Last edit: 23/02/2026
In Functional Safety, the reliability of a Safety Instrumented System is expressed as a SIL (Safety Integrity Level). There are four SIL levels: SIL 1 is the lowest and SIL 4 indicates a very reliable safety control system.
Since the Technical Committee that develops the SIL standards is the same one that develops the IEC 62443 series, it should come as no surprise that it also defined the level of security an Industrial Automation and Control System (IACS) can have, as SL (Security Level).
As with SIL, there are four SL levels (1, 2, 3 and 4), each with an increasing level of security. SL 0 is implicitly defined as no security requirements or security protection necessary.
- SL 1: Protection against casual or coincidental violation
- SL 2: Protection against intentional violation using simple means with low resources, generic skills and low motivation
- SL 3: Protection against intentional violation using sophisticated means with moderate resources, IACS specific skills and moderate motivation
- SL 4: Protection against intentional violation using sophisticated means with extended resources, IACS specific skills and high motivation
The process begins by deciding how secure a system needs to be. This is called the Target Security Level (SL-T) and reflects the level of protection required to manage the identified risks.
Once this target is defined, the system is designed to meet that level of protection. During the design phase, the team checks whether the proposed system can actually reach the required security level. This usually happens through several design revisions, where the expected security of the system is reviewed and compared with the target.
To achieve the required security, suitable components and technologies are selected. If available components do not fully meet the required level, additional protective measures are added to compensate.
After the system is built and put into operation, its actual level of security is evaluated. This achieved security level is then compared with the original target to confirm that the system is adequately protected and that any remaining risks are understood and managed.
Target (SL-T), Achieved (SL-A) and the Capability (SL-C)
That is why IEC 62443 defines three types of Security Level: target, achieved and capability. They are related, but each covers a different stage of the security lifecycle.
- Target SLs (SL-Ts) are the desired level of security for a particular IACS, zone or conduit. An SL-T is usually determined by performing a risk assessment on the system and concluding that it needs a particular level of security to ensure its correct operation.
- Achieved SLs (SL-As) are the actual level of security of a particular system. They are measured once a system design is available or once the system is in place, and are used to establish that the system meets the goals originally set out in the SL-Ts.
- Capability SLs (SL-Cs) are the SLs that components or systems can provide when properly configured. An SL-C states that a particular component or system is capable of meeting a given SL-T natively, without additional compensating countermeasures, when properly configured and integrated.
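The comparison between target, capability and achieved levels is easiest to see on a small worked example. The script below is an added illustration, not code from the page or from the IEC 62443 standard. It assumes the seven foundational requirements (FR 1 to FR 7) and the per-FR SL vector notation of IEC 62443-3-3; the zone, the component SL-C vectors and the compensating countermeasures are constructed figures, and two modelling choices are assumptions of this example only: that without compensating countermeasures a zone can claim, per FR, no more than the lowest SL-C among its components, and that each countermeasure raises exactly one FR to a stated level.

```python
# Added worked example: SL-T vs SL-C vs SL-A gap analysis for one zone.
# The seven FRs and the SL vector notation come from IEC 62443-3-3; every
# number below is constructed for illustration, and the "weakest component
# caps the zone" rule is an assumption of this example, not the standard's.
from dataclasses import dataclass, field

FRS = ("FR1 IAC", "FR2 UC", "FR3 SI", "FR4 DC", "FR5 RDF", "FR6 TRE", "FR7 RA")


def check_vector(v):
    """An SL vector holds one level 0..4 per FR (0 = no specific requirement)."""
    if len(v) != len(FRS) or any(not 0 <= x <= 4 for x in v):
        raise ValueError(f"SL vector must hold {len(FRS)} levels in 0..4: {v!r}")
    return tuple(v)


@dataclass
class Countermeasure:
    """Compensating countermeasure raising one FR of the zone to `level` (assumed model)."""
    name: str
    fr: str
    level: int


@dataclass
class Zone:
    name: str
    sl_t: tuple                                      # target, from the risk assessment
    components: dict = field(default_factory=dict)   # component name -> SL-C vector
    countermeasures: list = field(default_factory=list)

    def weakest_capability(self):
        """Assumption: with no compensating measures, the zone can claim per FR only
        the lowest SL-C found among its components (one weak link caps the zone)."""
        vecs = [check_vector(v) for v in self.components.values()]
        return tuple(min(col) for col in zip(*vecs))

    def achieved(self):
        """SL-A per FR: weakest component SL-C, raised by countermeasures for that FR."""
        base = list(self.weakest_capability())
        for cm in self.countermeasures:
            i = FRS.index(cm.fr)
            base[i] = max(base[i], cm.level)
        return tuple(base)

    def gaps(self):
        """FRs where SL-A is still below SL-T, with the shortfall in levels."""
        return {fr: t - a for fr, t, a in zip(FRS, self.sl_t, self.achieved()) if a < t}

    def meets_target(self):
        return not self.gaps()


def example_zone():
    """Constructed BPCS zone: SL-T from a (hypothetical) risk assessment, three
    components with vendor-declared SL-C vectors, then compensating measures."""
    z = Zone(name="BPCS", sl_t=check_vector((2, 2, 2, 1, 2, 1, 2)))
    z.components["engineering workstation"] = (2, 2, 2, 1, 1, 1, 1)
    z.components["control PLC"] = (1, 1, 2, 0, 1, 0, 1)
    z.components["HMI"] = (2, 2, 1, 1, 1, 1, 1)
    z.countermeasures += [
        Countermeasure("zone firewall with conduit allow-list", "FR5 RDF", 2),
        Countermeasure("central authentication via jump host", "FR1 IAC", 2),
        Countermeasure("application allow-listing on HMI/EWS", "FR3 SI", 2),
        Countermeasure("event forwarding to SIEM", "FR6 TRE", 1),
    ]
    return z


if __name__ == "__main__":
    z = example_zone()
    print("SL-T           :", z.sl_t)
    print("weakest SL-C   :", z.weakest_capability())
    print("SL-A           :", z.achieved())
    print("remaining gaps :", z.gaps())
    print("meets target   :", z.meets_target())
```

Running it shows the point the prose makes in words: the PLC's low SL-C drags the whole zone down to (1, 1, 1, 0, 1, 0, 1) before any compensation, the four countermeasures lift it to (2, 1, 2, 0, 2, 1, 1), and use control, data confidentiality and resource availability remain one level short of the target, so further design revisions (or an accepted residual risk) are needed for those three FRs.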
[IEC 62443-1-1: 2009] 5 Concepts – 5.11 Security levels
5.11.2 Types of security levels – 5.11.2.1 General
Three different types of security levels can be defined as follows:
SL(target) – target security level for a zone or conduit;
SL(achieved) – achieved security level of a zone or conduit;
SL(capability) – security level capability of countermeasures associated with a zone or conduit or inherent security level capability of devices or systems within a zone or conduit.
SL 0: No specific requirements or security protection necessary
SL 0 has multiple meanings depending on the situation in which it is applied. In defining SL-C it means that the component or system fails to meet some of the SL 1 requirements for that particular foundational requirement (FR). This would most likely be the case for components or systems that form part of a larger zone in which other components or systems provide compensating countermeasures. In defining SL-T for a particular zone it means that the asset owner has determined, from the results of their risk analysis, that less than the full set of SL 1 requirements is necessary for that particular FR on that component or system. This is more likely for individual components within a system or zone that do not contribute in any way to the FR-specific requirements. In defining SL-A it means that the particular zone fails to meet some of the SL 1 requirements for that particular FR.
SL 1: Protection against casual or coincidental violation
Casual or coincidental violations of security are usually through the lax application of security policies. These can be caused by well-meaning employees just as easily as they can be by an outsider threat. Many of these violations will be security related and will be handled by enforcing policies and procedures.
A simple example would be an operator who is able to change a set point on the engineering station in the BPCS zone to a value outside the limits determined by the engineering staff. The system did not enforce the proper authentication and use control restrictions to disallow the change by the operator. Another example, using Figure A.1, would be a password sent in clear text over the conduit between the BPCS zone and the DMZ zone, allowing a network engineer to view the password while troubleshooting the system. The system did not enforce proper data confidentiality to protect the password.
A third example would be an engineer who means to access the PLC in one Industrial Network but instead accesses the PLC in a different network. The system did not enforce the proper restriction of data flow that would have prevented the engineer from reaching the wrong system.
SL 2: Protection against intentional violation using simple means with low resources, generic skills and low motivation
Simple means do not require much knowledge on the part of the attacker. The attacker does not need detailed knowledge of security, the domain or the particular system under attack. These attack vectors are well known and there may be automated tools for aiding the attacker. They are also designed to attack a wide range of systems instead of targeting a specific system, so an attacker does not need a significant level of motivation or resources at hand.
An example would be a virus that infects the maintenance workstation in the Plant DMZ zone spreading to the BPCS engineering workstation since they both use the same general purpose operating system. Another example would be an attacker compromising a web server in the enterprise network by an exploit downloaded from the Internet for a publicly known vulnerability in the general purpose operating system of the web server. The attacker uses the web server as a pivot point in an attack against other systems in the enterprise network as well as the industrial network. A third example would be an operator that views a website on the HMI located in Industrial Network #1 which downloads a Trojan that opens a hole in the routers and firewalls to the Internet.
SL 3: Protection against intentional violation using sophisticated means with moderate resources, IACS specific skills and moderate motivation
Sophisticated means require advanced security knowledge, advanced domain knowledge, advanced knowledge of the target system or any combination of these. An attacker going after a SL 3 system will likely be using attack vectors that have been customized for the specific target system. The attacker may use exploits in operating systems that are not well known, weaknesses in industrial protocols, specific information about a particular target to violate the security of the system or other means that require greater motivation as well as skill and knowledge set than are required for SL 1 or 2.
An example of sophisticated means could be password or key cracking tools based on hash tables. These tools are available for download, but applying them takes knowledge of the system (such as the hash of the password to crack). Another example would be an attacker who gains access to the FS-PLC through the serial conduit after gaining access to the control PLC through a vulnerability in its Ethernet controller. A third example would be an attacker who gains access to the data historian by a brute-force attack through the industrial/enterprise DMZ firewall, initiated from the enterprise wireless network.
SL 4: Protection against intentional violation using sophisticated means with extended resources, IACS specific skills and high motivation
SL 3 and SL 4 are very similar in that both involve sophisticated means used to violate the security requirements of the system. The difference is that the attacker is even more motivated and has extended resources at their disposal. These may include high performance computing resources, large numbers of computers or extended periods of time. An example of sophisticated means with extended resources would be using supercomputers or computer clusters to conduct brute-force password cracking using large hash tables.
Another example would be a botnet used to attack a system through multiple attack vectors at once. A third example would be an organized crime group that has the motivation and resources to spend weeks analyzing a system and developing custom "zero-day" exploits.