IEC 62443-3-3:2013 specifies System Security Requirements (SR) for IACS, organized by 7 Foundational Requirements (FR1-7). Each FR contains 1-4 SR per Security Level (SL1-4), totaling 100+ technical controls. Most-referenced document for system integrators and asset owners. Required for NIS2 EU 2022/2555 article 21 compliance and ISA Secure System Security Assurance (SSA) certification.
IEC 62443-3-3:2013 “System security requirements and security levels” is the most operationally critical document of the IEC 62443 family. While IEC 62443-1 establishes terminology and IEC 62443-2 covers policy/procedures, IEC 62443-3-3 specifies the actual technical controls that an Industrial Automation and Control System (IACS) must implement to achieve a target Security Level (SL1, SL2, SL3, or SL4). For system integrators (Capgemini, Atos, Siemens PSI, Yokogawa, Honeywell PMC, Aveva Select Partners), this is the day-to-day reference. For asset owners (manufacturers), it defines the contractual security baseline. This guide details the 7 Foundational Requirements, the SR catalog (100+ controls), implementation patterns, and mapping to NIS2 EU 2022/2555 Article 21.
The 7 Foundational Requirements (FR1-7)
IEC 62443-3-3 organizes all System Requirements into 7 Foundational Requirements:
| FR | Title | Number of SR | Key intent |
|---|---|---|---|
| FR1 | Identification and Authentication Control (IAC) | 13 SR | Authenticate humans + devices + software before access |
| FR2 | Use Control (UC) | 12 SR | Authorize actions per role / privilege (RBAC, ABAC) |
| FR3 | System Integrity (SI) | 9 SR | Detect/prevent unauthorized changes to firmware, OS, application, data |
| FR4 | Data Confidentiality (DC) | 3 SR | Encrypt data at rest, in transit, sensitive information protection |
| FR5 | Restricted Data Flow (RDF) | 4 SR | Network segmentation (zones & conduits), DMZ, application whitelisting |
| FR6 | Timely Response to Events (TRE) | 2 SR | Audit logs, monitoring, alerting, incident detection |
| FR7 | Resource Availability (RA) | 8 SR | Backup, recovery, DoS protection, failover, restore |
Total: 51 SR, each with 1-4 Requirement Enhancements (RE) per Security Level → ~100 implementable technical controls at SL2, increasing to ~150 at SL4.
System Requirement notation and reading the standard
SR notation follows the pattern SR FR.SubFR REn where:
- FR = Foundational Requirement number (1-7)
- SubFR = Sub-requirement number within the FR
- REn = Requirement Enhancement level (RE1, RE2, RE3)
Example: SR 1.1 RE1 = First sub-requirement of FR1 (Identification & Authentication Control), with Requirement Enhancement level 1. Reading the standard: SR 1.1 base = required at SL1 (and above). SR 1.1 RE1 = required additionally at SL2 (and above). SR 1.1 RE2 = required additionally at SL3 (and above). SR 1.1 RE3 = required additionally at SL4.
FR1 – Identification and Authentication Control (IAC) detail
FR1 contains 13 SR addressing how IACS authenticates users, devices, and software before granting access:
| SR | Title | Required from SL |
|---|---|---|
| SR 1.1 | Human user identification and authentication | SL1 |
| SR 1.1 RE1 | Unique identification and authentication | SL2 |
| SR 1.1 RE2 | Multifactor authentication for untrusted networks | SL3 |
| SR 1.1 RE3 | Multifactor authentication for all networks | SL4 |
| SR 1.2 | Software process and device identification and authentication | SL2 |
| SR 1.3 | Account management | SL1 |
| SR 1.4 | Identifier management | SL1 |
| SR 1.5 | Authenticator management | SL1 |
| SR 1.5 RE1 | Hardware security for authenticators | SL3 |
| SR 1.6 | Wireless access management | SL2 |
| SR 1.7 | Strength of password-based authentication | SL1 |
| SR 1.8 | Public key infrastructure (PKI) certificates | SL2 |
| SR 1.9 | Strength of public key authentication | SL2 |
| SR 1.10 | Authenticator feedback | SL2 |
| SR 1.11 | Unsuccessful login attempts | SL1 |
| SR 1.12 | System use notification | SL1 |
| SR 1.13 | Access via untrusted networks | SL3 |
Practical implementation FR1 at SL2: unique identification + MFA for engineering workstations + RBAC role definitions + PKI certificates for device authentication + audit trail of login attempts.
Download the white paper
Enter your email address to receive our White Paper
FR2 – Use Control (UC) detail
FR2 contains 12 SR addressing authorization of actions once authenticated:
| SR | Title | Required from SL |
|---|---|---|
| SR 2.1 | Authorization enforcement | SL1 |
| SR 2.1 RE1 | Authorization enforcement for all users | SL2 |
| SR 2.1 RE2 | Permission mapping to roles | SL3 |
| SR 2.2 | Wireless use control | SL2 |
| SR 2.3 | Use control for portable and mobile devices | SL2 |
| SR 2.4 | Mobile code | SL2 |
| SR 2.5 | Session lock | SL1 |
| SR 2.6 | Remote session termination | SL2 |
| SR 2.7 | Concurrent session control | SL3 |
| SR 2.8 | Auditable events | SL1 |
| SR 2.9 | Audit storage capacity | SL1 |
| SR 2.10 | Response to audit processing failures | SL1 |
| SR 2.11 | Timestamps | SL2 |
| SR 2.12 | Non-repudiation | SL3 |
FR3 – System Integrity (SI) and FR4 – Data Confidentiality (DC)
FR3 contains 9 SR for system integrity: communication integrity (SR 3.1), malicious code protection (SR 3.2), security functionality verification (SR 3.3), software and information integrity (SR 3.4), input validation (SR 3.5), deterministic output (SR 3.6), error handling (SR 3.7), session integrity (SR 3.8), protection of audit information (SR 3.9). Practical implementation at SL2 typically involves: TLS 1.3 for comms, antivirus + EDR on engineering workstations, signed firmware updates, application allowlisting, secure boot for embedded devices.
FR4 contains 3 SR for data confidentiality: information confidentiality (SR 4.1, encryption at rest + transit), information persistence (SR 4.2, secure erasure), cryptographic key management (SR 4.3, key lifecycle). Implementation at SL2: TLS 1.3 + AES-256 at rest + KMS solution (HashiCorp Vault, AWS KMS, Azure Key Vault).
FR5 – Restricted Data Flow (RDF) and FR6 – Timely Response to Events (TRE)
FR5 contains 4 SR for restricted data flow, mandating network segmentation per IEC 62443-3-2 zones & conduits model: network segmentation (SR 5.1), zone boundary protection (SR 5.2), general purpose person-to-person communication restrictions (SR 5.3), application partitioning (SR 5.4). Implementation: Purdue model levels L0-L3 + L3.5 DMZ + L4-L5 enterprise, with firewalls + IDS/IPS at conduit boundaries, application allowlisting on engineering workstations, dedicated jump hosts for remote access.
FR6 contains 2 SR for timely response: audit log accessibility (SR 6.1), continuous monitoring (SR 6.2). Implementation: SIEM aggregation (Splunk, IBM QRadar, Microsoft Sentinel, Elastic, Wazuh) + SOC OT (security operations center for OT) + UEBA (user and entity behavior analytics) + threat hunting.
FR7 – Resource Availability (RA) detail
FR7 contains 8 SR addressing system availability and DoS resilience: denial of service protection (SR 7.1), resource management (SR 7.2), control system backup (SR 7.3), control system recovery and reconstitution (SR 7.4), emergency power (SR 7.5), network and security configuration settings (SR 7.6), least functionality (SR 7.7), control system component inventory (SR 7.8). Implementation at SL2: tested backup procedures (daily + weekly + monthly), documented recovery RTO/RPO targets, UPS + generator for critical control systems, hardening baseline per CIS Benchmark / NIST SP 800-53, asset inventory continuously maintained.
Mapping IEC 62443-3-3 SR to NIS2 Article 21 obligations
NIS2 directive EU 2022/2555 Article 21 mandates 10 categories of cybersecurity measures. Each maps directly to IEC 62443-3-3 SR:
| NIS2 Article 21(2) | Mandate | IEC 62443-3-3 SR mapping |
|---|---|---|
| (a) | Risk analysis policies | SR 2.8 (auditable events), SR 6.1 (audit log access) |
| (b) | Incident handling | SR 6.1, SR 6.2 (continuous monitoring) |
| (c) | Business continuity | SR 7.3 (backup), SR 7.4 (recovery), SR 7.5 (emergency power) |
| (d) | Supply chain security | Maps to IEC 62443-2-4 + 62443-4-1 (component supplier reqs) |
| (e) | Secure acquisition | Maps to IEC 62443-4-2 (component certification) |
| (f) | Effectiveness assessment | SR 3.3 (security functionality verification) |
| (g) | Cyber hygiene | SR 1.x (FR1 IAC), SR 2.x (FR2 UC), SR 3.2 (malicious code) |
| (h) | Cryptography | SR 4.1 (information confidentiality), SR 4.3 (key management) |
| (i) | HR security | SR 1.3 (account management), SR 1.4 (identifier management) |
| (j) | MFA + encrypted communications | SR 1.1 RE2/RE3 (MFA), SR 3.1 (communication integrity) |
ISA Secure System Security Assurance (SSA) certification
ISA Secure SSA is the international certification scheme for systems claiming IEC 62443-3-3 compliance. Three certification levels: SSA-Level 1 (basic), SSA-Level 2 (default target for most manufacturing), SSA-Level 3 (critical infrastructure). Process: 9-18 months from application to certification by accredited lab (ExidaCEE, TÜV Süd, TÜV Rheinland, Bureau Veritas). Cost: €50-200k depending on system complexity. Annual surveillance audits required to maintain certification.
Most major industrial automation vendors hold SSA certification on flagship products: Siemens (SIMATIC PCS 7, SIMATIC S7-1500), Rockwell Automation (ControlLogix, FactoryTalk), ABB (System 800xA), Yokogawa (CENTUM VP), Honeywell (Experion PKS), Schneider Electric (EcoStruxure).
Implementation roadmap for IEC 62443-3-3 SL2 target
A realistic 12-18 month implementation roadmap for a mid-sized manufacturing site:
| Phase | Duration | Key activities (SR addressed) |
|---|---|---|
| 1. Gap assessment | 2-3 months | Asset inventory (SR 7.8), risk assessment per zone (62443-3-2), SL target validation |
| 2. Quick wins | 2-4 months | MFA deployment (SR 1.1 RE1), password policy (SR 1.5, SR 1.7), session lock (SR 2.5) |
| 3. Network segmentation | 3-6 months | Zones & conduits (SR 5.1), DMZ (SR 5.2), firewalls + IDS/IPS, jump hosts |
| 4. Monitoring + audit | 2-4 months | SIEM aggregation (SR 6.1), continuous monitoring (SR 6.2), auditable events (SR 2.8) |
| 5. Cryptography | 2-3 months | TLS 1.3 deployment (SR 4.1, SR 3.1), KMS rollout (SR 4.3), PKI (SR 1.8) |
| 6. Backup/recovery | 2-3 months | Backup procedures (SR 7.3), recovery testing (SR 7.4), DoS protection (SR 7.1) |
| 7. Continuous improvement | Ongoing | Vulnerability mgmt, patch mgmt, periodic audits, certification |
FAQ: IEC 62443-3-3 system security requirements
What is the difference between IEC 62443-3-2 and 62443-3-3?
IEC 62443-3-2 covers risk assessment + zones & conduits design (the “what to protect”). IEC 62443-3-3 covers technical system requirements (the “how to protect”). 3-2 is the methodology; 3-3 is the catalog of technical controls. Both required for complete IEC 62443 implementation.
How many System Requirements are there in IEC 62443-3-3?
IEC 62443-3-3:2013 defines 51 base System Requirements across 7 Foundational Requirements. With Requirement Enhancements (RE1, RE2, RE3) added for higher Security Levels, total implementable controls reach approximately 100 at SL2, 130 at SL3, 150 at SL4.
What is the difference between SL1, SL2, SL3, SL4 in practice?
SL1 = casual violation (curious employee). SL2 = intentional with simple means (default target for most manufacturing). SL3 = intentional with IACS-specific skills (critical manufacturing, pharma, F&B). SL4 = state-sponsored attacks (energy, defense, water). Each SL adds approximately 20-30% more controls than the previous.
Is IEC 62443-3-3 mandatory under NIS2?
NIS2 directive EU 2022/2555 is technology-agnostic but ENISA references IEC 62443 as primary mapping standard for industrial environments. NIS2 Article 21 obligations map directly to IEC 62443-3-3 SR (see mapping table above). In practice, EU industrial manufacturers achieving NIS2 compliance via IEC 62443-3-3 SL2 is the default approach.
How does IEC 62443-3-3 differ from IEC 62443-4-2?
IEC 62443-3-3 specifies system-level requirements (the integrated IACS). IEC 62443-4-2 specifies component-level Component Requirements (CR) for individual products (PLCs, HMIs, embedded devices). Component vendors certify per 4-2; system integrators certify per 3-3.
What is the cost of implementing IEC 62443-3-3 SL2?
For a mid-sized manufacturing site (300 IACS assets), typical investment €500k-1.5M total: 30% consulting/audit, 40% technology (segmentation, IDS, SIEM, MFA), 20% process/training, 10% certification. Multi-site groups achieve 30-50% economies of scale after first site.
What about IEC 62443-3-3 implementation for legacy systems?
Legacy systems (pre-IEC 62443, often 15-25 years old) frequently cannot meet all SR directly. Approach: implement compensating controls per IEC 62443-3-2 risk assessment — e.g., network segmentation isolates legacy zone, jump host enforces MFA externally, SIEM monitors legacy zone egress. Document compensating controls in System Security Assurance dossier.
What tools support IEC 62443-3-3 implementation?
SIEM: Splunk, IBM QRadar, Microsoft Sentinel, Elastic, Wazuh. IDS/IPS: Claroty, Nozomi Networks, Dragos, Tenable.ot, Forescout SilentDefense, Tripwire Industrial Visibility. Network segmentation: Fortinet FortiGate Rugged, Cisco Industrial Security, Palo Alto Industrial. SOAR: Splunk Phantom, Palo Alto XSOAR. KMS: HashiCorp Vault, AWS KMS, Azure Key Vault.
How does TeepTrak comply with IEC 62443-3-3?
TeepTrak Pulse architecture aligns with IEC 62443-3-3 SL2: FR1 (MFA, PKI for device auth), FR2 (RBAC, audit trail SR 2.8), FR3 (TLS 1.3 comms, signed firmware updates), FR4 (AES-256 encryption at rest, TLS 1.3 in transit), FR5 (zone-isolated cloud, no inbound to OT), FR6 (SIEM-ready audit logs), FR7 (multi-region backup, DoS protection AWS Shield). SSA certification audit planned 2026.
What is the timeline to achieve IEC 62443-3-3 SL2 compliance?
12-18 months typical for SL2 target on a mid-sized manufacturing site, structured as: gap assessment (2-3 months), quick wins (2-4 months), network segmentation (3-6 months), monitoring + audit (2-4 months), cryptography (2-3 months), backup/recovery (2-3 months), continuous improvement (ongoing). Multi-site groups: 30-50% time reduction on subsequent sites via template reuse.
Conclusion
IEC 62443-3-3:2013 is the operational backbone of industrial cybersecurity implementation in 2026, with 51 System Requirements and approximately 100-150 implementable controls depending on target Security Level. Default SL2 target for most manufacturing achievable in 12-18 months with €500k-1.5M investment, mapping directly to NIS2 Article 21 obligations. Certification via ISA Secure SSA available through accredited labs. Multi-site groups achieve significant economies of scale.
Next step: download the TeepTrak IEC 62443-3-3 SR catalog implementation whitepaper or request a free SL2 gap assessment on your IACS environment.
0 Comments