Method of High Level Risk Analysis from IEC 62443.

62443 Risk Analysis

The implementation of IEC 62443 begins with a risk analysis. High-level risk analysis is a stepwise method that can be carried out easily by following the flow described below.

It consists of 7 steps, ZCR 1 to ZCR 7, explained below.

Here ZCR stands for Zone & Conduit Requirement.

  • ZCR 1: identify the SuC (System under Consideration); 
  • ZCR 2: carry out a high-level risk analysis; 
  • ZCR 3: partition into zones and conduits; 
  • ZCR 4: determine whether the overall risk level exceeds the tolerable level; 
  • ZCR 5: carry out a risk analysis of each zone; 
  • ZCR 6: document the requirements for cybersecurity; 
  • ZCR 7: obtain approval from the owner of the asset. 

ZCR 1

This process begins with the identification of the system under consideration. The result of this is a list of assets and can be represented by an architecture diagram. 

ZCR 2

This step carries out a global risk analysis of the SuC. The objective is to identify the worst case, as well as the risk generated by a malfunction of the IACS. The level of risk is assessed with a risk matrix, which allows us to situate it in relation to what is tolerated by the organization. 

ZCR 3

This step consists of partitioning the SuC into zones and conduits. The objective is to prepare the detailed analysis: we are aiming to obtain a given level of security for each zone. Typical partitioning rules are: 

  • Separate the IT zone from the OT zone(s); 
  • Define specific zones for the SIS; 
  • Define specific zones for temporarily connected equipment; 
  • Define zones for wireless networks; 
  • Separate the zones connected via external networks. 

ZCR 4

This step determines whether the overall risk level identified in ZCR 2 exceeds the level tolerated by the organization. 

ZCR 5

If the overall risk is greater than the tolerable risk, a detailed analysis of each zone is performed. The result of this analysis is, for each zone and conduit, an SL-T (target security level), defined according to the risk level of the zone or conduit in question. 

ZCR 6

This step consists of writing the specification of the cybersecurity requirements. It contains: 

  • a description of the SuC, of its function and the process or equipment; 
  • a description of the physical and logical environment;
  • a description of the threats and sources of threats identified; 
  • mandatory, technical and organizational security measures; 
  • the acceptable level of risk; 
  • where applicable, the regulatory obligations to which the installation must comply. 

ZCR 7

This step consists of obtaining approval of the risk analysis from the persons in charge of the IACS who are responsible for the security, integrity and reliability of the process controlled by the SuC. 
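As an added example (not from the original post, and not prescribed by IEC 62443), the ZCR flow above is scored on a constructed 5x5 risk matrix: the worst case from ZCR 2 is compared against an assumed tolerable level (ZCR 4), and only when it is exceeded is a per-zone SL-T derived (ZCR 5) through an assumed score-to-SL-T mapping. The assets, scenarios, threshold and mapping are all constructed assumptions; a real assessment uses the asset owner's own matrix and tolerance.

```python
"""Walk-through of the ZCR 1-7 flow. Added example, not from the post or IEC 62443.
Risk matrix, tolerable threshold and risk-to-SL-T mapping are constructed assumptions."""
from dataclasses import dataclass

@dataclass
class Asset:          # ZCR 1: SuC inventory, each asset tagged with its zone (ZCR 3)
    name: str
    zone: str

@dataclass
class Scenario:       # a malfunction/attack scenario scored on the risk matrix
    zone: str
    description: str
    likelihood: int   # 1 (rare) .. 5 (frequent)
    impact: int       # 1 (negligible) .. 5 (catastrophic)

TOLERABLE_RISK = 6    # assumed organisational tolerance on a 5x5 matrix

def risk_score(likelihood: int, impact: int) -> int:
    """Constructed 5x5 risk matrix: risk = likelihood x impact (1..25)."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("matrix cells are 1..5")
    return likelihood * impact

def sl_target(score: int) -> int:
    """Assumed mapping from a zone's worst risk to SL-T; not prescribed by the standard."""
    return 1 if score <= TOLERABLE_RISK else 2 if score <= 12 else 3 if score <= 20 else 4

def analyse(assets, scenarios):
    zones = sorted({a.zone for a in assets})                            # ZCR 3 partition
    worst = max(risk_score(s.likelihood, s.impact) for s in scenarios)  # ZCR 2 worst case
    if worst <= TOLERABLE_RISK:                                         # ZCR 4 comparison
        return {"worst_risk": worst, "detailed": False, "sl_t": {z: 1 for z in zones}}
    sl_t = {}                                                           # ZCR 5 per-zone SL-T
    for z in zones:
        zone_worst = max((risk_score(s.likelihood, s.impact)
                          for s in scenarios if s.zone == z), default=0)
        sl_t[z] = sl_target(zone_worst)
    return {"worst_risk": worst, "detailed": True, "sl_t": sl_t}        # input to ZCR 6/7

# Constructed sample SuC: one IT zone, one OT control zone, one SIS zone.
SAMPLE_ASSETS = [Asset("historian", "IT"), Asset("PLC-1", "OT-control"),
                 Asset("safety-PLC", "SIS")]
SAMPLE_SCENARIOS = [Scenario("IT", "historian outage", 3, 2),
                    Scenario("OT-control", "unauthorised setpoint change", 3, 4),
                    Scenario("SIS", "safety logic tampered with", 3, 5)]

def example():
    return analyse(SAMPLE_ASSETS, SAMPLE_SCENARIOS)
```

The returned dictionary is the material that ZCR 6 documents and ZCR 7 submits for the asset owner's approval.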
