IEC 62443-3-2:2020

IEC 62443-3-2 ®
Edition 1.0 2020-06
INTERNATIONAL
STANDARD
colour
inside
Security for industrial automation and control systems –
Part 3-2: Security risk assessment for system design

All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form
or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from
either IEC or IEC's member National Committee in the country of the requester. If you have any questions about IEC
copyright or have an enquiry about obtaining additional rights to this publication, please contact the address below or
your local IEC member National Committee for further information.

IEC Central Office Tel.: +41 22 919 02 11
3, rue de Varembé info@iec.ch
CH-1211 Geneva 20 www.iec.ch
Switzerland
About the IEC
The International Electrotechnical Commission (IEC) is the leading global organization that prepares and publishes
International Standards for all electrical, electronic and related technologies.

About IEC publications
The technical content of IEC publications is kept under constant review by the IEC. Please make sure that you have the
latest edition, a corrigendum or an amendment might have been published.

IEC publications search - webstore.iec.ch/advsearchform Electropedia - www.electropedia.org
The advanced search enables to find IEC publications by a The world's leading online dictionary on electrotechnology,
variety of criteria (reference number, text, technical containing more than 22 000 terminological entries in English
committee,…). It also gives information on projects, replaced and French, with equivalent terms in 16 additional languages.
and withdrawn publications. Also known as the International Electrotechnical Vocabulary

(IEV) online.
IEC Just Published - webstore.iec.ch/justpublished
Stay up to date on all new IEC publications. Just Published IEC Glossary - std.iec.ch/glossary
details all new publications released. Available online and 67 000 electrotechnical terminology entries in English and
once a month by email. French extracted from the Terms and Definitions clause of
IEC publications issued since 2002. Some entries have been
IEC Customer Service Centre - webstore.iec.ch/csc collected from earlier publications of IEC TC 37, 77, 86 and
If you wish to give us your feedback on this publication or CISPR.

need further assistance, please contact the Customer Service

Centre: sales@iec.ch.
IEC 62443-3-2 ®
Edition 1.0 2020-06
INTERNATIONAL
STANDARD
colour
inside
Security for industrial automation and control systems –

Part 3-2: Security risk assessment for system design

INTERNATIONAL
ELECTROTECHNICAL
COMMISSION
ICS 25.040.40; 35.030 ISBN 978-2-8322-8501-5

– 2 – IEC 62443-3-2:2020 © IEC 2020
CONTENTS
FOREWORD . 4
INTRODUCTION . 6
1 Scope . 7
2 Normative references . 7
3 Terms, definitions, abbreviated terms, acronyms and conventions . 7
3.1 Terms and definitions . 7
3.2 Abbreviated terms and acronyms . 10
3.3 Conventions . 11
4 Zone, conduit and risk assessment requirements . 11
4.1 Overview. 11
4.2 ZCR 1: Identify the SUC . 13
4.2.1 ZCR 1.1: Identify the SUC perimeter and access points . 13
4.3 ZCR 2: Initial cyber security risk assessment . 13
4.3.1 ZCR 2.1: Perform initial cyber security risk assessment . 13
4.4 ZCR 3: Partition the SUC into zones and conduits . 14
4.4.1 Overview . 14
4.4.2 ZCR 3.1: Establish zones and conduits . 14
4.4.3 ZCR 3.2: Separate business and IACS assets . 14
4.4.4 ZCR 3.3: Separate safety related assets . 14
4.4.5 ZCR 3.4: Separate temporarily connected devices . 15
4.4.6 ZCR 3.5: Separate wireless devices . 15
4.4.7 ZCR 3.6: Separate devices connected via external networks . 15
4.5 ZCR 4: Risk comparison . 16
4.5.1 Overview . 16
4.5.2 ZCR 4.1: Compare initial risk to tolerable risk . 16
4.6 ZCR 5: Perform a detailed cyber security risk assessment . 16
4.6.1 Overview . 16
4.6.2 ZCR 5.1: Identify threats . 17
4.6.3 ZCR 5.2: Identify vulnerabilities . 18
4.6.4 ZCR 5.3: Determine consequence and impact . 18
4.6.5 ZCR 5.4: Determine unmitigated likelihood . 19
4.6.6 ZCR 5.5: Determine unmitigated cyber security risk . 19
4.6.7 ZCR 5.6: Determine SL-T . 19
4.6.8 ZCR 5.7: Compare unmitigated risk with tolerable risk . 20
4.6.9 ZCR 5.8: Identify and evaluate existing countermeasures . 20
4.6.10 ZCR 5.9: Reevaluate likelihood and impact . 20
4.6.11 ZCR 5.10: Determine residual risk . 21
4.6.12 ZCR 5.11: Compare residual risk with tolerable risk . 21
4.6.13 ZCR 5.12: Identify additional cyber security countermeasures . 21
4.6.14 ZCR 5.13: Document and communicate results . 22
4.7 ZCR 6: Document cyber security requirements, assumptions and constraints . 22
4.7.1 Overview . 22
4.7.2 ZCR 6.1: Cyber security requirements specification . 22
4.7.3 ZCR 6.2: SUC description . 23
4.7.4 ZCR 6.3: Zone and conduit drawings . 23
4.7.5 ZCR 6.4: Zone and conduit characteristics. 23
4.7.6 ZCR 6.5: Operating environment assumptions . 24

4.7.7 ZCR 6.6: Threat environment . 25
4.7.8 ZCR 6.7: Organizational security policies . 25
4.7.9 ZCR 6.8: Tolerable risk . 25
4.7.10 ZCR 6.9: Regulatory requirements . 26
4.8 ZCR 7: Asset owner approval . 26
4.8.1 Overview . 26
4.8.2 ZCR 7.1: Attain asset owner approval . 26
Annex A (informative) Security levels . 27
Annex B (informative) Risk matrices . 28
Bibliography . 31

Figure 1 – Workflow diagram outlining the primary steps required to establish zones
and conduits, as well as to assess risk . 12
Figure 2 – Detailed cyber security risk assessment workflow per zone or conduit . 17

Table B.1 – Example of a 3 x 5 risk matrix . 28
Table B.2 – Example of likelihood scale . 28
Table B.3 – Example of consequence or severity scale . 29
Table B.4 – Example of a simple 3 x 3 risk matrix . 29
Table B.5 – Example of a 5 x 5 risk matrix . 30
Table B.6 – Example of a 3 x 4 matrix . 30

– 4 – IEC 62443-3-2:2020 © IEC 2020
INTERNATIONAL ELECTROTECHNICAL COMMISSION
____________
SECURITY FOR INDUSTRIAL AUTOMATION AND CONTROL SYSTEMS –

Part 3-2: Security risk assessment for system design

FOREWORD
1) The International Electrotechnical Commission (IEC) is a worldwide organization for standardization comprising
all national electrotechnical committees (IEC National Committees). The object of IEC is to promote
international co-operation on all questions concerning standardization in the electrical and electronic fields. To
this end and in addition to other activities, IEC publishes International Standards, Technical Specifications,
Technical Reports, Publicly Available Specifications (PAS) and Guides (hereafter referred to as “IEC
Publication(s)”). Their preparation is entrusted to technical committees; any IEC National Committee interested
in the subject dealt with may participate in this preparatory work. International, governmental and non-
governmental organizations liaising with the IEC also participate in this preparation. IEC collaborates closely
with the International Organization for Standardization (ISO) in accordance with conditions determined by
agreement between the two organizations.
2) The formal decisions or agreements of IEC on technical matters express, as nearly as possible, an international
consensus of opinion on the relevant subjects since each technical committee has representation from all
interested IEC National Committees.
3) IEC Publications have the form of recommendations for international use and are accepted by IEC National
Committees in that sense. While all reasonable efforts are made to ensure that the technical content of IEC
Publications is accurate, IEC cannot be held responsible for the way in which they are used or for any
misinterpretation by any end user.
4) In order to promote international uniformity, IEC National Committees undertake to apply IEC Publications
transparently to the maximum extent possible in their national and regional publications. Any divergence
between any IEC Publication and the corresponding national or regional publication shall be clearly indicated in
the latter.
5) IEC itself does not provide any attestation of conformity. Independent certification bodies provide conformity
assessment services and, in some areas, access to IEC marks of conformity. IEC is not responsible for any
services carried out by independent certification bodies.
6) All users should ensure that they have the latest edition of this publication.
7) No liability shall attach to IEC or its directors, employees, servants or agents including individual experts and
members of its technical committees and IEC National Committees for any personal injury, property damage or
other damage of any nature whatsoever, whether direct or indirect, or for costs (including legal fees) and
expenses arising out of the publication, use of, or reliance upon, this IEC Publication or any other IEC
Publications.
8) Attention is drawn to the Normative references cited in this publication. Use of the referenced publications is
indispensable for the correct application of this publication.
9) Attention is drawn to the possibility that some of the elements of this IEC Publication may be the subject of
patent rights. IEC shall not be held responsible for identifying any or all such patent rights.
International Standard IEC 62443-3‑2 has been prepared by IEC technical committee 65:
Industrial-process measurement, control and automation.
The text of this standard is based on the following documents:
FDIS Report on voting
65/799/FDIS 65/804/RVD
Full information on the voting for the approval of this International Standard can be found in
the report on voting indicated in the above table.
This document has been drafted in accordance with the ISO/IEC Directives, Part 2.
A list of all parts in the
...