← Home

IEC 62443-3-3 Clause 5 – Identification and Authentication Control

ISA/IEC 62443-3-3, Clause 5 defines Foundational Requirement FR 1 (IAC) and the associated system requirements (SRs) and requirement enhancements (REs) used when claiming Security Level capability for this FR.

Identify and authenticate all users (humans, software processes and devices) before they interact with the control system, so unauthorised access and interrogation are blocked.

Teaching note: Summaries paraphrase ISA/IEC 62443-3-3 for learning. They are not verbatim extracts — always use the published standard for normative wording, RE text and SL mappings (see Annex B).

Reference: ISA/IEC 62443-3-3, Clause 5
Related: Foundational Requirements overview | FR / SL Vector | Annex B mapping | Security Levels

FR pages: FR 1 | FR 2 | FR 3 | FR 4 | FR 5 | FR 6 | FR 7


Purpose

Identify and authenticate all users (humans, software processes and devices) before they interact with the control system, so unauthorised access and interrogation are blocked.

Requirement enhancements under each SR raise the capability needed for higher SL-C(IAC) claims. Exact RE text and which SL columns they populate are in the standard and Annex B.


System requirements in this FR


SR summaries

SR 1.1: Human user identification and authentication

Reference: ISA/IEC 62443-3-3, Clause 5 (SR 1.1)

Summary
The control system shall uniquely identify and authenticate human users. Higher SLs tighten multifactor and local/remote distinctions.

SR 1.2: Software process and device identification and authentication

Reference: ISA/IEC 62443-3-3, Clause 5 (SR 1.2)

Summary
Software processes and devices shall be identified and authenticated before interacting with the control system, not only human operators.

SR 1.3: Account management

Reference: ISA/IEC 62443-3-3, Clause 5 (SR 1.3)

Summary
Accounts shall be managed through their full lifecycle — creation, enablement, modification, disablement and removal — under authorised control.

SR 1.4: Identifier management

Reference: ISA/IEC 62443-3-3, Clause 5 (SR 1.4)

Summary
Identifiers (usernames, device IDs, etc.) shall be managed so they remain unique, attributable and assigned under policy.

SR 1.5: Authenticator management

Reference: ISA/IEC 62443-3-3, Clause 5 (SR 1.5)

Summary
Authenticators (passwords, tokens, keys, certificates) shall be issued, protected, rotated and revoked according to strength and lifecycle controls.

SR 1.6: Wireless access management

Reference: ISA/IEC 62443-3-3, Clause 5 (SR 1.6)

Summary
Wireless access to the control system shall be authorised, authenticated and managed as a distinct path with tighter constraints as SL rises.

SR 1.7: Strength of password-based authentication

Reference: ISA/IEC 62443-3-3, Clause 5 (SR 1.7)

Summary
Where passwords are used, strength, complexity, lifetime and protection requirements shall meet the claimed SL.

SR 1.8: Public key infrastructure (PKI) certificates

Reference: ISA/IEC 62443-3-3, Clause 5 (SR 1.8)

Summary
Where PKI is used, certificates shall be managed (issuance, validation, revocation) appropriately for the control system context.

SR 1.9: Strength of public key authentication

Reference: ISA/IEC 62443-3-3, Clause 5 (SR 1.9)

Summary
Public-key authentication shall meet strength expectations for algorithms, key protection and validation at the claimed SL.

SR 1.10: Authenticator feedback

Reference: ISA/IEC 62443-3-3, Clause 5 (SR 1.10)

Summary
Authenticator feedback during login shall not reveal whether a username or password specifically failed, limiting reconnaissance.

SR 1.11: Unsuccessful login attempts

Reference: ISA/IEC 62443-3-3, Clause 5 (SR 1.11)

Summary
Unsuccessful login attempts shall be limited and responded to (lockout/delay/alert) to reduce brute-force risk without unsafe process lockouts where exempted.

SR 1.12: System use notification

Reference: ISA/IEC 62443-3-3, Clause 5 (SR 1.12)

Summary
Before granting access, the system shall present an approved use notification (banner/terms) appropriate to policy.

SR 1.13: Access via untrusted networks

Reference: ISA/IEC 62443-3-3, Clause 5 (SR 1.13)

Summary
Access originating from untrusted networks shall meet additional identification and authentication controls before reaching the control system.

Key takeaways