← Home

IACS Cybersecurity Roles

ISA/IEC 62443 treats industrial cybersecurity as a shared responsibility. Securing an Industrial Automation and Control System (IACS) depends on principal roles working together across product development, integration, operation, and maintenance — not on one organisation alone.

Series-wide concept: These principal roles are defined across the ISA/IEC 62443 series rather than in a single part. Part 2-1 centres on the Asset Owner’s Security Program; Part 2-4 sets requirements for Integration and Maintenance Service Providers; Parts 4-1 and 4-2 address Product Suppliers. Foundational terms and the relationship between roles, products, the Automation Solution, and the IACS are introduced with the series concepts (including Part 1-1).
ISA/IEC 62443 roles mapped to standard parts
Figure 1 – How principal roles relate to parts of the ISA/IEC 62443 series. Profiles and conformity assessment sit alongside the role-focused parts.

Roles Are Not Organisations

A role is a set of responsibilities — not the same thing as a company name. One organisation may hold several roles; one role may be split across several organisations under contract.

For example, an Asset Owner may also perform maintenance in-house, or a Product Supplier may also provide integration services. However work is allocated, accountability for cybersecurity risk of the IACS and the Equipment Under Control remains with the Asset Owner.

Principal Roles

The series identifies these principal roles and how they relate to products, the Automation Solution, and the IACS:

Product Suppliers work largely independent of a specific plant environment. Integration and Maintenance Service Providers, together with the Asset Owner, act inside the IACS environment where products become a configured Automation Solution (Zones, Conduits, essential and supporting functions), and the IACS adds the organisational measures for operation and routine maintenance.


Asset Owner

The Asset Owner is accountable and responsible for the IACS. The Asset Owner also operates the IACS and the Equipment Under Control. Before an Automation Solution project proceeds, the Asset Owner establishes the organisation’s IACS Security Program (Part 2-1), including how Product Suppliers and Service Providers will be engaged.

Across the Automation Solution Security Lifecycle, typical Asset Owner responsibilities include:

Primary part for Security Program requirements: ISA/IEC 62443-2-1


Service Providers

Service Providers work on behalf of the Asset Owner to deliver or sustain an Automation Solution. The series distinguishes two service roles; one organisation may hold both. Security program requirements for these roles are in Part 2-4.

Integration Service Provider

The Integration Service Provider designs and deploys the Automation Solution — including design, installation, configuration, testing, commissioning, and handover to the Asset Owner. The Integrator may also assist with partitioning the System Under Consideration into Zones and Conduits and with risk assessment.

Typical responsibilities include:

Primary part: ISA/IEC 62443-2-4

Maintenance Service Provider

The Maintenance Service Provider supports the Automation Solution after handover — maintaining security, reliability, and availability through the operational life of the IACS, including decommissioning activities when assets leave service.

Typical responsibilities include:

Primary part: ISA/IEC 62443-2-4 (facility patching also draws on Part 2-3)


Product Supplier

The Product Supplier manufactures and supports hardware and/or software products. Products may include Control Systems and Components — Embedded Devices, Host Devices, Network Devices, and/or Software Applications. The Product Supplier develops and supports these products largely outside a specific plant IACS environment; products are later configured into an Automation Solution at a site.

Typical responsibilities in the facility lifecycle include:

How products themselves are developed securely is covered by the Product Security Lifecycle (Part 4-1). System- and component-level security capabilities that manufacturers must provide are specified in Part 3-3 (system requirements) and Part 4-2 (component requirements).

Primary parts: ISA/IEC 62443-4-1 (secure development); 3-3 and 4-2 (security capabilities)

How Parts Map to Roles

Use this quick mapping when selecting which ISA/IEC 62443 parts apply to each audience:

In practice, Product Supplier and System/Component Manufacturer often sit in the same organisation: Part 4-1 covers how products are developed securely; Parts 3-3 and 4-2 specify what security capabilities the delivered system or component must provide.

Figure 1 shows which documents each principal audience is most likely to use. There is deliberate overlap beyond the primary mapping above:

Related lifecycle pages: Automation Solution Security Lifecycle · Product Security Lifecycle

Shared Responsibility Overview

Typical activities are shared across roles. A tick indicates primary ownership; “Support” indicates contributory involvement.

Responsibility Asset Owner Integration SP Maintenance SP Product Supplier
Own and operate the IACS
Establish Security Program Support Support Support
Cybersecurity risk assessment Support Support
Define security requirements / approve CRS Support
System design Support
System integration Support
Commissioning and technical verification
Organisational validation / handover Support
Routine operation
Routine maintenance
Patch management Support
Secure product development
Product security updates and support Support
Vulnerability management Support Support
Incident response Support Support Support
Decommissioning Approve

Key Takeaways

Standards References

AEBOK Standards Reference: Treat principal IACS roles as a series-level model. Use Part 2-1 for Asset Owner Security Program expectations, Part 2-4 for Service Providers / Integrators, Part 4-1 for Product Supplier secure development, and Parts 3-3 / 4-2 for system and component security capabilities. Lifecycle responsibilities by phase are summarised here and expanded on the Automation Solution and Product Security Lifecycle pages.