ISA/IEC 62443 defines zones and conduits as a core architectural concept for managing cybersecurity risk in IACS environments. During risk assessment, zones must be clearly separated based on risk, function, and criticality, not convenience.
Step 1: Definition of zones in ISA/IEC 62443
A zone is a grouping of assets that share similar security requirements and risk profiles. Business systems, safety-critical control systems, and wireless systems inherently have different threat exposures and consequences of compromise.
Step 2: Risk-based separation principle
ISA/IEC 62443-3-2 requires that risk assessments identify differences in impact and threat likelihood. Safety-critical zones typically require higher Security Levels due to potential impacts on human safety and the environment. Business zones, by contrast, tolerate different risk levels.
Step 3: Purpose of separation
Clear separation ensures that security requirements can be applied appropriately to each zone. It also limits the propagation of attacks from lower-criticality zones (such as business or wireless networks) into higher-criticality zones.
Step 4: Why other options are incorrect
Combining all zones ignores risk differentiation and violates the core zone concept.
Ignoring physical location is incorrect; while zones are logical, physical access and connectivity still matter in risk assessment.
Treating temporary connections as permanent safety assets distorts the risk model and security requirements.
Step 5: Outcome of proper zone management
By establishing clear separation based on criticality, asset owners can correctly assign Security Levels, define conduits, and apply appropriate technical and procedural controls.
Therefore, ISA/IEC 62443 requires clear separation between zones based on criticality during risk assessment.
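The two checks implied by Steps 3 to 5, as an added example that is not part of the original page or of the standard: it flags zones that mix criticality levels and flows that cross a zone boundary without a defined conduit. The asset names, zone names, and the 1 to 3 criticality scale are constructed assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample inventory: (asset, proposed zone, criticality 1=low .. 3=safety-critical).
# The 1-3 scale is an illustrative assumption, not a value defined by ISA/IEC 62443.
ASSETS = [
    ("erp-server",     "business", 1),
    ("guest-wifi-ap",  "wireless", 1),
    ("hmi-01",         "control",  2),
    ("plc-line-a",     "control",  2),
    ("sis-controller", "control",  3),   # safety system lumped in with basic control
    ("sis-eng-ws",     "safety",   3),
]
# Conduits declared in the design, as unordered zone pairs (constructed).
CONDUITS = {frozenset(("business", "control")), frozenset(("control", "safety"))}
# Observed or planned communication flows: (source asset, destination asset).
FLOWS = [
    ("erp-server", "hmi-01"),
    ("hmi-01", "plc-line-a"),
    ("guest-wifi-ap", "sis-eng-ws"),
    ("plc-line-a", "sis-eng-ws"),
]

def mixed_criticality_zones(assets):
    """Zones whose members do not share one criticality, i.e. candidates for splitting."""
    levels = defaultdict(set)
    for _, zone, crit in assets:
        levels[zone].add(crit)
    return {z: sorted(c) for z, c in levels.items() if len(c) > 1}

def undeclared_cross_zone_flows(assets, flows, conduits):
    """Flows that cross a zone boundary without a declared conduit.
    Each finding notes whether the flow climbs from lower to higher criticality."""
    info = {name: (zone, crit) for name, zone, crit in assets}
    findings = []
    for src, dst in flows:
        (sz, sc), (dz, dc) = info[src], info[dst]
        if sz != dz and frozenset((sz, dz)) not in conduits:
            findings.append((src, dst, sz, dz, sc < dc))
    return findings

if __name__ == "__main__":
    for zone, crits in mixed_criticality_zones(ASSETS).items():
        print(f"split zone {zone!r}: mixed criticality {crits}")
    for src, dst, sz, dz, upward in undeclared_cross_zone_flows(ASSETS, FLOWS, CONDUITS):
        note = "lower -> higher criticality" if upward else "no conduit defined"
        print(f"{src} ({sz}) -> {dst} ({dz}): {note}")
```

On the sample data the `control` zone is reported for splitting because it holds both criticality 2 and 3 assets, and the wireless-to-safety flow is reported because no conduit covers that zone pair.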