ANSI/ISA-62443-3-2 : 2020

ANSI/ISA-62443-3‑2-2020, Security for Industrial Automation and Control Systems – Part 3‑2: Security Risk Assessment for System Design, defines requirements and provides guidance for performing cybersecurity risk assessments specifically for industrial automation and control systems (IACS) during system design. This standard emphasizes risk management tailored to the unique threats, vulnerabilities and consequences relevant to IACS, including safety-related assets, temporary devices, wireless connections and external network access. It establishes processes to identify the system under consideration (SUC), partition it into security zones and conduits based on risk, perform initial and detailed cyber risk assessments, determine target security levels (SL-T) for each zone or conduit and document security requirements in a cybersecurity requirements specification (CRS). It also provides definitions, workflows and examples of risk matrices to guide organizations in aligning security measures with tolerable risk levels and regulatory requirements, supporting clear communication and approval by asset owners.