← Home

IEC 62443-3-3 Annex B – Mapping of SRs and REs to FR SL Levels 1–4

ISA/IEC 62443-3-3 Annex B (informative) shows which system requirements (SRs) and requirement enhancements (REs) are expected for each FR when claiming capability Security Levels SL-C(FR, control system) = 1…4.

Teaching note: Tables below paraphrase Table B.1 for learning (SR/RE titles and the SL columns they populate). Always verify against the published standard — checkmark placement and exact RE wording in the PDF are authoritative. Missing a required SR/RE for a claimed SL normally drops that FR’s SL-C to a lower value (often 0 if even SL 1 base is incomplete).

Reference: ISA/IEC 62443-3-3, Annex B, Table B.1
Related: Foundational Requirements overview | FR / SL Vector | Security Levels


B.1 Overview – how to read the mapping

For a chosen FR, every check that falls under the target SL-C must be supported. Example teaching points from Annex B:

A full zone posture is still expressed as a seven-element vector — see FR / SL Vector.


B.2 Teaching form of Table B.1

✓ means the SR or RE is required from that SL upward for the FR’s SL-C claim.

FR 1 – Identification and Authentication Control (IAC)

Detail page: IEC 62443-3-3 FR 1

SR / RE (teaching label)SL 1SL 2SL 3SL 4
SR 1.1 Human user identification and authentication (base)
SR 1.1 RE(1) Unique identification and authentication
SR 1.1 RE(2) Multifactor authentication for untrusted networks
SR 1.1 RE(3) Multifactor authentication for all networks
SR 1.2 Software process and device identification and authentication (base)
SR 1.2 RE(1) Unique identification and authentication
SR 1.3 Account management (base)
SR 1.3 RE(1) Unified account management
SR 1.4 Identifier management
SR 1.5 Authenticator management (base)
SR 1.5 RE(1) Hardware security for software process identity credentials
SR 1.6 Wireless access management (base)
SR 1.6 RE(1) Unique identification and authentication
SR 1.7 Strength of password-based authentication (base)
SR 1.7 RE(1) Password generation and lifetime restrictions for human users
SR 1.7 RE(2) Password lifetime restrictions for all users
SR 1.8 Public key infrastructure certificates
SR 1.9 Strength of public key authentication (base)
SR 1.9 RE(1) Hardware security for public key authentication
SR 1.10 Authenticator feedback
SR 1.11 Unsuccessful login attempts
SR 1.12 System use notification
SR 1.13 Access via untrusted networks (base)
SR 1.13 RE(1) Explicit access request approval

FR 2 – Use Control (UC)

Detail page: IEC 62443-3-3 FR 2

SR / RE (teaching label)SL 1SL 2SL 3SL 4
SR 2.1 Authorization enforcement (base)
SR 2.1 RE(1) Authorization enforcement for all users
SR 2.1 RE(2) Permission mapping to roles
SR 2.1 RE(3) Supervisor override
SR 2.1 RE(4) Dual approval
SR 2.2 Wireless use control (base)
SR 2.2 RE(1) Identify and report unauthorized wireless devices
SR 2.3 Use control for portable and mobile devices (base)
SR 2.3 RE(1) Enforcement of security status of portable and mobile devices
SR 2.4 Mobile code (base)
SR 2.4 RE(1) Mobile code integrity check
SR 2.5 Session lock
SR 2.6 Remote session termination
SR 2.7 Concurrent session control
SR 2.8 Auditable events (base)
SR 2.8 RE(1) Centrally managed, system-wide audit trail
SR 2.9 Audit storage capacity (base)
SR 2.9 RE(1) Warn when audit record storage capacity threshold reached
SR 2.10 Response to audit processing failures
SR 2.11 Timestamps (base)
SR 2.11 RE(1) Internal time synchronization
SR 2.11 RE(2) Protection of time source integrity
SR 2.12 Non-repudiation (base)
SR 2.12 RE(1) Non-repudiation for all users

FR 3 – System Integrity (SI)

Detail page: IEC 62443-3-3 FR 3

SR / RE (teaching label)SL 1SL 2SL 3SL 4
SR 3.1 Communication integrity (base)
SR 3.1 RE(1) Cryptographic integrity protection
SR 3.2 Malicious code protection (base)
SR 3.2 RE(1) Malicious code protection on entry and exit points
SR 3.2 RE(2) Central management and reporting for malicious code protection
SR 3.3 Security functionality verification (base)
SR 3.3 RE(1) Automated mechanisms for security functionality verification
SR 3.3 RE(2) Security functionality verification during normal operation
SR 3.4 Software and information integrity (base)
SR 3.4 RE(1) Automated notification about integrity violations
SR 3.5 Input validation
SR 3.6 Deterministic output
SR 3.7 Error handling
SR 3.8 Session integrity (base)
SR 3.8 RE(1) Invalidation of session IDs after session termination
SR 3.8 RE(2) Unique session ID generation
SR 3.8 RE(3) Randomness of session IDs
SR 3.9 Protection of audit information (base)
SR 3.9 RE(1) Audit records on write-once media

FR 4 – Data Confidentiality (DC)

Detail page: IEC 62443-3-3 FR 4

SR / RE (teaching label)SL 1SL 2SL 3SL 4
SR 4.1 Information confidentiality (base)
SR 4.1 RE(1) Protection of confidentiality at rest or in transit via untrusted networks
SR 4.1 RE(2) Protection of confidentiality across zone boundaries
SR 4.2 Information persistence (base)
SR 4.2 RE(1) Purging of shared memory resources
SR 4.3 Use of cryptography

FR 5 – Restricted Data Flow (RDF)

Detail page: IEC 62443-3-3 FR 5

SR / RE (teaching label)SL 1SL 2SL 3SL 4
SR 5.1 Network segmentation (base)
SR 5.1 RE(1) Physical network segmentation
SR 5.1 RE(2) Independence from non-control system networks
SR 5.1 RE(3) Logical and physical isolation of critical networks
SR 5.2 Zone boundary protection (base)
SR 5.2 RE(1) Deny by default, allow by exception
SR 5.2 RE(2) Island mode
SR 5.2 RE(3) Fail close
SR 5.3 General purpose person-to-person communication restrictions (base)
SR 5.3 RE(1) Prohibit all general purpose person-to-person communications
SR 5.4 Application partitioning

FR 6 – Timely Response to Events (TRE)

Detail page: IEC 62443-3-3 FR 6

SR / RE (teaching label)SL 1SL 2SL 3SL 4
SR 6.1 Audit log accessibility (base)
SR 6.1 RE(1) Programmatic access to audit logs
SR 6.2 Continuous monitoring

FR 7 – Resource Availability (RA)

Detail page: IEC 62443-3-3 FR 7

SR / RE (teaching label)SL 1SL 2SL 3SL 4
SR 7.1 Denial of service protection (base)
SR 7.1 RE(1) Manage communication loads
SR 7.1 RE(2) Limit DoS effects to other systems or networks
SR 7.2 Resource management
SR 7.3 Control system backup (base)
SR 7.3 RE(1) Backup verification
SR 7.3 RE(2) Backup automation
SR 7.4 Control system recovery and reconstitution
SR 7.5 Emergency power
SR 7.6 Network and security configuration settings (base)
SR 7.6 RE(1) Machine-readable reporting of current security settings
SR 7.7 Least functionality
SR 7.8 Control system component inventory

Key takeaways