Question 1

What are the IEC 62443 security levels?

Accepted Answer

IEC 62443 defines five security levels (SL 0–4) that represent a zone or component's ability to resist attacks of increasing sophistication. SL 0 has no specific requirements. SL 1 protects against unintentional or accidental violations. SL 2 protects against deliberate attacks using simple, generic means. SL 3 protects against sophisticated, IACS-aware adversaries. SL 4 protects against nation-state level actors with extended resources and deep system knowledge.

Question 2

What is IEC 62443 Security Level 2 (SL 2)?

Accepted Answer

Security Level 2 (SL 2) in IEC 62443 protects against deliberate attacks using simple, generic means — low-resource adversaries with IT skills but limited IACS-specific knowledge. SL 2 is the most common target for general industrial environments and critical infrastructure. Meeting SL 2 under IEC 62443-3-3 requires multi-factor authentication for human-system interfaces, encrypted communications, audit logging, session management controls, and physical access protections, among other requirements.

Question 3

What is the difference between target security level, achieved security level, and capability security level?

Accepted Answer

IEC 62443 defines three uses of security levels. The target security level (SL-T) is what an asset owner determines a zone must achieve, set through risk assessment under IEC 62443-3-2. The achieved security level (SL-A) is what the deployed system actually delivers, determined by the weakest component or configuration across the zone. The capability security level (CAP SL) is the level a product can support as claimed by its manufacturer under IEC 62443-4-2. System integrators must ensure SL-A meets or exceeds SL-T using components with appropriate CAP SLs.

Question 4

How is a target security level determined under IEC 62443?

Accepted Answer

Target security levels are determined through a formal security risk assessment per IEC 62443-3-2. The process involves identifying IACS assets and functions, partitioning the system into security zones and conduits, identifying threat actors and attack vectors for each zone, assessing the potential consequence of a successful attack, and assigning an SL-T that is proportionate to the risk. Higher consequence zones — particularly those with safety or production-critical functions — typically warrant SL 2 or SL 3.

Question 5

What are the seven foundational requirement categories in IEC 62443-3-3?

Accepted Answer

IEC 62443-3-3 organises the 51 system security requirements into seven foundational requirement (FR) categories: FR 1 Identification and Authentication Control (IAC), FR 2 Use Control (UC), FR 3 System Integrity (SI), FR 4 Data Confidentiality (DC), FR 5 Restricted Data Flow (RDF), FR 6 Timely Response to Events (TRE), and FR 7 Resource Availability (RA). Each requirement scales across security levels SL 1–4, with SL 4 representing the most stringent controls.

Question 6

What are the six phases of the IACS security lifecycle in IEC 62443?

Accepted Answer

IEC 62443 structures OT security around six continuous lifecycle phases: (1) Risk Assessment — identifying assets, defining zones, and setting target security levels per IEC 62443-3-2; (2) Policy and Governance — establishing the CSMS per IEC 62443-2-1; (3) Design and Procurement — selecting components by CAP SL and qualifying suppliers against IEC 62443-2-4; (4) Implementation — deploying countermeasures, hardening configurations, and enforcing access controls; (5) Verification and Validation — security acceptance testing against defined requirements; and (6) Operations and Maintenance — continuous monitoring, patch management per IEC 62443-2-3, incident response, and periodic risk reviews.

Question 7

What is patch management under IEC 62443-2-3?

Accepted Answer

IEC TR 62443-2-3 is an informative Technical Report that addresses patch management in IACS environments where planned downtime is rare and uncontrolled updates could disrupt production or compromise safety. It defines roles and responsibilities for both asset owners and product vendors, covers processes for assessing patch applicability and urgency, and provides guidance for systems that cannot be taken offline for patching. While informative, it provides the practical framework most asset owners use to structure their patch programmes.

Security Levels & Lifecycle

Security Levels (SL 0–4)

No Requirements

Casual / Coincidental

Intentional / Simple

Intentional / Sophisticated

State-Sponsored

Target, Achieved, and Capability Security Levels

IACS Security Lifecycle

Risk Assessment

Policy & Governance

Design & Procurement

Implementation

Verification & Validation

Operations & Maintenance