← Home

IEC 62443-3-2 Clause 4.3 – Initial Cybersecurity Risk Assessment

ISA/IEC 62443-3-2:2020, Clause 4.3 covers the initial cybersecurity risk assessment as zone and conduit requirement ZCR 2.

ZCR 2 answers a practical question early: if this SUC is interfered with, breached, disrupted or disabled, what is the worst-case unmitigated risk to the organisation? That first cut guides how aggressively to partition zones and whether a full detailed assessment (ZCR 5) is warranted.

Teaching note: The summaries below paraphrase ISA/IEC 62443-3-2:2020 for learning purposes. They are not a verbatim extract of the standard — always refer to the published text for normative wording and assessment.

Reference: ISA/IEC 62443-3-2:2020, Clause 4.3
Related: Zone, Conduit and Risk Assessment (Clause 4) | ZCR 4 – Risk Comparison | ZCR 5 – Detailed Risk Assessment

ZCR pages: ZCR 1 | ZCR 2 | ZCR 3 | ZCR 4 | ZCR 5 | ZCR 6 | ZCR 7


Requirements in this ZCR


ZCR 2 – Initial cybersecurity risk assessment

Reference: ISA/IEC 62443-3-2, Clause 4.3

ZCR 2.1: Perform initial cybersecurity risk assessment

Clause: 4.3.1

Summary
The organisation shall assess cybersecurity risk for the SUC — or confirm that a prior initial assessment still applies — to identify the worst-case unmitigated risk that could arise from interference with, breach of, disruption of, or disablement of mission-critical IACS operations.

Impacts are usually framed against the organisation’s existing risk categories: health and safety, environment, business interruption, production loss, product quality, financial exposure, legal and regulatory exposure, reputation, and similar concerns. The point is not to finish the full threat catalogue yet; it is to size the stakes so work can be prioritised.

For hazardous processes, PHA and functional-safety assessment results (for example work aligned with IEC 61511) should inform that worst-case picture. Threat intelligence from government sources, sector ISACs and other trusted feeds is also useful where available.

Many organisations map the result onto their corporate risk matrix (likelihood versus impact). Annex B of Part 3-2 shows illustrative matrix styles; the important part is using a scale the organisation already understands.


Key Takeaways