Identify and authenticate all users (humans, software processes and devices) before they interact with the control system, so unauthorised access and interrogation are blocked.
SR summaries
SR 1.1: Human user identification and authentication
Reference: ISA/IEC 62443-3-3, Clause 5 (SR 1.1)
Summary
The control system shall uniquely identify and authenticate human users. Higher SLs tighten multifactor and local/remote distinctions.
SR 1.2: Software process and device identification and authentication
Reference: ISA/IEC 62443-3-3, Clause 5 (SR 1.2)
Summary
Software processes and devices shall be identified and authenticated before interacting with the control system, not only human operators.
SR 1.3: Account management
Reference: ISA/IEC 62443-3-3, Clause 5 (SR 1.3)
Summary
Accounts shall be managed through their full lifecycle — creation, enablement, modification, disablement and removal — under authorised control.
SR 1.4: Identifier management
Reference: ISA/IEC 62443-3-3, Clause 5 (SR 1.4)
Summary
Identifiers (usernames, device IDs, etc.) shall be managed so they remain unique, attributable and assigned under policy.
SR 1.5: Authenticator management
Reference: ISA/IEC 62443-3-3, Clause 5 (SR 1.5)
Summary
Authenticators (passwords, tokens, keys, certificates) shall be issued, protected, rotated and revoked according to strength and lifecycle controls.
SR 1.6: Wireless access management
Reference: ISA/IEC 62443-3-3, Clause 5 (SR 1.6)
Summary
Wireless access to the control system shall be authorised, authenticated and managed as a distinct path with tighter constraints as SL rises.
SR 1.7: Strength of password-based authentication
Reference: ISA/IEC 62443-3-3, Clause 5 (SR 1.7)
Summary
Where passwords are used, strength, complexity, lifetime and protection requirements shall meet the claimed SL.
SR 1.8: Public key infrastructure (PKI) certificates
Reference: ISA/IEC 62443-3-3, Clause 5 (SR 1.8)
Summary
Where PKI is used, certificates shall be managed (issuance, validation, revocation) appropriately for the control system context.
SR 1.9: Strength of public key authentication
Reference: ISA/IEC 62443-3-3, Clause 5 (SR 1.9)
Summary
Public-key authentication shall meet strength expectations for algorithms, key protection and validation at the claimed SL.
SR 1.10: Authenticator feedback
Reference: ISA/IEC 62443-3-3, Clause 5 (SR 1.10)
Summary
Authenticator feedback during login shall not reveal whether a username or password specifically failed, limiting reconnaissance.
SR 1.11: Unsuccessful login attempts
Reference: ISA/IEC 62443-3-3, Clause 5 (SR 1.11)
Summary
Unsuccessful login attempts shall be limited and responded to (lockout/delay/alert) to reduce brute-force risk without unsafe process lockouts where exempted.
SR 1.12: System use notification
Reference: ISA/IEC 62443-3-3, Clause 5 (SR 1.12)
Summary
Before granting access, the system shall present an approved use notification (banner/terms) appropriate to policy.
SR 1.13: Access via untrusted networks
Reference: ISA/IEC 62443-3-3, Clause 5 (SR 1.13)
Summary
Access originating from untrusted networks shall meet additional identification and authentication controls before reaching the control system.