Mapping to ISA/IEC 62443-4-2 (informative) – OPC Unified Architecture

ISA/IEC 62443-4-2 CRs and Res	Related to				Applies to OPC UA	OPC UA Part #	Keyword text or comment
	SL1	SL2	SL3	SL4
CR 1.1: Human user identification and authentication	√	√	√	√	Y	OPC 10000-4	IssuedIdentityToken
						OPC 10000-6	JSON Web Token (JWT), JWT UserTokenPolicy
						OPC 10000-7-ConformanceUnits	Security User JWT IssuedToken 2, Security User JWT Token Policy, OPC UA Authority Profile, OAuth2 Authority Profile, Azure Identity Provider Authority Profile
						OPC 10000-7 - Profiles
CR 1.1 RE (1): Unique identification and Authentication		√	√	√	Y	OPC 10000-4	IssuedIdentityToken
						OPC 10000-6	JSON Web Token (JWT), JWT UserTokenPolicy
						OPC 10000-7-ConformanceUnits	Security User JWT IssuedToken 2, Security User JWT Token Policy, OPC UA Authority Profile,
						OPC 10000-7 - Profiles	User Token – JWT Server Facet, User Token – JWT Client Facet
CR1.1 RE(2) Multifactor authentication for all interfaces			√	√	P		OPC UA does not define any alternate schemes for two factor authentication, but if Issued tokens are used for user Authentication, the issued token provider can implement multifactor authentication. OPC UA authenticates the application as well as the user.
						OPC 10000-4	IssuedIdentityToken
						OPC 10000-6	JSON Web Token (JWT), JWT UserTokenPolicy
						OPC 10000-7-ConformanceUnits	Security User JWT IssuedToken 2, Security User JWT Token Policy, OPC UA Authority Profile
						OPC 10000-7 - Profiles	User Token – JWT Server Facet, User Token – JWT Client Facet
CR 1.2: Software process and device identification and authentication		√	√	√	Y	Error! Reference source not found.	ApplicationAuthentication, X.509 v3 Security Certificates
						OPC 10000-4	ApplicationInstance Security Certificate
						OPC 10000-6	EndpointDescription, EndpointUrl, Hostname (Device)
						OPC 10000-7 ConformanceUnits	Security Default ApplicationInstance Certificate
						OPC 10000-7 - Profiles	Global Certificate Management Server Facet Global Certificate Management Client Facet
CR 1.2 RE (1) Unique identification and authentication			√	√	Y	Error! Reference source not found.	ApplicationAuthentication, X.509 v3 Security Certificates
						OPC 10000-4	ApplicationInstance Security Certificate
						OPC 10000-6	EndpointDescription, EndpointUrl, Hostname (Device)
						OPC 10000-7-ConformanceUnits	Security Default ApplicationInstance Certificate,
						OPC 10000-7 - Profiles	Global Certificate Management Server Facet Global Certificate Management Client Facet
CR 1.3: Account management	√	√	√	√	P		OPC UA does not directly provide account management, but if an AuthorizationService is used for user Authentication, it could support account management.
						OPC 10000-4	IssuedIdentityToken
						OPC 10000-6	JSON Web Token (JWT), JWT UserTokenPolicy
						OPC 10000-7-ConformanceUnits	Security User JWT IssuedToken 2, Security User JWT Token Policy, OPC UA Authority Profile
						OPC 10000-7 - Profiles	User Token – JWT Server Facet, User Token – JWT Client Facet
CR 1.4: Identifier management	√	√	√	√	Y	OPC 10000-4	UserIdentityToken, UserTokenPolicy
						OPC 10000-7-ConformanceUnits	Security User JWT IssuedToken 2, Security User JWT Token Policy, OPC UA Authority Profile
						OPC 10000-7 - Profiles	User Token – JWT Server Facet, User Token – JWT Client Facet
CR 1.5: Authenticator management	√	√	√	√	Y	OPC 10000-4	UserIdentityToken, UserTokenPolicy
						OPC 10000-7-ConformanceUnits	Security User JWT IssuedToken 2, Security User JWT Token Policy, OPC UA Authority Profile
						OPC 10000-7 - Profiles	User Token – JWT Server Facet, User Token – JWT Client Facet
CR 1. 5 RE (1) Hardware security for authenticators			√	√	N		Secure elements are recommended in 9.1 and also discussed in OPC 10000-12 and OPC 10000-21, but not defined in OPC.
NDR 1.6 – Wireless access management	√	√	√	√	N		OPC UA does specify physical characteristics of a network including wireless.
NDR 1.6 RE (1) Unique identification and authentication		√	√	√	N		Same as above
CR 1.7: Strength of password based authentication	√	√	√	√	N		OPC UA provides the mechanism for exchanging passwords information, but it does not define the implementation of the password – this is vendor specific. If an AuthorizationService is used, it can provide password strength enforcement.
CR 1.7 RE (1) Password generation and lifetime restrictions for human users			√	√	N		Same as CR 1.7 above.
CR 1.7 RE (2) Password lifetime restrictions for all users (human, software process, or device)				√	N		Same as CR 1.7 above.
CR 1.8: Security certificates		√	√	√	Y	Error! Reference source not found.	Security Certificates, TrustLists (CertificateStore), OPC UA Security Services
						OPC 10000-4	Obtaining, validating, and installing Security Certificate services
						OPC 10000-6	Security Certificates
						OPC 10000-7-ConformanceUnits	Security Certificate Administration, Security Certificate Validation
						OPC 10000-7 - Profiles	Global Security Certificate Management Server Global Certificate Management Client Facet
						OPC 10000-12	Security Certificate Management Overview
CR 1.9: Strength of public key-based authentication		√	√	√	Y	Error! Reference source not found.	Cryptographic Keys
						OPC 10000-4	Trusted Security Certificates
						OPC 10000-7-ConformanceUnits	Basic256_Limits,
						OPC 10000-7 - Profiles	SecurityPolicy [A] – Aes128_Sha256_RsaOaep SecurityPolicy [B] – Basic256Sha256 SecurityPolicy - Aes256-Sha256-RsaPss
CR 1.9 RE (1) Hardware security for public key-based authentication			√	√	N		Secure elements are recommended in 9.1 and also discussed in OPC 10000-12 and OPC 10000-21, but not defined in OPC.
CR 1.10: Authenticator feedback	√	√	√	√	Y	Error! Reference source not found.	ApplicationAuthentication, X.509 v3 Security Certificates
						OPC 10000-4	ApplicationInstance Security Certificate
						OPC 10000-6	EndpointDescription, EndpointUrl, Hostname (Device)
						OPC 10000-7-ConformanceUnits	Security Default ApplicationInstance Certificate
						OPC 10000-7 - Profiles	Global Certificate Management Server Facet
CR 1.11: Unsuccessful login attempts	√	√	√	√	N		OPC does not provide temporary lock out for repeated user access failure, but an AuthenticationService could. OPC does monitor SecureChannel connection and could block secure channel connection for repeated user login failure.
CR 1.12: System use notification	√	√	√	√	N		OPC does not define the how a client prompts for username/password.
NDR 1.13 – Access via untrusted networks	√	√	√	√	N		OPC does not define network hardware requirements. It can restrict communication to be between uniquely identified applications (see CR 1.2).
NDR 1.13 RE (1) Explicit access request approval			√	√	N		Same as NDR 1.13 above
CR 1.14: Strength of symmetric key-based authentication		√	√	√	Y	Error! Reference source not found.	Symmetric Encryption
						OPC 10000-6	SymmetricEncryptionAlgorithm
						OPC 10000-7-ConformanceUnits
						OPC 10000-7 - Profiles	Global Service KeyCredential Pull Facet Global Service KeyCredential Push Facet KeyCredential Service Server Facet KeyCredential Service Client Facet
						Part 14	SecuritKeyService (SKS), SymmetricEncryptionAlgorithm
CR 1.14 RE (1) Hardware security for symmetric key-based authentication			√	√	N		The OPC UA specification does not provide hardware requirements and does not utilize long lived symmetric keys

Table A.2 – ISA/IEC 62443 mapping FR 2 Use control

ISA/IEC 62443-4-2 CRs and Res	Related to				Applies to OPC UA	OPC UA Part #	Keyword text or comment
	SL1	SL2	SL3	SL4
CR 2.1: Authorization enforcement	√	√	√	√	Y	Error! Reference source not found.	UserAuthorization
						OPC 10000-4	Authorization Services, IssuedIdentityToken
						OPC 10000-6	AuthorizationService, JSON Web Token (JWT)
						OPC 10000-7-ConformanceUnits
						OPC 10000-7 - Profiles	User Token – JWT Server Facet, User Token – JWT Client Facet
RE (1): Authorization enforcement for all users (humans, software processes, and devices)		√	√	√	Y	Error! Reference source not found.	UserAuthorization
						OPC 10000-4	Authorization Services, IssuedIdentityToken
						OPC 10000-6	AuthorizationService, JSON Web Token (JWT)
						OPC 10000-7-ConformanceUnits
						OPC 10000-7 - Profiles	User Token – JWT Server Facet, User Token – JWT Client Facet
RE (2): Permission mapping to roles		√	√	√	Y	Error! Reference source not found.	Roles, JWT, and User Roles
						OPC 10000-18	User Authorization, Role Type
						OPC 10000-6	RolePermissions
						OPC 10000-7-ConformanceUnits
						OPC 10000-7 - Profiles	User Role Management 2022 Server Facet User Role Management Client Facet
CR 2.1 RE (3) Supervisor override			√	√	P		OPC provides the ability to switch user context, but it does not provide an automatic timeout for a switch.
						OPC 10000-4	Authorization Services
CR 2.1 RE (4) Dual approval				√	N		OPC does not define the logic for applications and thus does not define dual approval
CR 2.2: Wireless use control	√	√	√	√	N		OPC is hardware agnostic.
CR 2.3 – Use control for portable and mobile devices	NA	NA	NA	NA	N		No component level requirements defined in 62443
SAR 2.4: Mobile code	√	√	√	√	N		OPC does not define Mobile code technologies
SAR 2.4 RE (1): Mobile code authenticity check		√	√	√	N		OPC does not define Mobile code technologies
EDR 2.4: Mobile code	√	√	√	√	N		OPC does not define Mobile code technologies
EDR 2RE (1): Mobile code authenticity check		√	√	√	N		OPC does not define Mobile code technologies
HDR 2.4: Mobile code	√	√	√	√	N		OPC does not define Mobile code technologies
HDR 2.4RE (1): Mobile code authenticity check		√	√	√	N		OPC does not define Mobile code technologies
NDR 2.4 – Mobile code	√	√	√	√	N		OPC does not define Mobile code technologies
NDR 2.4 – Mobile code		√	√	√	N		OPC does not define Mobile code technologies
CR 2.5: Session lock	√	√	√	√	N		OPC UA does not define human user interface
CR 2.6: Remote session termination		√	√	√	P		OPC allows identification of remote session via ApplicationAuthentication, remote restrictions are application specific, but the infrastructure is provided.
						OPC 10000-4	IssuedIdentityToken
						OPC 10000-6	JSON Web Token (JWT), JWT UserTokenPolicy
						OPC 10000-7-ConformanceUnits	Security User JWT IssuedToken 2, Security User JWT Token Policy, OPC UA Authority Profile
						OPC 10000-7 - Profiles
CR 2.7 – Concurrent session control			√	√	N		OPC provides limits on sessions, subscription and other functionality and defines behaviour if these limits are exceeded, but it does not provide limits per user.
CR 2.8: Auditable events	√	√	√	√	Y	Error! Reference source not found.	Auditability, Auditing, Audit Event Management
						OPC 10000-4	Auditing
						OPC 10000-5	AuditSecurityEventType
						OPC 10000-7-ConformanceUnits
						OPC 10000-7 - Profiles	Auditing 2022 Server Facet Auditing Client Facet, Best Practice – Audit Events
CR 2.9: Audit storage capacity	√	√	√	√	N		OPC does not define Audit storage.
CR 2.9 RE (1) Warn when audit record storage capacity threshold reached.			√	√	N		OPC does not define Audit storage.
CR 2.10: Response to audit processing failures	√	√	√	√	N		OPC does not provide Audit storage
CR 2.11: Timestamps	√	√	√	√	Y	Error! Reference source not found.	Message replay, Timestamps, SecureChannelId
						OPC 10000-4	TimestampsToReturn
						OPC 10000-5	AuditEventType
						OPC 10000-7-ConformanceUnits
						OPC 10000-7 - Profiles	Auditing 2022 Server Facet
CR 2.11 RE (1): Time synchronization		√	√	√	Y	Error! Reference source not found.	Cryptographic Keys (time validity of security profile)
						OPC 10000-4	SourceTimestamp, VersionTime, Redundant Server Set Requirements
						OPC 10000-6	Time Synchronization
						OPC 10000-7-ConformanceUnits
						OPC 10000-7 – Profiles	Security Time Synchronization
CR 2.11 RE (2) Protection of time source integrity				√	N		OPC does not define a unique time synchronization scheme, but utilize other industry standard.
CR 2.12: Non-repudiation	√	√	√	√	P		The connection is secured against repudiation, with the exception that we use a symmetric key for the communication. Thus every message must have been signed by either the Client or the Server, but it is not possible to determine which partner signed it.
						Error! Reference source not found.	Message alteration, Server Profiling, System Hijacking, Repudiation, Audit Event Management
						OPC 10000-4	Signing, GetEndpoints, SecureChannel, Auditing, Proof of Possession,
						OPC 10000-7-ConformanceUnits
						OPC 10000-7 – Profiles	User Token – JWT Server Facet, User Token – JWT Client Facet Auditing 2022 Server Facet Auditing Client Facet Best Practice – Audit Events
CR 2.12 RE (1) Non-repudiation for all users				√	P		The connection is secured against repudiation, with the exception that we use a symmetric key for the communication. Thus every message must have been signed by either the Client or the Server, but it is not possible to determine which partner signed it.
						Error! Reference source not found.	Message alteration, Server Profiling, System Hijacking, Repudiation, Audit Event Management
						OPC 10000-4	Signing, GetEndpoints, SecureChannel, Auditing, Proof of Possession
						OPC 10000-7-ConformanceUnits
						OPC 10000-7 – Profiles	User Token – JWT Server Facet, User Token – JWT Client Facet Auditing 2022 Server Facet Auditing Client Facet Best Practice – Audit Events
EDR 2.13: Use of physical diagnostic and test interfaces		√	√	√	N		OPC is hardware agnostic.
EDR 2.13 RE (1) Active monitoring			√	√	N		OPC is hardware agnostic
HDR 2.13: Use of physical diagnostic and test interfaces		√	√	√	N		OPC is hardware agnostic
HDR 2.13 RE (1) Active monitoring			√	√	N		OPC is hardware agnostic
NDR 2.13: Use of physical diagnostic and test interfaces		√	√	√	N		OPC is hardware agnostic
NDR 2.13 RE (1) Active monitoring			√	√	N		OPC is hardware agnostic

Table A.3 – ISA/IEC 62443 Mapping FR 3 System integrity

ISA/IEC 62443-4-2 CRs and Res	Related to				Applies to OPC UA	OPC UA Part #	Keyword text or comment
	SL1	SL2	SL3	SL4
CR 3.1: Communication integrity	√	√	√	√	Y	Error! Reference source not found.	SecureChannel – OpenSecureChannel
						OPC 10000-4	SecureChannel Service Set
						OPC 10000-6	SecureChannel, SecurityProtocol
						OPC 10000-7-ConformanceUnits	Security Policy Required,
						OPC 10000-7 - Profiles	SecurityPolicy [A] – Aes128_Sha256_RsaOaep SecurityPolicy [B] – Basic256Sha256 SecurityPolicy - Aes256-Sha256-RsaPss SecurityPolicy [A] - PubSub-Aes128-CTR SecurityPolicy - PubSub-Aes256-CTR
CR 3.1 RE (1): Communication authentication		√	√	√	Y	Error! Reference source not found.	SecureChannel – OpenSecureChannel
						OPC 10000-4	SecureChannel Service Set
						OPC 10000-6	SecureChannel
						OPC 10000-7-ConformanceUnits	Security Policy Required
						OPC 10000-7 - Profiles	SecurityPolicy [A] – Aes128_Sha256_RsaOaep SecurityPolicy [B] – Basic256Sha256 SecurityPolicy - Aes256-Sha256-RsaPss
SAR 3.2: Protection from malicious code	√	√	√	√	N		OPC does not define requirement related to malicious code protection (for example. virus checkers)
EDR 3.2: Protection from malicious code	√	√	√	√	N		OPC does not define requirement related to installation or execution of software
HDR 3.2: Protection from malicious code	√	√	√	√	N		OPC does not define requirement related to malicious code protection (for example. virus checkers)
HDR 3.2 RE (1): Report version of code protection		√	√	√	N		OPC does not define requirement related to malicious code protection (for example. virus checkers)
NDR 3.2 – Protection from malicious code	√	√	√	√	N		OPC does not define requirement related to malicious code protection (for example. virus checkers)
CR 3.3: Security functionality verification	√	√	√	√	Y	Error! Reference source not found.	Identity Provider, SecurityKeyService, SecureChannel, TLS
						OPC 10000-4	OpenSecureChannel, CreateSession, Write
						OPC 10000-6	OPC UA Secure Conversation (UASC), Verifying Message Security, Token Policy, Bad_SecureChannel
						OPC 10000-7-ConformanceUnits
						OPC 10000-7 - Profiles	User Token – JWT Server Facet, User Token – JWT Client Facet SecurityPolicy [A] – Aes128_Sha256_RsaOaep SecurityPolicy [B] – Basic256Sha256 SecurityPolicy - Aes256-Sha256-RsaPss
CR 3.3 RE (1) Security functionality verification during normal operation				√	N		OPC does not define security function verification
CR 3.4: Software and information integrity	√	√	√	√	P
						Error! Reference source not found.	ApplicationInstance Security Certificate
						OPC 10000-4	SoftwareCertificates
						OPC 10000-6	ApplicationInstance Security Certificate, X.509 v3
						OPC 10000-7-ConformanceUnits	Security ApplicationInstance Security Certificate, Security Certificate Validation
						OPC 10000-7 - Profiles	Global Security Certificate Management Server Global Certificate Management Client Facet
CR 3.4 RE (1): Authenticity of software and information		√	√	√	P
						Error! Reference source not found.	ApplicationInstance Security Certificate
						OPC 10000-4	SoftwareCertificates
						OPC 10000-6	ApplicationInstance Security Certificate, X.509 v3
						OPC 10000-7-ConformanceUnits	Security ApplicationInstance Security Certificate Security Certificate Validation
						OPC 10000-7 - Profiles	Global Security Certificate Management Server Global Certificate Management Client Facet
CR 3.4 RE (2) Automated notification of integrity violations			√	√	P
						Error! Reference source not found.	ApplicationInstance Security Certificate
						OPC 10000-4	SoftwareCertificates
						OPC 10000-6	ApplicationInstance Security Certificate, X.509 v3
						OPC 10000-7-ConformanceUnits	Security ApplicationInstance Security Certificate, Security Certificate Validation
						OPC 10000-7 - Profiles	Global Security Certificate Management Server Global Certificate Management Client Facet
CR 3.5: Input validation	√	√	√	√	N		OPC does not define HMI requirements, but does ensure that input data (method parameter or for write) is of the correct datatype
CR 3.6: Deterministic output	√	√	√	√	N		OPC does not define application behaviour, but does define information models that include substituted values and other behaviours for failed states.
CR 3.7: Error handling	√	√	√	√	Y	OPC 10000-4	Request/Response Service
						OPC 10000-5	SessionDiagnosticsObjectType
						OPC 10000-6	MessageChunks, Error Handling, Error Message, CloseSecureChannel
						OPC 10000-7-ConformanceUnits	Security Policy Required,
						OPC 10000-7 - Profiles	SecurityPolicy [A] – Aes128_Sha256_RsaOaep SecurityPolicy [B] – Basic256Sha256 SecurityPolicy - Aes256-Sha256-RsaPss
CR 3.8: Session integrity		√	√	√	Y	Error! Reference source not found.	SecureChannel, Session ID
						OPC 10000-4	Session Service Set, Creating a Session, Auditing Session Service, SessionAuthenticationToken
						OPC 10000-7-ConformanceUnits	Session Base Discovery Get Endpoints
						OPC 10000-7 - Profiles	Standard UA Client 2022 Profile, Base Server Behaviour Facet
CR 3.9: Protection of audit information		√	√	√	P		OPC provides security related to Audit event generation, but does not define Audit Logging requirements or tools for analysing audit records
						Error! Reference source not found.	SecureChannel, Session ID
						OPC 10000-4	Session Service Set, Creating a Session, Auditing Session Service, SessionAuthenticationToken
						OPC 10000-7-ConformanceUnits	Session Base Discovery Get Endpoints
						OPC 10000-7 - Profiles	Standard UA Client 2022 Profile, Base Server Behaviour Facet
CR 3.9 RE (1) Audit records on write-once media				√	N		OPC does not define hardware requirements
EDR 3.10: Support for updates	√	√	√	√	N		Some companion specification can define additional functionality that would apply, such as OPC 10000-100
EDR 3.10: RE (1): Update authenticity and integrity		√	√	√	N
HDR 3.10: Support for updates	√	√	√	√	N
HDR 3.10 RE (1): Update authenticity and integrity		√	√	√	N
NDR 3.10 – Support for updates	√	√	√	√	N
NDR 3.10 RE (1) Update authenticity and integrity		√	√	√	N
EDR 3.11: Physical tamper resistance and detection		√	√	√	N
EDR 3.11 RE (1) Notification of a tampering attempt			√	√	N
HDR 3.11: Physical tamper resistance and detection		√	√	√	N
HDR 3.11 RE (1) Notification of a tampering attempt			√	√	N
NDR 3.11 – Physical tamper resistance and detection		√	√	√	N
NDR 3.11 RE (1) Notification of a tampering attempt			√	√	N
EDR 3.12: Provisioning product supplier roots of trust		√	√	√	N
HDR 3.12: Provisioning product supplier roots of trust		√	√	√	N
NDR 3.12 – Provisioning product supplier roots of trust		√	√	√	N
EDR 3.13: Provisioning asset owner roots of trust		√	√	√	N
HDR 3.13: Provisioning asset owner roots of trust		√	√	√	N
NDR 3.13 – Provisioning asset owner roots of trust		√	√	√	N
EDR 3.14: Integrity of the boot process	√	√	√	√	N
EDR 3.14 RE (1): Authenticity of the boot process		√	√	√	N
HDR 3.14: Integrity of the boot process	√	√	√	√	N
HDR 3.4 RE (1): Authenticity of the boot process		√	√	√	N
NDR 3.14 – Integrity of the boot process	√	√	√	√	N
NDR 3.14 RE (1) Authenticity of the boot process		√	√	√	N

Table A.4 – ISA/IEC 62443 Mapping FR 4 Data confidentiality

ISA/IEC 62443-4-2 CRs and Res	Related to				Applies to OPC UA	OPC UA Part #	Keyword text or comment
	SL1	SL2	SL3	SL4
CR 4.1: Information confidentiality	√	√	√	√	Y	Error! Reference source not found.	Confidentiality, Eavesdropping, Client/Server, PubSub, Confidentiality
						OPC 10000-4	SecureChannel Service Set
						OPC 10000-6	OPC UA HTTPS, WebSockets (Security)
						OPC 10000-7-ConformanceUnits	Security Policy Required
						OPC 10000-7 - Profiles	SecurityPolicy [A] – Aes128_Sha256_RsaOaep SecurityPolicy [B] – Basic256Sha256 SecurityPolicy - Aes256-Sha256-RsaPss
CR 4.2: Information persistence		√	√	√	N		OPC does not describe hardware
CR 4.2 RE (1) Erase of shared memory resources			√	√	N		OPC does not describe hardware
CR 4.2 RE (2) Erase verification			√	√	N		OPC does not describe hardware
CR 4.3: Use of cryptography	√	√	√	√	Y	Error! Reference source not found.	Asymmetric Cryptography, Cryptography, Symmetric Cryptography, SecurityPolicies, Random Number Generation, Security Certificate Management
						OPC 10000-4	GetEndpoints, OpenSecureChannel
						OPC 10000-6	Security Handshake, Security Certificates, AccessTokens, Security Header, Deriving Keys (Table 49)
						OPC 10000-7-ConformanceUnits
						OPC 10000-7 - Profiles	Best Practice – Random Numbers AccessToken Request Client Facet, Security User Access Control Base Profile, Global Discovery and Security Certificate Management 2017 Server, Global Security Certificate Management Client 2017 Profile
						OPC 10000-12	Certificate Management Overview, KeyCredential Management

Table A.5 – ISA/IEC 62443 Mapping FR 5 Restricted data flow

ISA/IEC 62443-4-2 CRs and Res	Related to				Applies to OPC UA	OPC UA Part #	Keyword text or comment
	SL1	SL2	SL3	SL4
CR 5.1: Network segmentation	√	√	√	√	P		OPC describe network segmentation in part 2, but does not require it or provide any additional support for it.
						Error! Reference source not found.	Network Segmentation, OpenSecureChannel
						OPC 10000-7 ConformanceUnits
						OPC 10000-7 - Profiles	Standard UA Client 2022 Profile, Base Server Behaviour Facet
NDR 5.2 – Zone boundary protection	√	√	√	√	N		OPC does not define network hardware.
NDR 5.2 RE (1) Deny all, permit by exception		√	√	√	N		OPC does not define network hardware.
NDR 5.2 RE (2) Island mode			√	√	N		OPC does not define network hardware.
NDR 5.2 RE (3) Fail close			√	√	N		OPC does not define network hardware.
NDR 5.3 – General purpose, person-to-person communication restrictions	√	√	√	√	N		OPC does not define network hardware.
CR 5.4 – Application partitioning	NA	NA	NA	NA	NA		Nothing defined in IEC 62443

Table A.6 – ISA/IEC 62443 Mapping FR 6 Timely response to events

ISA/IEC 62443-4-2 CRs and Res	Related to				Applies to OPC UA	OPC UA Part #	Keyword text or comment
	SL1	SL2	SL3	SL4
CR 6.1: Audit log accessibility	√	√	√	√	N		OPC does not define an Audit log. OPC defines standard Audit records and also defined historical storage of events. It provides access restriction for all data.
CR 6.1 RE (1) Programmatic access to audit logs			√	√	N		OPC does not define an Audit log. OPC defines standard Audit records and also defined historical storage of events. It provides access restriction for all data, standard methods for programmatical access are defined.
CR 6.2: Continuous monitoring		√	√	√	Y	OPC 10000-7-ConformanceUnits	Monitor Items, GetMonitoredItems Method, SetMonitoringMode.
						OPC 10000-7 - Profiles	Subscription Server Facet, Standard UA Client 2022 Profile, Standard DataChange Subscription 2017 Server Facet

Table A.7 – ISA/IEC 62443 Mapping FR 7 Resource availability

ISA/IEC 62443-4-2 CRs and Res	Related to				Applies to OPC UA	OPC UA Part #	Keyword text or comment
	SL1	SL2	SL3	SL4
CR 7.1: Denial of service protection	√	√	√	√	Y	Error! Reference source not found.	Application Crashes, Fuzz Testing, Certification
						OPC 10000-4	CreateSession, OpenSecureChannel, AuthenticationToken
						OPC 10000-7-ConformanceUnits	Session Base Discovery Get Endpoints
						OPC 10000-7 - Profiles	Standard UA Client 2022 Profile, Base Server Behaviour Facet
CR 7.1 RE (1): Manage communication load from component		√	√	√	Y	Error! Reference source not found.	Message flooding, GetEndpoints, OpenSecureChannel
						OPC 10000-4	CreateSession, OpenSecureChannel, AuthenticationToken
						OPC 10000-7-ConformanceUnits	Session Base Discovery Get Endpoints
						OPC 10000-7 - Profiles	Standard UA Client 2022 Profile, Base Server Behaviour Facet
CR 7.2: Resource management	√	√	√	√	Y	Error! Reference source not found.	Resource exhaustion, ClientAuthentication, ServerAuditing, OpenSecureChannel
						OPC 10000-4	CreateSession, OpenSecureChannel, AuthenticationToken
						OPC 10000-7-ConformanceUnits	Session Base Discovery Get Endpoints
						OPC 10000-7 - Profiles	Standard UA Client 2022 Profile, Base Server Behaviour Facet
CR 7.3: Control system backup	√	√	√	√	N		OPC does not define system level backup requirements.
CR 7.3 RE (1): Backup integrity verification		√	√	√	N		OPC does not define verification of backup requirements.
CR 7.4: Control system recovery and reconstitution					N		OPC UA does not define backup and restore requirements (to a specific state).
CR 7.5 - Emergency Power	NA	NA	NA	NA	NA		(no requirements for this)
CR 7.6: Network and security configuration settings	√	√	√	√	P		OPC UA requires that application can be configured for network and security setting, but it does not define how this is accomplished.
						Error! Reference source not found.	ClientAuthentication, OpenSecureChannel
						OPC 10000-4	CreateSession, OpenSecureChannel, Discovery
						OPC 10000-7-ConformanceUnits	Session Base Discovery Get Endpoints
						OPC 10000-7 - Profiles	Standard UA Client 2022 Profile
CR 7.6 RE (1) Machine-readable reporting of current security settings			√	√	P		This is not defined in an OPA UA specification, but OPC UA does define a machine readable XML format that an application could use to export the security setting.
						Error! Reference source not found.	ClientAuthentication, OpenSecureChannel
						OPC 10000-4	CreateSession, OpenSecureChannel, Discovery
						OPC 10000-7-ConformanceUnits	Session Base Discovery Get Endpoints
						OPC 10000-7 - Profiles	Standard UA Client 2022 Profile
CR 7.7: Least functionality	√	√	√	√	N	Error! Reference source not found.	The OPC UA specification does describe that least functionality is recommended with regard to OPC UA access, but this requirement applies to all service/ports protocols, etc. which is beyond the scope of OPC UA Specifications.
CR 7.8: Control system component inventory		√	√	√	N		This scope is beyond what is defined in core OPC UA specifications. Some companion specification can define additional details about the overall environment in which OPC UA is executing, which could be able to cover this requirement.

Annex A Mapping to ISA/IEC 62443-4-2 (informative)