Adversaries may change the operating mode of a controller to gain additional access to engineering functions such as Program Download. Programmable controllers typically have several modes of operation that control the state of the user program and control access to the controllers API. Operating modes can be physically selected using a key switch on the face of the controller but may also be selected with calls to the controllers API. Operating modes and the mechanisms by which they are selected often vary by vendor and product line. Some commonly implemented operating modes are described below:
Authenticate all access to field controllers before authorizing access to, or modification of, a device's state, logic, or programs. Centralized authentication techniques can help manage the large number of field controller accounts needed across the ICS.
All field controllers should restrict operating mode changes to only required authenticated users (e.g., engineers, field technicians), preferably through implementing a role-based access mechanism. Further, physical mechanisms (e.g., keys) can also be used to limit unauthorized operating mode changes.
Protocols used for device management should authenticate all network messages to prevent unauthorized system changes.
|M0804||Human User Authentication||
All field controllers should require users to authenticate for all remote or local management sessions. The authentication mechanisms should also support Account Use Policies, Password Policies, and User Account Management.
Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. 
Segment operational network and systems to restrict access to critical system functions to predetermined management systems. 
|M0813||Software Process and Device Authentication||
Authenticateconnections fromsoftware and devices to prevent unauthorized systems from accessing protected management functions.
|ID||Data Source||Data Component|
|DS0015||Application Log||Application Log Content|
|DS0029||Network Traffic||Network Traffic Content|
|DS0040||Operational Databases||Device Alarm|