Last edit: 23/02/2026
In Functional Safety, to reach a certain level of SIL, concepts like Random and Systematic Failures play a fundamental role.
In IACS Security (or OT Security), a high level of protection is reached through a number of “tools” or “techniques” called Foundation Requirements (FR). Each FR describes a characteristic, or “protection”, that the IACS should have.
IEC 62443 defines 7 Foundation Requirements (FRs), which form the core structure for both system and component security requirements. Each Foundation Requirement addresses a different aspect of cybersecurity, and together they form a comprehensive defense-in-depth framework.
- FR 1 – Identification and Authentication Control (IAC). It ensures users and devices are properly identified and authenticated.
- FR 2 – Use Control (UC). It ensures that authenticated users can only perform permitted actions.
- FR 3 – System Integrity (SI). It protects the system from unauthorized modification or malicious code.
- FR 4 – Data Confidentiality (DC). It protects sensitive data from unauthorized disclosure.
- FR 5 – Restricted Data Flow (RDF). It controls and limits communication between zones and conduits.
- FR 6 – Timely Response to Events (TRE). It ensures the system can detect, report, and respond to security events.
- FR 7 – Resource Availability (RA). It ensures the system continues operating even under adverse conditions (e.g., DoS attacks).
Each of them is described in more depth below.
FR 1 – Identification and Authentication Control (IAC)
Purpose: Ensure that all users, devices, and software entities are properly identified and authenticated before accessing the system.
Description: This requirement ensures that only authorized entities can access system resources. It includes mechanisms such as usernames and passwords, certificates, tokens, or other authentication methods. Authentication must be appropriate to the risk level and may apply to humans, devices, or applications.
Strong identification and authentication prevent unauthorized access and impersonation, which are often the first steps in cyberattacks.
Examples of controls:
- Unique user accounts (no shared credentials)
- Strong password policies or certificates
- Multi-factor authentication where required
- Device authentication for network access
FR 2 – Use Control (UC)
Purpose: Ensure that authenticated users can only perform actions they are authorized to perform.
Description: Use Control focuses on authorization rather than authentication. Once a user or system is authenticated, their actions must be restricted according to defined roles and permissions. This limits accidental misuse and reduces the potential impact of compromised credentials.
Examples of controls:
- Access Control Lists (ACL)
- Privilege separation (operator vs engineer vs administrator)
- Access restrictions for safety-critical functions
- Enforcement of least-privilege principles
FR 3 – System Integrity (SI)
Purpose: Protect the system against unauthorized or unintended modification.
Description: System Integrity ensures that software, firmware, configurations, and data remain trustworthy and unaltered unless changes are authorized. This includes protection against malware, unauthorized configuration changes, and tampering.
Examples of controls:
- Secure boot and firmware integrity checks
- Malware detection and prevention
- Configuration management and change tracking
- Code signing and update verification
FR 4 – Data Confidentiality (DC)
Purpose: Prevent unauthorized access to sensitive information.
Description: This requirement ensures that sensitive data—such as operational data, credentials, or proprietary information—is protected from disclosure. While confidentiality is often less critical than availability in OT environments, it is still essential for preventing espionage and lateral attacks.
Examples of controls:
- Encryption of data in transit and at rest
- Secure communication protocols
- Access controls for sensitive data repositories
FR 5 – Restricted Data Flow (RDF)
Purpose: Control and limit communication paths within and between systems.
Description: This requirement enforces segmentation of the system into zones and conduits, ensuring that data flows only where explicitly permitted. It minimizes attack propagation and limits the blast radius of a compromise.
Examples of controls:
- Network segmentation and zoning
- Firewalls and industrial security gateways
- Whitelisting of communication paths and protocols
- Demilitarized zones (DMZs) between IT and OT networks
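As an added illustration (not part of the original page or of the standard), the sketch below shows how "data flows only where explicitly permitted" works as a default-deny check of flow records against a conduit allowlist. The zone subnets, conduit entries and flow records are constructed assumptions.

```python
import ipaddress

# Constructed zone model (assumption): each zone is identified by one subnet.
ZONES = {
    "enterprise": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("10.20.0.0/24"),
    "control": ipaddress.ip_network("10.30.0.0/24"),
}

# Conduits (assumption): the only permitted inter-zone paths, one direction each,
# as (source zone, destination zone, protocol, destination port).
CONDUITS = {
    ("enterprise", "dmz", "tcp", 443),  # IT clients to a service in the DMZ
    ("control", "dmz", "tcp", 4840),    # OPC UA from the control zone to the DMZ
}

def zone_of(addr):
    """Return the name of the zone containing addr, or None."""
    ip = ipaddress.ip_address(addr)
    return next((name for name, net in ZONES.items() if ip in net), None)

def evaluate(flow):
    """Return (verdict, reason) for one flow record; anything not listed is denied."""
    src, dst = zone_of(flow["src"]), zone_of(flow["dst"])
    if src is None or dst is None:
        return "deny", "endpoint outside every defined zone"
    if src == dst:
        return "allow", "intra-zone"  # assumption: conduits govern inter-zone traffic only
    if (src, dst, flow["proto"], flow["dport"]) in CONDUITS:
        return "allow", f"conduit {src}->{dst}"
    return "deny", f"no conduit {src}->{dst} {flow['proto']}/{flow['dport']}"

# Constructed flow records, not captured from a real network.
FLOWS = [
    {"src": "10.10.4.7", "dst": "10.20.0.5", "proto": "tcp", "dport": 443},
    {"src": "10.30.0.12", "dst": "10.20.0.5", "proto": "tcp", "dport": 4840},
    {"src": "10.10.4.7", "dst": "10.30.0.12", "proto": "tcp", "dport": 502},   # IT straight to control
    {"src": "10.20.0.5", "dst": "10.30.0.12", "proto": "tcp", "dport": 4840},  # reverse of a conduit
    {"src": "192.168.1.9", "dst": "10.30.0.12", "proto": "tcp", "dport": 22},  # unknown source
]

def violations(flows):
    """Return the flows that no conduit permits, each with the reason for denial."""
    return [(f["src"], f["dst"], reason)
            for f in flows
            for verdict, reason in [evaluate(f)] if verdict == "deny"]

if __name__ == "__main__":
    for v in violations(FLOWS):
        print(v)
```

The reversed flow from the DMZ into the control zone is denied even though the same port is open in the other direction, because each conduit entry is directional.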
FR 6 – Timely Response to Events (TRE)
Purpose: Ensure timely detection, reporting, and response to cybersecurity events.
Description: Systems must be capable of detecting abnormal or malicious activity and generating alerts so that operators can respond before damage occurs. This includes logging, monitoring, and alarm mechanisms.
Examples of controls:
- Security event logging and alerting
- Intrusion detection systems (IDS)
- Time synchronization for accurate event correlation
- Incident response procedures
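As an added illustration (not part of the original page), the sketch below shows why time synchronization matters for event correlation: the same three events are correlated once with raw device timestamps and once after correcting each source's clock error. The events, device names and clock offsets are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed events (not real logs); each device stamps with its own local clock.
EVENTS = [
    {"src": "firewall", "ts": "2026-02-23T10:00:05", "msg": "remote session opened to plc-7"},
    {"src": "plc-7", "ts": "2026-02-23T09:58:40", "msg": "logic download started"},
    {"src": "hmi-2", "ts": "2026-02-23T10:00:20", "msg": "alarm acknowledged"},
]

# Assumed measured clock error per source, in seconds, versus the reference clock
# (positive = device clock runs ahead). With working time sync these are near 0.
OFFSETS = {"firewall": 0, "plc-7": -95, "hmi-2": 8}

def timeline(events, offsets=None):
    """Return events sorted by time; subtract each source's clock error if given."""
    out = []
    for ev in events:
        t = datetime.fromisoformat(ev["ts"])
        if offsets is not None:
            t -= timedelta(seconds=offsets[ev["src"]])
        out.append((t, ev["src"], ev["msg"]))
    return sorted(out)

def correlate(tl, first, second, window_s=60):
    """Find event pairs where `second` follows `first` within window_s seconds."""
    hits = []
    for t1, s1, m1 in tl:
        if first not in m1:
            continue
        for t2, s2, m2 in tl:
            if second in m2 and timedelta(0) <= t2 - t1 <= timedelta(seconds=window_s):
                hits.append((s1, s2, int((t2 - t1).total_seconds())))
    return hits

if __name__ == "__main__":
    # Raw device timestamps: the download appears to precede the session, so no match.
    print(correlate(timeline(EVENTS), "remote session", "logic download"))
    # Corrected timestamps: the download follows the session and the rule matches.
    print(correlate(timeline(EVENTS, OFFSETS), "remote session", "logic download"))
```

With unsynchronized clocks the rule "logic download shortly after a remote session" never fires, because the PLC's timestamp places the download before the session that caused it.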
FR 7 – Resource Availability (RA)
Purpose: Ensure the system remains operational and resilient under adverse conditions.
Description: Resource Availability focuses on protecting the system against denial-of-service conditions, equipment failures, or resource exhaustion. It is especially critical in industrial environments where downtime can have safety or economic consequences.
Examples of controls:
- Redundancy and failover mechanisms
- Capacity management and load control
- Protection against denial-of-service attacks
- Backup power and communication paths