← Home

IEC 62443-3-3 Clause 7 – System Integrity

ISA/IEC 62443-3-3, Clause 7 defines Foundational Requirement FR 3 (SI) and the associated system requirements (SRs) and requirement enhancements (REs) used when claiming Security Level capability for this FR.

Protect the integrity of the control system and selected communications so unauthorised modification of data, software or configuration is prevented or detected.

Teaching note: Summaries paraphrase ISA/IEC 62443-3-3 for learning. They are not verbatim extracts — always use the published standard for normative wording, RE text and SL mappings (see Annex B).

Reference: ISA/IEC 62443-3-3, Clause 7
Related: Foundational Requirements overview | FR / SL Vector | Annex B mapping | Security Levels

FR pages: FR 1 | FR 2 | FR 3 | FR 4 | FR 5 | FR 6 | FR 7


Purpose

Protect the integrity of the control system and selected communications so unauthorised modification of data, software or configuration is prevented or detected.

Requirement enhancements under each SR raise the capability needed for higher SL-C(SI) claims. Exact RE text and which SL columns they populate are in the standard and Annex B.


System requirements in this FR


SR summaries

SR 3.1: Communication integrity

Reference: ISA/IEC 62443-3-3, Clause 7 (SR 3.1)

Summary
Communications shall protect integrity (detect/prevent unauthorised modification) on selected channels; cryptography strength scales with SL.

SR 3.2: Malicious code protection

Reference: ISA/IEC 62443-3-3, Clause 7 (SR 3.2)

Summary
Malicious code protection shall be employed and kept effective for control-system components within operational constraints.

SR 3.3: Security functionality verification

Reference: ISA/IEC 62443-3-3, Clause 7 (SR 3.3)

Summary
Security functions shall be verifiable — the owner/integrator can check that security mechanisms still operate as intended.

SR 3.4: Software and information integrity

Reference: ISA/IEC 62443-3-3, Clause 7 (SR 3.4)

Summary
Software and information integrity shall be protected (detect unauthorised changes to binaries, configs, recipes, etc.).

SR 3.5: Input validation

Reference: ISA/IEC 62443-3-3, Clause 7 (SR 3.5)

Summary
Inputs shall be validated so malformed or malicious data cannot drive unsafe or undefined behaviour.

SR 3.6: Deterministic output

Reference: ISA/IEC 62443-3-3, Clause 7 (SR 3.6)

Summary
On anomalies, outputs shall go to predetermined states that preserve essential/safe behaviour where applicable.

SR 3.7: Error handling

Reference: ISA/IEC 62443-3-3, Clause 7 (SR 3.7)

Summary
Error handling shall fail safely without exposing sensitive detail useful to an attacker.

SR 3.8: Session integrity

Reference: ISA/IEC 62443-3-3, Clause 7 (SR 3.8)

Summary
Sessions shall resist hijacking/forgery so integrity of an established session is maintained.

SR 3.9: Protection of audit information

Reference: ISA/IEC 62443-3-3, Clause 7 (SR 3.9)

Summary
Audit information itself shall be protected from unauthorised access or alteration.

Key takeaways