← Home

IEC 62443-3-2 Cyber Risk Concepts

Cyber risk is the possibility that an Industrial Automation and Control System (IACS) is compromised through unauthorised access, use, modification, disruption or destruction — with adverse effects on operations, personnel safety, the environment or the organisation.

ISA/IEC 62443 applies general risk-management ideas to IACS design through ISA/IEC 62443-3-2 (security risk assessment for system design). The Clause 4 zone and conduit requirements (ZCRs) turn these concepts into a repeatable engineering workflow. Part 3-3 then supplies the system security requirements used to meet the resulting target security levels (SL-T).

Teaching note: This page is a conceptual primer for Part 3-2 risk thinking (including likelihood × consequence matrices of the kind illustrated in Annex B). It is not a verbatim extract of the standard — always refer to the published text for normative wording and assessment. For the Clause 4 method itself, start with the zone, conduit and risk assessment overview.

Reference: ISA/IEC 62443-3-2:2020 (risk concepts informing Clause 4 and Annex B)
Related: Zone, Conduit and Risk Assessment (Clause 4) | ZCR 2 – Initial Risk Assessment | ZCR 5 – Detailed Risk Assessment | IEC 62443-3-3 Security Levels | IEC 62443-1-1 Security Levels

ZCR pages: ZCR 1 | ZCR 2 | ZCR 3 | ZCR 4 | ZCR 5 | ZCR 6 | ZCR 7

Cyber Risk: Understanding, Assessing and Managing Cyber Risk in IACS
Figure – Understanding, assessing and managing cyber risk in IACS.

Understanding Cyber Risk

The conceptual cyber risk equation is:

Risk = Threat × Vulnerability × Consequence

Threats represent capability and intent to cause harm, vulnerabilities are exploitable weaknesses, and consequences are the impacts if exploitation succeeds.


Practical Risk Assessment

In engineering assessments, threat and vulnerability are often rolled into a single measure called likelihood:

Likelihood = Threat × Vulnerability
Risk = Likelihood × Consequence

That two-factor form fits corporate risk matrices — the same style Part 3-2 uses when combining impact and likelihood in the initial and detailed assessments (ZCR 2, ZCR 5; see also Annex B examples in the standard).


Risk Matrix

Low ConsequenceMediumHigh
LikelyMediumHighExtreme
PossibleLowMediumHigh
UnlikelyLowLowMedium

The ranking helps prioritise treatment and must align with the organisation’s risk tolerance (tolerable risk is compared explicitly in ZCR 4 and again inside ZCR 5).


Threat, Vulnerability and Consequence

Threat examples

Vulnerability examples

Consequence examples

In the detailed assessment these become structured lists per zone or conduit (ZCR 5.1–5.3), not one generic plant-wide bullet list.


Risk Tolerance (Tolerable Risk)

Risk tolerance (tolerable risk in Part 3-2) is the level of cyber risk the organisation is prepared to live with. Risks above that bar need treatment; those below may be accepted with monitoring. The bar is an organisational policy choice and is recorded in the CRS (ZCR 6.8).


Where This Fits in Part 3-2

Part 3-2 turns the concepts above into a design-time method. Read the Clause 4 overview for the full workflow; the ZCR sequence in brief is:

  1. ZCR 1 — Identify the System under Consideration (SUC).
  2. ZCR 2 — Perform an initial cybersecurity risk assessment.
  3. ZCR 3 — Partition the SUC into zones and conduits.
  4. ZCR 4 — Compare initial risk with tolerable risk.
  5. ZCR 5 — Perform detailed assessment, set SL-T, treat residual risk.
  6. ZCR 6 — Document requirements, assumptions and constraints (CRS).
  7. ZCR 7 — Obtain asset owner approval.

After design, implement and verify controls using ISA/IEC 62443-3-3, and keep residual risk under review across the lifecycle (operations programme support sits mainly in Part 2-1).


System under Consideration (SUC)

The SUC is the defined set of IACS assets in scope for the assessment — controllers, HMIs, servers, networking, safety systems and supporting infrastructure needed for the automation solution. Every asset belongs to a zone or a conduit (ZCR 1).


Zones and Conduits

Zones group assets with similar cybersecurity needs. Conduits are the controlled communications paths between (or within) zones. Detailed risk assessment and SL-T assignment run at zone/conduit level (ZCR 3, ZCR 5). Zone/conduit concepts are introduced in Part 1-1.


Relationship between Parts 3-2 and 3-3

62443-3-2Output62443-3-3
Risk assessment for system design (Clause 4 ZCRs) Target Security Levels (SL-T) per zone/conduit System security requirements and capability levels (SL-C) to meet SL-T

Risk Treatment Strategies


Engineering Perspective

Industrial organisations drive cyber risk down to a tolerable level while protecting safety, availability, reliability and continuity. Defence in depth, segmentation, access control, hardening and patching mainly reduce likelihood; safety systems, redundancy and recovery planning mainly limit consequence.


Key Takeaways


References