Target SL 2 for most OT networks
SL 2 protects against motivated individuals. Most industrial networks target SL 2. Safety systems and critical infrastructure target SL 3.
14.4 IEC 62443 Security Framework
The previous sections covered specific attack types and defenses. IEC 62443 provides the overarching framework that ties them together — a structured approach to assessing risk, defining security requirements, and verifying compliance across the entire industrial automation and control system.
Why IEC 62443 Exists
Section titled “Why IEC 62443 Exists”Before IEC 62443, every vendor and asset owner approached OT security differently. Some applied IT security frameworks that did not account for availability requirements. Others had no framework at all. IEC 62443 created a common language and a structured methodology that works for asset owners, system integrators, and product suppliers.
Key term:
- IACS (Industrial Automation and Control System) — the collective term for all systems used to monitor and control industrial processes, including PLCs, DCS, SCADA, HMIs, and the networks connecting them
Security Levels
Section titled “Security Levels”IEC 62443 defines four Security Levels (SL) based on the threat actor and the resources they would need to mount a successful attack:
| Level | Threat Actor | Description |
|---|---|---|
| SL 1 | Casual violation | Untrained users, accidental misuse |
| SL 2 | Intentional violation | Motivated individuals with basic skills |
| SL 3 | Sophisticated attacks | Skilled attackers with resources |
| SL 4 | State-sponsored attacks | Nation-state actors with significant resources |
Most industrial networks target SL 2. Critical infrastructure (power grids, water treatment) targets SL 3.
Zones and Conduits
Section titled “Zones and Conduits”IEC 62443-3-2 defines Security Zones and Conduits. A zone is a group of assets with the same security requirements and threat exposure. A conduit is a communication path between zones, controlled by firewalls or data diodes.
This maps directly to the Purdue Model: each Purdue level is a security zone, and the connections between levels are conduits.
Applying the Framework
Section titled “Applying the Framework”- Identify zones — group assets by function and threat exposure
- Determine required SL — based on consequence of compromise and likely threat actor
- Design conduits — define what protocols are allowed, in which direction, with what controls
- Implement controls — firewalls, VLANs, access control, monitoring
- Verify — test that controls work as designed
- Document — record the zone/conduit model for audit and maintenance
IEC 62443-4-2 — Component Requirements
Section titled “IEC 62443-4-2 — Component Requirements”Hirschmann switches certified to IEC 62443-4-2 SL 2 provide:
| Requirement | HiOS Feature |
|---|---|
| Unique identification | Each switch has a unique identity |
| Authenticator management | Password policies, certificate support |
| Use control | Role-based access (admin, operator, read-only) |
| Audit log | All configuration changes and access attempts logged |
| Communication integrity | HTTPS, SSH, SNMPv3 |
| Session lock | Automatic timeout after inactivity |
Key Takeaways
Section titled “Key Takeaways”Zones and conduits map to VLANs and firewalls
Each zone is a VLAN or network segment. Each conduit is a firewall rule set. The IEC 62443 model translates directly into network configuration.
What Comes Next
Section titled “What Comes Next”The IEC 62443 framework defines what to protect and how. The next section covers practical hardening — the specific configuration steps that implement the framework on Hirschmann switches and PLCs.
References
Section titled “References”- IEC 62443-3-3:2013 — System security requirements and security levels
- IEC 62443-4-2:2019 — Technical security requirements for IACS components
- IEC 62443-3-2:2020 — Security risk assessment for system design