
IEC 62443 Security Levels (SL)

Understanding Security Levels and how IEC 62443 applies cybersecurity controls proportionate to risk within Industrial Automation and Control Systems (IACS).


Overview

IEC 62443 defines Security Levels (SLs) to specify the degree of cybersecurity protection required for an Industrial Automation and Control System (IACS). Security Levels provide a consistent method for defining cybersecurity objectives based upon the results of a cybersecurity risk assessment.

Rather than applying identical security controls across every system, IEC 62443 recommends assigning an appropriate Security Level according to:

Security Levels are cumulative: each successive level includes the requirements of the level below it and adds further requirements (in ISA/IEC 62443-3-3, the base System Requirements plus progressively more Requirement Enhancements), so a system that meets SL 3 also meets SL 2 and SL 1.

Security Levels are assigned to Security Zones and Conduits rather than to the plant as a whole, allowing different parts of an industrial system to receive protection proportionate to their operational and business risk. The standard distinguishes the target level a zone should reach (SL-T, derived from the risk assessment in ISA/IEC 62443-3-2), the level a system or component can provide when correctly configured (SL-C) and the level actually achieved once deployed (SL-A); a shortfall of SL-A against SL-T is what drives additional countermeasures. An SL is also not a single number: ISA/IEC 62443-3-3 states it per Foundational Requirement (FR 1 to FR 7), so a zone may, for example, require SL 3 for identification and authentication control but only SL 2 for data confidentiality.

Refer to: ISA/IEC 62443-3-3, Clause 4.2
Refer to: ISA/IEC 62443-3-2 (Security Level Target Determination)
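The checks described above (levels are cumulative, and a zone's target is compared per Foundational Requirement) can be made concrete in code. The following Python is an added example, not from the page or the text of the standard: it models an SL as a vector with one value per FR, compares a component's claimed SL-C against a zone's SL-T element-wise, and produces a gap report. The seven FR labels follow ISA/IEC 62443-3-3; the zones, components and level values are constructed for illustration and describe no real plant.

```python
"""Model IEC 62443 Security Levels as per-FR vectors and check SL-C against SL-T."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# The seven Foundational Requirements of ISA/IEC 62443-3-3. An SL is stated per FR.
FRS = ("FR1", "FR2", "FR3", "FR4", "FR5", "FR6", "FR7")
FR_NAMES = {
    "FR1": "Identification and authentication control",
    "FR2": "Use control",
    "FR3": "System integrity",
    "FR4": "Data confidentiality",
    "FR5": "Restricted data flow",
    "FR6": "Timely response to events",
    "FR7": "Resource availability",
}

SLVector = Tuple[int, ...]


def sl_vector(*levels: int) -> SLVector:
    """Build an SL vector: exactly one value per FR, each in the range 0..4."""
    if len(levels) != len(FRS):
        raise ValueError(f"expected {len(FRS)} values (one per FR), got {len(levels)}")
    if any(not 0 <= level <= 4 for level in levels):
        raise ValueError("security levels range from SL 0 to SL 4")
    return tuple(levels)


def uniform(level: int) -> SLVector:
    """Shorthand for a zone that is assigned the same SL across all seven FRs."""
    return sl_vector(*([level] * len(FRS)))


def meets(capability: SLVector, target: SLVector) -> bool:
    """Levels are cumulative, so SL-C satisfies SL-T when it is >= element-wise."""
    return all(c >= t for c, t in zip(capability, target))


def gaps(capability: SLVector, target: SLVector) -> Dict[str, Tuple[int, int]]:
    """Return {FR: (capability, target)} for every FR where the target is not met."""
    return {fr: (c, t) for fr, c, t in zip(FRS, capability, target) if c < t}


@dataclass
class Component:
    name: str
    sl_c: SLVector  # capability level claimed or certified for the component


@dataclass
class Zone:
    name: str
    sl_t: SLVector  # target level assigned to the zone by the risk assessment
    components: List[Component]


def assess_zone(zone: Zone) -> Dict[str, Dict[str, Tuple[int, int]]]:
    """Gap report for a zone: component name -> FR gaps. Empty means every component meets SL-T."""
    report: Dict[str, Dict[str, Tuple[int, int]]] = {}
    for component in zone.components:
        component_gaps = gaps(component.sl_c, zone.sl_t)
        if component_gaps:
            report[component.name] = component_gaps
    return report


# Constructed example zones (hypothetical names and levels, not from the page).
SAFETY_ZONE = Zone(
    "Safety instrumented system",
    uniform(3),
    [
        Component("Safety PLC", sl_vector(3, 3, 3, 2, 3, 3, 3)),
        Component("Engineering workstation", sl_vector(2, 2, 3, 3, 3, 2, 2)),
    ],
)
MONITORING_ZONE = Zone(
    "Historian / read-only monitoring",
    sl_vector(2, 2, 2, 1, 2, 2, 2),  # lower confidentiality target for non-sensitive trend data
    [Component("Historian server", uniform(2))],
)


def format_report(zone: Zone) -> str:
    """Human-readable gap summary for a zone."""
    report = assess_zone(zone)
    lines = [f"Zone '{zone.name}' SL-T={zone.sl_t}"]
    if not report:
        lines.append("  all components meet the target")
    for name, component_gaps in report.items():
        for fr, (c, t) in component_gaps.items():
            lines.append(f"  {name}: {fr} ({FR_NAMES[fr]}) SL-C {c} < SL-T {t}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(SAFETY_ZONE))
    print(format_report(MONITORING_ZONE))
```

The comparison is deliberately per FR rather than on a single headline number: a component advertised as "SL 3" may still fall short on one FR, as the safety PLC does on FR 4 in the constructed example. Note also that a gap in a component's SL-C does not automatically mean the zone fails its SL-T; the standard allows compensating countermeasures at zone or conduit level, so a report like this is the starting point for the gap analysis, not its conclusion.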


Learning Objectives


Summary Diagram

Figure – Overview of IEC 62443 Security Levels (SL 0 to SL 4) and the corresponding threat capabilities.

Security Level 0 (SL 0)

No Specific Cybersecurity Requirements

SL 0 represents systems where no specific cybersecurity protection is required.

These systems are not expected to resist intentional cyber attacks and may rely solely on physical security or operational controls.

Functional safety measures may still be present, but cybersecurity controls are absent or judged unnecessary because the system has little exposure or because the consequence of a compromise is low.

Typical Examples


Security Level 1 (SL 1)

Protection Against Casual or Accidental Violation

SL 1 provides protection against casual or accidental cybersecurity incidents: operator error, misconfiguration, or a user straying into a function they were not meant to reach.

No deliberate, capable adversary is assumed at this level. Anyone who does violate the system is expected to have little knowledge of Industrial Automation and Control Systems and minimal motivation or capability to compromise it intentionally.

Typical Security Measures

Typical Applications


Security Level 2 (SL 2)

Protection Against Intentional Violation Using Simple Means

SL 2 protects against attackers who intentionally target the system using readily available tools and simple attack techniques.

Threat actors possess general technical knowledge but limited resources and limited Industrial Control System expertise.

Typical Security Measures

Typical Applications


Security Level 3 (SL 3)

Protection Against Intentional Violation Using Sophisticated Means

SL 3 is designed to resist attackers with significant technical knowledge, moderate resources and specific expertise in Industrial Automation and Control Systems.

These attackers are capable of developing customised attacks, exploiting system weaknesses and bypassing basic cybersecurity controls.

Typical Security Measures

Typical Applications


Security Level 4 (SL 4)

Protection Against Intentional Violation Using Sophisticated Means with Extended Resources

SL 4 provides the highest level of cybersecurity defined by IEC 62443.

It is intended to protect against highly sophisticated threat actors possessing extensive resources, advanced technical capabilities and detailed knowledge of the target system.

Typical Threat Actors

Typical Security Measures

Typical Applications


Security Level Summary

Security Level | Protection Against                               | Typical Threat Actor
SL 0           | No specific cybersecurity protection.            | No intentional threat considered.
SL 1           | Casual or accidental violation.                  | Unintentional users or casual attackers.
SL 2           | Intentional attacks using simple means.          | Attackers with general technical knowledge using readily available tools.
SL 3           | Intentional attacks using sophisticated means.   | Skilled attackers with moderate resources and ICS-specific knowledge.
SL 4           | Sophisticated attacks using extended resources.  | Highly capable, well-funded attackers with extensive resources and detailed target knowledge.

Key Principles

Refer to: ISA/IEC 62443-3-2 (Security Risk Assessment and System Design)
Refer to: ISA/IEC 62443-3-3, Clause 4 (System Security Requirements and Security Levels)


Key Takeaways


Standards References