Authorization Enforcement

The device or system should restrict read, manipulate, and execute privileges to authenticated users who require that access under approved security policies. Role-based Access Control (RBAC) schemes can help reduce the overhead of assigning permissions across the large number of devices within an ICS. For example, IEC 62351 provides examples of roles used to support common system operations within the electric power sector [1], while IEEE 1686 defines standard permissions for users of IEDs [2].

ID: M0800
Security Controls: IEC 62443-3-3:2013 - SR 2.1, IEC 62443-4-2:2019 - CR 2.1, NIST SP 800-53 Rev. 5 - AC-3
Version: 1.1
Created: 11 September 2020
Last Modified: 20 October 2023

Techniques Addressed by Mitigation

Domain ID Name Use
ICS T0800 Activate Firmware Update Mode

Restrict configuration changes and firmware update capabilities to authorized individuals only.

ICS T0858 Change Operating Mode

All field controllers should restrict operating mode changes to only required authenticated users (e.g., engineers, field technicians), preferably through implementing a role-based access mechanism. Further, physical mechanisms (e.g., keys) can also be used to limit unauthorized operating mode changes.

ICS T0868 Detect Operating Mode

All field controllers should restrict the modification of programs to only certain users (e.g., engineers, field technicians), preferably through implementing a role-based access mechanism.

ICS T0816 Device Restart/Shutdown

All field controllers should restrict the modification of programs to only certain users (e.g., engineers, field technicians), preferably through implementing a role-based access mechanism.

ICS T0871 Execution through API

All APIs used to perform execution, especially those hosted on embedded controllers (e.g., PLCs), should provide adequate authorization enforcement of user access. Minimize each user's access to only the API calls they require. [3]

ICS T0838 Modify Alarm Settings

Only authorized personnel should be able to change settings for alarms.

ICS T0821 Modify Controller Tasking

All field controllers should restrict the modification of controller tasks to only certain users (e.g., engineers, field technicians), preferably through implementing a role-based access mechanism.

ICS T0836 Modify Parameter

All field controllers should restrict the modification of parameter values to only certain users (e.g., engineers, field technicians), preferably through implementing a role-based access mechanism. They should also restrict online edits and enable write protection for parameters.

ICS T0889 Modify Program

All field controllers should restrict the modification of programs to only certain users (e.g., engineers, field technicians), preferably through implementing a role-based access mechanism.

ICS T0861 Point & Tag Identification

Systems and devices should restrict access to any data with potential confidentiality concerns, including point and tag information.

ICS T0843 Program Download

All field controllers should restrict the download of programs, including online edits and program appends, to only certain users (e.g., engineers, field technicians), preferably through implementing a role-based access mechanism.

ICS T0845 Program Upload

All field controllers should restrict program uploads to only certain users (e.g., engineers, field technicians), preferably through implementing a role-based access mechanism.

ICS T0886 Remote Services

Provide privileges corresponding to the restriction of a GUI session to control system operations (examples include HMI read-only vs. read-write modes). Ensure local users, such as operators and engineers, are given priority over remote sessions and have the authority to regain control of a remote session if needed. Prevent remote access sessions (e.g., RDP, VNC) from taking over local sessions, especially those used for ICS control such as HMIs.

References