{"id":51277,"date":"2026-02-23T11:51:27","date_gmt":"2026-02-23T10:51:27","guid":{"rendered":"https:\/\/www.gt-engineering.it\/?post_type=normativa_tecnica&p=51277"},"modified":"2026-03-03T10:02:34","modified_gmt":"2026-03-03T09:02:34","slug":"iec-62443-3-2","status":"publish","type":"normativa_tecnica","link":"https:\/\/www.gt-engineering.it\/en\/technical-standards\/en-iec-standards\/iec-62443-series\/iec-62443-3-2\/","title":{"rendered":"IEC 62443-3-2"},"content":{"rendered":"\n\n \n \n \n
\n\n \n \n \n \r\n\r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n <\/picture>\r\n\r\n \r\n\r\n \r\n \r\n <\/div>\n \n
\n \n
\n

IEC 62443-3-2 is the standard that defines how to run a risk assessment of an IACS.<\/p>\n

The standard is developed by the same IEC Technical Committee that develops the Functional Safety Standards IEC 61508 and IEC 61511 series (IEC TC 65). That means is it tailored more to the risks for large chemical facilities, more than for the risks of a Machinery like a Transfer Machine or a rolling mill.<\/p>\n

In any case there is no simple recipe for how to secure an industrial automation and control system (IACS) and there is good reason for this. It is because security is a matter of risk management. Every IACS presents a different risk to the organization depending upon the threats it is exposed to, the likelihood of those threats arising, the inherent vulnerabilities in the system and the consequences if the system were to be compromised. Furthermore, every organization that owns and operates an IACS has a different tolerance for risk.<\/p>\n

The standard defines a set of engineering measures that will guide an organization through the process of assessing the risk<\/strong> of a particular IACS and identifying and applying security countermeasures to reduce that risk to tolerable levels.<\/p>\n

[IEC 62443-3-3: 2009] 3 Terms, definitions, abbreviated terms, acronyms and conventions<\/strong><\/em><\/p>\n

3.1.6 countermeasure. <\/em><\/strong>Action, device, procedure, or technique that reduces a threat, a vulnerability, or the consequences of an attack by eliminating or preventing it, by minimizing the harm it can cause, or by discovering and reporting it so that corrective action can be taken<\/em><\/p><\/blockquote>\n<\/div> <\/div>\n \n \n

<\/div>\n \n\n <\/div>\n <\/section>\n\n \n\n\n\n\n \n \n \n
\n\n \n
\n \n
\n \n \n

\n Scope of the Standard <\/h2>\n <\/div>\n <\/div>\n \n \n
\n \n
\n

This part of IEC 62443 establishes requirements for:<\/p>\n

    \n
  • defining a system under consideration (SUC) for an industrial automation and control system (IACS);<\/li>\n
  • partitioning the SUC into zones and conduits;<\/li>\n
  • assessing risk for each zone and conduit;<\/li>\n
  • establishing the target security level (SL-T) for each zone and conduit; and<\/li>\n
  • documenting the security requirements.<\/li>\n<\/ul>\n

    [IEC 62443-3-3: 2009] 3 Terms, definitions, abbreviated terms, acronyms and conventions<\/strong><\/em><\/p>\n

    3.1.1 Channel. <\/em><\/strong>Specific logical or physical communication link between assets<\/em><\/p>\n

    3.1.3 Conduit. <\/em><\/strong>Logical grouping of communication channels that share common security requirements connecting two or more zones.<\/em><\/p>\n

    3.1.25 Zone. <\/em><\/strong>Grouping of logical or physical assets based upon risk or other criteria, such as criticality of assets, operational function, physical or logical location, required access (for example, least privilege principles) or responsible organization<\/em><\/p>\n

    Note 1 to entry: <\/em><\/strong>Collection of logical or physical assets that represents partitioning of a system under consideration on the basis of their common security requirements, criticality (for example, high financial, health, safety, or environmental impact), functionality, logical and physical (including location) relationship.<\/em><\/p>\n<\/div> <\/div>\n \n \n

    <\/div>\n \n\n <\/div>\n <\/section>\n\n \n\n\n\n\n \n \n \n
    \n\n \n
    \n \n
    \n \n \n

    \n The Initial Risk Assessement <\/h2>\n <\/div>\n <\/div>\n \n \n
    \n \n
    \n

    The purpose of the initial cyber security risk assessment<\/strong> is to gain an initial understanding of the worst-case risk the SUC presents to the organization should it be compromised. This is typically evaluated in terms of impacts to health, safety, environmental, business interruption, production loss, product quality, financial, legal, regulatory, reputation, etc. This assessment assists with the prioritization of detailed risk assessments and facilitates the grouping of assets into zones and conduits within the SUC.<\/p>\n

    The initial Risk Assessment allows a better grouping of Assets into Zones and Conduits. That is needed to identify those assets which share common security requirements and to permit the identification of common security measures required to mitigate risk. The assignment of IACS assets to zones and conduits may be adjusted based upon the results of the detailed risk assessment.<\/p>\n<\/div> <\/div>\n \n \n

    <\/div>\n \n\n <\/div>\n <\/section>\n\n \n\n\n\n\n \n \n \n
    \n\n \n
    \n \n
    \n \n \n

    \n The Detailed Risk Assessment <\/h2>\n <\/div>\n <\/div>\n \n \n
    \n \n
    \n

    The main objective of the IEC 62443-3-2 detailed risk assessment is to:<\/p>\n

      \n
    • \n
        \n
      • Identify cybersecurity threats to the IACS<\/li>\n
      • Evaluate the potential impact of cyber incidents on safety, operations, and business<\/li>\n
      • Determine appropriate target security levels (SL-T) for each part of the system<\/li>\n
      • Provide traceable inputs for system security requirements<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n

        The assessment is risk-based, meaning security controls are proportional to the consequences and likelihood of cyber threats.<\/p>\n

        Some examples of threat descriptions are<\/strong>:<\/p>\n

          \n
        • \n
            \n
          • A non-malicious employee physically accesses the process control zone and plugs a USB memory stick into one of the computers;<\/li>\n
          • An authorized support person logically accesses the process control zone using an infected laptop; and<\/li>\n
          • A non-malicious employee opens a phishing email compromising their access credentials.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n

            The objective is to determine the required Security Level each Zone and Conduit must have. There is no such a thing as a 100% Secure Control System<\/strong>; like there no such a thing as a 100% Safe Control System<\/strong>. The IEC 62443 series defines 4 security levels.<\/p>\n<\/div> <\/div>\n \n \n

            <\/div>\n \n\n <\/div>\n <\/section>\n\n \n","protected":false},"excerpt":{"rendered":"

            IEC 62443-3-2 is the standard that defines how to run a risk assessment of an IACS<\/p>\n","protected":false},"author":2,"featured_media":51278,"parent":51140,"menu_order":0,"template":"","meta":{"_acf_changed":false,"footnotes":""},"normative-tecniche":[58],"class_list":["post-51277","normativa_tecnica","type-normativa_tecnica","status-publish","has-post-thumbnail","hentry","tipologia_normativa-en-iec-standards"],"acf":{"sottotitolo":"","allegati":null},"yoast_head":"\nIEC 62443-3-2 - Gt-Engineering<\/title>\n<meta name=\"description\" content=\"IEC 62443-3-2 defines a risk-based method to assess and reduce cybersecurity risks in Industrial Automation and Control Systems (IACS).\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.gt-engineering.it\/en\/technical-standards\/en-iec-standards\/iec-62443-series\/iec-62443-3-2\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"IEC 62443-3-2 - Gt-Engineering\" \/>\n<meta property=\"og:description\" content=\"IEC 62443-3-2 defines a risk-based method to assess and reduce cybersecurity risks in Industrial Automation and Control Systems (IACS).\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.gt-engineering.it\/en\/technical-standards\/en-iec-standards\/iec-62443-series\/iec-62443-3-2\/\" \/>\n<meta property=\"og:site_name\" content=\"Gt-Engineering\" \/>\n<meta property=\"article:modified_time\" content=\"2026-03-03T09:02:34+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.gt-engineering.it\/wp-content\/uploads\/2026\/02\/immagine-3-parte.png\" \/>\n\t<meta property=\"og:image:width\" content=\"906\" \/>\n\t<meta property=\"og:image:height\" content=\"724\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"1 minute\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.gt-engineering.it\/en\/technical-standards\/en-iec-standards\/iec-62443-series\/iec-62443-3-2\/\",\"url\":\"https:\/\/www.gt-engineering.it\/en\/technical-standards\/en-iec-standards\/iec-62443-series\/iec-62443-3-2\/\",\"name\":\"IEC 62443-3-2 - Gt-Engineering\",\"isPartOf\":{\"@id\":\"https:\/\/www.gt-engineering.it\/en\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.gt-engineering.it\/en\/technical-standards\/en-iec-standards\/iec-62443-series\/iec-62443-3-2\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.gt-engineering.it\/en\/technical-standards\/en-iec-standards\/iec-62443-series\/iec-62443-3-2\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.gt-engineering.it\/wp-content\/uploads\/2026\/02\/immagine-3-parte.png\",\"datePublished\":\"2026-02-23T10:51:27+00:00\",\"dateModified\":\"2026-03-03T09:02:34+00:00\",\"description\":\"IEC 62443-3-2 defines a risk-based method to assess and reduce cybersecurity risks in Industrial Automation and Control Systems (IACS).\",\"breadcrumb\":{\"@id\":\"https:\/\/www.gt-engineering.it\/en\/technical-standards\/en-iec-standards\/iec-62443-series\/iec-62443-3-2\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.gt-engineering.it\/en\/technical-standards\/en-iec-standards\/iec-62443-series\/iec-62443-3-2\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.gt-engineering.it\/en\/technical-standards\/en-iec-standards\/iec-62443-series\/iec-62443-3-2\/#primaryimage\",\"url\":\"https:\/\/www.gt-engineering.it\/wp-content\/uploads\/2026\/02\/immagine-3-parte.png\",\"contentUrl\":\"https:\/\/www.gt-engineering.it\/wp-content\/uploads\/2026\/02\/immagine-3-parte.png\",\"width\":906,\"height\":724,\"caption\":\"IEC 62443-3-2 is the standard that defines how to run a risk assessment of an IACS.\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.gt-engineering.it\/en\/technical-standards\/en-iec-standards\/iec-62443-series\/iec-62443-3-2\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.gt-engineering.it\/en\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Technical standards\",\"item\":\"https:\/\/www.gt-engineering.it\/en\/normative-tecniche\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"EN IEC Standards\",\"item\":\"https:\/\/www.gt-engineering.it\/en\/technical-standards\/en-iec-standards\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"IEC 62443 Series\",\"item\":\"https:\/\/www.gt-engineering.it\/en\/technical-standards\/en-iec-standards\/iec-62443-series\/\"},{\"@type\":\"ListItem\",\"position\":5,\"name\":\"IEC 62443-3-2\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.gt-engineering.it\/en\/#website\",\"url\":\"https:\/\/www.gt-engineering.it\/en\/\",\"name\":\"Gt-Engineering\",\"description\":\"bizonweb\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.gt-engineering.it\/en\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"IEC 62443-3-2 - Gt-Engineering","description":"IEC 62443-3-2 defines a risk-based method to assess and reduce cybersecurity risks in Industrial Automation and Control Systems (IACS).","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.gt-engineering.it\/en\/technical-standards\/en-iec-standards\/iec-62443-series\/iec-62443-3-2\/","og_locale":"en_US","og_type":"article","og_title":"IEC 62443-3-2 - Gt-Engineering","og_description":"IEC 62443-3-2 defines a risk-based method to assess and reduce cybersecurity risks in Industrial Automation and Control Systems (IACS).","og_url":"https:\/\/www.gt-engineering.it\/en\/technical-standards\/en-iec-standards\/iec-62443-series\/iec-62443-3-2\/","og_site_name":"Gt-Engineering","article_modified_time":"2026-03-03T09:02:34+00:00","og_image":[{"width":906,"height":724,"url":"https:\/\/www.gt-engineering.it\/wp-content\/uploads\/2026\/02\/immagine-3-parte.png","type":"image\/png"}],"twitter_card":"summary_large_image","twitter_misc":{"Est. reading time":"1 minute"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/www.gt-engineering.it\/en\/technical-standards\/en-iec-standards\/iec-62443-series\/iec-62443-3-2\/","url":"https:\/\/www.gt-engineering.it\/en\/technical-standards\/en-iec-standards\/iec-62443-series\/iec-62443-3-2\/","name":"IEC 62443-3-2 - Gt-Engineering","isPartOf":{"@id":"https:\/\/www.gt-engineering.it\/en\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.gt-engineering.it\/en\/technical-standards\/en-iec-standards\/iec-62443-series\/iec-62443-3-2\/#primaryimage"},"image":{"@id":"https:\/\/www.gt-engineering.it\/en\/technical-standards\/en-iec-standards\/iec-62443-series\/iec-62443-3-2\/#primaryimage"},"thumbnailUrl":"https:\/\/www.gt-engineering.it\/wp-content\/uploads\/2026\/02\/immagine-3-parte.png","datePublished":"2026-02-23T10:51:27+00:00","dateModified":"2026-03-03T09:02:34+00:00","description":"IEC 62443-3-2 defines a risk-based method to assess and reduce cybersecurity risks in Industrial Automation and Control Systems (IACS).","breadcrumb":{"@id":"https:\/\/www.gt-engineering.it\/en\/technical-standards\/en-iec-standards\/iec-62443-series\/iec-62443-3-2\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.gt-engineering.it\/en\/technical-standards\/en-iec-standards\/iec-62443-series\/iec-62443-3-2\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.gt-engineering.it\/en\/technical-standards\/en-iec-standards\/iec-62443-series\/iec-62443-3-2\/#primaryimage","url":"https:\/\/www.gt-engineering.it\/wp-content\/uploads\/2026\/02\/immagine-3-parte.png","contentUrl":"https:\/\/www.gt-engineering.it\/wp-content\/uploads\/2026\/02\/immagine-3-parte.png","width":906,"height":724,"caption":"IEC 62443-3-2 is the standard that defines how to run a risk assessment of an IACS."},{"@type":"BreadcrumbList","@id":"https:\/\/www.gt-engineering.it\/en\/technical-standards\/en-iec-standards\/iec-62443-series\/iec-62443-3-2\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.gt-engineering.it\/en\/"},{"@type":"ListItem","position":2,"name":"Technical standards","item":"https:\/\/www.gt-engineering.it\/en\/normative-tecniche\/"},{"@type":"ListItem","position":3,"name":"EN IEC Standards","item":"https:\/\/www.gt-engineering.it\/en\/technical-standards\/en-iec-standards\/"},{"@type":"ListItem","position":4,"name":"IEC 62443 Series","item":"https:\/\/www.gt-engineering.it\/en\/technical-standards\/en-iec-standards\/iec-62443-series\/"},{"@type":"ListItem","position":5,"name":"IEC 62443-3-2"}]},{"@type":"WebSite","@id":"https:\/\/www.gt-engineering.it\/en\/#website","url":"https:\/\/www.gt-engineering.it\/en\/","name":"Gt-Engineering","description":"bizonweb","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.gt-engineering.it\/en\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"}]}},"_links":{"self":[{"href":"https:\/\/www.gt-engineering.it\/en\/wp-json\/wp\/v2\/normativa_tecnica\/51277","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.gt-engineering.it\/en\/wp-json\/wp\/v2\/normativa_tecnica"}],"about":[{"href":"https:\/\/www.gt-engineering.it\/en\/wp-json\/wp\/v2\/types\/normativa_tecnica"}],"author":[{"embeddable":true,"href":"https:\/\/www.gt-engineering.it\/en\/wp-json\/wp\/v2\/users\/2"}],"version-history":[{"count":2,"href":"https:\/\/www.gt-engineering.it\/en\/wp-json\/wp\/v2\/normativa_tecnica\/51277\/revisions"}],"predecessor-version":[{"id":51449,"href":"https:\/\/www.gt-engineering.it\/en\/wp-json\/wp\/v2\/normativa_tecnica\/51277\/revisions\/51449"}],"up":[{"embeddable":true,"href":"https:\/\/www.gt-engineering.it\/en\/wp-json\/wp\/v2\/normativa_tecnica\/51140"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.gt-engineering.it\/en\/wp-json\/wp\/v2\/media\/51278"}],"wp:attachment":[{"href":"https:\/\/www.gt-engineering.it\/en\/wp-json\/wp\/v2\/media?parent=51277"}],"wp:term":[{"taxonomy":"tipologia_normativa","embeddable":true,"href":"https:\/\/www.gt-engineering.it\/en\/wp-json\/wp\/v2\/normative-tecniche?post=51277"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}