SPE 6 governs how human users, software processes and devices gain access: identities,
authentication, least privilege, session protection and authorisation decisions for
sensitive actions.
USER 1 – Identification and authentication
Reference: ISA/IEC 62443-2-1, Clause 11.2
USER 1.1: User identity assignment
Clause: 11.2.1
Summary
IACS-specific identities, authenticators and roles shall be assigned to people, software
processes and devices that need access.
USER 1.2: User identity removal
Clause: 11.2.2
Summary
Identities, authenticators, roles and rights shall be removed or disabled when access is no
longer needed.
USER 1.3: User identity persistence
Clause: 11.2.3
Summary
Accounts needed for essential operations — including operator accounts — shall not be set up
to disable themselves automatically.
USER 1.4: Access rights assignment
Clause: 11.2.4
Summary
Access rights for IACS roles and users shall be granted, reviewed and withdrawn under
controlled processes.
USER 1.5: Least privilege
Clause: 11.2.5
Summary
Users shall receive only the rights required for their assigned duties.
USER 1.6: Software service authentication
Clause: 11.2.6
Summary
Software services shall be identified and authenticated before they are allowed to run.
USER 1.7: Software services interactive login rights
Clause: 11.2.7
Summary
Software services shall not be given interactive login capability.
USER 1.8: Human user authentication
Clause: 11.2.8
Summary
People shall be identified and authenticated on every IACS interface they can use to log in —
including console logins, application interfaces (such as web services, file transfer or OPC)
and remote-desktop style access over the network.
USER 1.9: Multifactor authentication (MFA)
Clause: 11.2.9
Summary
Where devices support interactive login, MFA shall be used for remote access and for devices
in public areas.
USER 1.10: Mutual authentication
Clause: 11.2.10
Summary
Server applications on IACS devices — including web-based servers — shall use mutual
authentication.
USER 1.11: Password protection
Clause: 11.2.11
Summary
Where passwords are used, policy shall make them hard to compromise through rules on
complexity, lifetime and reuse.
USER 1.12: Shared and disclosed/compromised passwords
Clause: 11.2.12
Summary
Shared passwords and passwords that have been disclosed or compromised shall be managed
under clear policy.
USER 1.13: User login display information
Clause: 11.2.13
Summary
Login screens shall present information that helps users spot fraudulent login attempts.
USER 1.14: User login failure displays
Clause: 11.2.14
Summary
Messages after a failed login shall not reveal details that help an attacker.
USER 1.15: Consecutive login failures
Clause: 11.2.15
Summary
After a configured number of failed logins, the account shall be blocked for a set time or
until an authorised administrator unlocks it.
USER 1.16: Session integrity
Clause: 11.2.16
Summary
Active sessions shall be protected against unauthorised access or tampering.
USER 1.17: Concurrent sessions
Clause: 11.2.17
Summary
The number of simultaneous sessions per interface for a person, process or device shall be
limited.
USER 1.18: Screen lock
Clause: 11.2.18
Summary
Screens shall lock on request or after idle time, unless locking would create greater IACS
risk. Unlocking shall require re-authentication by an authorised user.
USER 1.19: Component authentication
Clause: 11.2.19
Summary
Components that connect to the IACS shall be identified and authenticated.
USER 2 – Authorization and access control
Reference: ISA/IEC 62443-2-1, Clause 11.3
USER 2.1: Authorization
Clause: 11.3.1
Summary
Assigned access rights shall be enforced for all users.
USER 2.2: Separation of duties
Clause: 11.3.2
Summary
Duties shall be separated so that no user holds more privilege than needed for their tasks.
USER 2.3: Multiple approvals
Clause: 11.3.3
Summary
Actions that could seriously affect the process shall need approval from two or more users,
unless skipping the action would cause worse process impact.
USER 2.4: Manual elevation of privileges
Clause: 11.3.4
Summary
Raised privilege — including supervisor overrides — shall require an explicit elevation step
for every operation that needs it.