← Home

IEC 62443-3-2 Clause 4 – Zone, Conduit and Risk Assessment Requirements

ISA/IEC 62443-3-2:2020 (ANSI/ISA-62443-3-2-2020) specifies how to define a system under consideration (SUC), partition it into zones and conduits, assess cybersecurity risk for each partition, set a target security level (SL-T), and capture the outcome in a cybersecurity requirements specification (CRS).

Clause 4 organises those engineering steps as zone and conduit requirements (ZCRs). The series does not offer a single “secure by recipe” design: every plant presents different threats, vulnerabilities and business tolerance for risk. Part 3-2 gives a consistent method so design decisions follow risk rather than guesswork.

Teaching note: The summaries on this site paraphrase ISA/IEC 62443-3-2:2020 for learning purposes. They are not a verbatim extract of the standard — always refer to the published text for normative wording and assessment.

Reference: ISA/IEC 62443-3-2:2020, Clause 4
Related: Cyber Risk Concepts | IEC 62443-1-1 Models | IEC 62443-3-3 Security Levels | IEC 62443-3-3 Foundational Requirements | IEC 62443-2-1 Security Program (2024) | Network Segmentation

ZCR pages: ZCR 1 | ZCR 2 | ZCR 3 | ZCR 4 | ZCR 5 | ZCR 6 | ZCR 7

Workflow for establishing zones and conduits and assessing risk (ZCR 1 through ZCR 7)
Figure 2 – Workflow diagram outlining the primary steps required to establish zones and conduits, as well as to assess risk (ANSI/ISA-62443-3-2-2020).

Purpose and Scope

Part 3-2 sits in the “system” group of the ISA/IEC 62443 series. It tells asset owners, integrators, suppliers, service providers and compliance authorities what to produce when assessing risk for system design — not which firewall brand to buy.

In practice the outputs feed Part 3-3: each zone and conduit’s SL-T is aligned with the capability security levels (SL-C) that technical requirements are expected to deliver. Day-to-day organisational programme requirements live in Part 2-1; Part 3-2 is the design-time risk and zone/conduit method.

Zones and conduits themselves are introduced in Part 1-1. A zone groups assets that share common security needs; a conduit is the controlled communications path between zones (or within them). Every asset in an SUC belongs to a zone or a conduit.


What Clause 4 Requires

Clause 4 sets out seven ZCR groups that follow a workflow from scoping the SUC through to management approval. Flowcharts in the standard are informative — alternate sequences are acceptable if the requirements are still met.

ZCR Title In plain terms Clause
ZCR 1 Identify the SUC Draw a clear perimeter and list every way in. 4.2
ZCR 2 Initial cybersecurity risk assessment Estimate worst-case unmitigated risk if the IACS is compromised. 4.3
ZCR 3 Partition into zones and conduits Group assets by risk and best-practice separation rules. 4.4
ZCR 4 Risk comparison Decide whether detailed assessment is needed against tolerable risk. 4.5
ZCR 5 Detailed cybersecurity risk assessment Per zone/conduit: threats, vulnerabilities, SL-T, residual risk, controls. 4.6
ZCR 6 Document requirements, assumptions and constraints Produce the CRS and the supporting zone/conduit record. 4.7
ZCR 7 Asset owner approval Accountable management reviews and signs the risk outcome. 4.8

Recommended Workflow

A typical path (as outlined in the standard’s Clause 4 workflow) looks like this:

  1. ZCR 1 — Define the SUC boundary and access points using inventories, architecture drawings and data flows.
  2. ZCR 2 — Run (or refresh) an initial risk view of worst-case impact, drawing on PHAs, corporate risk matrices and threat intelligence where relevant.
  3. ZCR 3 — Partition the SUC into zones and conduits, applying mandatory separations (business vs IACS, safety vs non-safety) and the recommended separations for temporary, wireless and externally connected devices.
  4. ZCR 4 — Compare that initial risk with organisational tolerable risk. If risk is already tolerable, you may skip the detailed loop; if not, continue.
  5. ZCR 5 — Perform a detailed assessment per zone or conduit (or grouped where similar), set SL-T, evaluate existing and additional countermeasures, and document residual risk.
  6. ZCR 6 — Capture mandatory controls, assumptions and constraints in a CRS.
  7. ZCR 7 — Obtain approval from asset-owner management accountable for process safety, integrity and reliability.
Design tip: Zone assignments can be refined after the detailed risk assessment. Initial partitioning is a starting model, not a permanently frozen drawing.

Key Outcomes


Relationship to Other Parts

Part Role relative to 3-2
1-1 Defines zone/conduit concepts and models used throughout the series.
2-1 Operational Security Program that keeps controls alive after design handover.
3-3 System security requirements and SL-C guidance aligned with SL-T from 3-2.
4-1 / 4-2 Product development lifecycle and component capability requirements that suppliers use when matching design needs.

Key Takeaways


References