Why Security Levels and Maturity Levels Are Often Confused in IEC 62443
Security levels and maturity levels are often mixed up in IEC 62443 discussions. This post explains what each one really means and why confusing them leads to wrong design and certification decisions.
IEC 62443
Daniel Yagüe
1/22/2026, 3 min read


Security Levels: Who Are You Protecting Against?
In IEC 62443, security levels are not abstract scores or labels. They are a way to describe the kind of attacker your system or component is expected to resist.
Security levels are defined and enforced through technical requirements, mainly in:
IEC 62443-3-3 (system security requirements and security levels)
IEC 62443-4-2 (technical security requirements for components)
These two documents translate the abstract concept of a “security level” into concrete, testable requirements. The higher the security level, the more specific and demanding those requirements become. Moving from Security Level 1 to Security Level 3 or 4 is not a matter of ticking a box; it requires additional capabilities, stronger controls, and more restrictive design decisions at both system and component level.
Security levels are based on the means, resources, skills, and motivation of the threat actor. In other words, security levels help answer a very concrete question: who do we expect to defend against, and how capable is that attacker?
Capability, Target, and Achieved Security Levels
IEC 62443 distinguishes between three different uses of security levels, which is where confusion often starts.
Capability Security Level: This describes what a component or system can provide by design, when properly configured, without additional compensating controls.
Target Security Level: This is the desired security level for an automation solution, obtained from the risk assessment and documented in the cybersecurity requirements specification.
Achieved Security Level: This is the security level that is actually reached once the solution is integrated, commissioned, and operating.
These distinctions matter because security levels directly influence product selection, system architecture, and the amount of additional countermeasures required during integration.
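As an added example (not from the post), the three uses of a security level can be turned into a concrete gap check. IEC 62443-3-3 expresses a security level as a vector over its seven foundational requirements; the snippet below assumes, as a simplification that is not taken from the standard, that without compensating controls the weakest component bounds a zone on each requirement, and it uses constructed sample values for SL-T and the components' SL-C.

```python
from dataclasses import dataclass
from typing import Dict, Iterable

# The seven foundational requirements (FRs) of IEC 62443-3-3; a security level
# is a vector of one value (0-4) per FR rather than a single number.
FOUNDATIONAL_REQUIREMENTS = ("IAC", "UC", "SI", "DC", "RDF", "TRE", "RA")


@dataclass
class SLVector:
    """Security level per foundational requirement (values 0-4)."""
    levels: Dict[str, int]

    def __post_init__(self) -> None:
        for fr in FOUNDATIONAL_REQUIREMENTS:
            lvl = self.levels.get(fr, 0)
            if not 0 <= lvl <= 4:
                raise ValueError(f"{fr}: security level {lvl} outside 0..4")

    def level(self, fr: str) -> int:
        return self.levels.get(fr, 0)


def zone_capability(components: Iterable[SLVector]) -> SLVector:
    """Baseline SL a zone reaches from its components' SL-C alone.

    Simplifying assumption (not from the standard): with no compensating
    controls, the weakest component bounds the zone on every FR.
    """
    comps = list(components)
    return SLVector({fr: min(c.level(fr) for c in comps) for fr in FOUNDATIONAL_REQUIREMENTS})


def sl_gap(target: SLVector, baseline: SLVector) -> Dict[str, int]:
    """FRs where SL-T exceeds what the components provide, with the shortfall.

    A non-empty result means the integrator must add compensating
    countermeasures (or change components) before SL-A can meet SL-T.
    """
    return {fr: target.level(fr) - baseline.level(fr)
            for fr in FOUNDATIONAL_REQUIREMENTS
            if target.level(fr) > baseline.level(fr)}


# Constructed sample: an SL-T from a risk assessment and two components' SL-C.
TARGET = SLVector({"IAC": 3, "UC": 3, "SI": 2, "DC": 2, "RDF": 3, "TRE": 2, "RA": 2})
PLC = SLVector({"IAC": 2, "UC": 2, "SI": 2, "DC": 1, "RDF": 2, "TRE": 2, "RA": 2})
HMI = SLVector({"IAC": 3, "UC": 3, "SI": 2, "DC": 2, "RDF": 1, "TRE": 2, "RA": 3})

if __name__ == "__main__":
    baseline = zone_capability([PLC, HMI])
    print("gap per FR:", sl_gap(TARGET, baseline))  # {'IAC': 1, 'UC': 1, 'DC': 1, 'RDF': 2}
```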
Maturity Levels: This Is About Processes, Not Products
Maturity levels in IEC 62443 apply only to processes and documentation, not to systems or components.
They describe how well an organization performs a given process, not how secure a product is.
The standard defines four maturity levels:
Maturity Level 1 – Initial
Processes exist, but they are informal or ad hoc.
Maturity Level 2 – Managed
Processes are documented, but not necessarily repeatable.
Maturity Level 3 – Defined
Processes are documented, repeatable, and consistently followed.
Maturity Level 4 – Improving
Processes are measured and subject to continuous improvement.
What matters most in practice is understanding that maturity levels answer a very different question than security levels: how reliably does the organization execute its security-related activities?
Choosing a Maturity Level for IEC 62443-4-1
When an organization decides to get certified against IEC 62443-4-1 (Secure Product Development Lifecycle), one of the first decisions it must make is which maturity level it is targeting for its process.
In practice:
Maturity Level 2 is the minimum realistic entry point.
At this level, the secure development process is documented and defined. This is the minimum maturity level typically expected when certifying a development process for the first time.
Maturity Level 3 becomes achievable once the organization starts developing and certifying multiple products using the same process.
At that point, it becomes possible to demonstrate that the process is repeatable and consistently applied, not just documented.
This progression is important. Most organizations do not start at Maturity Level 3, and that is normal. They document the process first, get it certified at Maturity Level 2, and then naturally evolve toward higher maturity as evidence accumulates through real product development.
A Practical Note on Getting Started
One of the main challenges with IEC 62443-4-1 is not understanding the requirements, but turning them into a structured, auditable process.
This is exactly where our predefined, structured process document becomes useful. A well-designed process template aligned with IEC 62443-4-1 can serve as a solid starting point for organizations aiming to achieve Maturity Level 2, providing a documented baseline that can be adapted to the company’s existing development practices and later used to demonstrate repeatability.
Wrapping up!!
Security levels define what technical protections are required, mainly through IEC 62443-3-3 and 4-2.
Maturity levels define how well your organization executes the processes that produce those protections, through IEC 62443-4-1.
They are different concepts, but they meet in real projects. Strong security levels without mature processes are fragile. Mature processes without clear security targets are ineffective. IEC 62443 only really works when both are treated seriously and in the right order.
