Validate Program Inputs

Devices and programs designed to interact with control system parameters should validate the format and content of all user inputs and actions to ensure the values are within intended operational ranges. These values should be evaluated and further enforced through the program logic running on the field controller. If a problematic or invalid input is identified, the programs should either utilize a predetermined safe value or enter a known safe state, while also logging or alerting on the event.[1]

ID: M0818
Security Controls: IEC 62443-3-3:2013 - SR 3.5, IEC 62443-3-3:2013 - SR 3.6, IEC 62443-4-2:2019 - CR 3.5, IEC 62443-4-2:2019 - CR 3.6, NIST SP 800-53 Rev. 5 - SI-10
Version: 1.0
Created: 22 March 2023
Last Modified: 20 September 2023

Techniques Addressed by Mitigation

Domain ID Name Use
ICS T0836 Modify Parameter

Devices and programs should validate the content of any remote parameter changes, including those from HMIs, control servers, or engineering workstations.[1]

ICS T0855 Unauthorized Command Message

Devices and programs that receive command messages from remote systems (e.g., control servers) should verify those commands before taking any actions on them.