ISA/IEC 62443-3-2:2020 (ANSI/ISA-62443-3-2-2020) specifies how to define a system under consideration (SUC), partition it into zones and conduits, assess cybersecurity risk for each partition, set a target security level (SL-T), and capture the outcome in a cybersecurity requirements specification (CRS).
Clause 4 organises those engineering steps as zone and conduit requirements (ZCRs). The series does not offer a single “secure by recipe” design: every plant presents different threats, vulnerabilities and business tolerance for risk. Part 3-2 gives a consistent method so design decisions follow risk rather than guesswork.
Reference: ISA/IEC 62443-3-2:2020, Clause 4
Related:
Cyber Risk Concepts
|
IEC 62443-1-1 Models
|
IEC 62443-3-3 Security Levels
|
IEC 62443-3-3 Foundational Requirements
|
IEC 62443-2-1 Security Program (2024)
|
Network Segmentation
ZCR pages: ZCR 1 | ZCR 2 | ZCR 3 | ZCR 4 | ZCR 5 | ZCR 6 | ZCR 7
Part 3-2 sits in the “system” group of the ISA/IEC 62443 series. It tells asset owners, integrators, suppliers, service providers and compliance authorities what to produce when assessing risk for system design — not which firewall brand to buy.
In practice the outputs feed Part 3-3: each zone and conduit’s SL-T is aligned with the capability security levels (SL-C) that technical requirements are expected to deliver. Day-to-day organisational programme requirements live in Part 2-1; Part 3-2 is the design-time risk and zone/conduit method.
Zones and conduits themselves are introduced in Part 1-1. A zone groups assets that share common security needs; a conduit is the controlled communications path between zones (or within them). Every asset in an SUC belongs to a zone or a conduit.
Clause 4 sets out seven ZCR groups that follow a workflow from scoping the SUC through to management approval. Flowcharts in the standard are informative — alternate sequences are acceptable if the requirements are still met.
| ZCR | Title | In plain terms | Clause |
|---|---|---|---|
| ZCR 1 | Identify the SUC | Draw a clear perimeter and list every way in. | 4.2 |
| ZCR 2 | Initial cybersecurity risk assessment | Estimate worst-case unmitigated risk if the IACS is compromised. | 4.3 |
| ZCR 3 | Partition into zones and conduits | Group assets by risk and best-practice separation rules. | 4.4 |
| ZCR 4 | Risk comparison | Decide whether detailed assessment is needed against tolerable risk. | 4.5 |
| ZCR 5 | Detailed cybersecurity risk assessment | Per zone/conduit: threats, vulnerabilities, SL-T, residual risk, controls. | 4.6 |
| ZCR 6 | Document requirements, assumptions and constraints | Produce the CRS and the supporting zone/conduit record. | 4.7 |
| ZCR 7 | Asset owner approval | Accountable management reviews and signs the risk outcome. | 4.8 |
A typical path (as outlined in the standard’s Clause 4 workflow) looks like this:
| Part | Role relative to 3-2 |
|---|---|
| 1-1 | Defines zone/conduit concepts and models used throughout the series. |
| 2-1 | Operational Security Program that keeps controls alive after design handover. |
| 3-3 | System security requirements and SL-C guidance aligned with SL-T from 3-2. |
| 4-1 / 4-2 | Product development lifecycle and component capability requirements that suppliers use when matching design needs. |