IEC 62443 Zone & SR Elaborator
Overview
Guided elaboration of IACS security documentation per IEC 62443: zone/conduit model, Security Level (SL) targets, Security Requirements (SR) for components and systems, and gap remediation. Verifies each zone has an SL target and SR/FR are allocated.
Getting Started
Add your source materials to the project workspace, then activate the IEC 62443 Zone & SR Elaborator skill. The agent will guide you through the process step by step.
Example Conversation
You: We’re documenting our OT network per IEC 62443. I have a first cut of zones; I need each zone to have an SL target and to allocate Security Requirements to components.
Agent: I’ll run check_sl_sr_coverage on your zone document to see if each zone has an SL target and if SR/FR are referenced. Then we can assign SL 1–4 and map FR/SR from IEC 62443-3-3 to zones and key components.
Agent: The tool found zone and conduit references but no explicit “SL target” or “Security Level” wording. It also warned that SR or FR should be allocated. I’ve added an “SL target” column to your zone table (suggested SL 2 for process control, SL 3 for safety-related) and a “SR/FR allocation” section with references to IEC 62443-3-3 (e.g. SR 1.1, 1.2 for identification and authentication).
You: Keep SL 2 for process and SL 3 for safety; add the FR references we already use.
Agent: Done. Re-run check_sl_sr_coverage to confirm all zones have SL and SR/FR references.
Sample Output Excerpt
Excerpt from IACS security documentation: zones and SR allocation.
Zone and Security Level targets
| Zone | Description | SL target | Rationale |
|---|---|---|---|
| Z1 – Process control | DCS, PLCs, HMIs | SL 2 | Standard availability; no safety function in this zone. |
| Z2 – Safety systems | SIS, ESD | SL 3 | Safety-related; higher assurance. |
| Conduit C1 (Z1–Z2) | Protected link | SL 3 | Aligned with Z2. |
Security Requirements allocation (excerpt)
- Zone Z1: IEC 62443-3-3 SR 1.1, 1.2 (identification and authentication); SR 2.1 (use control). Foundation Requirements FR 1–2 allocated.
- Zone Z2: SR 1.1, 1.2, 2.1; SR 3.1 (system integrity). Component requirements per IEC 62443-4-2 for selected devices.
Built-in Validation Tools
The skill includes an extension tool that checks IACS security documentation for SL and SR coverage.
What the tool checks
| Check | check_sl_sr_coverage |
|---|---|
| Zone section | Detects zone, conduit, segment, 62443, IACS |
| SL target | Looks for SL 1–4, security level target, target SL |
| SR/FR | Looks for SR/FR references, security requirement, foundation requirement, 62443 |
| Findings | WARNING if zones lack SL target or SR/FR allocation; INFO when present |
| Recommendation | Each zone should have explicit SL; SR or FR allocated to zones/components |
Example validation output
======================================================================
IEC 62443 ZONE & SR COVERAGE REPORT
======================================================================
Document: docs/iacs-security-plan.md
--- FINDINGS ---
[WARNING] Each zone should have a Security Level (SL) target (SL 1–4). Document the target SL for each zone.
[INFO] SR/FR references found; verify allocation to zones and components is complete.
--- SUMMARY ---
Errors: 0
Warnings: 1
======================================================================
Run the tool on your zone/SR document or IACS security plan after drafting or updating.
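A per-zone version of the coverage check described under "What the tool checks", as an added example; this is not the skill's own check_sl_sr_coverage code. It goes beyond document-wide keyword detection by checking every zone row on its own, so one documented zone cannot mask a gap in another. The function name, the regexes and the sample plan (including zone Z3) are assumptions constructed for illustration.

```python
import re

# Constructed sample modelled on the page's excerpt; zone Z3 is invented to show a gap.
SAMPLE = """\
| Zone | Description | SL target | Rationale |
|---|---|---|---|
| Z1 – Process control | DCS, PLCs, HMIs | SL 2 | No safety function. |
| Z2 – Safety systems | SIS, ESD | SL 3 | Safety-related. |
| Z3 – Historian DMZ | Historian, patch server | TBD | Not yet assessed. |

- Zone Z1: IEC 62443-3-3 SR 1.1, 1.2; SR 2.1. FR 1–2 allocated.
- Zone Z2: SR 1.1, 1.2, 2.1; SR 3.1.
"""

SL_VALUE = re.compile(r"\bSL\s*([1-4])\b")
SR_FR_REF = re.compile(r"\b(?:SR\s*\d+\.\d+|FR\s*\d+)")
ZONE_ID = re.compile(r"Z\d+\b")


def zone_coverage_findings(text):
    """Hypothetical helper: per-zone (level, message) findings for a Markdown plan."""
    sl_col, sl_by_zone, allocated = None, {}, set()
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("|"):
            cells = [c.strip() for c in line.strip("|").split("|")]
            lowered = [c.lower() for c in cells]
            if "sl target" in lowered:        # header row fixes the SL column
                sl_col = lowered.index("sl target")
                continue
            zone = ZONE_ID.match(cells[0])    # skips separator and conduit rows
            if zone and sl_col is not None and sl_col < len(cells):
                hit = SL_VALUE.search(cells[sl_col])
                sl_by_zone[zone.group()] = int(hit.group(1)) if hit else None
        elif line.startswith("-") and SR_FR_REF.search(line):
            allocated.update(re.findall(r"\bZone\s+(Z\d+)\b", line))
    findings = []
    for zone, sl in sl_by_zone.items():
        if sl is None:
            findings.append(("WARNING", f"{zone}: no SL target (SL 1-4) documented"))
        if zone not in allocated:
            findings.append(("WARNING", f"{zone}: no SR/FR allocation found"))
        if sl is not None and zone in allocated:
            findings.append(("INFO", f"{zone}: SL {sl} target with SR/FR allocated"))
    return findings

if __name__ == "__main__":
    for level, message in zone_coverage_findings(SAMPLE):
        print(f"[{level}] {message}")
```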