← Home

IEC 62443-3-3 Clause 9 – Restricted Data Flow

ISA/IEC 62443-3-3, Clause 9 defines Foundational Requirement FR 5 (RDF) and the associated system requirements (SRs) and requirement enhancements (REs) used when claiming Security Level capability for this FR.

Segment the control system and restrict communication flows so information cannot freely move to unauthorised destinations.

Teaching note: Summaries paraphrase ISA/IEC 62443-3-3 for learning. They are not verbatim extracts — always use the published standard for normative wording, RE text and SL mappings (see Annex B).

Reference: ISA/IEC 62443-3-3, Clause 9
Related: Foundational Requirements overview | FR / SL Vector | Annex B mapping | Security Levels

FR pages: FR 1 | FR 2 | FR 3 | FR 4 | FR 5 | FR 6 | FR 7


Purpose

Segment the control system and restrict communication flows so information cannot freely move to unauthorised destinations.

Requirement enhancements under each SR raise the capability needed for higher SL-C(RDF) claims. Exact RE text and which SL columns they populate are in the standard and Annex B.


System requirements in this FR


SR summaries

SR 5.1: Network segmentation

Reference: ISA/IEC 62443-3-3, Clause 9 (SR 5.1)

Summary
The control system shall support network segmentation consistent with zones/conduits for the SuC.

SR 5.2: Zone boundary protection

Reference: ISA/IEC 62443-3-3, Clause 9 (SR 5.2)

Summary
Zone boundaries shall be protected (filter, monitor, deny by default as SL rises) so traffic crossing conduits is controlled.

SR 5.3: General purpose person-to-person communication restrictions

Reference: ISA/IEC 62443-3-3, Clause 9 (SR 5.3)

Summary
General-purpose person-to-person services (email, IM, etc.) shall be restricted or isolated from critical control functions.

SR 5.4: Application partitioning

Reference: ISA/IEC 62443-3-3, Clause 9 (SR 5.4)

Summary
Applications shall be partitionable so critical control functions are separated from less critical services.

Key takeaways