Overview of Major Roles in Industrial Control Systems

To fully understand the processes that make up a cybersecurity management system, it is necessary to understand the roles involved in executing them. A role is responsible for fulfilling certain activities and is held accountable for doing so. A role may be executed by an individual, by a legal entity such as a company or government agency, or by a subdivision of a legal entity, such as a department.

Overview of Roles:

Asset Owner

  1. The asset owner is accountable for the industrial automation and control system (IACS), including its cybersecurity posture and the associated risks, throughout the life cycle.
  2. The asset owner also defines the acceptable residual cybersecurity risk as an input requirement for all activities along the IACS life cycle.
  3. The asset owner is also responsible for the operation of the IACS. In many cases, the company that operates the IACS is also the legal owner and is accountable for the IACS.

Integration Service Provider

  1. The integration service provider for the IACS is responsible for the design, deployment, commissioning, and validation of its security measures.
  2. The activities cover the development and validation of a security protection scheme for the IACS to match the acceptable residual cybersecurity risk.
  3. These include the development of technical measures for the automation solution and guidelines for organizational measures to be implemented during operation and maintenance.

Maintenance Service Provider

  1. The maintenance service provider for the IACS is responsible for its maintenance and decommissioning.
  2. The maintenance activities are performed on a regular maintenance schedule, and also when needed due to changes in the operational requirements or the threat environment.
  3. This role is also responsible for decommissioning parts of the automation solution or the whole of it.

Product Supplier

  1. The product supplier is responsible for the development and support of products used in the IACS. 
  2. The activities include the development and deployment of security capabilities.
  3. The product supplier is responsible for supplying integration and hardening guidelines and for establishing a process for incident handling and vulnerability management applied to its products.

These four are the major roles as per IEC 62443, and our cybersecurity measures need to be centered around them. All user management will rely on these roles only.
