ISA/IEC 62443-2-4 sets out the security capabilities that integration and maintenance service providers must be able to support through their security programmes when working on Industrial Automation and Control Systems (IACS). The principal audience is suppliers of control-system solutions — organisations that design, deploy or maintain Automation Solutions for asset owners.
Supporting a capability means the service provider can deliver it to the asset owner when asked — not that every capability must be applied on every project by default. The same document also gives service providers a structured way to organise and improve their own security programmes.
Reference: ISA/IEC 62443-2-4 — Security program requirements for IACS service providers
Related:
IACS Cybersecurity Roles
|
IEC 62443-2-1 Security Program (2024)
|
IEC 62443-2-2 Automation Solution Security Lifecycle
|
IEC 62443-2-3 Patch Management
|
IEC 62443-4-1 Product Security Lifecycle
Part 2-4 sits in the Policies & Procedures group of the series. Where Part 2-1 addresses the asset owner’s Security Program, Part 2-4 addresses the programme that service providers use when they integrate or maintain Automation Solutions.
In practice that means expectations such as:
Asset owners increasingly ask for ISA/IEC 62443 conformance when contracting. Demonstrating alignment with Part 2-4 can therefore be both a risk-reduction measure and a commercial differentiator — evidence that cybersecurity is part of day-to-day delivery, not an afterthought.
A service provider is a person or organisation that supplies a defined support service (and related materials), usually under agreement with the asset owner. The role need not be a separate legal entity. Many large asset owners have internal departments that act as the service provider for their own plants.
The 62443 series prefers the terms provider and supplier over the vague word vendor, so integration, maintenance and product-supply roles can be distinguished clearly.
Related: IACS Cybersecurity Roles — Asset Owner, Integration Service Provider, Maintenance Service Provider and Product Supplier.
Part 2-4 is written primarily around integration and maintenance service providers. The broader role model also includes product suppliers, whose hardware and software products become part of Automation Solutions.
An IACS Integration Service Provider implements and deploys Automation Solutions to meet asset-owner requirements. Integration work typically runs from design through to handover of the Automation Solution to the asset owner.
Typical integration activities include:
An IACS Maintenance Service Provider maintains and services Automation Solutions according to asset-owner requirements. Maintenance activities are distinct from day-to-day operations. They generally begin after handover and can continue for as long as the asset owner needs them.
Typical maintenance activities include:
A product supplier manufactures hardware and/or software products. Control-system products are typically built from combinations of:
Those products are developed largely independently of any one plant’s IACS environment; they are later selected, configured and integrated into a site-specific Automation Solution. Secure development of the products themselves is the focus of ISA/IEC 62443-4-1, while system and component security capabilities sit in Parts 3-3 and 4-2.
In a live facility, maintenance activities may be shared across several parties:
Contracts and role definitions should make clear who owns each activity — and which Part 2-4 capabilities the service provider is expected to support when that work is outsourced.
To claim conformance, service providers must meet the applicable requirements in ISA/IEC 62443-2-4. Those requirements are grouped into twelve functional areas. The areas are a high-level map of where a service provider can claim conformance — not a substitute for reading the individual requirements.
| Functional area | SP Req ID | Description |
|---|---|---|
| Solution staffing | SP.01.XX | Assignment of personnel by the service provider to Automation Solution–related activities. |
| Assurance | SP.02.XX | Providing confidence that the Automation Solution security policy is enforced. |
| Architecture | SP.03.XX | Design of the Automation Solution. |
| Wireless | SP.04.XX | Use of wireless in the Automation Solution. |
| SIS | SP.05.XX | Integration of Safety Instrumented Systems (SIS) into the Automation Solution. |
| Configuration management | SP.06.XX | Configuration control of the Automation Solution. |
| Remote access | SP.07.XX | Remote access to the Automation Solution. |
| Event management | SP.08.XX | Event handling in the Automation Solution. |
| Account management | SP.09.XX | Administration of user accounts in the Automation Solution. |
| Malware protection | SP.10.XX | Use of anti-malware software in the Automation Solution. |
| Patch management | SP.11.XX | Security aspects of approving and installing software patches. |
| Backup / Restore | SP.12.XX | Security aspects of backup and restore. |
Each area uses a requirement-ID pattern such as SP.03.XX (Architecture). Facility patching under SP.11 also connects closely to the guidance in ISA/IEC TR 62443-2-3.
ISA/IEC TR/TS 62443-6-1 was published in 2024. It provides objective evaluation criteria for assessing a service provider’s security programme against ISA/IEC 62443-2-4. Both service providers preparing for assessment and evaluators conducting conformity assessments use it to keep results consistent.
Aligned with Part 2-4, the technical report establishes evaluation criteria and the evidence expected at each maturity level (ML 1 through ML 4). The aim is repeatable and reproducible evaluation outcomes — so two competent assessors looking at the same programme reach comparable conclusions.
Maturity-level thinking also appears elsewhere in the series (for example asset-owner programmes in Part 2-1 and secure-development programmes in Part 4-1). Use each part’s own tables and criteria when scoring; do not assume the evidence list for one part transfers unchanged to another.
Reference: ISA/IEC TR/TS 62443-6-1 — Security evaluation methodology for IEC 62443-2-4
Related:
IEC 62443-2-1 Maturity Levels
|
IEC 62443-2-1 Conformance and Assessment