IEC 62443-2:20 23规定了一套全面的安全相关流程要求，IACS服务提供商可以在自动化解决方案的集成和维护活动期间向资产所有者提供这些要求。因为不是所有的要求都适用于所有的行业团体和组织，所以第4.1.4款规定了“概要”的开发，允许这些要求的子集化。配置文件用于使本文档适应特定环境，包括不基于IACS的环境。 注1:术语“自动化解决方案”在本文档中用作专有名词（因此大写），以防止与该术语的其他用法混淆。总的来说，IACS服务提供商提供的安全流程被称为其针对IACS资产所有者的安全计划（SP）。在相关规范中，IEC 62443-2-1描述了对资产所有者的安全管理系统的要求。 注2一般而言，这些安全能力与政策、程序、实践和人员相关。图1示出了IACS的资产所有者、服务提供商和产品供应商的集成和维护安全流程以及它们彼此之间以及与自动化解决方案的关系。本文件中与安全计划相关的一些要求与IEC 62443-3-3和IEC 62443-4-2中描述的安全要求相关。 注3 IACS是自动化解决方案及其设计、部署、操作和维护所需的组织措施的组合。 注4安全技术能力不足的遗留系统的维护、政策、流程和程序的实施可以通过风险缓解来解决。

IEC 62443-2:2023 specifies a comprehensive set of requirements for security-related processes that IACS service providers can offer to the asset owner during integration and maintenance activities of an Automation Solution. Because not all requirements apply to all industry groups and organizations, Subclause 4.1.4 provides for the development of "profiles" that allow for the subsetting of these requirements. Profiles are used to adapt this document to specific environments, including environments not based on an IACS.
NOTE 1 The term "Automation Solution" is used as a proper noun (and therefore capitalized) in this document to prevent confusion with other uses of this term. Collectively, the security processes offered by an IACS service provider are referred to as its Security Program (SP) for IACS asset owners. In a related specification, IEC 62443-2-1 describes requirements for the Security Management System of the asset owner.
NOTE 2 In general, these security capabilities are policy, procedure, practice and personnel related. Figure 1 illustrates the integration and maintenance security processes of the asset owner, service provider(s), and product supplier(s) of an IACS and their relationships to each other and to the Automation Solution. Some of the requirements of this document relating to the safety program are associated with security requirements described in IEC 62443-3-3 and IEC 62443-4-2.
NOTE 3 The IACS is a combination of the Automation Solution and the organizational measures necessary for its design, deployment, operation, and maintenance.
NOTE 4 Maintenance of legacy system with insufficient security technical capabilities, implementation of policies, processes and procedures can be addressed through risk mitigation.