Industrial control systems were built for reliability, not for facing internet-era attackers, and a single weak path can expose an entire plant. This checker maps your authentication, segmentation, remote access, patching, and monitoring onto the IEC 62443 Security Levels and shows where you fall short of your target.
The four Security Levels
IEC 62443 defines Security Levels by the capability of the attacker each resists:
| Level | Attacker profile |
|---|---|
| SL-1 | Casual or coincidental violation (e.g., accidental misconfiguration) |
| SL-2 | Intentional attacks with simple means, low motivation and resources |
| SL-3 | Sophisticated attacks using control-system-specific skills and moderate resources |
| SL-4 | Highly resourced, state-level or nation-state actors with extended motivation |
Most industrial sites target SL-2, which defends against opportunistic ransomware and script-kiddie attacks. Critical infrastructure (water, power, oil and gas) typically targets SL-3 or above.
The seven foundational requirements
IEC 62443 organises its controls into seven foundational requirements (FRs):
- FR1 — Identification and authentication control (IAC): unique identities, strong authentication, and managed credentials for humans and devices.
- FR2 — Use control (UC): enforce least privilege so accounts can only do what they need to.
- FR3 — System integrity (SI): protect control systems from tampering through patch management and software validation.
- FR4 — Data confidentiality (DC): protect sensitive process data in transit and at rest.
- FR5 — Restricted data flow (RDF): zone and conduit model — segment the network so IT and OT zones do not mix freely.
- FR6 — Timely response to events (TRE): detect, log, and respond to security events before they become incidents.
- FR7 — Resource availability (RA): maintain availability of safety-critical systems against denial-of-service.
This checker assesses FR1, FR2, FR3, FR5, and FR6 — the most commonly deficient in the field.
Why the weakest link determines your level
Security is gated by its lowest-scoring control. If your authentication reaches SL-3 but your network is a flat IT/OT mix (SL-1 for FR5), an attacker who gains IT access can reach the OT network unimpeded — your achieved level is SL-1 overall. The tool reports the achieved level as the minimum across all assessed areas.
Worked example — the segmentation gap
Suppose your answers produce:
- Authentication (FR1): SL-3
- Use control (FR2): SL-2
- System integrity / patching (FR3): SL-2
- Network segmentation (FR5): SL-1 (flat IT/OT network)
- Monitoring / incident response (FR6): SL-2
Achieved level: SL-1 — one gap caps the whole assessment. Introducing a demilitarized zone (DMZ) between IT and OT, with firewall conduits for specific allowed traffic (historian reads, patch server), typically moves FR5 to SL-2 quickly and raises the overall achieved level.
This is not formal certification
A self-assessment against these questions is a useful gap finder before engaging an IEC 62443 assessor. Formal conformance requires a documented risk assessment covering every zone and conduit in your specific plant, and assessment by qualified auditors against the full set of foundational requirements and system requirements. National regulators (NIS2 in the EU, NERC CIP for North American power utilities) may require formal third-party assessment for critical infrastructure sites.