Security Level
The IEC 62443 measure of how capable an adversary the system is sized to repel — SL 1 stops typos, SL 4 stops nation-states. Expressed as a vector across the seven Foundational Requirements.
Also: SL, SL-T, SL-C, SL-A, Security Level Target, Security Level Capability, Security Level Achieved
A Security Level is the IEC 62443 measure of how capable an adversary a zone, conduit, or component is sized to repel. It is the answer to the question “protect against whom?” expressed on a four-point scale, evaluated per Foundational Requirement.
The four levels
| SL | Adversary the controls must repel |
|---|---|
| SL 1 | Casual or coincidental violation — typos, wrong-button presses, the operator who doesn’t know they’re doing harm. |
| SL 2 | Intentional violation using simple means with low resources, generic skills, low motivation. The opportunistic insider, the script-kiddie. |
| SL 3 | Intentional violation using sophisticated means with moderate resources, IACS-specific skills, moderate motivation. The skilled hacktivist, the targeted criminal. |
| SL 4 | Intentional violation using sophisticated means with extended resources, IACS-specific skills, high motivation. The nation-state. |
Each step up costs disproportionately more to deliver. Most substation OT designs in GB transmission and distribution land at SL 2 across the board, with SL 3 applied selectively on conduits where a forged frame trips primary plant.
SL-T, SL-C, SL-A — three different things
The single letters matter:
- SL-T — Target. What the design says you need. Set during risk assessment under 62443-3-2, per zone and per conduit.
- SL-C — Capability. What a component or system can deliver out of the box, certified against 62443-4-2 (components) or 62443-3-3 (systems). The vendor’s claim.
- SL-A — Achieved. What is actually in place once configuration, integration, and operational practice are taken into account. Always ≤ SL-C, often < SL-C because the deployable feature was switched off for compatibility reasons.
The gap between SL-T and SL-A is the residual risk register. Compensating controls live in that gap.
The SL is a vector, not a scalar
A real Security Level is expressed as a seven-element vector — one number per Foundational Requirement:
```
SL-T(Z-PROC) = { 2,   2,   3,   1,   2,   2,   2 }
                 IAC  UC   SI   DC   RDF  TRE  RA
```
Reading: the process-bus zone must repel SL-2 adversaries against Identification & Authentication Control, SL-3 against System Integrity, SL-1 against Data Confidentiality (the SV stream isn’t sensitive — only forge-resistance matters), and so on.
Most procurement language collapses this to a single scalar (“we need SL 2”), which is technically meaningless but operationally common. The vector is what 62443-3-3 actually mandates.
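The SL-T / SL-C / SL-A comparison and the per-FR vector described above, worked through as an added example (not part of the original page or of any standard's tooling). The function names are hypothetical, the SL-C and SL-A values are constructed, and level 0 is assumed to mean nothing is in place for that FR.

```python
FRS = ("IAC", "UC", "SI", "DC", "RDF", "TRE", "RA")  # FR1..FR7, in the page's order


def sl_vector(values):
    """Validate a seven-element SL vector; return it as an FR -> level dict."""
    values = list(values)
    if len(values) != len(FRS):
        raise ValueError(f"expected {len(FRS)} levels, got {len(values)}")
    for v in values:
        # Assumption: 0 is allowed and means "nothing in place" for that FR.
        if not isinstance(v, int) or not 0 <= v <= 4:
            raise ValueError(f"SL must be an integer 0..4, got {v!r}")
    return dict(zip(FRS, values))


def gap_analysis(sl_t, sl_c, sl_a):
    """Return the FRs where SL-A falls short of SL-T, with the reason.

    capability:    SL-C < SL-T, the component cannot reach the target.
    configuration: SL-C >= SL-T but SL-A < SL-T, the feature exists but is not in effect.
    """
    t, c, a = sl_vector(sl_t), sl_vector(sl_c), sl_vector(sl_a)
    gaps = {}
    for fr in FRS:
        if a[fr] > c[fr]:  # the page's invariant: SL-A is always <= SL-C
            raise ValueError(f"{fr}: SL-A {a[fr]} exceeds SL-C {c[fr]}")
        if a[fr] < t[fr]:
            kind = "capability" if c[fr] < t[fr] else "configuration"
            gaps[fr] = {"target": t[fr], "achieved": a[fr],
                        "shortfall": t[fr] - a[fr], "kind": kind}
    return gaps


def scalar_shortfalls(sl_a, scalar):
    """FRs that a single-number requirement ("we need SL 2") would flag."""
    return [fr for fr, level in sl_vector(sl_a).items() if level < scalar]


# SL-T is the Z-PROC vector from the text; SL-C and SL-A are constructed sample values.
SL_T = (2, 2, 3, 1, 2, 2, 2)
SL_C = (2, 2, 3, 2, 2, 2, 1)  # hypothetical component claim
SL_A = (2, 2, 2, 1, 2, 2, 1)  # hypothetical as-deployed state

if __name__ == "__main__":
    print("scalar 'SL 2' flags:", scalar_shortfalls(SL_A, 2))
    for fr, gap in gap_analysis(SL_T, SL_C, SL_A).items():
        print(f"{fr}: {gap}")
```

With these sample values the scalar check flags DC, which is on target, and misses SI, which is one level short of SL-T.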
The seven Foundational Requirements
Every SL claim is evaluated against these seven:
| FR | Name | What it covers |
|---|---|---|
| FR1 | Identification & Authentication Control (IAC) | Knowing which user, device, or process is acting. |
| FR2 | Use Control (UC) | Enforcing what an authenticated principal is allowed to do. |
| FR3 | System Integrity (SI) | Detecting and preventing unauthorised modification of data, code, configuration. |
| FR4 | Data Confidentiality (DC) | Preventing disclosure of data in transit and at rest. |
| FR5 | Restricted Data Flow (RDF) | Enforcing the zone-and-conduit model on the wire — only documented conduits exist. |
| FR6 | Timely Response to Events (TRE) | Detection, logging, and response capability. |
| FR7 | Resource Availability (RA) | Resilience against resource-exhaustion and denial-of-service. |
For the substation-and-control-centre context, FR3 and FR5 are usually the dominant constraints; FR4 is selectively applied (operator session traffic yes, SV stream no); FR7 is often deferred to the network design rather than the application.
Where the SL maps to mechanism
The SL number is a requirement; it doesn’t tell you how. The “how” comes from elsewhere:
- For DNP3 and IEC 60870-5-104 conduits — IEC 62351-5 Secure Authentication closes the FR3 / FR4 gap.
- For GOOSE and SV — IEC 62351-6 embedded HMAC closes the FR3 gap.
- For MMS station-bus traffic — IEC 62351-3 (TLS) plus IEC 62351-4 close the FR1 / FR3 / FR4 gap.
- For RBAC under FR2 — IEC 62351-8 supplies the role vocabulary.
The 62443 SL number says what protection is required; the 62351 family says what mechanism delivers it on the wire. The two standards are designed to be read together.