ISA/IEC 62443 treats industrial cybersecurity as a shared responsibility. Securing an Industrial Automation and Control System (IACS) depends on principal roles working together across product development, integration, operation, and maintenance — not on one organisation alone.
A role is a set of responsibilities — not the same thing as a company name. One organisation may hold several roles; one role may be split across several organisations under contract.
For example, an Asset Owner may also perform maintenance in-house, or a Product Supplier may also provide integration services. However work is allocated, accountability for cybersecurity risk of the IACS and the Equipment Under Control remains with the Asset Owner.
The series identifies these principal roles and how they relate to products, the Automation Solution, and the IACS:
Product Suppliers work largely independent of a specific plant environment. Integration and Maintenance Service Providers, together with the Asset Owner, act inside the IACS environment where products become a configured Automation Solution (Zones, Conduits, essential and supporting functions), and the IACS adds the organisational measures for operation and routine maintenance.
The Asset Owner is accountable and responsible for the IACS. The Asset Owner also operates the IACS and the Equipment Under Control. Before an Automation Solution project proceeds, the Asset Owner establishes the organisation’s IACS Security Program (Part 2-1), including how Product Suppliers and Service Providers will be engaged.
Across the Automation Solution Security Lifecycle, typical Asset Owner responsibilities include:
Primary part for Security Program requirements: ISA/IEC 62443-2-1
Service Providers work on behalf of the Asset Owner to deliver or sustain an Automation Solution. The series distinguishes two service roles; one organisation may hold both. Security program requirements for these roles are in Part 2-4.
The Integration Service Provider designs and deploys the Automation Solution — including design, installation, configuration, testing, commissioning, and handover to the Asset Owner. The Integrator may also assist with partitioning the System Under Consideration into Zones and Conduits and with risk assessment.
Typical responsibilities include:
Primary part: ISA/IEC 62443-2-4
The Maintenance Service Provider supports the Automation Solution after handover — maintaining security, reliability, and availability through the operational life of the IACS, including decommissioning activities when assets leave service.
Typical responsibilities include:
Primary part: ISA/IEC 62443-2-4 (facility patching also draws on Part 2-3)
The Product Supplier manufactures and supports hardware and/or software products. Products may include Control Systems and Components — Embedded Devices, Host Devices, Network Devices, and/or Software Applications. The Product Supplier develops and supports these products largely outside a specific plant IACS environment; products are later configured into an Automation Solution at a site.
Typical responsibilities in the facility lifecycle include:
How products themselves are developed securely is covered by the Product Security Lifecycle (Part 4-1). System- and component-level security capabilities that manufacturers must provide are specified in Part 3-3 (system requirements) and Part 4-2 (component requirements).
Primary parts: ISA/IEC 62443-4-1 (secure development); 3-3 and 4-2 (security capabilities)
Use this quick mapping when selecting which ISA/IEC 62443 parts apply to each audience:
In practice, Product Supplier and System/Component Manufacturer often sit in the same organisation: Part 4-1 covers how products are developed securely; Parts 3-3 and 4-2 specify what security capabilities the delivered system or component must provide.
Figure 1 shows which documents each principal audience is most likely to use. There is deliberate overlap beyond the primary mapping above:
Related lifecycle pages: Automation Solution Security Lifecycle · Product Security Lifecycle
Typical activities are shared across roles. A tick indicates primary ownership; “Support” indicates contributory involvement.
| Responsibility | Asset Owner | Integration SP | Maintenance SP | Product Supplier |
|---|---|---|---|---|
| Own and operate the IACS | ✓ | |||
| Establish Security Program | ✓ | Support | Support | Support |
| Cybersecurity risk assessment | ✓ | Support | Support | |
| Define security requirements / approve CRS | ✓ | Support | ||
| System design | ✓ | ✓ | Support | |
| System integration | ✓ | Support | ||
| Commissioning and technical verification | ✓ | |||
| Organisational validation / handover | ✓ | Support | ✓ | |
| Routine operation | ✓ | |||
| Routine maintenance | ✓ | |||
| Patch management | ✓ | Support | ✓ | ✓ |
| Secure product development | ✓ | |||
| Product security updates and support | Support | ✓ | ||
| Vulnerability management | ✓ | Support | Support | ✓ |
| Incident response | ✓ | Support | Support | Support |
| Decommissioning | Approve | ✓ |