ZCR 5 is applied to every zone and conduit (with permitted grouping where threats,
consequences or assets are similar, or where a standardised reference design is
replicated). It walks each partition from threats and vulnerabilities through unmitigated
risk and SL-T, then through existing and additional countermeasures to
residual risk, ending with protected documentation for stakeholders.
ZCR 5 – Detailed cybersecurity risk assessment
Reference: ISA/IEC 62443-3-2, Clause 4.6
ZCR 5.1: Identify threats
Clause: 4.6.2
Summary
Develop a list of threats that could affect assets inside the zone or conduit. Useful
threat records typically describe the source, capability/skill, possible vectors and
affected assets. Grouping into classes is acceptable when the raw list would be unwieldy.
ZCR 5.2: Identify vulnerabilities
Clause: 4.6.3
Summary
Analyse the zone or conduit and record known vulnerabilities of its assets — including
access points. Vulnerability assessments and trusted sources (for example ICS-CERT,
product suppliers) help keep the list realistic.
ZCR 5.3: Determine consequence and impact
Clause: 4.6.4
Summary
For each threat scenario, evaluate consequence and impact — ideally as worst-case effect
on areas such as personnel safety, finance, business interruption and environment. Draw
on existing PHAs and related risk studies. Low impact may mean moving quickly to the next
threat.
ZCR 5.4: Determine unmitigated likelihood
Clause: 4.6.5
Summary
Estimate the chance each threat materialises without counting existing
cybersecurity countermeasures (treat those as temporarily removed). Inherent component
behaviour and non-cyber IPLs (physical security, mechanical safeguards, emergency
procedures) may still be recognised. Qualitative or quantitative methods are allowed;
consequence-only methods that treat likelihood as constantly present are also permitted.
ZCR 5.5: Determine unmitigated cybersecurity risk
Clause: 4.6.6
Summary
Combine impact (ZCR 5.3) and unmitigated likelihood (ZCR 5.4) — typically via the
corporate risk matrix — to obtain unmitigated cybersecurity risk for each threat.
ZCR 5.6: Determine SL-T
Clause: 4.6.7
Summary
Establish a target security level (SL-T) for each zone or conduit. SL-T may be a single
value or a vector. There is no single mandated calculation: common approaches use the gap
to tolerable risk, the SL definitions in Part 3-3 / Annex A, or iterative risk-matrix
checks that raise SL until residual risk becomes acceptable.
SL-T communicates the desired protection level to designers, implementers and operators.
It later pairs with Part 3-3 capability levels when selecting technical requirements.
ZCR 5.7: Compare unmitigated risk with tolerable risk
Clause: 4.6.8
Summary
Compare each threat’s unmitigated risk with tolerable risk. If it exceeds tolerance,
decide whether to accept, transfer or mitigate. Mitigation continues through ZCR 5.8–5.12;
otherwise document under ZCR 5.13 and move to the next threat.
ZCR 5.8: Identify and evaluate existing countermeasures
Clause: 4.6.9
Summary
Identify controls already present in the SUC and judge how effectively they reduce
likelihood or impact. Part 3-3 SL-C assignments help reason about technical control
strength.
ZCR 5.9: Reevaluate likelihood and impact
Clause: 4.6.10
Summary
Re-score likelihood and impact with those existing countermeasures applied (technical,
administrative and procedural). This produces mitigated values for residual risk.
ZCR 5.10: Determine residual risk
Clause: 4.6.11
Summary
Combine mitigated likelihood and mitigated impact for each threat to obtain residual risk —
a measure of current exposure and of how well existing controls work.
ZCR 5.11: Compare residual risk with tolerable risk
Clause: 4.6.12
Summary
Compare residual risk against tolerable risk. Where residual risk remains too high,
decide under policy whether to accept, transfer or further mitigate.
ZCR 5.12: Identify additional cybersecurity countermeasures
Clause: 4.6.13
Summary
Unless the organisation chooses to tolerate or transfer remaining risk, identify further
technical, administrative or procedural controls to bring residual risk within tolerance.
Moving an asset into a higher-security zone can also reduce exposure. Part 3-3 is a guide
for selecting technical measures and judging SL-C effectiveness; cost and complexity
should be weighed in design.
ZCR 5.13: Document and communicate results
Clause: 4.6.14
Summary
Document, report and distribute the detailed assessment to appropriate stakeholders,
protecting confidentiality with suitable information-security classification. Record
session dates, participant names and titles, and archive supporting inputs (architecture
diagrams, PHAs, vulnerability and gap assessments, threat sources) with the assessment.
The assessment is a living artefact for testing, audit and later refresh — and a
sensitive one, because it often lists vulnerabilities and current safeguards.