Understanding Security Levels and how IEC 62443 applies cybersecurity controls
proportionate to risk within Industrial Automation and Control Systems (IACS).
Overview
IEC 62443 defines Security Levels (SLs) to specify the degree of
cybersecurity protection required for an Industrial Automation and Control System (IACS).
Security Levels provide a consistent method for defining cybersecurity objectives based
upon the results of a cybersecurity risk assessment.
Rather than applying identical security controls across every system, IEC 62443 recommends
assigning an appropriate Security Level according to:
The likelihood of a cyber attack.
The potential consequences of a successful attack.
The criticality of the assets being protected.
The capabilities and resources of potential threat actors.
Security Levels are cumulative, meaning each successive level builds upon the previous
one by introducing progressively stronger cybersecurity controls.
Security Levels are typically assigned to Security Zones and
Conduits, allowing different parts of an industrial system to receive
protection appropriate to their operational and business risk.
Refer to: ISA/IEC 62443-3-3, Clause 4.2 Refer to: ISA/IEC 62443-3-2 (Security Level Target Determination)
Learning Objectives
Understand the purpose of IEC 62443 Security Levels.
Recognise the differences between Security Levels 0 to 4.
Understand how Security Levels are determined through cybersecurity risk assessment.
Identify the types of threat actors addressed by each Security Level.
Understand how Security Levels support defence-in-depth and risk-based cybersecurity.
Summary Diagram
Figure – Overview of IEC 62443 Security Levels (SL 0 to SL 4) and the corresponding threat capabilities.
Security Level 0 (SL 0)
No Specific Cybersecurity Requirements
SL 0 represents systems where no specific cybersecurity protection is required.
These systems are not expected to resist intentional cyber attacks and may rely
solely on physical security or operational controls.
Although safety systems may still exist, cybersecurity controls are either absent
or considered unnecessary because of the system's limited exposure or the low
consequence of compromise.
Typical Examples
Isolated laboratory equipment.
Stand-alone test systems.
Non-critical demonstration systems.
Security Level 1 (SL 1)
Protection Against Casual or Accidental Violation
SL 1 provides protection against casual or accidental cybersecurity incidents.
Threat actors are expected to have little knowledge of Industrial Automation and
Control Systems and minimal motivation or capability to intentionally compromise
the system.
Typical Security Measures
Basic user authentication.
Password protection.
User account management.
Basic access control.
Security awareness practices.
Typical Applications
Small industrial systems.
Low-risk process areas.
Stand-alone operational systems.
Security Level 2 (SL 2)
Protection Against Intentional Violation Using Simple Means
SL 2 protects against attackers who intentionally target the system using readily
available tools and simple attack techniques.
Threat actors possess general technical knowledge but limited resources and
limited Industrial Control System expertise.
Typical Security Measures
Role-based access control.
Improved authentication.
Network segmentation.
Security logging.
Account management.
Device hardening.
Basic security monitoring.
Typical Applications
Manufacturing facilities.
Industrial production systems.
Utility support systems.
Security Level 3 (SL 3)
Protection Against Intentional Violation Using Sophisticated Means
SL 3 is designed to resist attackers with significant technical knowledge,
moderate resources and specific expertise in Industrial Automation and Control
Systems.
These attackers are capable of developing customised attacks, exploiting system
weaknesses and bypassing basic cybersecurity controls.
Typical Security Measures
Defence-in-depth architecture.
Strong authentication.
Secure remote access.
Secure communications.
Robust network segmentation.
Comprehensive security logging.
Security monitoring.
Regular vulnerability and risk assessments.
Typical Applications
Critical manufacturing facilities.
Water treatment plants.
Mining operations.
Oil and gas facilities.
Electrical substations.
Security Level 4 (SL 4)
Protection Against Intentional Violation Using Sophisticated Means with Extended Resources
SL 4 provides the highest level of cybersecurity defined by IEC 62443.
It is intended to protect against highly sophisticated threat actors possessing
extensive resources, advanced technical capabilities and detailed knowledge of
the target system.
Typical Threat Actors
State-sponsored threat actors.
Highly organised cybercriminal groups.
Advanced Persistent Threats (APTs).
Typical Security Measures
Highly segmented architectures.
Extensive system hardening.
Continuous security monitoring.
Secure-by-design engineering.
Strict access management.
Comprehensive incident response capabilities.
Typical Applications
National critical infrastructure.
Defence systems.
Nuclear facilities.
Strategic energy infrastructure.
Public safety systems.
Security Level Summary
Security Level
Protection Against
Typical Threat Actor
SL 0
No specific cybersecurity protection.
No intentional threat considered.
SL 1
Casual or accidental violation.
Unintentional users or casual attackers.
SL 2
Intentional attacks using simple means.
Low-skilled attackers using common tools.
SL 3
Intentional attacks using sophisticated means.
Skilled attackers with moderate resources and ICS knowledge.
SL 4
Sophisticated attacks using extended resources.
Highly capable, well-funded attackers with extensive resources.
Key Principles
Security Levels are determined through cybersecurity risk assessment, not selected arbitrarily.
Different Security Zones within the same facility may have different Security Level targets.
Security Levels define the required level of protection against different classes of threat actors rather than prescribing specific security technologies.
The objective is to implement cybersecurity controls that are proportionate to operational risk while maintaining system availability and safety.
Refer to: ISA/IEC 62443-3-2 (Security Risk Assessment and System Design) Refer to: ISA/IEC 62443-3-3, Clause 4 (System Security Requirements and Security Levels)
Key Takeaways
IEC 62443 defines five Security Levels (SL 0 to SL 4) to specify the required degree of cybersecurity protection.
Security Levels are assigned based on cybersecurity risk, asset criticality and threat capability.
Each Security Level builds upon the previous level by introducing stronger cybersecurity controls.
Security Levels are typically applied to Security Zones and Conduits within an Industrial Automation and Control System.
The goal is to implement cybersecurity controls that are proportionate to risk while maintaining system safety, reliability and availability.
Standards References
ISA/IEC 62443-3-2 – Security Risk Assessment and System Design (Security Level Target Determination).
ISA/IEC 62443-3-3, Clause 4.2 – Security Levels.
ISA/IEC 62443-3-3, Clause 4 – System Security Requirements and Security Levels.