What is IEC 62443-3-2?
IEC 62443-3-2 is part of the international IEC 62443 series for industrial Cybersecurity. This standard describes how to systematically analyse risks, define Zones and assign Security Levels within industrial automation and control systems (IACS).
IEC 62443-3-2 forms the bridge between risk assessment and the technical security measures described in IEC 62443-3-3.
🧠 What does IEC 62443-3-2 cover?
The standard introduces a step-by-step approach for:
- Identifying and assessing cybersecurity risks
- Defining zones and conduits in line with the Zone and Conduits model
- Assigning Security Levels (SL) based on threats, impact and the protection required
- Determining mitigating measures for risk reduction
🔁 The five core steps in IEC 62443-3-2
- System Definition
- Inventory of assets, functions and interfaces
- Defining the IACS system boundary (scope)
- Zone and Conduit Definition
- Grouping systems with similar security requirements
- Defining logical zones and the communication links (conduits)
- Risk Assessment
- Assessment of threats, vulnerabilities and impact on availability, integrity and confidentiality
- Use of Business Impact Analysis, threat models or Cybersecurity Risk Assessment
- Security Level Target (SL-T) Assignment
- Assigning an SL to each zone or conduit (SL1 through SL4)
- Based on threat profiles and risk acceptance
- Identification of Countermeasures
- Determining which measures are needed to reach the desired SL
- Linkage with the requirements of IEC 62443-3-3
🏭 Application in an OT context
| Zone | Components | SL Target | Example controls |
|---|---|---|---|
| Engineering Zone | Engineering Station, SCADA | SL 2 | Access Control, Patch management |
| Control Zone | PLC, RTU, IO modules | SL 3 | Protocol Filtering, Firewall |
| DMZ / iDMZ | Remote Access, reporting systems | SL 3-4 | Jump Server, MFA, Monitoring |
This approach makes it possible to focus security on the highest-risk zones, without over-engineering elsewhere.
🔐 Linkage with other parts of IEC 62443
| Standard | Role |
|---|---|
| IEC 62443-2-1 | Organisational policy and management system (CSMS) |
| IEC 62443-3-2 | Risk assessment, zones, SL allocation |
| IEC 62443-3-3 | Technical requirements per SL level |
| IEC 62443-2-4 | Requirements for suppliers / integrators |
✅ Benefits of IEC 62443-3-2
- Standardised methodology for OT risk assessment
- Substantiated allocation of Security Levels
- Improved communication between IT, OT and management
- Supports compliance with NIS2, ISO 27001, NIST CSF
📌 In summary
IEC 62443-3-2 provides a structured method for risk assessment and security design in OT networks. It forms the basis for zone classification, SL determination and the selection of appropriate mitigating measures.