Module 3: IEC 62443 series structure (3/4)
3-2 and 3-3: risk assessment and system requirements
Duration: 40 min
Group 3: the system layer
Group 3 documents address the technical architecture of the IACS. Where Group 2 is about organisation and process, Group 3 is about zones, conduits, risk scores, and the specific security requirements that systems must meet.
This lesson introduces the two most operationally important documents in the entire series.
IEC 62443-3-2: Security risk assessment for system design
Status: Published (2020)
This is the risk-assessment methodology that drives every security decision in an IEC 62443 programme. The Risk Assessment specialist track (the next course after Foundations) covers it in full depth; here we introduce the structure.
The 3-2 process
Step by step
| Step | Input | Output |
|---|---|---|
| 1. Define SUC | Plant drawings, asset inventory, network diagrams | Scope boundary — what is in and out of the assessment |
| 2. High-level risk assessment | Threat landscape, business-impact analysis | Initial risk ranking; identification of worst-case scenarios |
| 3. Partition | Network topology, data flows, process dependencies | Zone & conduit diagram |
| 4. Detailed risk assessment | Threats per zone, vulnerabilities, consequences, likelihood | Risk scores per zone |
| 5. Assign SL-T | Risk scores, tolerable risk threshold | SL-T vector for each zone |
| 6. Document | All of the above | Formal risk register |
| 7. Reassess | Change triggers (new threat, new asset, process modification) | Updated risk register |
The zone & conduit diagram
This is the single most important artefact of a 3-2 assessment. It shows:
- Every zone, labelled with its SL-T.
- Every conduit between zones, labelled with permitted protocols, direction, and enforcement mechanism.
- The Purdue level of each zone.
Worked example
A well-drawn zone & conduit diagram lets a new engineer walk into the plant, look at one page, and understand: where the security boundaries are, what traffic is allowed, and what level of protection each zone requires.
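To make the "one page" concrete, here is an added example (not code from the standard or this course) of a minimal data model for the zone & conduit diagram, with the labelling checks a reviewer applies before signing it off: every zone has a Purdue level and a full SL-T vector, every conduit names its protocols, direction and enforcement mechanism and joins two defined zones. The FR abbreviations are the standard ones from 1-1; the zones, conduits and SL-T values are constructed sample data.

```python
from dataclasses import dataclass

FRS = ("IAC", "UC", "SI", "DC", "RDF", "TRE", "RA")   # the seven FRs of 62443-1-1
DIRECTIONS = ("src->dst", "bidirectional")

@dataclass
class Zone:
    name: str
    purdue_level: int
    sl_t: dict                 # FR abbreviation -> target SL (0-4)

@dataclass
class Conduit:
    src: str
    dst: str
    protocols: tuple           # permitted protocols, e.g. ("OPC UA",)
    direction: str             # one of DIRECTIONS
    enforcement: str           # mechanism at the boundary, e.g. "firewall"

def validate(zones, conduits):
    # Returns labelling defects; an empty list means the diagram carries every label 3-2 expects.
    problems, names = [], {z.name for z in zones}
    for z in zones:
        missing = [fr for fr in FRS if fr not in z.sl_t]
        if missing:
            problems.append(f"zone {z.name}: no SL-T for {missing}")
        if any(v not in range(5) for v in z.sl_t.values()):
            problems.append(f"zone {z.name}: SL-T values must be 0-4")
    for c in conduits:
        tag = f"conduit {c.src}->{c.dst}"
        for end in (c.src, c.dst):
            if end not in names:
                problems.append(f"{tag}: unknown zone {end}")
        if not c.protocols:
            problems.append(f"{tag}: no permitted protocols listed")
        if c.direction not in DIRECTIONS:
            problems.append(f"{tag}: direction must be one of {DIRECTIONS}")
        if not c.enforcement:
            problems.append(f"{tag}: no enforcement mechanism")
    return problems

def render(zones, conduits):
    # One-page text view: zones with Purdue level and SL-T vector, then conduits.
    out = [f"[L{z.purdue_level}] {z.name}  SL-T={''.join(str(z.sl_t.get(fr, '?')) for fr in FRS)}" for z in zones]
    out += [f"{c.src} {'<->' if c.direction == 'bidirectional' else '->'} {c.dst}: "
            f"{', '.join(c.protocols)} via {c.enforcement}" for c in conduits]
    return "\n".join(out)

# Constructed sample: a control zone and a supervisory zone joined by one firewall-enforced
# conduit, plus a second conduit that is deliberately defective (unknown zone, no enforcement).
ZONES = [Zone("Control", 2, dict(zip(FRS, (2, 2, 3, 1, 2, 2, 3)))),
         Zone("Supervisory", 3, dict(zip(FRS, (2, 2, 2, 2, 2, 2, 2))))]
CONDUITS = [Conduit("Control", "Supervisory", ("OPC UA",), "src->dst", "firewall"),
            Conduit("Supervisory", "Enterprise", ("HTTPS",), "src->dst", "")]
```

Running `validate(ZONES, CONDUITS)` lists the two defects in the second conduit; `render(ZONES, CONDUITS[:1])` prints the one-page view for the well-formed part.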
IEC 62443-3-3: System security requirements and security levels
Status: Published (2013; Edition 2.0 expected)
This is the technical requirements catalogue — the document that tells you exactly what a system must do at each Security Level.
Structure
3-3 organises its requirements as:
- 7 Foundational Requirements (FRs) — the same seven from 1-1.
- System Requirements (SRs) — specific, testable requirements under each FR.
- Requirement Enhancements (REs) — additional requirements that apply at higher SLs.
How SRs map to SLs
Each SR has a base level and optional enhancements:
| SR | Description | SL 1 | SL 2 | SL 3 | SL 4 |
|---|---|---|---|---|---|
| SR 1.1 | Human user identification & authentication | Required | Required | Required | Required |
| SR 1.1 RE 1 | Unique identification | — | Required | Required | Required |
| SR 1.1 RE 2 | Multifactor authentication | — | — | Required | Required |
| SR 1.1 RE 3 | Hardware-backed credential storage | — | — | — | Required |
Key takeaway: reading the table
To meet SL 2 for FR 1, your system must implement SR 1.1 (base) plus SR 1.1 RE 1. To meet SL 3, add RE 2. To meet SL 4, add RE 3. Each SL is a strict superset of the one below.
Key SRs you'll encounter repeatedly
- SR 1.1 — Human user identification & authentication.
- SR 2.1 — Authorisation enforcement (role-based access).
- SR 3.2 — Malicious code protection (application whitelisting preferred over AV in OT).
- SR 3.4 — Software and information integrity (PLC change detection).
- SR 5.1 — Network segmentation (zone enforcement).
- SR 6.1 — Audit log accessibility (continuous monitoring).
- SR 7.1 — Denial-of-service protection (QoS, rate limiting).
How 3-2 and 3-3 work together
- 3-2 produces SL-T for each zone.
- 3-3 tells you which SRs you must implement to reach that SL-T.
- You build / configure the system to meet those SRs.
- You measure the actual SL-A (per 1-3 metrics).
- Any gap between SL-T and SL-A is residual risk — document it, compensate for it, or accept it.
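Carrying the "strict superset" rule from the SR 1.1 table and the SL-T/SL-A gap through in code, as an added example that is not part of the standard or this course: `CATALOGUE` holds only the four SR 1.1 rows shown above (a real check loads the full 3-3 catalogue), `achieved_sl` derives SL-A for an FR from the set of implemented requirements, and `residual_gaps` compares it with the SL-T vector from 3-2. The implemented sets are constructed sample data.

```python
# Catalogue fragment copied from the SR 1.1 table on this page: requirement -> lowest SL at
# which it is required. Edition 2.0 or the full 3-3 catalogue would add many more entries.
CATALOGUE = {
    "FR1": {
        "SR 1.1":      1,   # base: human user identification & authentication
        "SR 1.1 RE 1": 2,   # unique identification
        "SR 1.1 RE 2": 3,   # multifactor authentication
        "SR 1.1 RE 3": 4,   # hardware-backed credential storage
    },
}

def achieved_sl(fr, implemented):
    # SL-A for one FR: the highest SL at which every requirement required at that level
    # and every level below it is implemented. One missing lower-level item caps the result.
    reqs, sl_a = CATALOGUE[fr], 0
    for level in (1, 2, 3, 4):
        needed = [r for r, min_sl in reqs.items() if min_sl <= level]
        if not all(r in implemented for r in needed):
            break
        sl_a = level
    return sl_a

def residual_gaps(sl_t, implemented):
    # FR -> (SL-T, SL-A, requirements still missing up to SL-T), only where SL-A < SL-T.
    gaps = {}
    for fr, target in sl_t.items():
        sl_a = achieved_sl(fr, implemented)
        if sl_a < target:
            missing = sorted(r for r, m in CATALOGUE[fr].items() if m <= target and r not in implemented)
            gaps[fr] = (target, sl_a, missing)
    return gaps

# Constructed sample: RE 3 is in place but RE 2 was skipped, so SL-A stays at 2 despite the SL 4 item.
IMPLEMENTED = {"SR 1.1", "SR 1.1 RE 1", "SR 1.1 RE 3"}
SL_T = {"FR1": 3}   # target from the 3-2 assessment for this zone

if __name__ == "__main__":
    for fr, (t, a, missing) in residual_gaps(SL_T, IMPLEMENTED).items():
        print(f"{fr}: SL-T {t}, SL-A {a}, residual risk; missing {missing}")
```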
Analogy
3-2 is the building code inspection that says "this wall must be fire-rated for 2 hours." 3-3 is the catalogue of fire-rated materials and construction methods that achieve a 2-hour rating. The architect picks from the catalogue; the inspector verifies the result.
Key Takeaways
- 3-2 defines the risk-assessment methodology: scope → partition → assess → assign SL-T → document.
- The zone & conduit diagram is the key output of a 3-2 assessment.
- 3-3 provides the technical requirements catalogue organised by FR, SR, and SL.
- Each SL is a strict superset of the one below — meeting SL 3 means meeting all of SL 2 plus additional enhancements.
- The gap between SL-T (what you need) and SL-A (what you have) is your residual risk.
Knowledge Check
3 questions — test your understanding before moving on.
Q1. What is the most important output artefact of an IEC 62443-3-2 risk assessment?
- A vulnerability scan report.
- A zone and conduit diagram showing every zone with its SL-T and every conduit with permitted protocols.
- A list of all devices on the network.
- A penetration test report.
The zone and conduit diagram is the single most important artefact of a 3-2 assessment. It shows every zone labelled with its SL-T, every conduit between zones with permitted protocols, direction, and enforcement mechanism, and the Purdue level of each zone.
Q2. In IEC 62443-3-3, how does a system meet SL 3 for a given Foundational Requirement?
- By implementing any three System Requirements from that FR.
- By implementing all SRs required at SL 1 and SL 2, plus the SL 3 requirement enhancements.
- By passing a penetration test conducted by a certified assessor.
- By deploying a firewall at every zone boundary.
Each SL is a strict superset of the one below. To meet SL 3 for an FR, the system must implement all base SRs (SL 1), plus SL 2 enhancements, plus SL 3 enhancements. Missing any single requirement at a lower level drops the achieved SL for that FR.
Q3. What does the gap between SL-T and SL-A represent?
- The budget shortfall for security controls.
- The time needed to achieve compliance.
- Residual risk — the difference between what security level you need and what you have actually achieved.
- The number of additional devices needed.
The gap between SL-T (target, from risk assessment) and SL-A (achieved, from measurement) is residual risk. This gap must be documented, and for each gap the organisation must either remediate (implement missing controls) or formally accept the risk with compensating measures.