IEC PAS 62443-2-2-2025 PDF
Name in English: St IEC PAS 62443-2-2-2025
Name in Russian: Ст IEC PAS 62443-2-2-2025
Full title and description
IEC/PAS 62443-2-2:2025 — Security for industrial automation and control systems – Part 2-2: IACS security protection scheme. This Publicly Available Specification provides guidance for the development, validation, operation and maintenance of a coordinated set of technical, physical and process security measures (the Security Protection Scheme, SPS) to manage cyber risks to Industrial Automation and Control Systems (IACS) during the operational phase.
Abstract
IEC/PAS 62443-2-2:2025 describes a Security Protection Scheme (SPS) concept and practical measures that asset owners and operators can apply to protect IACS assets. The document draws on requirements and concepts from other parts of the IEC 62443 series and explains how to select, implement, validate and maintain technical, physical and procedural controls so that an IACS Security Program can reduce cyberthreat risk throughout operation, maintenance and change activities.
General information
- Status: Published (IEC Publicly Available Specification).
- Publication date: 11 March 2025.
- Publisher: International Electrotechnical Commission (IEC).
- ICS / categories: 25.040.40 (Industrial process measurement and control), 35.100.05 (Multilayer applications).
- Edition / version: Edition 1.0.
- Number of pages: 44.
Scope
This PAS defines the concepts, lifecycle activities and supporting measures for a Security Protection Scheme (SPS) intended to protect IACS in operational environments. It addresses selection and configuration of technical controls (for example segmentation, access control and monitoring), supporting physical and process controls, validation and acceptance testing, operational procedures, maintenance and change control, and roles and responsibilities for asset owners and service providers. The scope is the operational phase of IACS and how to integrate SPS elements with an IACS Security Program and other IEC 62443 deliverables.
Key topics and requirements
- Definition and components of a Security Protection Scheme (SPS) for IACS.
- Guidance on mapping SPS elements to IEC 62443 requirements and security levels.
- Design, validation and acceptance testing of technical, physical and procedural controls.
- Network segmentation, zone/conduit concepts and secure architecture practices for OT.
- Access control, authentication, and privileged account management for IACS.
- Monitoring, logging, anomaly detection and continuous assurance for operational systems.
- Incident response, recovery and forensic readiness considerations for IACS.
- Procedures for maintenance, change management and secure decommissioning.
- Supplier and third‑party component assurance, including firmware and patch processes.
- Roles, responsibilities and governance for asset owners, integrators and operators.
- Documentation, traceability and evidence requirements to support audits and compliance.
Typical use and users
This PAS is intended for asset owners and facility operators responsible for OT/ICS environments who are implementing or maturing an IACS Security Program. Typical users include OT security managers, control systems engineers, operations and maintenance teams, system integrators, solution architects, cybersecurity consultants, assessors and auditors who need practical guidance for designing, operating and maintaining protective schemes that reduce cyber risk to production systems.
Related standards
IEC/PAS 62443-2-2:2025 is part of the IEC 62443 series. Related documents include IEC 62443-1-1 (terminology and concepts), IEC 62443-2-1 (security program requirements for asset owners), IEC 62443-2-4 (security for service providers), IEC 62443-3-3 (system security requirements and security levels), and IEC 62443-4-1 and IEC 62443-4-2 (product development and component requirements). Complementary frameworks such as ISO/IEC 27001 and guidance such as NIST SP 800-82 are also commonly referenced alongside IEC 62443 guidance.
Keywords
IACS, SPS, Security Protection Scheme, IEC 62443, OT security, industrial control system, asset owner, network segmentation, access control, incident response, validation, maintenance.
FAQ
Q: What is this standard?
A: IEC/PAS 62443-2-2:2025 is a Publicly Available Specification that provides guidance on creating and operating a Security Protection Scheme (SPS) to protect Industrial Automation and Control Systems during the operational phase.
Q: What does it cover?
A: It covers the design, validation, operation and maintenance of coordinated technical, physical and process controls (the SPS), mapping those measures to IEC 62443 concepts and providing practical procedures for asset owners and operators to manage cyber risks to IACS.
Q: Who typically uses it?
A: Asset owners, OT/ICS security managers, control systems engineers, system integrators, maintenance teams, cybersecurity consultants, assessors and auditors use this PAS to design and operate protective schemes for industrial control environments.
Q: Is it current or superseded?
A: This document was published on 11 March 2025 and is current as a PAS. Its documented stability date is 2026; as a PAS it may be reviewed or incorporated into a full IEC standard in the future.
Q: Is it part of a series?
A: Yes. It is part of the IEC 62443 series addressing security for industrial automation and control systems and is intended to be used alongside other parts of that series (for example 62443-1-x, -2-x, -3-x and -4-x).
Q: What are the key keywords?
A: IACS, Security Protection Scheme (SPS), OT security, IEC 62443, network segmentation, access control, incident response, validation, maintenance, asset owner.