← Home

IEC 62443 Foundational Requirements (FR1–FR7)

The seven Foundational Requirements (FRs) form the basis of all security requirements within ISA/IEC 62443-3-3. Each FR addresses a different aspect of cybersecurity and contributes to the overall Security Level (SL) of a zone or conduit.

Rather than assigning a single security level to an entire system or zone, IEC 62443 allows each Foundational Requirement to have its own Security Level, producing an SL Vector. This provides much greater flexibility when designing security controls.

Important: Security Levels are assigned per Security Zone (or Conduit) and per Foundational Requirement — not as a single overall rating for the zone. A zone is therefore not simply described as "SL-T 2"; instead, it carries an SL Vector where each FR may have a different Target Security Level. For example, a production zone might require SL-T 4 for Restricted Data Flow (FR5) and System Integrity (FR3), but only SL-T 2 for Data Confidentiality (FR4) if sensitive data exposure is limited. This per-FR, per-zone approach is the central purpose of the Foundational Requirements framework and the SL Vector concept.

Example SL Vector for a single zone:
SL-T = {IAC UC SI DC RDF TRE RA}
        3   3  2  1  3   2  3

Each value in the vector represents the Target Security Level required for that Foundational Requirement within that specific zone. Different zones within the same facility will typically have different SL Vectors reflecting their individual operational risk, asset criticality and exposure.

IEC 62443 Foundational Requirements
Figure – Overview of the seven IEC 62443 Foundational Requirements (FR1–FR7) and their relationship to Security Level vectors.

Learning Objectives

Refer to: ISA/IEC 62443-3-3
Refer to: ISA/IEC 62443-3-2 Annex A
Refer to: ISA Training IC33 Section 11


FR1 – Identification and Authentication Control (IAC)

Purpose

Ensure that only authorised users, devices, applications and processes can identify themselves and gain access to the system. This is the first line of defence against unauthorised access.

Objectives

Typical Requirements

Industrial Examples


FR2 – Use Control (UC)

Purpose

Ensure authenticated users only perform actions they are authorised to perform. Authentication determines who you are; Use Control determines what you can do.

Objectives

Typical Requirements

Industrial Examples

Operator

Engineer

Maintenance


FR3 – System Integrity (SI)

Purpose

Ensure software, firmware, hardware and communications remain accurate, complete and unaltered. Protect systems from unauthorised modification.

Objectives

Typical Requirements

Industrial Examples


FR4 – Data Confidentiality (DC)

Purpose

Ensure sensitive information cannot be viewed by unauthorised individuals. Focuses on protecting information from disclosure.

Objectives

Typical Requirements

Industrial Examples


FR5 – Restricted Data Flow (RDF)

Purpose

Control where information is allowed to travel. Limit communications to only those necessary for operation.

Objectives

Typical Requirements

Industrial Examples

Only allow:

Block:


FR6 – Timely Response to Events (TRE)

Purpose

Detect, report and respond to cybersecurity incidents quickly. Minimise the impact of attacks.

Objectives

Typical Requirements

Industrial Examples


FR7 – Resource Availability (RA)

Purpose

Ensure systems continue operating even during failures or cyber attacks. Availability is often the highest priority within industrial systems.

Objectives

Typical Requirements

Industrial Examples


Relationship Between the Seven FRs

FR Name Primary Security Goal
FR1 Identification & Authentication Control (IAC) Verify identity
FR2 Use Control (UC) Authorise actions
FR3 System Integrity (SI) Prevent unauthorised modification
FR4 Data Confidentiality (DC) Prevent unauthorised disclosure
FR5 Restricted Data Flow (RDF) Control communications
FR6 Timely Response to Events (TRE) Detect and respond to incidents
FR7 Resource Availability (RA) Maintain operational availability

Foundational Requirements and Security Levels

IEC 62443 does not require every Foundational Requirement within a zone to have the same Security Level. Instead, each FR within a given Security Zone or Conduit can have its own Target Security Level (SL-T), Achieved Security Level (SL-A), and Capability Security Level (SL-C), creating an SL Vector.

Per-Zone, Per-FR Security Levels: When assessing or designing cybersecurity for a zone, do not reduce the zone to a single Security Level (e.g. "this zone is SL-T 2"). IEC 62443 expects each zone to be defined by an SL Vector — a set of seven Security Level values, one for each Foundational Requirement. The SL-T for Identification and Authentication (FR1) may differ from the SL-T for Resource Availability (FR7) within the same zone, reflecting the specific risks and operational priorities of that area. This is the fundamental relationship between Foundational Requirements and Security Levels: FRs define what must be protected; the SL Vector defines how strongly each aspect must be protected for that particular zone.

This per-FR, per-zone approach provides a more accurate representation of the security posture and allows security controls to be tailored to operational risk rather than applying uniform controls across all security objectives.

Example SL Vector for one Security Zone:

FR SL-T
IAC 3
UC 3
SI 4
DC 2
RDF 4
TRE 3
RA 4

Refer to: ISA/IEC 62443-3-2 (Security Level Target Determination)
Refer to: ISA/IEC 62443-3-3, Clause 4 (System Security Requirements and Security Levels)


Key Takeaways


Standards References