The Effective ICS Cybersecurity Using the IEC 62443 Standard whitepaper, published by SANS Institute (originally November 2020, updated December 2023), explains how the IEC 62443 standard guides industrial control system (ICS) owners, integrators, and manufacturers in designing and implementing a cybersecurity program. The paper covers the standard's security level model, zone and conduit segmentation approach, and the seven foundational requirements used to structure ICS defenses, alongside an analysis of how Fortinet's product line maps to those requirements.
Key findings:
- IEC 62443 defines four security levels (SL 1 through SL 4), ranging from protection against casual or coincidental violation at SL 1 to protection against highly resourced, highly motivated attackers at SL 4
- Remediation of ICS cybersecurity findings identified during an assessment typically takes one to three years to complete, often outlasting the relevance of the original assessment
- IEC 62443-3-3 organizes ICS security into seven foundational requirements: identification and authentication control, use control, system integrity, data confidentiality, restricted data flow, timely response to events, and resource availability
- An organization's achieved security level (SL-A) is calculated as a function of at least eight factors, including countermeasure capability, the SL of communicating zones, conduit type, attacker expertise, and time
- A segmented security approach, where different zones operate at different target SLs, is described as more cost-effective and easier to maintain than a monolithic approach that brings every zone to SL 4
- The standard's cybersecurity management system (CSMS) addresses risk through three parallel approaches: security policy and awareness, security countermeasures, and implementation
- IEC 62443's security maturity model defines five phases: concept, functional analysis, implementation, operations, and recycle and disposal
- The Purdue Reference Model, still used as IEC 62443's reference architecture, traces back to a 1989 ISA publication on computer-integrated manufacturing
- Untrusted conduits are identified specifically when either communicating party operates at a different security level than the reference zone, not simply based on network location
- At the time of writing, Fortinet had mapped 84 out-of-the-box detection rules to MITRE ATT&CK for ICS techniques within its FortiSIEM and FortiEDR products
The paper's central argument is that effective ICS cybersecurity depends on treating risk as dynamic rather than solving it with a one-time, sequential roadmap. Segmenting an ICS into zones and conduits with individually assigned security levels lets organizations focus resources on the areas of highest consequence, rather than applying uniform, maximum-strength controls everywhere. That segmentation has to be paired with periodic reassessment, since a zone's achieved security level depends on time-sensitive factors like attacker capability and countermeasure degradation, not a static, one-time certification.
This is a SANS Analyst Program whitepaper written for ICS asset owners, system integrators, and security teams responsible for designing or auditing an ICS cybersecurity program, and is sponsored by Fortinet.