Security levels 

Security levels according to IEC 62443-3-3

To categorize the severity of potential threats, protection classes are available for the various data classes that a zone stores/processes or a conduit transmits. This is the basis for the required level of protection of an entire zone or conduit.
In response to these protection need levels, the IEC 62443-3-3 standard defines Security Levels (SL). Furthermore, the standard maps SLs to system requirements by mentioning specific protection measures the system shall provide at each level.

The standard defines an SL as a level of confidence that indicates whether an industrial automation system is free of security vulnerabilities and operates in the intended manner. Thus, the SL can be considered a qualitative degree of security. In this way, an SL conveys the severity of the threat scenario in a single number.

Note: By means of their SL, zones and conduits can be compared to each other with respect to their security capability.

The SL could be compared to the Safety Integrity Level (SIL) in the field of safety engineering. The main difference between safety and security engineering is that the safety SIL can be calculated based on measurable system/component failures, malfunctions or outages as well as on calculated probabilities of human misconduct during setup, operation, or maintenance. In terms of security, the causes of threats and incidents may be manifold: from operator carelessness to mistaken data tampering to malicious attacks by various means or via different channels. Therefore, the determination of the SL is more complex.

What does an SL refer to?

An SL relates to a zone or a conduit that was identified in your plant/ICS. Put the other way around: the SL indicates the threat level of a zone/conduit that was assigned during the threat and risk analysis. The components involved must be selected according to the SL of the zone/conduit.

Defined SLs

The following table describes the SLs defined in the standard (as they might be understood with practical examples):

SL1
Profile:
  • Who?: Operators, maintainers or any Internet user
  • Means: n/a
  • Resources: n/a
  • Skills: n/a
  • Motivation: none - rather carelessness/misuse
Description: Accidental/(co)incidental violation/manipulation:
  • "Accidental", for example, by a plant operator or maintenance personnel due to disregard of regulations or guidelines when handling facilities or data.
  • "(Co)incidental", by an external threat with the aim of misconfiguring your system or of unauthorized disclosure of information.

SL2
Profile:
  • Who?: Individuals and companies with generic security knowledge
  • Means: simple
  • Resources: limited/common
  • Skills: basic/common
  • Motivation: low
Description: Intentional but low-motivated violation using simple means:
  • Attacks with low motivation.
  • Attacks may be executed by any Internet user with generic skills who does not have specific knowledge to attack systems.
  • Attackers without detailed knowledge about your plant.
  • Attacks relating to this SL are often executed using automated tools.
  • Attacks are often targeted at a wide range of plants instead of specifically one (your) system.

SL3
Profile:
  • Who?: Experts (incl. companies) who develop and use targeted attack means/scenarios for the purpose of profit
  • Means: sophisticated
  • Resources: moderate
  • Skills: plant-specific
  • Motivation: moderate
Description: Intentional and moderate-motivated attacks with sophisticated means:
  • Attackers have expert security knowledge (high-level hackers),
  • and/or advanced knowledge about your field of industry, your plants, weak interfaces or vulnerabilities in the hardware/software/protocols involved.
  • Attacks using tools specifically adapted to your plant as target.
  • Attackers with a higher degree of criminal energy than mentioned for SL2.

SL4
Profile:
  • Who?: Government organizations targeting specific targets, regardless of the costs incurred in doing so.
  • Means: highly sophisticated and aggressive
  • Resources: extended
  • Skills: plant-specific
  • Motivation: high
Description: Intentional and aggressive attacks with highly sophisticated means:
  • Attackers have security knowledge of an expert group,
  • and/or expert knowledge about your field of industry, your plants, weak interfaces or vulnerabilities in the hardware/software/protocols involved.
  • Attacks using tools specifically adapted to your plant as target combined with high performance equipment.
  • Attackers with a higher degree of criminal energy than mentioned for SL3.

 

Ongoing security considerations

Security vulnerabilities can arise not only during the development of a plant or ICS. They can also result, for example, from applied patches or changed guidelines during the plant's life cycle, or after changes in the environment or the addition of new elements to the plant.
Example: A change to a regulation for user account management leads to security vulnerabilities. Additionally, when the inappropriate new account management is implemented, old user accounts are not deleted.

Therefore, the changing threat situation must be continuously monitored and analyzed. New attack methods as well as the overcoming of existing security mechanisms (e.g., an encryption technique) must lead to a corresponding defense reaction, i.e., the appropriate further development and optimization of security measures.

Types of SLs

Security levels do not only show the level of confidence in a zone or conduit. They can also be used to select the devices and components to implement technical security measures. Ideally, the SL-C (C = capability) of the selected components corresponds to the SL-T (T = target) to be achieved in the zone/conduit to be protected.

To be able to map the view on SLs from the different roles (plant owner, operator, system integrator, device supplier), three different types are distinguished.

  • Target SLs (SL-T): Target security level according to the requirements resulting from the threat-risk-assessment you have performed.
  • Achieved SLs (SL-A): Actual security level resulting from the operational and technical measures that are already implemented and applied.
  • Capability SLs (SL-C): Security level that each component/device to be involved in your ICS can provide.
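
The relationship between the three SL types can be checked mechanically once a zone/conduit inventory exists. The following is an added example, not part of the original page or of the standard: it uses a single SL number per zone/conduit as this page does, and all class names, function names, zone names and levels are hypothetical.

```python
from dataclasses import dataclass, field

SL_RANGE = range(1, 5)  # SL1..SL4, the levels described on this page


@dataclass
class Component:
    name: str
    sl_c: int  # capability SL the device/component can provide


@dataclass
class ZoneOrConduit:
    name: str
    sl_t: int  # target SL from the threat and risk analysis
    sl_a: int  # achieved SL with the measures already in place
    components: list = field(default_factory=list)


def sl_gaps(zone):
    """Return (kind, name, shortfall) findings, largest shortfall first."""
    levels = [zone.sl_t, zone.sl_a] + [c.sl_c for c in zone.components]
    if any(sl not in SL_RANGE for sl in levels):
        raise ValueError(f"{zone.name}: security levels must be 1..4")
    findings = []
    if zone.sl_a < zone.sl_t:
        findings.append(("SL-A below SL-T", zone.name, zone.sl_t - zone.sl_a))
    for comp in zone.components:
        if comp.sl_c < zone.sl_t:
            # This component cannot meet the zone's target on its own.
            findings.append(("SL-C below SL-T", comp.name, zone.sl_t - comp.sl_c))
    return sorted(findings, key=lambda f: -f[2])


# Constructed sample plant (hypothetical names and levels).
PLANT = [
    ZoneOrConduit("control zone", sl_t=3, sl_a=2, components=[
        Component("PLC", 3), Component("HMI panel", 1)]),
    ZoneOrConduit("remote maintenance conduit", sl_t=2, sl_a=2, components=[
        Component("VPN router", 3)]),
]

if __name__ == "__main__":
    for z in PLANT:
        for kind, name, shortfall in sl_gaps(z):
            print(f"{z.name}: {kind}: {name} (short by {shortfall})")
```

A component whose SL-C exceeds the SL-T is not reported, since only a shortfall against the target needs follow-up.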

 

 


Published/reviewed: 2023-01-13 • Revision 005