

Method of High Level Risk Analysis from IEC 62443.

62443 Risk Analysis

The implementation of IEC 62443 begins with a risk analysis. The high-level risk analysis is a stepwise method that is easy to carry out by following the flow described below.

It consists of 7 steps, ZCR1 to ZCR7, explained below.

Here ZCR stands for Zones & Conduit Requirement.

  • ZCR1: identify the SuC (System under Consideration); 
  • ZCR2: carry out a high-level risk analysis; 
  • ZCR3: partition into zones and conduits; 
  • ZCR4: determine if the overall risk level exceeds the tolerable level; 
  • ZCR5: carry out a risk analysis of each zone; 
  • ZCR6: document the requirements for cybersecurity; 
  • ZCR7: obtain approval from the owner of the asset. 


The process begins, in ZCR1, with the identification of the system under consideration. The result is a list of assets, which can be represented by an architecture diagram.


ZCR2 consists of carrying out a global risk analysis of the SuC. The objective is to identify the worst case, as well as the risk generated by a malfunction of the IACS. The level of risk is assessed with a risk matrix, which allows us to situate it in relation to what is tolerated by the organization.


ZCR3 consists of partitioning the SuC into zones and conduits. The objective is to prepare the detailed analysis. We are therefore aiming to obtain a given level of security for each zone.

  • Separate the IT zone from the OT zone(s); 
  • Define specific zones for the SIS; 
  • Define specific zones for temporarily connected equipment; 
  • Define zones for wireless networks; 
  • Separate the zones connected via external networks. 
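The zone rules above, applied to a small asset inventory of the kind ZCR1 produces (an added example, not part of the original article or of IEC 62443 itself). The asset names, the links, the zone labels and the precedence between rules are assumptions made for illustration; a link that crosses a zone boundary is reported as a conduit.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    name: str
    domain: str              # "IT" or "OT"
    sis: bool = False        # part of the safety instrumented system
    temporary: bool = False  # temporarily connected equipment
    wireless: bool = False   # attached through a wireless network
    external: bool = False   # connected via an external network

# Assumed precedence when several rules match: SIS, temporary, wireless.
SPECIAL = (("sis", "SIS"), ("temporary", "TEMPORARY"), ("wireless", "WIRELESS"))

def zone_of(a):
    """Map one asset to a zone label following the ZCR3 rules."""
    for flag, zone in SPECIAL:
        if getattr(a, flag):
            return zone
    return f"{a.domain}-EXTERNAL" if a.external else a.domain

def partition(assets, links):
    """Return (zones, conduits) for an inventory and its network links."""
    zones, zone_by_name, conduits = {}, {}, {}
    for a in assets:
        zone_by_name[a.name] = zone_of(a)
        zones.setdefault(zone_of(a), []).append(a.name)
    for src, dst in links:
        pair = tuple(sorted((zone_by_name[src], zone_by_name[dst])))
        if pair[0] != pair[1]:  # a link inside one zone is not a conduit
            conduits.setdefault(pair, []).append((src, dst))
    return zones, conduits

# Constructed sample inventory and links (hypothetical names).
ASSETS = [
    Asset("erp-server", "IT"),
    Asset("historian", "OT"),
    Asset("plc-1", "OT"),
    Asset("safety-plc", "OT", sis=True),
    Asset("vendor-laptop", "OT", temporary=True),
    Asset("wifi-sensor-gw", "OT", wireless=True),
    Asset("remote-access-gw", "OT", external=True),
]
LINKS = [("erp-server", "historian"), ("historian", "plc-1"),
         ("plc-1", "safety-plc"), ("vendor-laptop", "plc-1"),
         ("wifi-sensor-gw", "plc-1"), ("remote-access-gw", "historian")]

if __name__ == "__main__":
    for part in partition(ASSETS, LINKS):
        print(*sorted(part.items()), sep="\n")
```

Each conduit in the output is a boundary that the detailed analysis of ZCR5 has to cover along with the zones themselves.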


ZCR4 is to determine if the overall risk level exceeds the tolerable level.


In ZCR5, if the overall risk is greater than the tolerable risk, a detailed analysis of each zone is performed. The result of this analysis is, for each zone and conduit, a target security level (SL-T), defined according to the risk level of the zone or conduit in question.


ZCR6 consists of writing the specifications for the cybersecurity requirements. These contain:

  • a description of the SuC, of its function and the process or equipment; 
  • a description of the physical and logical environment;
  • a description of the threats and sources of threats identified; 
  • mandatory, technical and organizational security measures; 
  • the acceptable level of risk; 
  • where applicable, the regulatory obligations with which the installation must comply. 


ZCR7 consists of obtaining approval of the risk analysis from the persons in charge of the IACS who are responsible for the security, integrity and reliability of the process controlled by the SuC.
