Security Level (SL) commonly refers to a defined, measurable degree of cybersecurity protection required or achieved by a system, device, network zone, or process. In industrial and manufacturing environments, it is usually expressed as an ordinal scale (for example SL0 to SL4) that describes how resistant an asset or zone is to specific types of cyber threats.
Core meaning in industrial and OT environments
In operational technology (OT) and industrial control system contexts, a Security Level is typically used to describe:
- The strength of technical and procedural protections applied to an asset or zone
- The type of attacker or threat the protections are intended to withstand (for example casual misuse vs. highly skilled, well-resourced attackers)
- A target or achieved state used in risk assessments, security design, and validation activities
Standards and guidance documents often define Security Level scales with descriptions such as:
- SL0: No specific security requirements beyond basic functionality
- SL1: Protection against casual or coincidental violation
- SL2: Protection against intentional violation using simple means
- SL3: Protection against intentional violation using sophisticated means
- SL4: Protection against intentional violation using sophisticated means and resources
The exact wording varies by standard, but the intent is to have a consistent way to express how robust a system’s security controls are expected to be.
How Security Levels are used operationally
In manufacturing and other regulated operations, Security Levels may be used to:
- Classify network zones or conduits, such as separating office IT, MES, and safety-critical control networks and assigning each an SL target.
- Specify security requirements for systems like PLCs, HMIs, data historians, MES, and ERP interfaces (for example “the control network must achieve SL2”).
- Guide design and selection of controls, including authentication, authorization, encryption, logging, and physical protections needed to reach the target SL.
- Support risk assessments, by linking threat scenarios and consequence assessments to an appropriate SL target.
- Provide a basis for verification, where tests, reviews, or assessments check whether implemented controls are consistent with the stated Security Level.
Security Levels can apply to individual components (for example a firewall or controller) or to a system or zone as a whole. In practice, many organizations use SLs at the zone/conduit level for clarity.
Relationship to standards
Several industrial cybersecurity standards and frameworks use the concept of Security Levels or very similar graded scales. While names and exact definitions differ, they share the idea of mapping:
threat capability → required protection strength → assigned Security Level.
Examples include standards focused on industrial automation, control systems, and their integration with higher-level systems such as MES, historians, and enterprise IT. These standards typically define:
- Target SLs for different use cases or risk scenarios
- Capabilities or requirements associated with each SL for controls like identification, authentication, use control, system integrity, and data confidentiality
Organizations then map their system architecture (field devices, controllers, OT networks, DMZs, MES, cloud connectors) to those target Security Levels as part of a structured cybersecurity program.
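As an added illustration of the zone-level targets and verification described above (an added example, not code from any standard or from the source of this page), the following Python example compares each zone's target SL with assessed levels for the control categories just listed and reports the shortfalls. The zone names and scores are constructed, and two rules are assumptions: a zone's achieved SL is its weakest category, and an unassessed category counts as SL0.

```python
from dataclasses import dataclass, field

# Control categories as listed on this page; levels use the SL0-SL4 scale.
CATEGORIES = ("identification", "authentication", "use_control",
              "system_integrity", "data_confidentiality")

@dataclass
class Zone:
    name: str
    target_sl: int                                 # target assigned by risk assessment
    assessed: dict = field(default_factory=dict)   # category -> assessed level

    def __post_init__(self):
        unknown = set(self.assessed) - set(CATEGORIES)
        if unknown:
            raise ValueError(f"{self.name}: unknown categories {sorted(unknown)}")
        for level in (self.target_sl, *self.assessed.values()):
            if not isinstance(level, int) or not 0 <= level <= 4:
                raise ValueError(f"{self.name}: SL must be an integer 0..4")

    def level(self, category):
        # Assumption: a category nobody assessed counts as SL0, not as a pass.
        return self.assessed.get(category, 0)

def achieved_sl(zone):
    """Assumption: the zone is only as strong as its weakest category."""
    return min(zone.level(c) for c in CATEGORIES)

def gaps(zone):
    """Shortfall per category whose assessed level is below the zone target."""
    return {c: zone.target_sl - zone.level(c)
            for c in CATEGORIES if zone.level(c) < zone.target_sl}

def assess(zones):
    """Map zone name -> (target SL, achieved SL, gaps)."""
    return {z.name: (z.target_sl, achieved_sl(z), gaps(z)) for z in zones}

# Constructed sample architecture: hypothetical zones and assessment scores.
ZONES = [
    Zone("control_network", 2, {"identification": 2, "authentication": 2,
         "use_control": 2, "system_integrity": 1, "data_confidentiality": 2}),
    Zone("mes_zone", 2, {"identification": 2, "authentication": 2,
         "use_control": 2, "system_integrity": 2, "data_confidentiality": 3}),
    Zone("safety_zone", 3, {"identification": 3, "authentication": 3,
         "use_control": 3, "system_integrity": 3}),  # confidentiality not assessed
]

if __name__ == "__main__":
    for name, (target, achieved, gap) in assess(ZONES).items():
        print(f"{name}: target SL{target}, achieved SL{achieved}, gaps {gap or 'none'}")
```

Exceeding the target in one category (as in the constructed MES zone) does not offset a shortfall in another, which is why the comparison is made per category and not on a single averaged score.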
What Security Level (SL) does and does not include
Typically includes:
- An ordinal scale (for example 0 to 4) describing strength of cybersecurity protections
- Assumptions about the skills, motivation, and resources of potential attackers
- A set of control expectations linked to each level
Typically does not include:
- A guarantee of safety or compliance outcomes
- A direct measurement of residual risk or likelihood of incident
- A detailed implementation design for specific products or vendors
Common confusion
- Security Level vs. Safety Integrity Level (SIL): SIL is used in functional safety to describe the reliability required of safety functions. Security Level is used for cybersecurity protection strength. They address different risk dimensions, even though both use tiered levels.
- Security Level vs. network classification labels: Labels such as “trusted”, “untrusted”, “DMZ”, or corporate sensitivity labels are descriptive categories. A Security Level is usually a more formal, standards-aligned scale tied to threat capabilities and defined control sets.
- Security Level vs. maturity level: Security Levels describe the strength of protections for a system or zone, while security maturity models assess how developed an organization’s overall security processes and governance are.
Context in manufacturing and regulated operations
In regulated manufacturing environments, Security Levels are often referenced when defining security requirements for systems that handle production control, batch records, quality data, traceability, and other critical information flows. Assigning and documenting SL targets can help align engineering, IT, OT, and quality teams when designing architectures, selecting controls, and planning assessments for MES, SCADA, and plant-floor networks.