← Home

IEC 62443-2-1 Clause 11 – User Access Control

ISA/IEC 62443-2-1:2024, Clause 11 covers user access control as Security Program Element SPE 6 in the asset owner’s IACS Security Program.

SPE 6 governs how human users, software processes and devices gain access: identities, authentication, least privilege, session protection and authorisation decisions for sensitive actions.

Teaching note: The summaries below paraphrase ISA/IEC 62443-2-1:2024 for learning purposes. They are not a verbatim extract of the standard — always refer to the published text for normative wording and assessment.

Reference: ISA/IEC 62443-2-1:2024, Clause 11
Related: Security Program Requirements (2024) | CSMS (2010)

SPE pages: SPE 1 | SPE 2 | SPE 3 | SPE 4 | SPE 5 | SPE 6 | SPE 7 | SPE 8


Requirements in this SPE


USER 1 – Identification and authentication

Reference: ISA/IEC 62443-2-1, Clause 11.2

USER 1.1: User identity assignment

Clause: 11.2.1

Summary
IACS-specific identities, authenticators and roles shall be assigned to people, software processes and devices that need access.

USER 1.2: User identity removal

Clause: 11.2.2

Summary
Identities, authenticators, roles and rights shall be removed or disabled when access is no longer needed.

USER 1.3: User identity persistence

Clause: 11.2.3

Summary
Accounts needed for essential operations — including operator accounts — shall not be set up to disable themselves automatically.

USER 1.4: Access rights assignment

Clause: 11.2.4

Summary
Access rights for IACS roles and users shall be granted, reviewed and withdrawn under controlled processes.

USER 1.5: Least privilege

Clause: 11.2.5

Summary
Users shall receive only the rights required for their assigned duties.

USER 1.6: Software service authentication

Clause: 11.2.6

Summary
Software services shall be identified and authenticated before they are allowed to run.

USER 1.7: Software services interactive login rights

Clause: 11.2.7

Summary
Software services shall not be given interactive login capability.

USER 1.8: Human user authentication

Clause: 11.2.8

Summary
People shall be identified and authenticated on every IACS interface they can use to log in — including console logins, application interfaces (such as web services, file transfer or OPC) and remote-desktop style access over the network.

USER 1.9: Multifactor authentication (MFA)

Clause: 11.2.9

Summary
Where devices support interactive login, MFA shall be used for remote access and for devices in public areas.

USER 1.10: Mutual authentication

Clause: 11.2.10

Summary
Server applications on IACS devices — including web-based servers — shall use mutual authentication.

USER 1.11: Password protection

Clause: 11.2.11

Summary
Where passwords are used, policy shall make them hard to compromise through rules on complexity, lifetime and reuse.

USER 1.12: Shared and disclosed/compromised passwords

Clause: 11.2.12

Summary
Shared passwords and passwords that have been disclosed or compromised shall be managed under clear policy.

USER 1.13: User login display information

Clause: 11.2.13

Summary
Login screens shall present information that helps users spot fraudulent login attempts.

USER 1.14: User login failure displays

Clause: 11.2.14

Summary
Messages after a failed login shall not reveal details that help an attacker.

USER 1.15: Consecutive login failures

Clause: 11.2.15

Summary
After a configured number of failed logins, the account shall be blocked for a set time or until an authorised administrator unlocks it.

USER 1.16: Session integrity

Clause: 11.2.16

Summary
Active sessions shall be protected against unauthorised access or tampering.

USER 1.17: Concurrent sessions

Clause: 11.2.17

Summary
The number of simultaneous sessions per interface for a person, process or device shall be limited.

USER 1.18: Screen lock

Clause: 11.2.18

Summary
Screens shall lock on request or after idle time, unless locking would create greater IACS risk. Unlocking shall require re-authentication by an authorised user.

USER 1.19: Component authentication

Clause: 11.2.19

Summary
Components that connect to the IACS shall be identified and authenticated.

USER 2 – Authorization and access control

Reference: ISA/IEC 62443-2-1, Clause 11.3

USER 2.1: Authorization

Clause: 11.3.1

Summary
Assigned access rights shall be enforced for all users.

USER 2.2: Separation of duties

Clause: 11.3.2

Summary
Duties shall be separated so that no user holds more privilege than needed for their tasks.

USER 2.3: Multiple approvals

Clause: 11.3.3

Summary
Actions that could seriously affect the process shall need approval from two or more users, unless skipping the action would cause worse process impact.

USER 2.4: Manual elevation of privileges

Clause: 11.3.4

Summary
Raised privilege — including supervisor overrides — shall require an explicit elevation step for every operation that needs it.

Key Takeaways