ISA/IEC 62443 clearly assigns operational cybersecurity responsibility to the asset owner. During the Operate and Maintain phase of the IACS lifecycle, the asset owner is accountable for ensuring that cybersecurity controls are executed, monitored, and adapted as risks evolve.

Step 1: Definition of the SPS

IEC 62443-2-2 defines the Security Protection Scheme (SPS) as a documented set of technical, procedural, and physical measures selected to manage cybersecurity risk. While other parties may contribute to its design or implementation, execution during operation is the asset owner’s responsibility.

Step 2: Operational accountability

ISA/IEC 62443-2-1 establishes that the asset owner must operate and maintain the IACS security program, including incident handling, vulnerability management, patching, monitoring, and response to emerging threats.

Step 3: Why other roles are incorrect

Product vendors are responsible for product security, not operational risk response.

System integrators support design and implementation, not ongoing ownership.

External auditors assess compliance but do not execute controls.

Step 4: Risk ownership principle

Because the asset owner bears the consequences of downtime, safety incidents, and regulatory impact, the standard assigns them responsibility for executing SPS measures and responding to new risks.

Therefore, Option A is correct.