← Home
IEC 62443-4-1 Clause 11 – Security Update Management
ISA/IEC 62443-4-1:2018, Clause 11 defines
Practice 7 – Security update management (SUM) in the Product Supplier’s secure
product development lifecycle.
SUM ensures security updates for the product — including patches from the developer and from
dependent components or platforms — are qualified for regressions, documented, delivered
authentically and made available in a useful timeframe. Facility-side patch programmes
(TR 62443-2-3) and service-provider patch expectations
(Part 2-4) rely on this supplier work.
Teaching note: Summaries paraphrase ISA/IEC 62443-4-1:2018 for learning.
They are not verbatim extracts — always use the published standard for normative wording and assessment.
Reference: ISA/IEC 62443-4-1:2018, Clause 11
Related:
Product Security Lifecycle overview
|
Practice 6 – Security-related issues
|
IEC 62443-2-3 Patch Management
Practice pages: SM | SR | SD | SI | SVV | DM | SUM | SG
Requirements in this practice
SUM requirement summaries
SUM-1: Security update qualification
Clause: 11.2
Summary
Verify that security updates actually fix the intended vulnerabilities and do not introduce
regressions — whether the patch comes from the product developer, embedded component suppliers,
or platforms the product depends on. Confirm the update does not conflict with operational,
safety or legal constraints.
SUM-2: Security update documentation
Clause: 11.3
Summary
Give users documentation covering applicable product versions, how to apply patches (manual and
automated), operational impacts (including reboot), how to verify installation, and risks /
interim remediations when a patch is not approved or not yet deployed.
SUM-3: Dependent component or operating system security update documentation
Clause: 11.4
Summary
State clearly whether the product is compatible with dependent-component or OS security updates,
and provide mitigations when the product supplier does not approve applying that update.
SUM-4: Security update delivery
Clause: 11.5
Summary
Make security updates for supported products and versions available through a channel that lets
users verify authenticity — reducing the chance of fraudulent patches.
SUM-5: Timely delivery of security patches
Clause: 11.6
Summary
Release security patches within a reasonable timeframe once an issue is confirmed, so the window
between disclosure and available remediation stays as short as practical for supported releases.
Key takeaways
- SUM is the supplier half of IACS patching — qualification, documentation, trusted delivery and timeliness.
- OS and third-party component updates need explicit compatibility or mitigation guidance (SUM-3).
- Asset owners still run site patch processes under Part 2-1 / TR 2-3; SUM makes those processes workable.