IEC 62443 Security Levels Explained
If you design or operate IoT and industrial products or systems, you have probably faced the need to limit your security budget to keep your products, systems or operations profitable. If you are uncomfortable every time you take such hard decisions, you will be pleased to know that there is a standard method that will guide you and give you peace of mind in taking them.
This is where the Security Levels of the IEC 62443 standard come into play. The standard offers a comprehensive framework applicable to industrial cybersecurity and similar sectors. It covers all topics, from governance and management systems to system and component requirements. The standard bases its risk-driven strategy on the definition of Security Levels, a way to quantify and standardize the definition process for security needs across different. It is a simple concept that just requires some reasoning to be applied effectively. Read to the end to understand why such a concept is so helpful to maximize the efficiency of your hard-earned cybersecurity budget.
The IEC 62443 series is widely applicable, and not only to industrial control operators and component suppliers: it has gained approval in numerous countries and in different sectors like medical devices and transportation. As it continues to evolve, it is becoming a cornerstone standard in the industry. Organizations are aligning their cybersecurity strategies around it and new standards use it as a foundation.
This article serves as a strategy guide, useful even for individuals with limited experience in embedded cybersecurity or industrial cybersecurity. We want to provide practical implementation guidance and examples.
However, it is essential to remember that the information presented here is intended as a general overview. To effectively secure industrial control systems, there is more to master than “just security levels”.
Is this Approach Good Enough for Me?
To answer, we can just point out that IEC 62443 is a robust framework designed to protect even critical systems (like nuclear plants, chemical plants, railways, etc.). It introduces the concept of Security Levels (SLs), which range from SL0 to SL4 (although SL 0, which stands for “no security”, is rarely used).
First things first. SLs are a tool that lets you tailor your security strategy to your context and to specific types of attackers and challenges.
But how does this framework apply to your systems, and what can you do today to protect your most valuable assets?
What Are Security Levels?
Security Levels (SLs) are structured to provide a clear path to securing industrial systems. SLs reflect a system’s ability to resist different levels of attack based on the skills, motivations, and resources of potential attackers. Understanding these levels helps organizations map their defenses to the threats they are most likely to face, creating an approach rooted in resilience and efficient use of resources. This table defines the four levels from the point of view of ICS (industrial control systems):
After analyzing your system or your product’s intended use (covered in part 3-2 of the standard), you will know what its parts (aka “Zones and Conduits” in IEC 62443 parlance) are. Now you can start thinking about which assets in your systems are valuable and which attacker categories they are exposed to. And this is exactly what security levels define: attacker categories.
But then, how do we use such information? If, for example, you are aiming to protect against generic hackers or cybercriminals, you should aim for Security Level 2 (SL2). The standard then guides you to avoid implementing excessive security for your case. However, it is essential to recognize that while SL2 incorporates key protections, no system is immune to all forms of attack.
Is this enough?
No, of course it is not enough to define a target SL! You obviously need to implement the security capabilities in your products or systems to achieve your security objectives.
Security Levels in IEC 62443: three interrelated concepts
When we talk about Security Levels in IEC 62443, we’re in fact referring to three interrelated concepts: Target Security Levels (SL-T), Capability Security Levels (SL-C), and Achieved Security Levels (SL-A).
Think of these as “what we want”, “what we designed”, and “what we actually achieve after testing”.
Target Security Levels (SL-T)
Target Security Levels (SL-T) define the security goals we set for different parts of our (industrial) system. It’s us saying, “This part of our system is critical, so we need top-notch security here,” or “This area is less critical, so moderate security will suffice.” It’s all about assessing risks and deciding where we need to focus our efforts. Note that, if you are a component designer, you don’t define a target yourself, but you “inherit” your customers’ SL-T. SL-T can only be defined for a system in its operational context.
Capability Security Levels (SL-C)
Capability Security Levels (SL-C), on the other hand, are all about potential. They tell us what a particular component or subsystem is capable of in terms of security. It’s like looking at the specs of a new smartphone – you’re seeing what it can do, not necessarily what you’ll use it for. In the world of industrial control systems, knowing the SL-C of different components helps us choose the right tools for the job. When reasoning about cybersecurity, “good enough” is the optimal solution. Spending your budget on a component with an SL-C higher than the chosen SL-T will just constrain the budget for other components.
Achieved Security Levels (SL-A)
Finally, we have Achieved Security Levels (SL-A), which is where the rubber meets the road. This is the actual level of security we’ve implemented and verified. It’s one thing to aim for top-tier security (SL-T) and have systems capable of providing it (SL-C), but it’s another thing entirely to actually implement and maintain that level of security in practice.
Your next question will probably be: in practice, what requirements do the different SL-Ts bring in?
Security Levels: Some Examples in Practice
Now, let’s dive a bit deeper into what these security levels actually mean in practice. As we said, the IEC 62443 standard defines four Security Levels (SLs). Think of these as a spectrum of security, ranging from basic protection to Fort Knox-level security.
SL-1: Basic Level
At the most basic level, SL-1, we’re dealing with security measures that protect against casual or coincidental violations. It’s like closing your front door – it’ll keep out opportunistic intruders (like your neighbor’s cat), but it won’t stop a determined burglar. In industrial terms, this might involve basic password policies and simple network segregation.
It’s the minimum level of security you’d expect in any industrial environment.
SL-2: Simple Resources
Moving up to SL-2, we start to see more robust measures. This level is about protecting against intentional violations using simple means with low resources, generic skills, and low motivation. It’s like closing and locking the door: now you’re actively putting measures in place against simple burglars, but you know that skilled ones would open your locks nonetheless. In the industrial world, this might involve remote access and more rigorous (physical) network segregation.
SL-3: Specific Skills Against Sophisticated Attacks
When we get to SL-3, things start to get serious. This level is designed to protect against intentional violations using sophisticated means with moderate resources, IACS-specific skills, and moderate motivation. It’s like installing a security system for your house together with reinforced doors and windows: even if the burglars know how to open your locks, you are still able to detect and respond in time, unless Lupin is involved! In industrial systems, this could involve advanced intrusion detection systems, real-time threat intelligence, and multifactor authentication.
SL-4: Your Zone is a Fortress
At the highest level, SL-4 (SL-A 4), we’re in maximum security territory. This level is reserved for the most critical systems and is designed to protect against intentional violations using sophisticated means with extended resources, IACS-specific skills, and high motivation. It’s like turning your house into a fortress, with 24/7 surveillance, guard dogs, biometric access controls, and a team of security experts on standby. In industrial terms, this might involve air-gapped networks, automatic security response, continuous monitoring with AI-driven anomaly detection, and the most stringent physical and digital access controls.
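As an added example (not part of the original article or of the standard's text), the sketch below encodes the attacker descriptions given above for SL-1 to SL-4, derives an SL-T from an attacker profile, and then compares a zone's SL-T with its components' SL-C and its verified SL-A. The attribute scales, the treatment of each level as a single number per zone, and the zone and component names are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Ordered attacker attributes; the wording follows this article's SL descriptions.
SCALE = {
    "means":      ["none", "simple", "sophisticated"],
    "resources":  ["none", "low", "moderate", "extended"],
    "skills":     ["none", "generic", "iacs-specific"],
    "motivation": ["none", "low", "moderate", "high"],
}
LEVELS = {  # SL-1 is casual or coincidental violation, encoded here as "none"
    1: dict(means="none", resources="none", skills="none", motivation="none"),
    2: dict(means="simple", resources="low", skills="generic", motivation="low"),
    3: dict(means="sophisticated", resources="moderate", skills="iacs-specific", motivation="moderate"),
    4: dict(means="sophisticated", resources="extended", skills="iacs-specific", motivation="high"),
}

def target_sl(attacker: dict) -> int:
    """Lowest SL whose described attacker is at least as strong on every attribute."""
    for sl, profile in sorted(LEVELS.items()):
        if all(SCALE[k].index(attacker[k]) <= SCALE[k].index(profile[k]) for k in SCALE):
            return sl
    raise ValueError("attacker exceeds the SL-4 description")

@dataclass
class Zone:
    name: str
    sl_t: int                   # target, from the risk assessment
    sl_c: dict                  # component name -> capability level
    sl_a: Optional[int] = None  # achieved level; None until verified

def gaps(zone: Zone) -> list:
    out = []
    for comp, sl_c in sorted(zone.sl_c.items()):
        if sl_c < zone.sl_t:
            out.append(f"{zone.name}/{comp}: SL-C {sl_c} below SL-T {zone.sl_t}")
        elif sl_c > zone.sl_t:
            out.append(f"{zone.name}/{comp}: SL-C {sl_c} above SL-T {zone.sl_t}, budget spent beyond target")
    if zone.sl_a is None:
        out.append(f"{zone.name}: SL-A not verified yet")
    elif zone.sl_a < zone.sl_t:
        out.append(f"{zone.name}: SL-A {zone.sl_a} misses SL-T {zone.sl_t}")
    return out

# Constructed sample: simple means and generic skills, but moderate resources.
ATTACKER = dict(means="simple", resources="moderate", skills="generic", motivation="low")
ZONE = Zone("packaging-line", target_sl(ATTACKER), {"plc": 2, "hmi": 3, "gateway": 4}, sl_a=2)
if __name__ == "__main__":
    print(*gaps(ZONE), sep="\n")
```

A single attribute above the SL-2 description (here, moderate resources) is enough to push the target to SL-3, which in turn exposes the under-capable PLC and the over-specified gateway in the sample zone.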
Conclusion: A Framework for Resilience
Each layer of security, each level, contributes to a larger vision of resilience and stability but comes at a higher cost. By integrating these practices, you are not just securing today’s systems; you are building a foundation for future growth and innovation. By using security levels correctly, you spend today’s budget on today’s needs and prepare to spend tomorrow’s revenues on tomorrow’s cybersecurity needs.
The application of Security Levels and Defense in Depth is more than a compliance exercise—it’s a proactive approach to safeguarding security, across time, in a budget friendly way.