Instead of compressing a zone or control system into a single Security Level number, ISA/IEC 62443 can express a vector of seven values — one Security Level per Foundational Requirement (FR). Annex A of Part 3-3 discusses this vector approach; risk-assessment practice in Part 3-2 (Clause A.3.1 themes) uses the same idea when setting targets.
Reference: ISA/IEC 62443-3-3, Annex A (Discussion of the SL vector)
Related reference: ISA/IEC 62443-3-2, Clause A.3.1 (vector examples in training)
Related:
Foundational Requirements overview
|
Annex B mapping
|
Security Levels
Different FRs can legitimately need different strengths in the same zone. A BPCS area may demand strong restricted data flow and integrity while accepting a lower confidentiality target if little sensitive data leaves that zone. The vector keeps those differences visible instead of forcing a single “the zone is SL-3” slogan.
SL-?(domain) = { IAC , UC , SI , DC , RDF , TRE , RA }
Teaching examples (values illustrative of the style used in Annex A):
The chart compares three vectors on the same seven FR axes (0 at centre → 4 at the rim):
| Vector | IAC | UC | SI | DC | RDF | TRE | RA |
|---|---|---|---|---|---|---|---|
| SL-T (target) | 3 | 3 | 4 | 2 | 4 | 3 | 4 |
| SL-C (capability) | 2 | 2 | 3 | 1 | 2 | 1 | 2 |
| SL-A (achieved) | 0 | 1 | 0 | 1 | 1 | 0 | 1 |
Green is the risk-derived target; blue is what the current design/products can support; red is what is measured in place. Gaps drive compensating countermeasures, redesign or procurement — not a claim that the zone as a whole “is SL-3”.