ISA/IEC 62443-3-3 Annex B (informative) shows which system requirements (SRs) and requirement enhancements (REs) are expected for each FR when claiming capability Security Levels SL-C(FR, control system) = 1…4.
Reference: ISA/IEC 62443-3-3, Annex B, Table B.1
Related:
Foundational Requirements overview
|
FR / SL Vector
|
Security Levels
For a chosen FR, every check that falls under the target SL-C must be supported. Example teaching points from Annex B:
A full zone posture is still expressed as a seven-element vector — see FR / SL Vector.
✓ means the SR or RE is required from that SL upward for the FR’s SL-C claim.
Detail page: IEC 62443-3-3 FR 1
| SR / RE (teaching label) | SL 1 | SL 2 | SL 3 | SL 4 |
|---|---|---|---|---|
| SR 1.1 Human user identification and authentication (base) | ✓ | ✓ | ✓ | ✓ |
| SR 1.1 RE(1) Unique identification and authentication | ✓ | ✓ | ✓ | |
| SR 1.1 RE(2) Multifactor authentication for untrusted networks | ✓ | ✓ | ||
| SR 1.1 RE(3) Multifactor authentication for all networks | ✓ | |||
| SR 1.2 Software process and device identification and authentication (base) | ✓ | ✓ | ✓ | |
| SR 1.2 RE(1) Unique identification and authentication | ✓ | ✓ | ||
| SR 1.3 Account management (base) | ✓ | ✓ | ✓ | ✓ |
| SR 1.3 RE(1) Unified account management | ✓ | ✓ | ||
| SR 1.4 Identifier management | ✓ | ✓ | ✓ | ✓ |
| SR 1.5 Authenticator management (base) | ✓ | ✓ | ✓ | ✓ |
| SR 1.5 RE(1) Hardware security for software process identity credentials | ✓ | ✓ | ||
| SR 1.6 Wireless access management (base) | ✓ | ✓ | ✓ | ✓ |
| SR 1.6 RE(1) Unique identification and authentication | ✓ | ✓ | ✓ | |
| SR 1.7 Strength of password-based authentication (base) | ✓ | ✓ | ✓ | ✓ |
| SR 1.7 RE(1) Password generation and lifetime restrictions for human users | ✓ | ✓ | ||
| SR 1.7 RE(2) Password lifetime restrictions for all users | ✓ | |||
| SR 1.8 Public key infrastructure certificates | ✓ | ✓ | ✓ | |
| SR 1.9 Strength of public key authentication (base) | ✓ | ✓ | ✓ | |
| SR 1.9 RE(1) Hardware security for public key authentication | ✓ | ✓ | ||
| SR 1.10 Authenticator feedback | ✓ | ✓ | ✓ | ✓ |
| SR 1.11 Unsuccessful login attempts | ✓ | ✓ | ✓ | ✓ |
| SR 1.12 System use notification | ✓ | ✓ | ✓ | ✓ |
| SR 1.13 Access via untrusted networks (base) | ✓ | ✓ | ✓ | ✓ |
| SR 1.13 RE(1) Explicit access request approval | ✓ | ✓ | ✓ |
Detail page: IEC 62443-3-3 FR 2
| SR / RE (teaching label) | SL 1 | SL 2 | SL 3 | SL 4 |
|---|---|---|---|---|
| SR 2.1 Authorization enforcement (base) | ✓ | ✓ | ✓ | ✓ |
| SR 2.1 RE(1) Authorization enforcement for all users | ✓ | ✓ | ✓ | |
| SR 2.1 RE(2) Permission mapping to roles | ✓ | ✓ | ✓ | |
| SR 2.1 RE(3) Supervisor override | ✓ | ✓ | ||
| SR 2.1 RE(4) Dual approval | ✓ | |||
| SR 2.2 Wireless use control (base) | ✓ | ✓ | ✓ | ✓ |
| SR 2.2 RE(1) Identify and report unauthorized wireless devices | ✓ | ✓ | ||
| SR 2.3 Use control for portable and mobile devices (base) | ✓ | ✓ | ✓ | ✓ |
| SR 2.3 RE(1) Enforcement of security status of portable and mobile devices | ✓ | ✓ | ||
| SR 2.4 Mobile code (base) | ✓ | ✓ | ✓ | ✓ |
| SR 2.4 RE(1) Mobile code integrity check | ✓ | ✓ | ||
| SR 2.5 Session lock | ✓ | ✓ | ✓ | ✓ |
| SR 2.6 Remote session termination | ✓ | ✓ | ✓ | |
| SR 2.7 Concurrent session control | ✓ | ✓ | ||
| SR 2.8 Auditable events (base) | ✓ | ✓ | ✓ | ✓ |
| SR 2.8 RE(1) Centrally managed, system-wide audit trail | ✓ | ✓ | ||
| SR 2.9 Audit storage capacity (base) | ✓ | ✓ | ✓ | ✓ |
| SR 2.9 RE(1) Warn when audit record storage capacity threshold reached | ✓ | ✓ | ||
| SR 2.10 Response to audit processing failures | ✓ | ✓ | ✓ | ✓ |
| SR 2.11 Timestamps (base) | ✓ | ✓ | ✓ | |
| SR 2.11 RE(1) Internal time synchronization | ✓ | ✓ | ||
| SR 2.11 RE(2) Protection of time source integrity | ✓ | |||
| SR 2.12 Non-repudiation (base) | ✓ | ✓ | ||
| SR 2.12 RE(1) Non-repudiation for all users | ✓ |
Detail page: IEC 62443-3-3 FR 3
| SR / RE (teaching label) | SL 1 | SL 2 | SL 3 | SL 4 |
|---|---|---|---|---|
| SR 3.1 Communication integrity (base) | ✓ | ✓ | ✓ | ✓ |
| SR 3.1 RE(1) Cryptographic integrity protection | ✓ | ✓ | ||
| SR 3.2 Malicious code protection (base) | ✓ | ✓ | ✓ | ✓ |
| SR 3.2 RE(1) Malicious code protection on entry and exit points | ✓ | ✓ | ✓ | |
| SR 3.2 RE(2) Central management and reporting for malicious code protection | ✓ | ✓ | ||
| SR 3.3 Security functionality verification (base) | ✓ | ✓ | ✓ | ✓ |
| SR 3.3 RE(1) Automated mechanisms for security functionality verification | ✓ | ✓ | ||
| SR 3.3 RE(2) Security functionality verification during normal operation | ✓ | |||
| SR 3.4 Software and information integrity (base) | ✓ | ✓ | ✓ | |
| SR 3.4 RE(1) Automated notification about integrity violations | ✓ | ✓ | ||
| SR 3.5 Input validation | ✓ | ✓ | ✓ | ✓ |
| SR 3.6 Deterministic output | ✓ | ✓ | ✓ | ✓ |
| SR 3.7 Error handling | ✓ | ✓ | ✓ | |
| SR 3.8 Session integrity (base) | ✓ | ✓ | ✓ | |
| SR 3.8 RE(1) Invalidation of session IDs after session termination | ✓ | ✓ | ||
| SR 3.8 RE(2) Unique session ID generation | ✓ | ✓ | ||
| SR 3.8 RE(3) Randomness of session IDs | ✓ | |||
| SR 3.9 Protection of audit information (base) | ✓ | ✓ | ✓ | |
| SR 3.9 RE(1) Audit records on write-once media | ✓ |
Detail page: IEC 62443-3-3 FR 4
| SR / RE (teaching label) | SL 1 | SL 2 | SL 3 | SL 4 |
|---|---|---|---|---|
| SR 4.1 Information confidentiality (base) | ✓ | ✓ | ✓ | ✓ |
| SR 4.1 RE(1) Protection of confidentiality at rest or in transit via untrusted networks | ✓ | ✓ | ✓ | |
| SR 4.1 RE(2) Protection of confidentiality across zone boundaries | ✓ | |||
| SR 4.2 Information persistence (base) | ✓ | ✓ | ✓ | |
| SR 4.2 RE(1) Purging of shared memory resources | ✓ | ✓ | ||
| SR 4.3 Use of cryptography | ✓ | ✓ | ✓ | ✓ |
Detail page: IEC 62443-3-3 FR 5
| SR / RE (teaching label) | SL 1 | SL 2 | SL 3 | SL 4 |
|---|---|---|---|---|
| SR 5.1 Network segmentation (base) | ✓ | ✓ | ✓ | ✓ |
| SR 5.1 RE(1) Physical network segmentation | ✓ | ✓ | ✓ | |
| SR 5.1 RE(2) Independence from non-control system networks | ✓ | ✓ | ||
| SR 5.1 RE(3) Logical and physical isolation of critical networks | ✓ | |||
| SR 5.2 Zone boundary protection (base) | ✓ | ✓ | ✓ | ✓ |
| SR 5.2 RE(1) Deny by default, allow by exception | ✓ | ✓ | ✓ | |
| SR 5.2 RE(2) Island mode | ✓ | ✓ | ||
| SR 5.2 RE(3) Fail close | ✓ | ✓ | ||
| SR 5.3 General purpose person-to-person communication restrictions (base) | ✓ | ✓ | ✓ | ✓ |
| SR 5.3 RE(1) Prohibit all general purpose person-to-person communications | ✓ | ✓ | ||
| SR 5.4 Application partitioning | ✓ | ✓ | ✓ | ✓ |
Detail page: IEC 62443-3-3 FR 6
| SR / RE (teaching label) | SL 1 | SL 2 | SL 3 | SL 4 |
|---|---|---|---|---|
| SR 6.1 Audit log accessibility (base) | ✓ | ✓ | ✓ | ✓ |
| SR 6.1 RE(1) Programmatic access to audit logs | ✓ | ✓ | ||
| SR 6.2 Continuous monitoring | ✓ | ✓ | ✓ |
Detail page: IEC 62443-3-3 FR 7
| SR / RE (teaching label) | SL 1 | SL 2 | SL 3 | SL 4 |
|---|---|---|---|---|
| SR 7.1 Denial of service protection (base) | ✓ | ✓ | ✓ | ✓ |
| SR 7.1 RE(1) Manage communication loads | ✓ | ✓ | ✓ | |
| SR 7.1 RE(2) Limit DoS effects to other systems or networks | ✓ | ✓ | ||
| SR 7.2 Resource management | ✓ | ✓ | ✓ | ✓ |
| SR 7.3 Control system backup (base) | ✓ | ✓ | ✓ | ✓ |
| SR 7.3 RE(1) Backup verification | ✓ | ✓ | ✓ | |
| SR 7.3 RE(2) Backup automation | ✓ | ✓ | ||
| SR 7.4 Control system recovery and reconstitution | ✓ | ✓ | ✓ | ✓ |
| SR 7.5 Emergency power | ✓ | ✓ | ✓ | ✓ |
| SR 7.6 Network and security configuration settings (base) | ✓ | ✓ | ✓ | ✓ |
| SR 7.6 RE(1) Machine-readable reporting of current security settings | ✓ | ✓ | ||
| SR 7.7 Least functionality | ✓ | ✓ | ✓ | ✓ |
| SR 7.8 Control system component inventory | ✓ | ✓ | ✓ |