Security levels
Security levels according to IEC 62443-3-3
To categorize the severity of potential threats, protection classes are assigned to the various data classes a zone stores or processes, or a conduit transmits. This is the basis for the required level of protection of an entire zone or conduit.
In response to these protection needs, the IEC 62443-3-3 standard defines Security Levels (SL). The standard also maps each SL to system requirements by listing the specific protection measures a system shall provide at that level.
The standard defines an SL as the level of confidence that an industrial automation system is free of security vulnerabilities and operates in the intended manner. The SL can therefore be regarded as a qualitative degree of security: a single number that summarizes the severity of the threat scenario a zone or conduit must withstand.
The SL can be compared to the Safety Integrity Level (SIL) in safety engineering. The main difference between safety and security engineering is that a SIL can be calculated from measurable failure, malfunction or outage rates of systems and components and from estimated probabilities of human error during setup, operation or maintenance. In security, the causes of incidents are manifold, ranging from operator carelessness and accidental data tampering to deliberate attacks by various means and over different channels, and a motivated attacker cannot be modeled as a failure rate. Determining an SL is therefore more complex.
What does an SL refer to?
An SL relates to a zone or conduit identified in your plant or ICS. Put the other way around: the SL of a zone or conduit expresses the threat level assigned to it during the threat and risk analysis. The components used in a zone or conduit must be selected according to its SL.
Defined SLs
The following table lists the SLs defined in the standard, together with the attacker profile (means, resources, skills, motivation) each level is intended to withstand:
SL | Profile | Description |
SL1 | Casual or coincidental violation | Accidental or coincidental violation or manipulation |
SL2 | Simple means, low resources, generic skills, low motivation | Intentional but low-motivated violation using simple means |
SL3 | Sophisticated means, moderate resources, ICS-specific skills, moderate motivation | Intentional, moderately motivated attacks with sophisticated means |
SL4 | Sophisticated means, extended resources, ICS-specific skills, high motivation | Intentional, aggressive attacks with highly sophisticated means |
Ongoing security considerations
Security vulnerabilities do not only arise during the development of a plant or ICS. They can also result from applied patches or changed guidelines during the plant's life cycle, or after changes in the environment or the addition of new elements to the plant.
Example: A change to the regulation governing user account management leads to security vulnerabilities: when the new, inadequate account management process is implemented, old user accounts are not deleted.
The changing threat situation must therefore be monitored and analyzed continuously. New attack methods, as well as the defeat of an existing security mechanism (e.g., an encryption technique that has been broken), must trigger a corresponding defensive response, i.e., the further development and optimization of the security measures.
Types of SLs
Security levels do not only express the level of confidence in a zone or conduit. They are also used to select the devices and components that implement the technical security measures. The SL-C (C = capability) of a selected component should be at least the SL-T (T = target) to be achieved in the zone or conduit it is to protect.
To map the different views on SLs held by the different roles (plant owner, operator, system integrator, device supplier), three types of SL are distinguished:
- Target SL (SL-T): The security level a zone or conduit has to reach, derived from the threat and risk assessment you have performed.
- Achieved SL (SL-A): The security level a zone or conduit actually reaches, as a result of the organizational and technical measures already implemented and applied.
- Capability SL (SL-C): The security level a component or device to be used in your ICS can provide on its own, when configured and integrated properly.
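The comparison of SL-C against SL-T described above, as an added worked example that is not part of the original page or of the standard's text. It goes one step beyond the single-number view used on this page: IEC 62443-3-3 expresses a security level as a vector with one value (0 to 4) for each of its seven foundational requirements (FR1 IAC to FR7 RA), and a component only meets the target if its SL-C is at least the SL-T in every one of them. The zone target, the component names and their capability vectors are constructed for illustration and do not describe any real product.

```python
"""Added example: checking component SL-C vectors against a zone's SL-T.

Not part of the original page. The zone target and the component
capability vectors below are constructed; the FR abbreviations are those
of IEC 62443-3-3.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# The seven foundational requirements of IEC 62443-3-3, in FR1..FR7 order.
FOUNDATIONAL_REQUIREMENTS: Tuple[str, ...] = (
    "IAC",  # FR1 identification and authentication control
    "UC",   # FR2 use control
    "SI",   # FR3 system integrity
    "DC",   # FR4 data confidentiality
    "RDF",  # FR5 restricted data flow
    "TRE",  # FR6 timely response to events
    "RA",   # FR7 resource availability
)

SLVector = Dict[str, int]  # FR abbreviation -> level 0..4


def sl_vector(*levels: int) -> SLVector:
    """Build an SL vector from seven integers given in FR1..FR7 order."""
    if len(levels) != len(FOUNDATIONAL_REQUIREMENTS):
        raise ValueError("an SL vector needs exactly seven values")
    for level in levels:
        if not 0 <= level <= 4:
            raise ValueError(f"security level {level} is outside 0..4")
    return dict(zip(FOUNDATIONAL_REQUIREMENTS, levels))


@dataclass(frozen=True)
class Component:
    name: str
    sl_c: SLVector  # capability SL claimed by the supplier


def shortfall(sl_c: SLVector, sl_t: SLVector) -> Dict[str, Tuple[int, int]]:
    """Return {FR: (have, need)} for every FR where SL-C is below SL-T."""
    return {fr: (sl_c[fr], sl_t[fr])
            for fr in FOUNDATIONAL_REQUIREMENTS if sl_c[fr] < sl_t[fr]}


def meets_target(sl_c: SLVector, sl_t: SLVector) -> bool:
    """True only if the capability reaches the target in every FR."""
    return not shortfall(sl_c, sl_t)


def zone_gaps(components: List[Component],
              sl_t: SLVector) -> Dict[str, Dict[str, Tuple[int, int]]]:
    """Map each non-conforming component to its per-FR shortfall.

    Components missing from the result meet SL-T in all seven FRs.
    """
    gaps: Dict[str, Dict[str, Tuple[int, int]]] = {}
    for component in components:
        missing = shortfall(component.sl_c, sl_t)
        if missing:
            gaps[component.name] = missing
    return gaps


# Constructed zone target: SL 2 throughout, but SL 3 for data
# confidentiality (DC) and restricted data flow (RDF).
ZONE_SL_T = sl_vector(2, 2, 2, 3, 3, 2, 2)

# Constructed candidate components (hypothetical names and SL-C vectors).
CANDIDATES = [
    Component("controller-A", sl_vector(2, 2, 2, 3, 3, 2, 2)),
    Component("hmi-panel-B", sl_vector(2, 2, 1, 2, 3, 2, 2)),
    Component("switch-C", sl_vector(3, 3, 3, 3, 3, 3, 3)),
]

if __name__ == "__main__":
    for name, gaps in zone_gaps(CANDIDATES, ZONE_SL_T).items():
        detail = ", ".join(f"{fr} (have {have}, need {need})"
                           for fr, (have, need) in gaps.items())
        print(f"{name}: SL-C below SL-T for {detail}")
```

Running the script reports only hmi-panel-B, which falls short in SI and DC; a component that reports a higher level than required (switch-C) is accepted, because the check is a per-FR lower bound, not an exact match. A component listed in the gap report either has to be replaced or its shortfall has to be covered by additional measures in the zone before the zone's SL-A can reach the SL-T.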