IEC 62443-3-2

Last edit: 23/02/2026

IEC 62443-3-2 is the standard that defines how to run a risk assessment of an IACS.

The standard is developed by the same IEC Technical Committee that develops the functional safety standards of the IEC 61508 and IEC 61511 series (IEC TC 65). That means it is tailored more to the risks of large chemical facilities than to the risks of machinery such as a transfer machine or a rolling mill.

In any case there is no simple recipe for how to secure an industrial automation and control system (IACS), and there is a good reason for this: security is a matter of risk management. Every IACS presents a different risk to the organization depending upon the threats it is exposed to, the likelihood of those threats arising, the inherent vulnerabilities in the system and the consequences if the system were to be compromised. Furthermore, every organization that owns and operates an IACS has a different tolerance for risk.

The standard defines a set of engineering measures that will guide an organization through the process of assessing the risk of a particular IACS and identifying and applying security countermeasures to reduce that risk to tolerable levels.

[IEC 62443-3-3: 2009] 3 Terms, definitions, abbreviated terms, acronyms and conventions

3.1.6 countermeasure. Action, device, procedure, or technique that reduces a threat, a vulnerability, or the consequences of an attack by eliminating or preventing it, by minimizing the harm it can cause, or by discovering and reporting it so that corrective action can be taken

Scope of the Standard

This part of IEC 62443 establishes requirements for:

  • defining a system under consideration (SUC) for an industrial automation and control system (IACS);
  • partitioning the SUC into zones and conduits;
  • assessing risk for each zone and conduit;
  • establishing the target security level (SL-T) for each zone and conduit; and
  • documenting the security requirements.

[IEC 62443-3-3: 2009] 3 Terms, definitions, abbreviated terms, acronyms and conventions

3.1.1 Channel. Specific logical or physical communication link between assets

3.1.3 Conduit. Logical grouping of communication channels that share common security requirements connecting two or more zones.

3.1.25 Zone. Grouping of logical or physical assets based upon risk or other criteria, such as criticality of assets, operational function, physical or logical location, required access (for example, least privilege principles) or responsible organization

Note 1 to entry: Collection of logical or physical assets that represents partitioning of a system under consideration on the basis of their common security requirements, criticality (for example, high financial, health, safety, or environmental impact), functionality, logical and physical (including location) relationship.

The Initial Risk Assessment

The purpose of the initial cyber security risk assessment is to gain an initial understanding of the worst-case risk the SUC presents to the organization should it be compromised. This is typically evaluated in terms of impacts to health, safety, environmental, business interruption, production loss, product quality, financial, legal, regulatory, reputation, etc. This assessment assists with the prioritization of detailed risk assessments and facilitates the grouping of assets into zones and conduits within the SUC.

The initial risk assessment allows a better grouping of assets into zones and conduits. That grouping is needed to identify those assets which share common security requirements and to permit the identification of the common security measures required to mitigate risk. The assignment of IACS assets to zones and conduits may be adjusted based upon the results of the detailed risk assessment.

The Detailed Risk Assessment

The main objective of the IEC 62443-3-2 detailed risk assessment is to:

    • Identify cybersecurity threats to the IACS
    • Evaluate the potential impact of cyber incidents on safety, operations, and business
    • Determine appropriate target security levels (SL-T) for each part of the system
    • Provide traceable inputs for system security requirements

The assessment is risk-based, meaning security controls are proportional to the consequences and likelihood of cyber threats.

Some examples of threat descriptions are:

    • A non-malicious employee physically accesses the process control zone and plugs a USB memory stick into one of the computers;
    • An authorized support person logically accesses the process control zone using an infected laptop; and
    • A non-malicious employee opens a phishing email compromising their access credentials.

The objective is to determine the required security level that each zone and conduit must have. There is no such thing as a 100% secure control system, just as there is no such thing as a 100% safe control system. The IEC 62443 series defines 4 security levels.
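To make the workflow above concrete, here is an added example (written for this page, not taken from the standard or from any vendor tool) that models the five steps of the scope section: define the SUC as a list of assets, partition it into zones and conduits, run the initial worst-case assessment, run the detailed assessment over the three threat scenarios listed above, and derive an SL-T per zone and conduit. The asset list, the impact and likelihood scales, the risk matrix, the risk-to-SL-T thresholds, the fallback for zones without a scenario and the rule that a conduit inherits the SL-T of the stronger zone it joins are all assumptions of this example; IEC 62443-3-2 deliberately leaves those choices to the organization's risk tolerance.

```python
"""Illustrative IEC 62443-3-2 style risk assessment (added example, not from the standard).

Scales, risk matrix and SL-T thresholds below are ASSUMED for illustration.
"""
from dataclasses import dataclass, field

# Ordinal scales (constructed): 1 = lowest, 4 = highest.
IMPACT = {"negligible": 1, "minor": 2, "major": 3, "catastrophic": 4}
LIKELIHOOD = {"remote": 1, "unlikely": 2, "possible": 3, "likely": 4}


def sl_target(risk_score: int) -> int:
    """Assumed mapping from risk score (impact x likelihood, 1..16) to SL-T 1..4."""
    if risk_score >= 12:
        return 4
    if risk_score >= 8:
        return 3
    if risk_score >= 4:
        return 2
    return 1


@dataclass(frozen=True)
class Asset:
    name: str
    function: str            # operational function, used here as the zoning criterion
    worst_case_impact: str   # key into IMPACT


@dataclass
class Zone:
    name: str
    assets: list = field(default_factory=list)
    sl_t: int = 0


@dataclass
class Conduit:
    name: str
    zone_a: str
    zone_b: str
    channels: tuple          # logical/physical links grouped by the conduit
    sl_t: int = 0


@dataclass(frozen=True)
class ThreatScenario:
    description: str
    zone: str
    likelihood: str
    impact: str


def partition_by_function(assets):
    """Step 2: group assets into zones by operational function (one zone per function)."""
    zones = {}
    for a in assets:
        zones.setdefault(a.function, Zone(name=a.function)).assets.append(a)
    return zones


def initial_assessment(zones):
    """Initial assessment: worst-case impact per zone, likelihood not yet considered."""
    return {name: max(IMPACT[a.worst_case_impact] for a in z.assets)
            for name, z in zones.items()}


def detailed_assessment(zones, conduits, scenarios):
    """Detailed assessment: highest impact x likelihood per zone, then SL-T per zone and conduit."""
    worst_case = initial_assessment(zones)
    score = {}
    for s in scenarios:
        score[s.zone] = max(score.get(s.zone, 0), IMPACT[s.impact] * LIKELIHOOD[s.likelihood])
    for name, z in zones.items():
        # Assumed fallback: a zone with no scenario keeps its worst-case impact at 'possible' likelihood.
        z.sl_t = sl_target(score.get(name, worst_case[name] * LIKELIHOOD["possible"]))
    for c in conduits:
        # Assumed conservative rule: a conduit is protected to the level of the stronger zone it joins.
        c.sl_t = max(zones[c.zone_a].sl_t, zones[c.zone_b].sl_t)
    return {**{z.name: z.sl_t for z in zones.values()}, **{c.name: c.sl_t for c in conduits}}


def review_partitioning(zones, conduits):
    """Consistency checks on the zone/conduit model; returns human-readable findings."""
    findings = []
    for c in conduits:
        if c.zone_a == c.zone_b:
            findings.append(f"{c.name}: a conduit must connect two distinct zones")
        for zn in (c.zone_a, c.zone_b):
            if zn not in zones:
                findings.append(f"{c.name}: references unknown zone {zn!r}")
    for z in zones.values():
        levels = {IMPACT[a.worst_case_impact] for a in z.assets}
        if max(levels) - min(levels) >= 2:  # assumed heuristic: mixed criticality suggests a split
            findings.append(f"{z.name}: assets differ widely in worst-case impact; consider splitting the zone")
    return findings


# Constructed sample SUC (step 1) and the three threat scenarios quoted in the text.
SAMPLE_ASSETS = [
    Asset("PLC-1", "process control", "catastrophic"),
    Asset("HMI-1", "process control", "major"),
    Asset("Badge printer", "process control", "negligible"),
    Asset("Historian", "plant information", "minor"),
    Asset("Engineering workstation", "engineering", "major"),
]
SAMPLE_CONDUITS = [
    Conduit("conduit process control<->plant information", "process control", "plant information", ("OPC UA",)),
    Conduit("conduit engineering<->process control", "engineering", "process control", ("engineering protocol",)),
]
SAMPLE_SCENARIOS = [
    ThreatScenario("Non-malicious employee plugs a USB stick into a control-zone computer",
                   "process control", "possible", "catastrophic"),
    ThreatScenario("Authorized support person connects an infected laptop",
                   "engineering", "possible", "major"),
    ThreatScenario("Non-malicious employee opens a phishing email; credentials compromised",
                   "plant information", "likely", "minor"),
]


def run_example():
    """Runs steps 1-5 on the sample SUC; returns (SL-T per zone/conduit, partitioning findings)."""
    zones = partition_by_function(SAMPLE_ASSETS)
    targets = detailed_assessment(zones, SAMPLE_CONDUITS, SAMPLE_SCENARIOS)
    return targets, review_partitioning(zones, SAMPLE_CONDUITS)


if __name__ == "__main__":
    targets, findings = run_example()
    for item, sl in targets.items():
        print(f"SL-T {sl}: {item}")
    for f in findings:
        print("finding:", f)
```

With the sample data the process control zone scores 4 x 3 = 12 and lands on SL-T 4, engineering scores 3 x 3 = 9 (SL-T 3), and plant information scores 2 x 4 = 8 (SL-T 3); both conduits inherit SL-T 4 from the process control zone. The partitioning review flags the process control zone because a negligible-impact badge printer shares a zone with a catastrophic-impact PLC, which is the kind of result that, as the text notes, feeds back into re-grouping assets after the detailed assessment.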
