← Home

IEC 62443-4-2 Clause 5 – Identification and Authentication Control

ISA/IEC 62443-4-2, Clause 5 defines Foundational Requirement FR 1 (IAC) and the associated component requirements (CRs) and requirement enhancements (REs) used when claiming Security Level capability for this FR on a component.

Identify and authenticate users — humans, software processes and devices — before they interact with the component.

Teaching note: Summaries paraphrase ISA/IEC 62443-4-2 for learning. They are not verbatim extracts — always use the published standard for normative wording, RE text and SL mappings (see Annex B). Component-type specifics also appear under Clauses 12–15.

Reference: ISA/IEC 62443-4-2, Clause 5
Related: Part 4-2 overview | Common Component Security Constraints | IEC 62443-3-3 FR 1 | Annex B mapping

Component requirement pages: Cl. 5 | Cl. 6 | Cl. 7 | Cl. 8 | Cl. 9 | Cl. 10 | Cl. 11


Purpose

Identify and authenticate users — humans, software processes and devices — before they interact with the component.

Requirement enhancements under each CR raise the capability needed for higher SL-C(IAC) claims. Exact RE text and which SL columns they populate are in the standard and Annex B.


Component requirements in this FR


CR summaries

CR 1.1: Human user identification and authentication

Reference: ISA/IEC 62443-4-2, Clause 5

Summary
Components must provide the capability to identify and authenticate all human users according to ISA-62443-3-3 [11] SR 1.1 on all interfaces capable of human user access.

CR 1.2: Software process and device identification and authentication

Reference: ISA/IEC 62443-4-2, Clause 5

Summary
Components must provide the capability to identify itself and authenticate to any other component (software application, embedded devices, host devices and network devices), according to ISA-62443-3-3 [11] SR1.2.

CR 1.3: Account management

Reference: ISA/IEC 62443-4-2, Clause 5

Summary
Components must provide the capability to support the management of all accounts directly or integrated into a system that manages accounts according to ISA-62443-3-3 [11] SR 1.3.

CR 1.4: Identifier management

Reference: ISA/IEC 62443-4-2, Clause 5

Summary
Components must provide the capability to integrate into a system that supports the management of identifiers and/or provide the capability to support the management of identifiers directly according to ISA-62443-3-3 [11] SR 1.4.

CR 1.5: Authenticator management

Reference: ISA/IEC 62443-4-2, Clause 5

Summary
Components must provide the capability to: support the use of initial authenticator content; support the recognition of changes to default authenticators made at installation time; function properly with periodic authenticator change/refresh operation; and protect authenticators from unauthorized disclosure and modification when stored, used and transmitted.

CR 1.6: Wireless access management

Reference: ISA/IEC 62443-4-2, Clause 5

Summary
The wireless access management requirements are network-component-specific and can be located as requirements for network-components in Clause 15.

CR 1.7: Strength of password-based authentication

Reference: ISA/IEC 62443-4-2, Clause 5

Summary
For components that utilize password-based authentication, those components must provide or integrate into a system that provides the capability to enforce configurable password strength according to internationally recognized and proven password guidelines.

CR 1.8: Public key infrastructure certificates

Reference: ISA/IEC 62443-4-2, Clause 5

Summary
When public key infrastructure (PKI) is utilized, the component must provide or integrate into a system that provides the capability to interact and operate in accordance with ISA-62443-3-3 [11] SR1.8.

CR 1.9: Strength of public key-based authentication

Reference: ISA/IEC 62443-4-2, Clause 5

Summary
For components that utilize public-key-based authentication, those components must provide directly or integrate into a system that provides the capability within the same IACS environment to: validate certificates by checking the validity of the signature of a given certificate; validate the certificate chain or, in the case of self-signed certificates, by deploying leaf certificates to all hosts that communicate wi…

CR 1.10: Authenticator feedback

Reference: ISA/IEC 62443-4-2, Clause 5

Summary
When a component provides an authentication capability the component must provide the capability to obscure feedback of authenticator information during the authentication process.

CR 1.11: Unsuccessful login attempts

Reference: ISA/IEC 62443-4-2, Clause 5

Summary
When a component provides an authentication capability the component must provide the capability to: enforce a limit of a configurable number of consecutive invalid access attempts by any user (human, software process or device) during a configurable time period; and deny access for a specified period of time or until unlocked by an administrator when this limit has been reached.

CR 1.12: System use notification

Reference: ISA/IEC 62443-4-2, Clause 5

Summary
When a component provides local human user access/HMI, it must provide the capability to display a system use notification message before authenticating. The system use notification message must be configurable by authorized personnel.

CR 1.13: Access via untrusted networks

Reference: ISA/IEC 62443-4-2, Clause 5

Summary
The access via untrusted networks requirements are component-specific and can be located as requirements for each specific component type in Clauses 12 through 15.

CR 1.14: Strength of symmetric key-based authentication

Reference: ISA/IEC 62443-4-2, Clause 5

Summary
For components that utilize symmetric keys, the component must provide the capability to: establish the mutual trust using the symmetric key; store securely the shared secret (the authentication is valid as long as the shared secret remains secret); restrict access to the shared secret; and ensure that the algorithms and keys used for the symmetric key authentication comply with CR 4.3 - Use of cryptography Subclause…

Key takeaways