Foundational Requirements (FR) and System Requirements (SR)
Dieses Thema enthält die folgenden Abschnitte:
- Foundational Requirements (FR)
- System Requirements (SR)
- Requirements Enhancements (RE)
- Example: FR4 with its SRs and REs
Foundational Requirements (FR)
The IEC 62443 standard defines seven foundational requirements (FR). These are basic requirements regarding the security of an ICS. They are addressed to all stakeholders of a plant and used throughout the standard.
- FR1: Identification and authentication control (IAC)
Protection by verifying the identity of any user before enabling communication - FR2: Use control (UC)
Protection against unauthorized actions by necessary privileges before performing - FR3: System integrity (SI)
Preventing modifications of information by unauthorized persons and systems - FR4: Data confidentiality (DC)
Preventing disclosure of information to unauthorized persons and systems - FR5: Restricted data flow (RDF)
Protection via zones and conduits to limit unnecessary data flow - FR6: Timely response to event (TRE)
Collecting, reporting, preserving automatically evidences to ensure timely corrective actions - FR7: Resource availability (RA)
Ability of device functionality in case of demand also during DoS attacks
System Requirements (SR)
For each FR, part 3-3 of the IEC 62443 standard defines several system requirements (SRs). Each SR describes concrete requirements for the plant and thus describes the respective FR in detail. The example below shows details for FR4.
To comply with the standard, you must map the relevant SRs to the subsystems and components of your automation system.
Requirements Enhancements (RE)
An SR can be supplemented by so-called requirement enhancements (REs) that have to be fulfilled for higher Security Levels.
Example: FR4 with its SRs and REs
According to "FR4 - Data confidentiality", communication channels and data repositories must be protected against unauthorized disclosure. Depending on the security level (SL 1 to 4), the disclosure must be prevented with the means, resources, skills and motivation as defined in the SL classification table.
The following three SRs are defined for FR4, some of them with REs:(The list also mentions which SR and RE must at least be fulfilled to achieve a particular security level (SL).)
- SR 4.1: Information confidentiality.
Protection of the confidentiality of information for which explicit read authorization is supported.
SR 4.1 (without any RE) must be fulfilled to achieve SL-C 1.- SR 4.1 RE 1: Protection of confidentiality at rest or in transit via untrusted networks.
SR 4.1 + RE 1 must be fulfilled to achieve SL-C 2 or 3. - SR 4.1 RE 2: Protection of confidentiality across zone boundaries
SR 4.1 + RE 1 + RE 2 must be fulfilled to achieve SL-C 4.
- SR 4.1 RE 1: Protection of confidentiality at rest or in transit via untrusted networks.
- SR 4.2: Information persistence.
Purging all information for which explicit read authorization is supported before taking them out of service.
To achieve SL-C 1, it is not necessary to fulfill SR 4.2.- SR 4.2 RE 1 – Purging of shared memory resources
SR 4.2 + RE 1 must be fulfilled to achieve SL-C 3 or 4.
- SR 4.2 RE 1 – Purging of shared memory resources
- SR 4.3: Use of cryptography
Use of state-of-the-art cryptographic tools for key establishment and management.
SR 4.3 must be fulfilled for any level SL-C 1 to 4.- No REs defined for this SR.