
The Case for ISA/IEC 62443 Security Level 2 as a Minimum for COTS Components


The purpose of this paper is to recommend that industrial control system components using the widely accepted security standard ISA/IEC 62443-4-2 target conformance to a minimum of security level 2 (SL2), as defined in that standard. The analysis presented here makes the case that SL2 capabilities are necessary for adequate security in this domain, even though the standard also defines a security level 1 (SL1) with fewer requirements. This paper has been developed by the ISA Security Compliance Institute (ISCI), an organization that represents asset owners, product suppliers and certification bodies. ISCI created the ISASecure certification program, an international commercial-off-the-shelf (COTS) product cybersecurity certification program based on the ISA/IEC 62443 standard. The intended audience for this paper is asset owners, product suppliers, system integrators and others in the industrial control system community who provide advice or determine security requirements for off-the-shelf products or for individual control system installations.
The reason for this recommendation is that the definition of SL1 prescribes capabilities to protect components from coincidental or casual access, misuse or manipulation of the component. In particular, SL1 capabilities do not address intentional attacks. SL2 adds security capabilities generally recognized to help mitigate well-known attack scenarios.
