Foundational requirements (FR) and system requirements (SR) 

Foundational requirements (FR)

The IEC 62443 standard defines seven foundational requirements (FR). These are basic requirements regarding the security of an ICS. They are addressed to all stakeholders of a plant and used throughout the standard.

  • FR1: Identification and authentication control (IAC)
    Protection by verifying the identity of any user before enabling communication
  • FR2: Use control (UC)
    Protection against unauthorized actions by necessary privileges before performing
  • FR3: System integrity (SI)
    Preventing modifications of information by unauthorized persons and systems
  • FR4: Data confidentiality (DC)
    Preventing disclosure of information to unauthorized persons and systems
  • FR5: Restricted data flow (RDF)
    Protection via zones and conduits to limit unnecessary data flow
  • FR6: Timely response to event (TRE)
    Collecting, reporting, preserving automatically evidences to ensure timely corrective actions
  • FR7: Resource availability (RA)
    Ability of device functionality in case of demand also during DoS attacks 

System requirements (SR)

For each FR, part 3-3 of the IEC 62443 standard defines several system requirements (SRs). Each SR describes concrete requirements for the plant and thus describes the respective FR in detail. The example below shows details for FR4.

To comply with the standard, you must map the relevant SRs to the subsystems and components of your automation system.

Requirement enhancements (RE)

An SR can be supplemented by so-called requirement enhancements (REs) that have to be fulfilled for higher Security levels.

Example: FR4 with its SRs and REs

According to "FR4 - Data confidentiality", communication channels and data repositories must be protected against unauthorized disclosure. Depending on the security level (SL 1 to 4), the disclosure must be prevented with the means, resources, skills and motivation as defined in the SL classification table.

The following three SRs are defined for FR4, some of them with REs:
(The list also mentions which SR and RE must at least be fulfilled to achieve a particular security level (SL).)

  • SR 4.1: Information confidentiality.
    Protection of the confidentiality of information for which explicit read authorization is supported.
    SR 4.1 (without any RE) must be fulfilled to achieve SL-C 1.
    • SR 4.1 RE 1: Protection of confidentiality at rest or in transit via untrusted networks.
      SR 4.1 + RE 1 must be fulfilled to achieve SL-C 2 or 3.
    • SR 4.1 RE 2: Protection of confidentiality across zone boundaries
      SR 4.1 + RE 1 + RE 2 must be fulfilled to achieve SL-C 4.
  • SR 4.2: Information persistence.
    Purging all information for which explicit read authorization is supported before taking them out of service.
    To achieve SL-C 1, it is not necessary to fulfill SR 4.2.
    • SR 4.2 RE 1 – Purging of shared memory resources
      SR 4.2 + RE 1 must be fulfilled to achieve SL-C 3 or 4.
  • SR 4.3: Use of cryptography
    Use of state-of-the-art cryptographic tools for key establishment and management.
    SR 4.3 must be fulfilled for any level SL-C 1 to 4.
    • No REs defined for this SR.

 

 

•  Web browser recommendation: Chrome/Edge 88 or newer, Firefox ESR 90 or neweror Safari  • 
• Published/reviewed: 2023-11-02 • Revision 011 •