Foundational Requirements
The seven categories that IEC 62443 evaluates a Security Level claim against — IAC, UC, SI, DC, RDF, TRE, RA. The vector that turns a single SL number into something operationally meaningful.
Also: FR, FRs, 62443 FRs, Foundational Requirement
The Foundational Requirements are the seven categories that IEC 62443 evaluates every Security Level claim against. They are the structure that turns “SL 2” — by itself a meaningless scalar — into a seven-element vector that says, per category, what level of adversary the design is sized to repel.
The seven
| FR | Name | The question it answers |
|---|---|---|
| FR1 | Identification & Authentication Control (IAC) | Who or what is acting? |
| FR2 | Use Control (UC) | Are they allowed to do this? |
| FR3 | System Integrity (SI) | Has the data, code, or configuration been tampered with? |
| FR4 | Data Confidentiality (DC) | Can an observer read what shouldn’t be visible? |
| FR5 | Restricted Data Flow (RDF) | Are only the documented conduits in use? |
| FR6 | Timely Response to Events (TRE) | Can we detect, log, and respond? |
| FR7 | Resource Availability (RA) | Will the system survive a resource-exhaustion attempt? |
Each FR decomposes into System Requirements (SRs) in 62443-3-3, which decompose further into Requirement Enhancements (REs) for the higher Security Levels. The SR/RE structure is what auditors actually score against.
Why the vector matters in substation work
A scalar SL ignores that different FRs cost wildly different amounts to deliver in OT.
- FR3 (System Integrity) on a process bus is hard — the per-frame latency budget rules out anything except embedded HMAC (IEC 62351-6 GMAC).
- FR4 (Data Confidentiality) on a Sampled Values stream is unnecessary — the data isn’t sensitive. Forcing SL-2 on FR4 here costs CPU and buys nothing.
- FR5 (Restricted Data Flow) is the FR that the zone-and-conduit exercise itself addresses. Drawing the diagram is most of the FR5 work.
- FR7 (Resource Availability) typically gets pushed to the network layer (PRP, dual-homed switches, redundant uplinks) rather than the application layer.
A grown-up SL-T statement reads as a vector that’s been thought about per FR — {2, 2, 3, 1, 2, 2, 2} for a process-bus zone — not “SL 2” stamped uniformly across everything.
Mapping FRs to UK regulatory outcomes
The NCSC Cyber Assessment Framework outcomes used in UK NIS regulation map onto FRs reasonably cleanly:
- CAF B2 (Identity and access control) → FR1, FR2.
- CAF B4 (System security) → FR3.
- CAF C1 (Security monitoring) → FR6.
- CAF B3 (Data security) → FR4.
This is one of the reasons UK utilities cite 62443 as their control catalogue: the FR structure is a clean cross-walk to what the regulator asks for under CAF, even though the regulator doesn’t mandate 62443 by name.