Industrial IoT Cybersecurity Risk Checker (IEC 62443)

Assess ICS and OT system cyber risk against IEC 62443 security levels

Answer questions about your industrial control system authentication, network segmentation, remote access, patching cadence, and monitoring to assign a Security Level from SL-1 to SL-4 under IEC 62443 and identify gaps in the foundational requirements. For OT security engineers and plant managers. It runs free in your browser on Gera Tools, with nothing uploaded.

Last updated Source: Gera Tools

What are IEC 62443 Security Levels?

IEC 62443 defines four Security Levels reflecting resistance to increasingly capable attackers. SL-1 protects against casual or coincidental violation, SL-2 against simple intentional attacks, SL-3 against sophisticated attacks using control-system-specific skills, and SL-4 against highly resourced, highly motivated attackers.

Industrial control systems were built for reliability, not for facing internet-era attackers, and a single weak path can expose an entire plant. This checker maps your authentication, segmentation, remote access, patching, and monitoring onto the IEC 62443 Security Levels and shows where you fall short of your target.

The four Security Levels

IEC 62443 defines Security Levels by the capability of the attacker each resists:

LevelAttacker profile
SL-1Casual or coincidental violation (e.g., accidental misconfiguration)
SL-2Intentional attacks with simple means, low motivation and resources
SL-3Sophisticated attacks using control-system-specific skills and moderate resources
SL-4Highly resourced, state-level or nation-state actors with extended motivation

Most industrial sites target SL-2, which defends against opportunistic ransomware and script-kiddie attacks. Critical infrastructure (water, power, oil and gas) typically targets SL-3 or above.

The seven foundational requirements

IEC 62443 organises its controls into seven foundational requirements (FRs):

  1. FR1 — Identification and authentication control (IAC): unique identities, strong authentication, and managed credentials for humans and devices.
  2. FR2 — Use control (UC): enforce least privilege so accounts can only do what they need to.
  3. FR3 — System integrity (SI): protect control systems from tampering through patch management and software validation.
  4. FR4 — Data confidentiality (DC): protect sensitive process data in transit and at rest.
  5. FR5 — Restricted data flow (RDF): zone and conduit model — segment the network so IT and OT zones do not mix freely.
  6. FR6 — Timely response to events (TRE): detect, log, and respond to security events before they become incidents.
  7. FR7 — Resource availability (RA): maintain availability of safety-critical systems against denial-of-service.

This checker assesses FR1, FR2, FR3, FR5, and FR6 — the most commonly deficient in the field.

Security is gated by its lowest-scoring control. If your authentication reaches SL-3 but your network is a flat IT/OT mix (SL-1 for FR5), an attacker who gains IT access can reach the OT network unimpeded — your achieved level is SL-1 overall. The tool reports the achieved level as the minimum across all assessed areas.

Worked example — the segmentation gap

Suppose your answers produce:

  • Authentication (FR1): SL-3
  • Use control (FR2): SL-2
  • System integrity / patching (FR3): SL-2
  • Network segmentation (FR5): SL-1 (flat IT/OT network)
  • Monitoring / incident response (FR6): SL-2

Achieved level: SL-1 — one gap caps the whole assessment. Introducing a demilitarized zone (DMZ) between IT and OT, with firewall conduits for specific allowed traffic (historian reads, patch server), typically moves FR5 to SL-2 quickly and raises the overall achieved level.

This is not formal certification

A self-assessment against these questions is a useful gap finder before engaging an IEC 62443 assessor. Formal conformance requires a documented risk assessment covering every zone and conduit in your specific plant, and assessment by qualified auditors against the full set of foundational requirements and system requirements. National regulators (NIS2 in the EU, NERC CIP for North American power utilities) may require formal third-party assessment for critical infrastructure sites.