← Home

IEC 62443-3-3 Clause 6 – Use Control

ISA/IEC 62443-3-3, Clause 6 defines Foundational Requirement FR 2 (UC) and the associated system requirements (SRs) and requirement enhancements (REs) used when claiming Security Level capability for this FR.

Enforce authorisation on what authenticated users may do with devices and information, so privileges stay limited to operational need.

Teaching note: Summaries paraphrase ISA/IEC 62443-3-3 for learning. They are not verbatim extracts — always use the published standard for normative wording, RE text and SL mappings (see Annex B).

Reference: ISA/IEC 62443-3-3, Clause 6
Related: Foundational Requirements overview | FR / SL Vector | Annex B mapping | Security Levels

FR pages: FR 1 | FR 2 | FR 3 | FR 4 | FR 5 | FR 6 | FR 7


Purpose

Enforce authorisation on what authenticated users may do with devices and information, so privileges stay limited to operational need.

Requirement enhancements under each SR raise the capability needed for higher SL-C(UC) claims. Exact RE text and which SL columns they populate are in the standard and Annex B.


System requirements in this FR


SR summaries

SR 2.1: Authorization enforcement

Reference: ISA/IEC 62443-3-3, Clause 6 (SR 2.1)

Summary
On mapped authorisations, the control system shall enforce what each user, role or process is allowed to do (least privilege).

SR 2.2: Wireless use control

Reference: ISA/IEC 62443-3-3, Clause 6 (SR 2.2)

Summary
Wireless usage shall be controlled so only authorised wireless functions/actions occur within policy.

SR 2.3: Use control for portable and mobile devices

Reference: ISA/IEC 62443-3-3, Clause 6 (SR 2.3)

Summary
Portable and mobile devices used with the control system shall be subject to use-control policies (connection, capability, data handling).

SR 2.4: Mobile code

Reference: ISA/IEC 62443-3-3, Clause 6 (SR 2.4)

Summary
Mobile code (scripts, macros, active content) shall be controlled — permitted, restricted or blocked according to risk and SL.

SR 2.5: Session lock

Reference: ISA/IEC 62443-3-3, Clause 6 (SR 2.5)

Summary
Sessions shall lock after inactivity (or on demand) so unattended consoles do not remain fully enabled.

SR 2.6: Remote session termination

Reference: ISA/IEC 62443-3-3, Clause 6 (SR 2.6)

Summary
Remote sessions shall be terminable by the system/operator so stalled or abandoned remote access ends cleanly.

SR 2.7: Concurrent session control

Reference: ISA/IEC 62443-3-3, Clause 6 (SR 2.7)

Summary
Concurrent sessions per account/interface shall be limited where required by the claimed SL.

SR 2.8: Auditable events

Reference: ISA/IEC 62443-3-3, Clause 6 (SR 2.8)

Summary
Security-relevant events shall be auditable; the event set grows with higher SLs.

SR 2.9: Audit storage capacity

Reference: ISA/IEC 62443-3-3, Clause 6 (SR 2.9)

Summary
Audit storage capacity shall be allocated and managed so logs are not silently lost under normal load.

SR 2.10: Response to audit processing failures

Reference: ISA/IEC 62443-3-3, Clause 6 (SR 2.10)

Summary
If audit processing fails, the control system shall respond (alert, failover, enter a defined degraded mode) per policy.

SR 2.11: Timestamps

Reference: ISA/IEC 62443-3-3, Clause 6 (SR 2.11)

Summary
Audit records shall use reliable timestamps (time sync expectations increase with SL).

SR 2.12: Non-repudiation

Reference: ISA/IEC 62443-3-3, Clause 6 (SR 2.12)

Summary
Where required, actions shall be attributable such that a user cannot plausibly deny having performed them (non-repudiation).

Key takeaways