The SL Vectors

How do we put all this together? The SL Vectors are a key aspect of that!

Safety Instrumented systems have long used Safety Integrity Levels (SILs) to express the level of risk reduction required to protect people and the environment. SILs provide a single, quantitative measure based on the probability of dangerous failures, which can be estimated using well-established reliability models. This makes safety risk assessment complex but largely predictable and measurable.

Security systems, however, operate in a much broader and less predictable context. In addition to protecting health and safety, they must also safeguard operations, intellectual property, and organizational resilience. Security incidents are not typically caused by random failures but by human actions—whether accidental or intentional—making them far more difficult to model quantitatively. As a result, cybersecurity cannot be reduced to a single numerical value in the same way as functional safety and instead relies on layered, risk-based approaches.

Security levels provide a qualitative approach to addressing security for a zone. As a qualitative method, security level definition has applicability for comparing and managing the security of zones within an organization. As more data becomes available and the mathematical representations of risk, threats, and security incidents are developed, this concept will move to a quantitative approach for selection and verification of Security Levels (SL). It will have applicability to both end user companies, and vendors of IACS and security products. It will be used to select IACS devices and countermeasures to be used within a zone and to identify and compare security of zones in different organizations across industry segments.

In the first phase of development, the IEC 62443 series of standards tends to use qualitative SLs, using terms such as “low”, “medium”, and “high”. The asset owner will be required to come up with their own definition of what those classifications mean for their particular application. The long-term goal for the IEC 62443 series is to move as many of the security levels and requirements to quantitative descriptions, requirements and metrics as possible to establish repeatable applications of the standard across multiple companies and industries.

When designing a new system (green field) or revising the security of an existing system (brown field), the first step is to break the system into different zones and define conduits connecting these zones where necessary. Details on how to accomplish this are given in IEC 62443‑3‑2. Once a zone model of the system is established each zone and conduit is assigned a target SL, based on a consequence analysis, which describes the desired security for the respective zone or conduit. During this initial zone and conduit analysis, it is not necessary to have completed a detailed system design. It is sufficient to describe the functionality that should be provided by assets in a zone and the connections between zones in order to meet the security objectives.

Instead of compressing SLs down to a single number, it is possible to use a vector of SLs that uses the seven FRs above instead of a single protection factor. This vector of SLs allows definable separations between SLs for the different FRs using language. This language can be based on the additional consequences associated with security systems or different attacks against the security objectives addressed by the FRs. The language used in the SL definitions can contain practical explanations of how one system is more secure than another without having to relate everything to HSE consequences.

A vector can be used to describe the security requirements for a zone, conduit, component or system better than a single number. This vector may contain either a specific SL requirement or a zero value for each of the foundational requirements.

EXAMPLE 1 → SL-T (BPCS Zone) = { 2 2 0 1 3 1 3 }

EXAMPLE 2 → SL-C (SIS Engineering Workstation) = { 3 3 2 3 0 0 1 }

EXAMPLE 3 → SL-C (RA, FS-PLC) = 4