
Security level according to IEC 62443-3-3 in Industrial Control Systems

Posted on 03/10/2022, by INCIBE

The main objective of the IEC 62443 standard is to provide a framework that facilitates the identification of current and future vulnerabilities in control systems and industrial automation environments. It pursues this aim by extending the IT requirements with security extensions that guarantee availability in industrial control systems (ICS). Thus, a minimum set of requirements is defined in order to achieve, progressively and through continuous improvement, a reliable security level.

The target audience for this standard is as follows:

  • Industrial control system integrators: to configure measures on the network to suit the target security level.
  • Product manufacturers: to implement measures in their products (PLC, switches, etc.) so that they adapt to different security criteria.
  • Service providers: equipment installation and maintenance.

Designing and implementing an integrated security architecture requires a system-level analysis and an analysis of the development of requirements. That work must be done by system integrators and product manufacturers together.

For an organisation to be in alignment with standard IEC 62443-3-3, it is advisable for it to have in advance a high level of maturity when it comes to security. This means that the organisation will need to follow these steps:

  • Have a segmented network architecture, written procedures for all operations, a suitable inventory of OT assets and employees with cybersecurity training and awareness.
  • Perform an organisation-wide risk analysis, in order to define the criticality of the systems that make up the company.
  • Then, for each system, the zones and conduits shall be determined and, in turn, a target security level (SL-T, Target Security Level) shall be set for each.
  • Subsequently, the SL-A, Achieved Security Level, which indicates the current security level presented by the company, shall be assessed in each zone and conduit.
  • If the SL-A is equal to the SL-T, no additional measures need to be taken. If, on the contrary, the SL-A is less than the SL-T, then it will be necessary to calculate the SL-C, Capability Security Level. The SL-C is described as the security level that a system could achieve with a proper configuration.
  • At this point, a check will be made of whether, with the proper configuration of all the system’s components, the SL-T set can be achieved or whether additional compensatory measures need to be taken, such as purchasing new equipment or modifying the network architecture.

For critical processes, standard IEC 62443-3-3 puts the SL-Ts at security levels 2, 3 and 4. Even so, it will be the organisation itself that decides, based on the risk analysis, what security levels it wants to implement in each zone and conduit. Security levels are characterised according to the following criteria:

  • Security level 0: does not require security specifications or protections.
  • Security level 1: requires protection against unintended incidents.
  • Security level 2: requires protection against intentional incidents, perpetrated with simple means, few resources, basic knowledge and low motivation.
  • Security level 3: requires protection against intentional incidents, perpetrated with advanced means, sufficient resources, average knowledge and medium motivation.
  • Security level 4: requires protection against intentional incidents, perpetrated with very advanced means, major resources, advanced knowledge and high motivation.

Once all the SL-Ts have been defined, and knowing the SL-Cs, an action plan is prepared to achieve the objectives. The organisation will have to rely on the system integrators to make the necessary changes. The integrators will determine what series of measures, whether automatic or configuration-based, will have to be included in each zone and conduit to adapt to the SL-T.

On the other hand, this standard is certifiable. This means that manufacturers can certify complete systems, that is, a set of components with the configurations already established. For example, a SCADA from a particular manufacturer forms a system with all the components that make it up, and the manufacturer could choose to certify the SCADA to provide security value to its product and its customers. For the moment there are only two certified systems.

Security requirements in IEC 62443-3-3

Standard IEC 62443-3-3 defines a hierarchical structure of requirements, made up of three types: the fundamental requirements (FRs), the system requirements (SRs) and the improvement requirements (IRs). Each fundamental requirement contains different system requirements, and these in turn have improvement requirements. This standard is intended to cover all situations that may occur during the life cycle of a system, from its implementation to its removal from the network.

The different groups of fundamental requirements (FRs) are:

  • Identification and Authentication Control (IAC).
  • Usage Control (UC).
  • System Integrity (SI).
  • Data Confidentiality (DC).
  • Restriction on Data Flow (RDF).
  • Event Response Time (ERT).
  • Availability of Resources (AR).

The security levels are described in vector form. The vector can be indicated in full for a device, that is, with the 7 values of the requirements, or partially, by specifying the specific requirements that are assessed; it shall then appear as follows:

  • SL-X ([FR], domain) = {IAC, UC, SI, DC, RDF, ERT, AR}
    • Where X shall refer to the security level being assessed (A, C, T).
    • FR shall be optional and shall host the FR values that are represented. Their absence indicates that they are all assessed.

An assessment is made of each fundamental requirement by zone and conduit, and scores between 0 and 4 given according to what is detected. For example, for an Engineering Station (ES) the following security levels have been established:

SL-A (ES): {0,3,2,1,0,1,1}

SL-C (ES): {1,3,2,2,2,1,2}

SL-T (ES): {2,3,3,3,2,1,2}

A good practice is to apply the highest level set out in SL-T to unify the entire system at the same level. Thus, the SL-T would be as follows: SL-T (ES): {3,3,3,3,3,3,3}
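The SL-A / SL-C / SL-T comparison from the steps listed earlier, applied to the Engineering Station vectors above, as an added example that is not part of the original article or of the standard. The function names and the three status labels ("met", "configure", "compensate") are assumptions made for illustration; only full 7-value vectors are handled, and an SL-A above the SL-T is treated as met.

```python
import re

# FR abbreviations in the order used by the article's vector.
FRS = ("IAC", "UC", "SI", "DC", "RDF", "ERT", "AR")

def parse_sl(line):
    """Parse 'SL-T (ES): {2,3,3,3,2,1,2}' into (kind, domain, {FR: level})."""
    m = re.fullmatch(r"\s*SL-([ACT])\s*\(([^)]+)\)\s*[:=]\s*\{([^}]*)\}\s*", line)
    if not m:
        raise ValueError(f"not an SL vector: {line!r}")
    levels = [int(v) for v in m.group(3).split(",")]
    if len(levels) != len(FRS) or any(not 0 <= v <= 4 for v in levels):
        raise ValueError("expected 7 levels between 0 and 4")
    return m.group(1), m.group(2).strip(), dict(zip(FRS, levels))

def gap_analysis(sl_a, sl_c, sl_t):
    """Classify each FR following the article's SL-A / SL-C / SL-T steps."""
    result = {}
    for fr in FRS:
        if sl_a[fr] >= sl_t[fr]:
            result[fr] = "met"          # achieved level already reaches target
        elif sl_c[fr] >= sl_t[fr]:
            result[fr] = "configure"    # proper configuration is enough
        else:
            result[fr] = "compensate"   # new equipment or architecture change
    return result

def unify(sl_t):
    """Raise every FR to the highest level present in the SL-T vector."""
    top = max(sl_t.values())
    return {fr: top for fr in FRS}

# The Engineering Station vectors quoted in the article.
SAMPLE = """SL-A (ES): {0,3,2,1,0,1,1}
SL-C (ES): {1,3,2,2,2,1,2}
SL-T (ES): {2,3,3,3,2,1,2}"""

def analyse(text, unified=False):
    """Run the gap analysis, optionally against the unified SL-T."""
    vectors = {kind: levels for kind, _, levels in map(parse_sl, text.splitlines())}
    target = unify(vectors["T"]) if unified else vectors["T"]
    return gap_analysis(vectors["A"], vectors["C"], target)

if __name__ == "__main__":
    for fr, status in analyse(SAMPLE).items():
        print(f"{fr:4} {status}")
```

With the unified SL-T of 3, RDF, ERT and AR move to "compensate" as well, which shows the cost of unifying the whole system at the highest level.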

Requirements SL1 SL2 SL3 SL4
FR 1 - Identification and authentication control
SR 1.1 - User identification and control of users
IR (1) Unique identification  
IR (2) Multi-factor authentication in untested networks    
IR (3) Multi-factor authentication across all networks      

- Example of some SRs and IRs required at each security level for the FR IAC. Source: Own preparation based on the controls in IEC 62443-3-3 -

The image shows an example of which requirements must be taken into account to adapt to each security level. If the process has been identified as level one in the FR IAC (Identification and authentication control), for the SR Identification and control of users, it shall not be necessary to fulfil the IRs identified by the standard, only the basic part of the control. If the identified level is higher, it will be necessary to comply with different IRs to achieve the SL-T.

Improvements related to fundamental requirements

Standard IEC 62443-3-3 is a standard based on continuous improvement as threats evolve and new attack vectors emerge. This means that once the action plan has been carried out, it will be necessary to make checks on the changes made, re-assess the SL-As and compare them with the SL-Ts. Just as threats evolve, security solutions also improve and become more sophisticated, such that they must be taken into account after each comparison among the SL-As and the SL-Ts.

To increase a system’s security level, it will not suffice to fulfil the system requirement (SR) but rather, to achieve a high SL-A, the improvement requirements (IRs) must be fulfilled.

In Appendix B of standard IEC 62443-3-3, the SRs and their respective IRs that must be taken into account are specified depending on the SL-T. As may be seen in the tables that appear therein, to achieve an SL-T of four, all the IRs must necessarily be applied, since the more IRs that are applied, the greater the SL-A that can be achieved.

Conclusion

By following this article, you can achieve an adequate security level, capable of providing proper operation of the industrial control systems during the entire life cycle, including situations such as the response to incidents to be able to mitigate the consequences as far as possible.

Specifically, the purpose of the standard IEC 62443-3-3 is to reach the SL-Cs of each conduit and zone. The system integrators use the standard to be able to check the capabilities of the devices installed in the organisation and thus to be able to determine the modifications necessary to adapt to the SL-Ts.