IEC 62443‑2‑1 specifies asset owner security program (SP) requirements for an industrial
automation and control system (IACS). This document uses the broad definition and scope of what constitutes an IACS as described in IEC 62443‑1‑1. In the context of this document, asset owner also includes the operator of the IACS.
This document recognizes that the lifespan of an IACS can exceed twenty years, and that many legacy systems contain hardware and software that are no longer supported. Therefore, the SP for a legacy system may address only a subset of the requirements defined in this document. For example, if its software is no longer supported, security patching requirements cannot be met. Similarly, backup software for older systems may not be available for all components of the IACS. As a result, this document recognizes that not all requirements can be met by legacy systems. In situations where specific requirements or subsets of requirements are applicable but unable to be implemented in legacy systems, then compensating countermeasures should be implemented where possible.