IEC 62443-3-2-2020 PDF

St IEC 62443-3-2-2020

Name in English:
St IEC 62443-3-2-2020

Name in Russian:
Ст IEC 62443-3-2-2020

Description in English:

Original standard IEC 62443-3-2-2020 in PDF, full version. Additional information and a preview are available on request.

Description in Russian:
Original standard IEC 62443-3-2-2020 in PDF, full version. Additional information and a preview are available on request.

Document status:
Active

Format:
Electronic (PDF)

Delivery time (for English version):
1 business day

Delivery time (for Russian version):
365 business days

SKU:
stiec07015

Price:
€35

Full title and description

IEC 62443-3-2:2020 — Security for industrial automation and control systems (IACS) — Part 3-2: Security risk assessment for system design. Establishes a structured, zone-and-conduit based methodology to define a System Under Consideration (SUC), assess cyber risk per zone/conduit, determine target security levels (SL‑T), and document security requirements to support secure system design and procurement.

Abstract

IEC 62443-3-2:2020 defines a repeatable approach for performing security risk assessments during the system-design phase for industrial automation and control systems. The standard covers how to identify and bound the SUC, partition the SUC into zones and conduits, perform initial and detailed risk assessments for each partition, set target security levels (SL‑T) based on assessed risk, and capture the resulting security requirements and assumptions for use by asset owners, system integrators and product suppliers.

General information

  • Status: Published — current (stability date: 2027).
  • Publication date: 24 June 2020.
  • Publisher: IEC (International Electrotechnical Commission); also available as regional/adopted editions (e.g., EN/BS/ANSI-ISA adoptions).
  • ICS / categories: 25.040.40, 35.030.
  • Edition / version: Edition 1.0 (IEC 62443-3-2:2020).
  • Number of pages: 31.

Scope

The standard provides requirements and guidance for conducting risk assessments for IACS system design. It specifies the steps to define the System Under Consideration (SUC), partition the SUC into zones and conduits, identify threats and vulnerabilities for each zone/conduit, evaluate consequence and likelihood, derive target security levels (SL‑T), and record the security requirements, assumptions and rationale needed for design, procurement and verification of secure IACS solutions.

Key topics and requirements

  • Definition and scoping of the System Under Consideration (SUC).
  • Zone and conduit model for partitioning the SUC into security domains and communication paths.
  • Initial and detailed risk assessment processes (threats, vulnerabilities, consequence, likelihood, residual risk).
  • Derivation and assignment of Target Security Levels (SL‑T) for confidentiality, integrity and availability per zone and conduit.
  • Documentation requirements: SUC descriptions, zone/conduit diagrams, risk assessment records, SL‑T rationale and security requirements specification.
  • Guidance on aligning assessed risk with tolerable risk and identifying countermeasures or compensating controls.
  • Requirements for stakeholder review and asset-owner approval of assessment outcomes and documented requirements.
  • Use of the results to inform procurement, system architecture design and verification activities.

Typical use and users

This standard is used during system design and procurement of industrial control systems. Typical users include asset owners/operators, control-system engineers, system integrators, cybersecurity and risk assessment teams, procurement and compliance personnel, and auditors. It is applied when specifying security requirements for new builds, major upgrades, system replacements, or when formalizing security requirements for vendor deliverables.

Related standards

IEC 62443-3-2 is part of the IEC 62443 series. Closely related parts include: IEC 62443-1-1 (terminology, concepts and models); IEC 62443-2-1 (establishing an IACS security program); IEC 62443-2-4 (security program requirements for service providers/integrators); IEC 62443-3-3 (system security requirements and security levels); IEC 62443-4-1 (secure product development lifecycle requirements); and IEC 62443-4-2 (technical security requirements for components). Together these parts cover programmatic, system-level and component-level cybersecurity for IACS.

Keywords

IEC 62443, IACS, industrial cybersecurity, risk assessment, system design, zones and conduits, SL‑T, System Under Consideration, security requirements, asset owner, system integrator.

FAQ

Q: What is this standard?

A: IEC 62443-3-2:2020 is an international standard that defines a structured method for conducting security risk assessments focused on system design for industrial automation and control systems (IACS).

Q: What does it cover?

A: It covers scoping the System Under Consideration (SUC), partitioning into zones and conduits, performing risk assessments by partition, deriving target security levels (SL‑T), and documenting the resulting security requirements and assumptions to support secure system design and procurement.

Q: Who typically uses it?

A: Asset owners/operators, control-system designers, system integrators, cybersecurity engineers, risk assessors, procurement and compliance teams, and auditors use the standard to define and verify security requirements during system design.

Q: Is it current or superseded?

A: IEC 62443-3-2 was published on 24 June 2020 (Edition 1.0). Its status is published, with a stability date through 2027. As of 25 February 2026 it is current and not superseded.

Q: Is it part of a series?

A: Yes. It is one part of the IEC 62443 series addressing cybersecurity for industrial automation and control systems; other parts address terminology, program requirements, system requirements (3-3), and product/component lifecycle and technical requirements (4-1, 4-2), among others.

Q: What are the key keywords?

A: System Under Consideration (SUC), zones and conduits, risk assessment, target security level (SL‑T), industrial control systems, security requirements, IEC 62443.