The draft standard, ISA-62443-3-2, requires that a cybersecurity risk assessment be performed for industrial automation and control systems to determine target security levels. The standard provides a basis for specifying security countermeasures by aligning risk-ranked vulnerabilities with security capabilities in ISA-62443-3-3.