[OT Sec] Selection and Application of Security Levels (SL) for IACS Based on ISA/IEC 62443

Detailed Analysis of Security Level (SL) Determination in ISA/IEC 62443
The selection of Security Levels (SL) for Industrial Automation and Control Systems (IACS) is clearly defined in the ISA/IEC 62443 series of standards. As IACS environments become more complex, it is not practical to apply a single security level across the entire system. Instead, security levels should be applied per zone and conduit, based on a layered architecture. Moreover, SL determination should not be based solely on the number of vulnerabilities but rather on a comprehensive risk assessment, including the attacker’s capability and system criticality.
This document presents a detailed approach to SL selection, criteria, and application scenarios, including the meaning and use cases for SL 0.
1. SL Determination Approach in IACS: Entire System vs. Zone/Conduit-Based Approach

When defining the SL for an IACS, it is recommended to use a zone and conduit-based model, rather than applying one uniform level to the entire system. This approach is based on the Zone & Conduit Model defined in ISA/IEC 62443-3-2.
1) Zone & Conduit Model (ISA/IEC 62443-3-2)
In this model, the IACS network is divided into Zones and Conduits, and a risk assessment is conducted for each zone to determine the Target Security Level (SL-T).
- Zone: A group of assets sharing similar security requirements
  - Examples: MES systems, process control networks, Safety Instrumented Systems (SIS)
- Conduit: Communication pathways between zones
  - Examples: Firewalled interfaces between IT and OT networks
Examples:
- IT network ↔ OT network: SL 3 or higher
- SCADA ↔ PLC network: SL 2–3
- Isolated safety systems: SL 4 may be applied
Each Zone and Conduit has a designated SL-T based on risk, and the system is not assigned a single SL for the entire architecture.
2) Component-Based SL Determination (ISA/IEC 62443-4-2)
ISA/IEC 62443-4-2 defines SL requirements for individual components such as PLCs, HMIs, and SCADA servers.
- SCADA Server → SL 3 (requires strong authentication and encryption)
- HMI → SL 2 (requires basic access control and logging)
- Basic PLC → SL 1 (minimal password protection)
To effectively set SLs, both zone-based (ISA/IEC 62443-3-2) and component-based (ISA/IEC 62443-4-2) models should be integrated.
2. Criteria and Methodology for SL Selection

SL determination is not based on the number of vulnerabilities alone. It is a multi-faceted process that incorporates several key factors:
1) Risk-Based SL Selection (ISA/IEC 62443-3-2)
Risk assessment is the core method for SL determination. Key considerations include:
- Asset Criticality:
  - Evaluate the importance of the system in operational processes.
  - Example: If a Safety System failure could lead to injury, a higher SL is required.
- Attack Surface:
  - Systems connected to IT networks or the internet require a higher SL.
- Threat Scenarios:
  - Potential insider threats, zero-day attack risks, etc.
The outcome of this assessment determines the SL-T (Target Security Level). A gap analysis is then conducted by comparing SL-C (Achieved Security Level) with SL-T.
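The gap analysis described above, combined with the zone-based and component-based views from section 1, can be sketched as follows. This is an added example, not code from the standard or from the original article; the segment names, component names and SL values are constructed, and the rule that a zone or conduit achieves only the level of its weakest component is an assumption made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Component:
    name: str
    segment: str   # zone or conduit the component belongs to
    sl: int        # security level the component supports (0-4)

# Constructed sample data: SL-T per zone/conduit, as a risk assessment would produce.
SL_T = {
    "it-ot-conduit": 3,
    "scada-zone": 3,
    "plc-zone": 2,
    "sis-zone": 4,
}

# Constructed component inventory (hypothetical names).
INVENTORY = [
    Component("dmz-firewall", "it-ot-conduit", 3),
    Component("scada-server", "scada-zone", 3),
    Component("hmi-01", "scada-zone", 2),
    Component("plc-07", "plc-zone", 1),
    Component("plc-08", "plc-zone", 2),
    Component("sis-logic-solver", "sis-zone", 4),
]

def gap_analysis(sl_t, inventory):
    """Return {segment: (target, achieved, [components below target])}.

    Assumption: a segment achieves only the level of its weakest component;
    a segment with no inventoried components is treated as SL 0.
    """
    report = {}
    for segment, target in sl_t.items():
        members = [c for c in inventory if c.segment == segment]
        achieved = min((c.sl for c in members), default=0)
        short = sorted(c.name for c in members if c.sl < target)
        report[segment] = (target, achieved, short)
    return report

def segments_with_gap(report):
    """Segments whose achieved level is below SL-T, largest gap first."""
    gaps = {s: t - a for s, (t, a, _) in report.items() if a < t}
    return sorted(gaps, key=lambda s: (-gaps[s], s))

if __name__ == "__main__":
    rep = gap_analysis(SL_T, INVENTORY)
    for seg in segments_with_gap(rep):
        target, achieved, short = rep[seg]
        print(f"{seg}: SL-T {target}, achieved {achieved}, below target: {short}")
```

The components listed as below target are the ones that need replacement or compensating controls before the segment meets its SL-T.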
2) Attacker Capability-Based SL Selection (ISA/IEC 62443-3-3)
ISA/IEC 62443-3-3 categorizes SLs based on the attacker’s sophistication and capabilities:
| SL | Attacker Type | Attack Techniques |
|---|---|---|
| SL 1 | Basic internal attacker | Simple password cracking |
| SL 2 | Skilled insider | Network packet manipulation |
| SL 3 | External attacker | Vulnerability scanning, exploitation |
| SL 4 | Nation-state-level attacker | Advanced Persistent Threats (APT), zero-day |
Higher SLs require stronger security controls accordingly.
3) Industrial Regulations and Legal Requirements
Certain industries require higher SLs due to regulatory obligations:
- Power sector: IEC 62443 + NERC CIP → SL 3 minimum
- Petrochemical plants: SL 2–3 typically required
- Defense industry: NIST 800-82 → SL 4 may be mandated
3. Meaning and Application of SL 0

SL 0 indicates that no specific cybersecurity measures are required. It is applicable in special cases:
1) Physically Isolated Systems
- Standalone systems with no network connectivity
- Example: Simple mechanical devices used within a factory
2) Non-critical environments
- Laboratory test equipment with no external exposure
3) Legacy Systems
- Very old systems (e.g., 20+ year-old DCS) not designed with cybersecurity in mind
Even in SL 0 cases, physical security controls may still be necessary. However, most industrial environments require at least SL 1 or higher.
Conclusion
- Security levels in IACS should be determined per zone and component, not for the entire system.
- SL selection must be based on risk assessment, attacker capability, and industry regulations, not on the number of vulnerabilities.
- SL 0 means no cybersecurity controls, but its application is limited to very specific scenarios.
- Effective SL application requires tailoring the security architecture to the specific operational and threat environment of the industry.