ISA/IEC 62443 is the international standard series for industrial automation and control system (IACS) security. Part 2-4 (IEC 62443-2-4, Security program requirements for IACS service providers) defines what is required of the service providers that integrate and maintain control systems for industrial operators, the companies that design, build, commission, and support those systems. If you are selecting an integrator, contracting with one, or evaluating your current integrators' security practices, understanding 62443-2-4 is essential. It is also a tool for holding vendors accountable to a clearly defined, auditable set of requirements rather than to vague assurances.
Many organizations are unaware that 62443-2-4 exists or what it asks of integrators. Yet regulators increasingly point operators toward the 62443 series. NERC CIP-013 requires North American bulk electric system operators to manage supply-chain cyber risk, which in practice means imposing documented security requirements on vendors and integrators of the kind 62443-2-4 defines. European NIS2 obligations direct essential and important entities to recognized international standards, and 62443 is the series most commonly applied to control systems. If you are selecting integrators, evaluate them against 62443-2-4 criteria, and expect them either to hold a 2-4 certification from an accredited certification body or to demonstrate conformance requirement by requirement.
What 62443-2-4 Requires of Integrators
The standard is written as a table of requirements grouped by functional area. For integration work those areas include solution staffing (trained personnel with defined security responsibilities and background checks), assurance (a security risk assessment and security testing of the delivered solution), architecture (zones and conduits, network segmentation, device hardening), wireless, safety instrumented systems, configuration management, remote access, event logging and management, account management, malware protection, patch management, and backup and restore. The integrator must assess the security of the components and of the overall solution it delivers, document how it meets each requirement it claims, and be able to show that documentation to the asset owner or to an auditor. Secure product development (threat modeling, secure coding, product security testing) is the subject of a different part of the series, IEC 62443-4-1, and applies to the product supplier rather than the integrator; ask any vendor which parts of the series it is actually claiming conformance to.
The standard also covers maintenance, so it applies to the service provider's ongoing support of the delivered solution, not only to the initial integration. That includes evaluating patches released by product suppliers for applicability to your system, telling you which ones apply and when they will be installed or what compensating measures to use in the meantime, keeping malware protection current, and maintaining backups that have been verified to restore. Many traditional integrators treated commissioning as the end of their involvement. 62443-2-4 changes that: an integrator that provides maintenance has continuing responsibility for the security of what it delivered.
Practical Implications for Operator Procurement
- Evaluate vendor security maturity: When evaluating integrators, ask whether they are certified to 62443-2-4 or pursuing certification. If not, ask them to complete a gap assessment against the standard's requirement table and to provide a remediation plan with dates. A vendor unwilling to do this is a red flag.
- Contractual security requirements: Include security requirements in your integrator contracts and reference 62443-2-4 explicitly. Require the integrator to perform a security risk assessment of the solution and security testing before handover, and to deliver the resulting documentation. Require security training for their personnel. Require them to notify you promptly of vulnerabilities affecting your system and to deliver patches, or documented workarounds, within defined timeframes; tie those timeframes to the severity of the vulnerability and the criticality of the affected zone.
- Ongoing oversight: After implementation, integrators should remain accountable for security. Require them to participate in security reviews, vulnerability assessments, and incident response. Require them to update systems to address new vulnerabilities. This ongoing relationship prevents systems from degrading into unpatched, insecure states.
- Supplier diversity with accountability: Having multiple vendors is good for redundancy, but each vendor should meet security standards. Don't accept lower security practices from secondary vendors just because they're smaller. Your most critical systems often deserve your best vendors, not your cheapest.
Building Vendor Security Accountability
The industrial sector is moving toward expecting integrators to meet 62443 standards. Organizations that build this expectation into their vendor selection and contracting now will be ahead of the curve. Organizations that don't will find themselves with vendors who lack security competency and can't support modern compliance requirements.
We help industrial organizations understand 62443 requirements, evaluate integrators against the standard, and build vendor security programs that hold integrators accountable. Contact us to assess your integrator security practices.
This article was written by the Cascadia OT Security practice, which advises Pacific Northwest data centers and manufacturers on industrial cybersecurity. For engagement inquiries, reach our practice team.