Cyber risk is the possibility that an Industrial Automation and Control System (IACS) is compromised through unauthorised access, use, modification, disruption or destruction — with adverse effects on operations, personnel safety, the environment or the organisation.
ISA/IEC 62443 applies general risk-management ideas to IACS design through ISA/IEC 62443-3-2 (security risk assessment for system design). The Clause 4 zone and conduit requirements (ZCRs) turn these concepts into a repeatable engineering workflow. Part 3-3 then supplies the system security requirements used to meet the resulting target security levels (SL-T).
Reference: ISA/IEC 62443-3-2:2020 (risk concepts informing Clause 4 and Annex B)
Related:
Zone, Conduit and Risk Assessment (Clause 4)
|
ZCR 2 – Initial Risk Assessment
|
ZCR 5 – Detailed Risk Assessment
|
IEC 62443-3-3 Security Levels
|
IEC 62443-1-1 Security Levels
ZCR pages: ZCR 1 | ZCR 2 | ZCR 3 | ZCR 4 | ZCR 5 | ZCR 6 | ZCR 7
The conceptual cyber risk equation is:
Threats represent capability and intent to cause harm, vulnerabilities are exploitable weaknesses, and consequences are the impacts if exploitation succeeds.
In engineering assessments, threat and vulnerability are often rolled into a single measure called likelihood:
That two-factor form fits corporate risk matrices — the same style Part 3-2 uses when combining impact and likelihood in the initial and detailed assessments (ZCR 2, ZCR 5; see also Annex B examples in the standard).
| Low Consequence | Medium | High | |
|---|---|---|---|
| Likely | Medium | High | Extreme |
| Possible | Low | Medium | High |
| Unlikely | Low | Low | Medium |
The ranking helps prioritise treatment and must align with the organisation’s risk tolerance (tolerable risk is compared explicitly in ZCR 4 and again inside ZCR 5).
In the detailed assessment these become structured lists per zone or conduit (ZCR 5.1–5.3), not one generic plant-wide bullet list.
Risk tolerance (tolerable risk in Part 3-2) is the level of cyber risk the organisation is prepared to live with. Risks above that bar need treatment; those below may be accepted with monitoring. The bar is an organisational policy choice and is recorded in the CRS (ZCR 6.8).
Part 3-2 turns the concepts above into a design-time method. Read the Clause 4 overview for the full workflow; the ZCR sequence in brief is:
After design, implement and verify controls using ISA/IEC 62443-3-3, and keep residual risk under review across the lifecycle (operations programme support sits mainly in Part 2-1).
The SUC is the defined set of IACS assets in scope for the assessment — controllers, HMIs, servers, networking, safety systems and supporting infrastructure needed for the automation solution. Every asset belongs to a zone or a conduit (ZCR 1).
Zones group assets with similar cybersecurity needs. Conduits are the controlled communications paths between (or within) zones. Detailed risk assessment and SL-T assignment run at zone/conduit level (ZCR 3, ZCR 5). Zone/conduit concepts are introduced in Part 1-1.
| 62443-3-2 | Output | 62443-3-3 |
|---|---|---|
| Risk assessment for system design (Clause 4 ZCRs) | Target Security Levels (SL-T) per zone/conduit | System security requirements and capability levels (SL-C) to meet SL-T |
Industrial organisations drive cyber risk down to a tolerable level while protecting safety, availability, reliability and continuity. Defence in depth, segmentation, access control, hardening and patching mainly reduce likelihood; safety systems, redundancy and recovery planning mainly limit consequence.