Identify and authenticate users — humans, software processes and devices — before they interact with the component.
CR summaries
CR 1.1: Human user identification and authentication
Reference: ISA/IEC 62443-4-2, Clause 5
Summary
Components must provide the capability to identify and authenticate all human users according to ISA-62443-3-3 [11] SR 1.1 on all interfaces capable of human user access.
CR 1.2: Software process and device identification and authentication
Reference: ISA/IEC 62443-4-2, Clause 5
Summary
Components must provide the capability to identify itself and authenticate to any other component (software application, embedded devices, host devices and network devices), according to ISA-62443-3-3 [11] SR1.2.
CR 1.3: Account management
Reference: ISA/IEC 62443-4-2, Clause 5
Summary
Components must provide the capability to support the management of all accounts directly or integrated into a system that manages accounts according to ISA-62443-3-3 [11] SR 1.3.
CR 1.4: Identifier management
Reference: ISA/IEC 62443-4-2, Clause 5
Summary
Components must provide the capability to integrate into a system that supports the management of identifiers and/or provide the capability to support the management of identifiers directly according to ISA-62443-3-3 [11] SR 1.4.
CR 1.5: Authenticator management
Reference: ISA/IEC 62443-4-2, Clause 5
Summary
Components must provide the capability to: support the use of initial authenticator content; support the recognition of changes to default authenticators made at installation time; function properly with periodic authenticator change/refresh operation; and protect authenticators from unauthorized disclosure and modification when stored, used and transmitted.
CR 1.6: Wireless access management
Reference: ISA/IEC 62443-4-2, Clause 5
Summary
The wireless access management requirements are network-component-specific and can be located as requirements for network-components in Clause 15.
CR 1.7: Strength of password-based authentication
Reference: ISA/IEC 62443-4-2, Clause 5
Summary
For components that utilize password-based authentication, those components must provide or integrate into a system that provides the capability to enforce configurable password strength according to internationally recognized and proven password guidelines.
CR 1.8: Public key infrastructure certificates
Reference: ISA/IEC 62443-4-2, Clause 5
Summary
When public key infrastructure (PKI) is utilized, the component must provide or integrate into a system that provides the capability to interact and operate in accordance with ISA-62443-3-3 [11] SR1.8.
CR 1.9: Strength of public key-based authentication
Reference: ISA/IEC 62443-4-2, Clause 5
Summary
For components that utilize public-key-based authentication, those components must provide directly or integrate into a system that provides the capability within the same IACS environment to: validate certificates by checking the validity of the signature of a given certificate; validate the certificate chain or, in the case of self-signed certificates, by deploying leaf certificates to all hosts that communicate wi…
CR 1.10: Authenticator feedback
Reference: ISA/IEC 62443-4-2, Clause 5
Summary
When a component provides an authentication capability the component must provide the capability to obscure feedback of authenticator information during the authentication process.
CR 1.11: Unsuccessful login attempts
Reference: ISA/IEC 62443-4-2, Clause 5
Summary
When a component provides an authentication capability the component must provide the capability to: enforce a limit of a configurable number of consecutive invalid access attempts by any user (human, software process or device) during a configurable time period; and deny access for a specified period of time or until unlocked by an administrator when this limit has been reached.
CR 1.12: System use notification
Reference: ISA/IEC 62443-4-2, Clause 5
Summary
When a component provides local human user access/HMI, it must provide the capability to display a system use notification message before authenticating. The system use notification message must be configurable by authorized personnel.
CR 1.13: Access via untrusted networks
Reference: ISA/IEC 62443-4-2, Clause 5
Summary
The access via untrusted networks requirements are component-specific and can be located as requirements for each specific component type in Clauses 12 through 15.
CR 1.14: Strength of symmetric key-based authentication
Reference: ISA/IEC 62443-4-2, Clause 5
Summary
For components that utilize symmetric keys, the component must provide the capability to: establish the mutual trust using the symmetric key; store securely the shared secret (the authentication is valid as long as the shared secret remains secret); restrict access to the shared secret; and ensure that the algorithms and keys used for the symmetric key authentication comply with CR 4.3 - Use of cryptography Subclause…