IEC 62443 defines four security levels (SL 1 to SL 4) for industrial automation and control systems (IACS), plus a baseline Security Level 0 that carries no requirement:
- Security Level 0: No special requirement or protection is required.
- Security Level 1: Protection against unintentional or accidental misuse.
- Security Level 2: Protection against intentional misuse by simple means with few resources, general skills, and low motivation.
- Security Level 3: Protection against intentional misuse by sophisticated means with moderate resources, IACS-specific knowledge, and moderate motivation.
- Security Level 4: Protection against intentional misuse using sophisticated means with extensive resources, IACS-specific knowledge, and high motivation.
These levels are defined in detail in IEC 62443-3-3.
These security levels in IEC 62443 give organizations a framework for assessing the security of their IACS. By understanding the security level of each IACS, organizations can identify where their security posture needs to improve.
It is important to note that the security levels in IEC 62443 are not absolute. The level of security required for an IACS will vary depending on the specific risks that the IACS faces.
Here is a more detailed explanation of each security level:
Security Level 0: No special requirement or protection required.
At this level, there is no need for any specific security measures. This level is appropriate for IACS that are not connected to any external networks or that do not contain any sensitive data.
Security Level 1: Protection against unintentional or accidental misuse.
At this level, basic security measures are required to protect against unintentional or accidental misuse. These measures may include things like password protection, access control, and configuration management.
Security Level 2: Protection against intentional misuse by simple means with few resources, general skills, and low motivation.
At this level, more comprehensive security measures are required to protect against intentional misuse by attackers with limited resources and skills. These measures may include things like intrusion detection, vulnerability scanning, and security awareness training.
Security Level 3: Protection against intentional misuse by sophisticated means with moderate resources, IACS-specific knowledge, and moderate motivation.
At this level, a high level of security is required to protect against intentional misuse by attackers with moderate resources, IACS-specific knowledge, and moderate motivation. These measures may include things like security architecture reviews, penetration testing, and security incident response planning.
Security Level 4: Protection against intentional misuse using sophisticated means with extensive resources, IACS-specific knowledge, and high motivation.
At this level, the highest level of security is required to protect against intentional misuse by attackers with extensive resources, IACS-specific knowledge, and high motivation. These measures may include things like physical security, data encryption, and security consulting.