← Home

IEC 62443-4-2 Clause 6 – Use Control

ISA/IEC 62443-4-2, Clause 6 defines Foundational Requirement FR 2 (UC) and the associated component requirements (CRs) and requirement enhancements (REs) used when claiming Security Level capability for this FR on a component.

Enforce authorisation so authenticated users can only perform actions they are permitted to perform.

Teaching note: Summaries paraphrase ISA/IEC 62443-4-2 for learning. They are not verbatim extracts — always use the published standard for normative wording, RE text and SL mappings (see Annex B). Component-type specifics also appear under Clauses 12–15.

Reference: ISA/IEC 62443-4-2, Clause 6
Related: Part 4-2 overview | Common Component Security Constraints | IEC 62443-3-3 FR 2 | Annex B mapping

Component requirement pages: Cl. 5 | Cl. 6 | Cl. 7 | Cl. 8 | Cl. 9 | Cl. 10 | Cl. 11


Purpose

Enforce authorisation so authenticated users can only perform actions they are permitted to perform.

Requirement enhancements under each CR raise the capability needed for higher SL-C(UC) claims. Exact RE text and which SL columns they populate are in the standard and Annex B.


Component requirements in this FR


CR summaries

CR 2.1: Authorization enforcement

Reference: ISA/IEC 62443-4-2, Clause 6

Summary
Components must provide an authorization enforcement mechanism for all identified and authenticated users based on their assigned responsibilities.

CR 2.2: Wireless use control

Reference: ISA/IEC 62443-4-2, Clause 6

Summary
If a component supports usage through wireless interfaces it must provide the capability to integrate into the system that supports usage authorization, monitoring and restrictions according to commonly accepted industry practices.

CR 2.3: Use control for portable and mobile devices

Reference: ISA/IEC 62443-4-2, Clause 6

Summary
There is no component level requirement associated with ISA-62443-3-3 SR 2.3.

CR 2.4: Mobile code

Reference: ISA/IEC 62443-4-2, Clause 6

Summary
The use control requirements for mobile code are component-specific and can be located as requirements for each specific component type in Clauses 12 through 15.

CR 2.5: Session lock

Reference: ISA/IEC 62443-4-2, Clause 6

Summary
If a component provides a human user interface, whether accessed locally or via a network, the component must provide the capability to protect against further access by initiating a session lock after a configurable time period of inactivity or by manual initiation by the user (human, software process or device); and for the session lock to remain in effect until the human user who owns the session, or another autho…

CR 2.6: Remote session termination

Reference: ISA/IEC 62443-4-2, Clause 6

Summary
If a component supports remote sessions, the component must provide the capability to terminate a remote session either automatically after a configurable time period of inactivity, manually by a local authority, or manually by the user (human, software process or device) who initiated the session.

CR 2.7: Concurrent session control

Reference: ISA/IEC 62443-4-2, Clause 6

Summary
Components must provide the capability to limit the number of concurrent sessions per interface for any given user (human, software process or device).

CR 2.8: Auditable events

Reference: ISA/IEC 62443-4-2, Clause 6

Summary
Components must provide the capability to generate audit records relevant to security for the following categories: access control; request errors; control system events; backup and restore event; configuration changes; and audit log events. Individual audit records must include: timestamp; source (originating device, software process or human user account); category; type; event ID; and event result.

CR 2.9: Audit storage capacity

Reference: ISA/IEC 62443-4-2, Clause 6

Summary
Components must provide the capability to allocate audit record storage capacity according to commonly recognized recommendations for log management; and provide mechanisms to protect against a failure of the component when it reaches or exceeds the audit storage capacity.

CR 2.10: Response to audit processing failures

Reference: ISA/IEC 62443-4-2, Clause 6

Summary
Components must provide the capability to protect against the loss of essential services and functions in the event of an audit processing failure; and provide the capability to support appropriate actions in response to an audit processing failure according to commonly accepted industry practices and recommendations.

CR 2.11: Timestamps

Reference: ISA/IEC 62443-4-2, Clause 6

Summary
Components must provide the capability to create timestamps (including date and time) for use in audit records.

CR 2.12: Non-repudiation

Reference: ISA/IEC 62443-4-2, Clause 6

Summary
If a component provides a human user interface, the component must provide the capability to determine whether a given human user took a particular action. Control elements that are not able to support such capability must be listed in component documents.

CR 2.13: Use of physical diagnostic and test interfaces

Reference: ISA/IEC 62443-4-2, Clause 6

Summary
The use of physical diagnostic and test interfaces requirements are component-specific and can be located as requirements for each specific component type in Clauses 12 through 15.

Key takeaways