{"id":94242,"date":"2026-05-18T09:39:53","date_gmt":"2026-05-18T09:39:53","guid":{"rendered":"https:\/\/teeptrak.com\/iec-62443-3-3-system-requirements-2026\/"},"modified":"2026-05-18T09:39:55","modified_gmt":"2026-05-18T09:39:55","slug":"iec-62443-3-3-system-requirements-2026","status":"publish","type":"post","link":"https:\/\/teeptrak.com\/en\/iec-62443-3-3-system-requirements-2026\/","title":{"rendered":"IEC 62443-3-3 system security requirements (2026): SR1-7, FR mapping, SL implementation guide"},"content":{"rendered":"
\nTL;DR \u2014 IEC 62443-3-3 in 60 words<\/strong>
\nIEC 62443-3-3:2013 specifies System Security Requirements (SR) for IACS, organized by 7 Foundational Requirements (FR1-7). Each FR contains 1-4 SR per Security Level (SL1-4), totaling 100+ technical controls. Most-referenced document for system integrators and asset owners. Required for NIS2 EU 2022\/2555 article 21 compliance and ISA Secure System Security Assurance (SSA) certification.\n<\/div>\n

IEC 62443-3-3:2013<\/strong> “System security requirements and security levels” is the most operationally critical document of the IEC 62443 family. While IEC 62443-1 establishes terminology and IEC 62443-2 covers policy\/procedures, IEC 62443-3-3 specifies the actual technical controls<\/strong> that an Industrial Automation and Control System (IACS) must implement to achieve a target Security Level (SL1, SL2, SL3, or SL4). For system integrators (Capgemini, Atos, Siemens PSI, Yokogawa, Honeywell PMC, Aveva Select Partners), this is the day-to-day reference. For asset owners (manufacturers), it defines the contractual security baseline. This guide details the 7 Foundational Requirements, the SR catalog (100+ controls), implementation patterns, and mapping to NIS2 EU 2022\/2555 Article 21.<\/p>\n

The 7 Foundational Requirements (FR1-7)<\/h2>\n

IEC 62443-3-3 organizes all System Requirements into 7 Foundational Requirements:<\/p>\n\n\n\n\n\n\n\n\n\n\n\n
FR<\/th>\nTitle<\/th>\nNumber of SR<\/th>\nKey intent<\/th>\n<\/tr>\n<\/thead>\n
FR1<\/strong><\/td>\nIdentification and Authentication Control (IAC)<\/td>\n13 SR<\/td>\nAuthenticate humans + devices + software before access<\/td>\n<\/tr>\n
FR2<\/strong><\/td>\nUse Control (UC)<\/td>\n12 SR<\/td>\nAuthorize actions per role \/ privilege (RBAC, ABAC)<\/td>\n<\/tr>\n
FR3<\/strong><\/td>\nSystem Integrity (SI)<\/td>\n9 SR<\/td>\nDetect\/prevent unauthorized changes to firmware, OS, application, data<\/td>\n<\/tr>\n
FR4<\/strong><\/td>\nData Confidentiality (DC)<\/td>\n3 SR<\/td>\nEncrypt data at rest, in transit, sensitive information protection<\/td>\n<\/tr>\n
FR5<\/strong><\/td>\nRestricted Data Flow (RDF)<\/td>\n4 SR<\/td>\nNetwork segmentation (zones & conduits), DMZ, application whitelisting<\/td>\n<\/tr>\n
FR6<\/strong><\/td>\nTimely Response to Events (TRE)<\/td>\n2 SR<\/td>\nAudit logs, monitoring, alerting, incident detection<\/td>\n<\/tr>\n
FR7<\/strong><\/td>\nResource Availability (RA)<\/td>\n8 SR<\/td>\nBackup, recovery, DoS protection, failover, restore<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Total: 51 SR, each with 1-4 Requirement Enhancements (RE) per Security Level \u2192 ~100 implementable technical controls at SL2, increasing to ~150 at SL4.<\/p>\n

System Requirement notation and reading the standard<\/h2>\n

SR notation follows the pattern SR FR.SubFR REn<\/strong> where:<\/p>\n

    \n
  • FR<\/strong> = Foundational Requirement number (1-7)<\/li>\n
  • SubFR<\/strong> = Sub-requirement number within the FR<\/li>\n
  • REn<\/strong> = Requirement Enhancement level (RE1, RE2, RE3)<\/li>\n<\/ul>\n

    Example: SR 1.1 RE1<\/strong> = First sub-requirement of FR1 (Identification & Authentication Control), with Requirement Enhancement level 1. Reading the standard: SR 1.1 base = required at SL1 (and above). SR 1.1 RE1 = required additionally at SL2 (and above). SR 1.1 RE2 = required additionally at SL3 (and above). SR 1.1 RE3 = required additionally at SL4.<\/p>\n

    FR1 – Identification and Authentication Control (IAC) detail<\/h2>\n

    FR1 contains 13 SR addressing how IACS authenticates users, devices, and software before granting access:<\/p>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
    SR<\/th>\nTitle<\/th>\nRequired from SL<\/th>\n<\/tr>\n<\/thead>\n
    SR 1.1<\/td>\nHuman user identification and authentication<\/td>\nSL1<\/td>\n<\/tr>\n
    SR 1.1 RE1<\/td>\nUnique identification and authentication<\/td>\nSL2<\/td>\n<\/tr>\n
    SR 1.1 RE2<\/td>\nMultifactor authentication for untrusted networks<\/td>\nSL3<\/td>\n<\/tr>\n
    SR 1.1 RE3<\/td>\nMultifactor authentication for all networks<\/td>\nSL4<\/td>\n<\/tr>\n
    SR 1.2<\/td>\nSoftware process and device identification and authentication<\/td>\nSL2<\/td>\n<\/tr>\n
    SR 1.3<\/td>\nAccount management<\/td>\nSL1<\/td>\n<\/tr>\n
    SR 1.4<\/td>\nIdentifier management<\/td>\nSL1<\/td>\n<\/tr>\n
    SR 1.5<\/td>\nAuthenticator management<\/td>\nSL1<\/td>\n<\/tr>\n
    SR 1.5 RE1<\/td>\nHardware security for authenticators<\/td>\nSL3<\/td>\n<\/tr>\n
    SR 1.6<\/td>\nWireless access management<\/td>\nSL2<\/td>\n<\/tr>\n
    SR 1.7<\/td>\nStrength of password-based authentication<\/td>\nSL1<\/td>\n<\/tr>\n
    SR 1.8<\/td>\nPublic key infrastructure (PKI) certificates<\/td>\nSL2<\/td>\n<\/tr>\n
    SR 1.9<\/td>\nStrength of public key authentication<\/td>\nSL2<\/td>\n<\/tr>\n
    SR 1.10<\/td>\nAuthenticator feedback<\/td>\nSL2<\/td>\n<\/tr>\n
    SR 1.11<\/td>\nUnsuccessful login attempts<\/td>\nSL1<\/td>\n<\/tr>\n
    SR 1.12<\/td>\nSystem use notification<\/td>\nSL1<\/td>\n<\/tr>\n
    SR 1.13<\/td>\nAccess via untrusted networks<\/td>\nSL3<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

    Practical implementation FR1 at SL2: unique identification + MFA for engineering workstations + RBAC role definitions + PKI certificates for device authentication + audit trail of login attempts.<\/p>\n

    \n

    Download the white paper<\/h3>

    Enter your email address to receive our White Paper<\/p> \n

    \n
    <\/div> \n
    \n