Aim for Security: Stay on Target

Alan Raveling, Senior Technologist | September 11, 2025

The ISA/IEC 62443 series of standards enables organizations to align their security efforts with business risks. The standard uses different categorizations of security levels, Capability (SL-C), Target (SL-T), and Achieved (SL-A), to help identify system capabilities and gaps and to highlight areas for security enhancement in response to the evolving cyber-threat landscape.

A key understanding is that not all systems require the highest level of security (SL-4); rather, the target security level is based on the system's unique purpose and the acceptable amount of risk. Responding to evolving threats and technology requires re-evaluating security posture, because what may have been considered a sophisticated nation-state level effort three years ago has been streamlined and simplified into an attack that anyone with ill intent can perform today. The standards advocate for a balanced approach, weighing the necessity of security measures against their practicality and alignment with the organization's broader risk management strategy.

Understanding Security Levels in ISA/IEC Standards 

Using ISA/IEC 62443 as a resource and guideline will help lay a foundation for enhancing the security maturity of your facility. It's a methodology for understanding present risk and ensuring software and devices meet cybersecurity expectations. It is important to have dedicated conversations regarding each of the categorizations of the security levels present in the devices and systems of your facility: 

  • SL-C represents a system's potential security capabilities
  • SL-T is the organization's ideal security state
  • SL-A reflects the security level achieved at the time of evaluation

The distinction between SL-T and SL-A helps pinpoint the areas where organizations need to focus on closing cybersecurity gaps, possibly caused by outdated technology or insufficient security features in existing equipment. A situation may also arise in which the capabilities of the existing components cannot technically meet the required security level target, which will drive additional action such as upgrading, replacing, or other means of compensating for the deficiency.

Zoning and Conduits: A Strategic Approach 

As there will be many different systems present within a facility, it is important to create ‘zones’ consisting of devices, assets, or systems that work in conjunction to accomplish a task, process, or set of activities. Each zone, based upon its criticality and other factors, will have a security level target assigned. When analyzing the required set of communications between two zones, referred to as a ‘conduit’, the necessity and security of those communications can be reviewed and incorporated into the evaluation of the security level achieved.

When determining the appropriate security level to apply to a zone, it's essential to consider potential threats and avenues of attack, taking into account not only intentional actions but accidental ones as well. It is also important to understand the upstream and downstream consequences of a system or entire zone experiencing a cybersecurity event. While high-profile cyberattacks often make headlines, they may not represent the most common threats organizations encounter or need to prepare for in their defenses. Instead, organizations should assess the security incidents common within their industry, understanding that attackers vary greatly in their resources and objectives, and tailor their defense strategies accordingly.

Considering the Consequences of a Cyberattack 

In the event of a cybersecurity incident, its impact on your organization can appear in several critical areas. 

  • Operations: A breach could lead to significant downtime, affecting everything from a single facility to the entire organization's network, with the duration of this downtime varying widely.
  • Financial: The repercussions extend beyond lost revenue to potential legal and regulatory challenges, not to mention the possibility of a public relations crisis that could change public trust in your brand.
  • Health, Safety, and Environmental (HSE): High impact, high visibility outcomes such as injuries to personnel, building or equipment damage, or environmental impacts stemming from a compromised system. 

Determining the right security level involves assessing these potential impacts and classifying them as low, medium, or high risk, guided by the frameworks provided in the tables in the 62443-3-2 standard. A general guideline and good starting point is to align lower risk levels with lower security levels, ensuring that high-risk scenarios aren't underestimated with lower security levels and vice versa. The goal is to adopt a security posture that effectively reduces these risks to a manageable level in the face of potential cyber threats. 

The Significance of Security Levels: A Biodiesel Example 

Let's put these concepts into a practical perspective with an example: consider a biodiesel production facility. This facility handles hazardous processes and chemicals, but many areas have relatively low-risk activities. First, divide equipment and devices into zones and create communication conduits. These zones might include areas for receiving raw materials, the biodiesel production process, safety systems, and loading finished goods, with each zone carrying varying risk levels. For instance, a minor spill in the raw material area (assigned SL-1) is considered lower risk compared to a critical failure in the processing area's safety systems (which might be assigned SL-3 or SL-4) due to the potential for severe consequences like fires. 

To ensure each zone's security measures are up to par, the organization evaluates the current security state (SL-A) against the potential (SL-C) and works to address any discrepancies. This may involve upgrading equipment or components, enhancing safety protocols, implementing compensating measures, or reassessing target security levels.
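The gap analysis described here and in the earlier discussion of SL-T versus SL-A can be sketched as follows. This is an added example, not part of the original article or of the ISA/IEC 62443 text: it separates assets that fall short of the zone target but could reach it with their existing capability from assets whose SL-C is below the target. The asset names, the per-asset SL values, and the weakest-asset rule for a zone's SL-A are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    name: str
    sl_c: int  # capability: highest level the component can support
    sl_a: int  # achieved: level measured at the time of evaluation

# Constructed sample data. Zone names follow the biodiesel example; the SL-1
# target for raw materials and SL-3 for safety systems come from the article,
# every other number is an assumption made for illustration.
ZONES = {
    "raw-material-receiving": (1, [Asset("scale-hmi", 2, 1), Asset("unload-plc", 1, 1)]),
    "production-process": (2, [Asset("reactor-plc", 3, 1), Asset("historian", 2, 2)]),
    "safety-systems": (3, [Asset("sis-controller", 3, 2), Asset("legacy-gas-detector", 1, 1)]),
    "finished-goods-loading": (1, [Asset("loadout-plc", 2, 1)]),
}

def classify(sl_t, asset):
    """Return the action implied by comparing SL-T with an asset's SL-A and SL-C."""
    for level in (sl_t, asset.sl_c, asset.sl_a):
        if level not in range(0, 5):
            raise ValueError(f"security level out of range 0-4: {level}")
    if asset.sl_a >= sl_t:
        return "meets-target"
    if asset.sl_c >= sl_t:
        return "configure-existing-capability"
    return "upgrade-replace-or-compensate"  # component cannot reach SL-T

def gap_report(zones):
    """List (gap, zone, asset, action) for every shortfall, largest gap first."""
    rows = []
    for zone, (sl_t, assets) in zones.items():
        for asset in assets:
            action = classify(sl_t, asset)
            if action != "meets-target":
                rows.append((sl_t - asset.sl_a, zone, asset.name, action))
    return sorted(rows, key=lambda r: (-r[0], r[1], r[2]))

def zone_achieved(zones):
    """Assumption: a zone's SL-A is that of its weakest asset."""
    return {zone: min(a.sl_a for a in assets) for zone, (_, assets) in zones.items()}

if __name__ == "__main__":
    for gap, zone, name, action in gap_report(ZONES):
        print(f"{zone:24} {name:20} gap={gap} -> {action}")
    print(zone_achieved(ZONES))
```
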

Defining target security levels for zones isn't a one-time task; it requires periodic assessment to adapt to evolving threats, consequences, and technological changes. Effective collaboration among stakeholders is essential to align security efforts with the facility's operational needs, making security an integral part of project planning rather than an afterthought. ISA/IEC 62443 security levels empower organizations to implement a tailored security strategy that addresses the specific risks of each zone, avoiding a blanket approach that may not cover all vulnerabilities adequately. 

Alan Raveling serves as a Senior Technologist at Interstates, where he evaluates and leverages technologies to enhance workforce efficiency and capability. His passion lies in guiding clients through the complexities of enhancing capability and security in a rapidly changing landscape. With almost 20 years of experience, Alan has supported companies of all sizes in their digitization and cybersecurity efforts.
