The Security Program (SP) portfolio is the correct foundational document for an evolving IACS cybersecurity approach under the ISA/IEC 62443 family of standards. ISA/IEC 62443 is explicitly built around continuous risk management and lifecycle-based cybersecurity, rather than static or one-time security implementations.
Step 1: Role of the Security Program (SP)
ISA/IEC 62443-2-1 defines the requirements for establishing, implementing, maintaining, and continuously improving an IACS Cybersecurity Management System. The Security Program provides organizational governance through policies, roles, responsibilities, procedures, training, incident handling, change management, and continuous improvement activities. These elements ensure cybersecurity adapts as threats, vulnerabilities, and system configurations evolve.
Step 2: Need for an evolving security approach
The standard recognizes that IACS environments are long-lived and subject to changing operational conditions, emerging threat actors, and new vulnerabilities. Therefore, cybersecurity must be managed as an ongoing process. The SP portfolio enables periodic reassessment of risks, updates to controls, and improvements to security processes throughout the system lifecycle.
Step 3: Relationship between SP and SPS
IEC 62443-2-2 introduces the Security Protection Scheme (SPS), a documented set of technical, procedural, and physical security measures selected to mitigate identified risks. However, the SPS is not the foundation; it is a product of the Security Program. The SP governs how the SPS is developed, implemented, operated, and modified over time.
Step 4: Elimination of incorrect options
“IEC 62443-2-2 only” is insufficient because it addresses SPS development without broader governance.
Corporate KPIs unrelated to IACS do not manage cybersecurity risk.
An SPS alone cannot evolve without programmatic oversight.
In alignment with the intent and structure of ISA/IEC 62443, the Security Program (SP) portfolio is the correct foundation for a cybersecurity plan that must continuously evolve.