← Home

IEC 62443-3-2 Clause 4.2 – Identify the SUC

ISA/IEC 62443-3-2:2020, Clause 4.2 covers identifying the system under consideration (SUC) as zone and conduit requirement ZCR 1.

ZCR 1 makes the assessment scope unambiguous: which automation assets are in, where the security boundary sits, and every path that crosses it. Without that clarity, zone partitions and risk scores have nothing solid to hang on.

Teaching note: The summaries below paraphrase ISA/IEC 62443-3-2:2020 for learning purposes. They are not a verbatim extract of the standard — always refer to the published text for normative wording and assessment.

Reference: ISA/IEC 62443-3-2:2020, Clause 4.2
Related: Zone, Conduit and Risk Assessment (Clause 4) | IEC 62443-1-1 Models

ZCR pages: ZCR 1 | ZCR 2 | ZCR 3 | ZCR 4 | ZCR 5 | ZCR 6 | ZCR 7


Requirements in this ZCR


ZCR 1 – Identify the SUC

Reference: ISA/IEC 62443-3-2, Clause 4.2

ZCR 1.1: Identify the SUC perimeter and access points

Clause: 4.2.1

Summary
The organisation shall define the SUC clearly: mark the security perimeter and list all access points into that boundary. The SUC should include every IACS asset needed for a complete automation solution — not a thin slice of devices that ignores supporting subsystems.

Large sites often run several control systems. Any one of them can be declared an SUC for analysis. Typical contents can span BPCS/DCS, SIS, SCADA packages, supplier packages, and increasingly IIoT or cloud-linked services when they form part of the automation solution.

Inventories, system and network diagrams, and data-flow views are the usual evidence used to justify what sits inside the perimeter and where traffic crosses it.


Key Takeaways