ISA/IEC 62443 places primary accountability for cybersecurity risk on the asset owner, particularly during the Operation and Maintenance phase of the IACS lifecycle. This phase is where systems run for years or decades, and cybersecurity effectiveness depends less on design intent and more on how people and processes operate daily.
Step 1: Lifecycle responsibility of the asset owner
ISA/IEC 62443-2-1 requires the asset owner to establish, operate, and maintain an IACS Security Program. During operation, cybersecurity controls must be embedded into routine organizational activities such as operations, maintenance, incident handling, training, and change management.
Step 2: Integration with people and processes
The standard explicitly recognizes that technology alone cannot manage cybersecurity risk. Operators, engineers, maintenance staff, and managers must understand their cybersecurity roles. Embedding IACS security into organizational processes ensures consistent execution across shifts, teams, and sites.
Step 3: Avoiding incorrect interpretations
Immediate decommissioning is not an objective of the Operation and Maintenance phase. Allowing suppliers unrestricted remote updates contradicts the governance and change-management requirements of the security program. Granting full control to maintenance providers conflicts with the asset owner's accountability for the IACS.
Step 4: Operational resilience
By embedding IACS security into organizational culture and workflows, the asset owner ensures that security measures are sustained, monitored, and improved over the long operating life of the system rather than eroding after commissioning.
Therefore, the correct reason is to embed the IACS within organizational processes and people.