An asset owner is defined in IEC 62443-2-4 as follows: “individual or organization responsible for one or more IACSs”. Similar to a quality management system, the requirements for the asset owner's security management system are described in IEC 62443-2-1, which shows how risk is analysed and addressed by the Cyber Security Management System (CSMS).
In most cases, an asset owner would engage two kinds of service provider:
- The system integrator service provider who provides integration activities for an Automation Solution including design, installation, configuration, testing, commissioning, and handover, and
- The maintenance service provider who provides support activities for an Automation Solution after handover.
IEC 62443-2-4 can be used by asset owners to request specific security capabilities from the service provider. More specifically, prior to such a request, IEC 62443-2-4 can be used by asset owners to determine whether or not a specific service provider’s security program includes the capabilities that the asset owner needs. The maturity model (Maturity Level 1 to 4 where ML4 is the most mature) also allows asset owners to better understand the maturity of a specific service provider’s capabilities.
As required in ML2: “The service provider also has evidence to show that personnel who will perform the service have the expertise, are trained, and/or are capable of following written procedures to perform the service.” That is to say, the person who conducts the work must be competent to do it.
So in summary, an asset owner should:
- Check that the appointed service provider has the competency to do their work as required by IEC 62443-2-4.
At exida Asia Pacific, we provide the instructor-led course CS 204: IEC 62443 Cybersecurity for Integrators and Solution Providers, which helps asset owners and system integrators become competent as required for IEC 62443 certification. View our course schedule here and contact us for more information!