ISA/IEC 62443 Standard
The ISA/IEC 62443 standard provides a comprehensive ecosystem of cybersecurity requirements for different actors involved in the life cycle of an electrical distribution or industrial control system. This involves a specific focus on the people, processes, and technology required by these systems.
ISA/IEC 62443 Security Levels
This includes the concept of security assurance levels. The specification defines a series of requirements designed to bring system security to one of the four defined levels. A summary of each level coupled with a characterization of the type of attacker the security level is designed to address is presented in the table below:
Security Levels of ISA/IEC 62443
| Security Level | Target | Skills | Motivation | Means | Resources |
|---|---|---|---|---|---|
| SL1 | Casual or coincidental violations | No Attack Skills | Mistakes | Non-intentional | Individual |
| SL2 | Cybercrime, Hacker | Generic | Low | Simple | Low (Isolated Individual) |
| SL3 | Hacktivist, Terrorist | ICS Specific | Moderate | Sophisticated (Attack) | Moderate (Hacker Group) |
| SL4 | Nation State | ICS Specific | High | Sophisticated (Campaign) | Extended (Multi-disciplinary Teams) |
Risk-Based Approach
ISA/IEC 62443 follows a risk-based approach and can be aligned with the methodology used for functional safety based on IEC 61508. Security assurance levels should be selected based on a risk assessment of the infrastructure and operations, as seen in the example risk matrix below:
Example of Risk Matrix
| IMPACT | LIKELIHOOD | ||||
|---|---|---|---|---|---|
| Remote | Unlikely | Possible | Likely | Certain | |
| Trivial | SL-0 | SL-1 | SL-1 | SL-1 | SL-1 |
| Minor | SL-1 | SL-1 | SL-2 | SL-2 | SL-2 |
| Moderate | SL-1 | SL-2 | SL-2 | SL-3 | SL-3 |
| Major | SL-1 | SL-2 | SL-3 | SL-4 | SL-4 |
| Critical | SL-1 | SL-2 | SL-3 | SL-4 | SL-4 |