2024. It provides objective evaluation criteria for assessing a service provider’s security programme against ISA/IEC 62443-2-4. Both service providers preparing for assessment and evaluators conducting conformity assessments use it to keep results consistent.

Aligned with Part 2-4, the technical report establishes evaluation criteria and the evidence expected at each maturity level (ML 1 through ML 4). The aim is repeatable and reproducible evaluation outcomes — so two competent assessors looking at the same programme reach comparable conclusions.

Maturity-level thinking also appears elsewhere in the series (for example asset-owner programmes in Part 2-1 and secure-development programmes in Part 4-1). Use each part’s own tables and criteria when scoring; do not assume the evidence list for one part transfers unchanged to another.

Reference: ISA/IEC TR/TS 62443-6-1 — Security evaluation methodology for IEC 62443-2-4
Related: IEC 62443-2-1 Maturity Levels | IEC 62443-2-1 Conformance and Assessment


Key takeaways


Standards reference