
Method of High Level Risk Analysis from IEC 62443

The implementation of IEC 62443 begins with a risk analysis. The high-level risk analysis defined in IEC 62443-3-2 is a step-wise method that can be followed easily using the flow described below.

7-Step Process (ZCR1 to ZCR7)

Here ZCR stands for Zone and Conduit Requirement, the numbering used for these steps in IEC 62443-3-2.

ZCR 1: Identify the System under Consideration (SuC)

The process begins with identifying the system under consideration (SuC): its boundaries, the assets inside them and the connections between them. The result is an asset list, usually represented by an architecture diagram.

ZCR 2: Carry Out a High-Level Risk Analysis

Carry out an initial, global risk analysis of the whole SuC. The objective is to identify the worst-case consequences of a malfunction or compromise of the IACS, before any countermeasure is credited (the unmitigated risk). The risk level is assessed with a risk matrix (likelihood against consequence), which places it in relation to what the organization tolerates.

ZCR 3: Partition into Zones and Conduits

This step partitions the SuC into zones (groupings of assets sharing common security requirements) and conduits (the communication paths between zones). The objective is to prepare the detailed analysis: each zone and conduit will later be given its own target security level.

Key considerations (the separation criteria of IEC 62443-3-2):

- Separate business (IT) assets from IACS assets.
- Separate safety-related assets from the rest of the IACS.
- Separate temporarily connected devices (for example vendor laptops).
- Separate wireless devices from wired ones.
- Separate devices connected via external or untrusted networks.

ZCR 4: Determine Risk Tolerance

Compare the risk level obtained in ZCR 2 with the tolerable risk defined by the organization. If the initial risk does not exceed it, the detailed zone-by-zone analysis is not required; otherwise continue with ZCR 5.

ZCR 5: Detailed Zone Analysis

If the overall risk is greater than the tolerable risk, a detailed analysis is performed for each zone and conduit: threats, vulnerabilities, consequences and likelihood are assessed and the resulting risk is again compared with the tolerable level. The result of this analysis is, for each zone and conduit, a target security level (SL-T, from SL 1 to SL 4) chosen according to the risk of the zone or conduit in question, so that the residual risk after applying the countermeasures of that level is tolerable.
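The following is an added worked example of ZCR 2 to ZCR 5 (initial risk on a matrix, comparison with tolerable risk, partitioning checks and SL-T per zone); it is not code from the standard or from this page. The five-step likelihood and consequence scales, the multiplicative score, the risk bands, the band-to-SL-T mapping, the tolerable threshold and the sample plant are all assumptions made for this example; IEC 62443-3-2 leaves the matrix design and the tolerable risk to the organization.

```python
from dataclasses import dataclass
from typing import Dict, List

# Ordinal scales for the risk matrix (assumption for this example).
LIKELIHOOD = {"remote": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost_certain": 5}
CONSEQUENCE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}

# Risk bands over the 1..25 product, and the SL-T each band maps to (assumption).
BANDS = [(4, "low"), (9, "medium"), (15, "high"), (25, "very_high")]
SL_T_FOR_BAND = {"low": 1, "medium": 2, "high": 3, "very_high": 4}


@dataclass
class Asset:
    name: str
    kind: str                 # "business", "iacs" or "safety"
    wireless: bool = False
    temporary: bool = False   # e.g. a vendor laptop
    external: bool = False    # reached through an external (untrusted) network


@dataclass
class Scenario:
    """One worst-case malfunction or attack scenario considered in ZCR 2."""
    description: str
    likelihood: str
    consequence: str


@dataclass
class Zone:
    name: str
    assets: List[Asset]
    scenarios: List[Scenario]


def risk_score(likelihood: str, consequence: str) -> int:
    """Cell of the risk matrix: likelihood rank times consequence rank."""
    return LIKELIHOOD[likelihood] * CONSEQUENCE[consequence]


def risk_band(score: int) -> str:
    for upper, band in BANDS:
        if score <= upper:
            return band
    raise ValueError(f"score {score} is outside the matrix")


def zone_risk(zone: Zone) -> int:
    """Unmitigated zone risk is the worst scenario, as ZCR 2 asks for the worst case."""
    return max(risk_score(s.likelihood, s.consequence) for s in zone.scenarios)


def partition_findings(zone: Zone) -> List[str]:
    """ZCR 3 checks against the separation criteria of IEC 62443-3-2."""
    findings = []
    kinds = {a.kind for a in zone.assets}
    if "business" in kinds and kinds & {"iacs", "safety"}:
        findings.append("business and IACS assets share a zone")
    if "safety" in kinds and kinds - {"safety"}:
        findings.append("safety-related assets are not in their own zone")
    for flag, label in (("temporary", "temporarily connected"),
                        ("wireless", "wireless"),
                        ("external", "externally connected")):
        flagged = [a.name for a in zone.assets if getattr(a, flag)]
        if flagged and len(flagged) != len(zone.assets):
            findings.append(f"{label} devices mixed with others: {', '.join(flagged)}")
    return findings


def assess(zones: List[Zone], tolerable: int) -> Dict:
    """ZCR 2, 4 and 5: initial risk, comparison with tolerable risk, SL-T per zone."""
    initial = max(zone_risk(z) for z in zones)
    result = {"initial_risk": initial, "detailed_required": initial > tolerable,
              "sl_t": {}, "findings": {}}
    if not result["detailed_required"]:
        return result  # ZCR 4: the initial risk is already tolerable, stop here
    for z in zones:    # ZCR 5: detailed analysis per zone
        result["findings"][z.name] = partition_findings(z)
        result["sl_t"][z.name] = SL_T_FOR_BAND[risk_band(zone_risk(z))]
    return result


# Constructed sample SuC for this example; it describes no real plant.
SAMPLE_ZONES = [
    Zone("Control",
         [Asset("PLC-1", "iacs"), Asset("HMI-1", "iacs"), Asset("SIS-1", "safety"),
          Asset("Vendor laptop", "iacs", temporary=True)],
         [Scenario("Malware from vendor laptop halts production", "possible", "major"),
          Scenario("Tampered setpoint damages the reactor", "unlikely", "catastrophic")]),
    Zone("Enterprise", [Asset("ERP server", "business")],
         [Scenario("Ransomware on ERP delays shipments", "likely", "minor")]),
    Zone("Remote access", [Asset("VPN gateway", "iacs", external=True)],
         [Scenario("Stolen credentials give full remote control", "likely", "catastrophic")]),
]
TOLERABLE_RISK = 4  # the organization tolerates only "low" band risk (assumption)

if __name__ == "__main__":
    report = assess(SAMPLE_ZONES, TOLERABLE_RISK)
    print(f"initial risk {report['initial_risk']} (tolerable {TOLERABLE_RISK}), "
          f"detailed analysis required: {report['detailed_required']}")
    for zone in SAMPLE_ZONES:
        print(f"{zone.name}: risk {zone_risk(zone)} -> SL-T {report['sl_t'][zone.name]}")
        for finding in report["findings"][zone.name]:
            print("  partitioning finding:", finding)
```

On the sample data the initial risk is 20 (the remote-access scenario), which exceeds the tolerable 4, so the detailed step runs and assigns SL-T 3, 2 and 4 to the three zones; the partitioning checks flag the Control zone twice, because a safety controller and a temporarily connected laptop share it with the PLC and HMI. In a real assessment the SL-T is settled by checking that the countermeasures of that level bring the residual risk under the tolerable threshold, which this example leaves out.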

ZCR 6: Document Cybersecurity Requirements

Write the cybersecurity requirements specification (CRS) for the SuC. It contains:

- A description of the SuC and the zone and conduit drawings.
- The characteristics of each zone and conduit, including its SL-T.
- The assumptions about the operating environment and the threat environment.
- The tolerable risk used in the comparison, and the applicable organizational security policies and regulatory requirements.

ZCR 7: Obtain Approval

This consists of obtaining approval of the risk analysis from the asset owner, that is, the persons in charge of the IACS who are responsible for the security, integrity and reliability of the process controlled by the SuC.

Conclusion

Following this methodical 7-step approach gives a systematic and repeatable risk analysis for ICS environments, yielding a target security level for every zone and conduit, well-defined security requirements and documented approval by the asset owner.