Module 2: Security-level allocation (3/3)
Gap analysis: SL-C vs SL-T
What is a gap analysis?
You now have SL-T (target) for each zone — what you need. The gap analysis compares SL-T against SL-C (capability) — what the current system can actually deliver.
Formula
Gap = SL-T − SL-C (per FR)
Any FR where SL-C < SL-T is a gap that requires remediation.
How to measure SL-C
SL-C is measured by testing each System Requirement (SR) from IEC 62443-3-3 against the current system configuration:
- List all SRs required at the zone's SL-T for each FR.
- Test each SR — does the current system meet it? Pass/fail.
- The SL-C for each FR is the highest SL at which all required SRs pass.
Worked example
Zone 1, FR 1 (IAC), SL-T = 2:
Required SRs: SR 1.1 (base), SR 1.1 RE 1 (unique identification).
Test: PLCs accept connections from any source without authentication. SR 1.1 (base) = FAIL.
SL-C for FR 1 = SL 0.
Gap: SL-T 2 − SL-C 0 = 2 levels.
The gap analysis table
| Zone | FR | SL-T | SL-C | Gap | Root cause | Remediation |
|---|---|---|---|---|---|---|
| Zone 1 | FR 1 (IAC) | 2 | 0 | 2 | Modbus/S7comm have no auth | Protocol-aware FW with source ACL |
| Zone 1 | FR 5 (RDF) | 3 | 1 | 2 | Flat VLAN, no DPI | Deploy protocol-aware firewall |
| Zone 1 | FR 6 (TRE) | 2 | 0 | 2 | No monitoring | Deploy ICS network monitor |
| Zone 2 | FR 1 (IAC) | 3 | 1 | 2 | TriStation has basic auth only | Upgrade firmware for MFA |
| Zone 2 | FR 5 (RDF) | 3 | 2 | 1 | Firewall exists but not unidirectional | Install data diode |
| Zone 3 | FR 3 (SI) | 2 | 1 | 1 | AV installed but no whitelisting | Deploy AppLocker |
| Zone 4 | FR 2 (UC) | 2 | 1 | 1 | Shared service accounts | Implement unique accounts + RBAC |
Prioritising gaps
Not all gaps are equal. Prioritise by:
1. Risk impact
Gaps in zones with higher consequence scores get priority. A gap in the SIS zone (Zone 2) is more urgent than the same gap in the enterprise zone (Zone 5).
2. Gap magnitude
A gap of 2 or more levels indicates a fundamental control is missing. A gap of 1 level usually means an existing control needs enhancement.
3. Cost-effectiveness
Some gaps are cheap to close. Deploying AppLocker on existing Windows HMIs costs almost nothing. Installing a data diode costs $50K–$150K. Prioritise quick wins.
Key takeaway
The 80/20 rule
In most assessments, 20% of the gaps account for 80% of the risk. Identify these — they are almost always related to FR 1 (authentication) and FR 5 (network segmentation).
Prioritisation matrix
| Priority | Criteria | Action timeline |
|---|---|---|
| P1 — Critical | Gap ≥ 2 in a zone with Critical/High risk | Remediate within 30 days |
| P2 — High | Gap ≥ 2 in a Medium-risk zone, or gap = 1 in a High-risk zone | Remediate within 90 days |
| P3 — Medium | Gap = 1 in a Medium-risk zone | Remediate within 180 days |
| P4 — Low | Gap = 1 in a Low-risk zone | Remediate at next planned outage |
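The SL-C derivation, the Gap = SL-T − SL-C formula and the prioritisation matrix above, carried through in code as an added example that is not part of the course material. The SR-to-level mapping, the zone risk ratings and the function names are constructed for illustration, not taken from IEC 62443-3-3.

```python
# Added example, not from the course: derive SL-C per FR from SR pass/fail
# results, compute Gap = SL-T - SL-C, and assign P1-P4 from the matrix above.

# Constructed sample of which SRs must pass at each SL for an FR; illustrative
# only, the real requirement sets come from IEC 62443-3-3.
REQUIRED_SRS = {
    "FR 1": {1: ["SR 1.1"], 2: ["SR 1.1", "SR 1.1 RE 1"],
             3: ["SR 1.1", "SR 1.1 RE 1", "SR 1.1 RE 2"]},
    "FR 5": {1: ["SR 5.1"], 2: ["SR 5.1", "SR 5.1 RE 1"],
             3: ["SR 5.1", "SR 5.1 RE 1", "SR 5.1 RE 2"]},
}

def sl_c(fr, results):
    """Highest SL at which every required SR passes (SL 0 if none).
    results: SR name -> True/False; an untested SR counts as a fail."""
    level = 0
    for sl in sorted(REQUIRED_SRS[fr]):
        if not all(results.get(sr, False) for sr in REQUIRED_SRS[fr][sl]):
            break  # levels are cumulative: failing SL n rules out SL n+1
        level = sl
    return level

def gap(sl_t, sl_c_value):
    """Gap = SL-T - SL-C, floored at 0 (exceeding the target is not a gap)."""
    return max(sl_t - sl_c_value, 0)

def priority(gap_value, zone_risk):
    """P1-P4 per the prioritisation matrix. Assumed for cells it leaves
    unstated: Critical is treated like High; gap >= 2 in a Low zone is P3."""
    if gap_value <= 0:
        return None
    high = zone_risk in ("Critical", "High")
    if gap_value >= 2 and high:
        return "P1"
    if (gap_value >= 2 and zone_risk == "Medium") or (gap_value == 1 and high):
        return "P2"
    if zone_risk == "Medium" or gap_value >= 2:
        return "P3"
    return "P4"

def analyse(zone, fr, sl_t, zone_risk, results):
    # One gap-analysis table row for a zone/FR pair.
    c = sl_c(fr, results)
    g = gap(sl_t, c)
    return {"zone": zone, "fr": fr, "sl_t": sl_t, "sl_c": c,
            "gap": g, "priority": priority(g, zone_risk)}

# The course's worked example: Zone 1, FR 1, SL-T 2, SR 1.1 base fails.
# Zone 1's "High" risk rating is a constructed assumption.
ZONE1_FR1 = analyse("Zone 1", "FR 1", 2, "High", {"SR 1.1": False, "SR 1.1 RE 1": False})
```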
Remediation options
For each gap, you have three options:
- Implement the missing control — the preferred option. Close the gap directly.
- Implement a compensating control — when the native control is not feasible (e.g. the protocol doesn't support authentication). The compensating control must provide equivalent risk reduction.
- Accept the residual risk — when remediation is grossly disproportionate. Requires formal management approval and documentation in the risk register.
Compensating controls for common OT gaps
| Gap | Native control (not feasible) | Compensating control |
|---|---|---|
| FR 1: Modbus has no auth | Add authentication to Modbus | Protocol-aware FW allowing only specific source IPs |
| FR 3: PLC has no AV | Install AV on PLC | Application whitelisting on the engineering WS + PLC change detection |
| FR 4: S7comm is cleartext | Encrypt S7comm | Dedicated VLAN with no other traffic; physical access control |
| FR 7: Legacy PLC has no DoS protection | Firmware upgrade for rate limiting | QoS policy on upstream switch; dedicated VLAN |
Feeding results into the risk register
Each gap becomes a row in the risk register with:
- Gap ID — linked to the zone and FR.
- Priority — P1 through P4.
- Remediation plan — what will be done.
- Owner — who is responsible.
- Target date — when it will be closed.
- Verification method — how you will confirm the gap is closed.
Key Takeaways
- Gap analysis compares SL-T (what you need) against SL-C (what you have) per FR per zone.
- Any FR where SL-C < SL-T is a gap requiring remediation.
- Prioritise by risk impact, gap magnitude, and cost-effectiveness.
- The most common gaps are in FR 1 (authentication) and FR 5 (network segmentation).
- When native controls are infeasible, implement compensating controls with equivalent risk reduction.
Knowledge Check
3 questions — test your understanding before moving on.
Q1. What does a gap analysis compare?
- The cost of two different firewall vendors.
- SL-T (what you need) against SL-C (what the current system can deliver), per FR per zone.
- The number of devices in each zone.
- The severity of different CVEs.
A gap analysis compares the target Security Level (SL-T) against the current capability (SL-C) for each Foundational Requirement in each zone. Any FR where SL-C < SL-T is a gap requiring remediation.
Q2. Which two Foundational Requirements most commonly have the largest gaps in OT environments?
- FR 4 (Data Confidentiality) and FR 7 (Resource Availability).
- FR 1 (Identification & Authentication) and FR 5 (Restricted Data Flow / Network Segmentation).
- FR 3 (System Integrity) and FR 6 (Timely Response).
- FR 2 (Use Control) and FR 4 (Data Confidentiality).
FR 1 and FR 5 are the most common gaps because most ICS protocols have no authentication (FR 1 gap) and many brownfield plants have flat networks without zone segmentation (FR 5 gap). These two FRs typically account for 80% of the risk.
Q3. When a native security control is not feasible (e.g. Modbus cannot support authentication), what should you implement?
- Nothing — accept the vulnerability as inherent.
- A compensating control that provides equivalent risk reduction, such as a protocol-aware firewall with source-IP ACL.
- A complete replacement of all affected devices.
- An insurance policy to cover the potential loss.
When native controls are infeasible, IEC 62443 requires compensating controls that provide equivalent risk reduction. For Modbus authentication gaps, a protocol-aware firewall restricting access to specific source IPs and blocking write function codes is a standard compensating control.