Enforce authorisation so authenticated users can only perform actions they are permitted to perform.
CR summaries
CR 2.1: Authorization enforcement
Reference: ISA/IEC 62443-4-2, Clause 6
Summary
Components must provide an authorization enforcement mechanism for all identified and authenticated users based on their assigned responsibilities.
CR 2.2: Wireless use control
Reference: ISA/IEC 62443-4-2, Clause 6
Summary
If a component supports usage through wireless interfaces it must provide the capability to integrate into the system that supports usage authorization, monitoring and restrictions according to commonly accepted industry practices.
CR 2.3: Use control for portable and mobile devices
Reference: ISA/IEC 62443-4-2, Clause 6
Summary
There is no component level requirement associated with ISA-62443-3-3 SR 2.3.
CR 2.4: Mobile code
Reference: ISA/IEC 62443-4-2, Clause 6
Summary
The use control requirements for mobile code are component-specific and can be located as requirements for each specific component type in Clauses 12 through 15.
CR 2.5: Session lock
Reference: ISA/IEC 62443-4-2, Clause 6
Summary
If a component provides a human user interface, whether accessed locally or via a network, the component must provide the capability to protect against further access by initiating a session lock after a configurable time period of inactivity or by manual initiation by the user (human, software process or device); and for the session lock to remain in effect until the human user who owns the session, or another autho…
CR 2.6: Remote session termination
Reference: ISA/IEC 62443-4-2, Clause 6
Summary
If a component supports remote sessions, the component must provide the capability to terminate a remote session either automatically after a configurable time period of inactivity, manually by a local authority, or manually by the user (human, software process or device) who initiated the session.
CR 2.7: Concurrent session control
Reference: ISA/IEC 62443-4-2, Clause 6
Summary
Components must provide the capability to limit the number of concurrent sessions per interface for any given user (human, software process or device).
CR 2.8: Auditable events
Reference: ISA/IEC 62443-4-2, Clause 6
Summary
Components must provide the capability to generate audit records relevant to security for the following categories: access control; request errors; control system events; backup and restore event; configuration changes; and audit log events. Individual audit records must include: timestamp; source (originating device, software process or human user account); category; type; event ID; and event result.
CR 2.9: Audit storage capacity
Reference: ISA/IEC 62443-4-2, Clause 6
Summary
Components must provide the capability to allocate audit record storage capacity according to commonly recognized recommendations for log management; and provide mechanisms to protect against a failure of the component when it reaches or exceeds the audit storage capacity.
CR 2.10: Response to audit processing failures
Reference: ISA/IEC 62443-4-2, Clause 6
Summary
Components must provide the capability to protect against the loss of essential services and functions in the event of an audit processing failure; and provide the capability to support appropriate actions in response to an audit processing failure according to commonly accepted industry practices and recommendations.
CR 2.11: Timestamps
Reference: ISA/IEC 62443-4-2, Clause 6
Summary
Components must provide the capability to create timestamps (including date and time) for use in audit records.
CR 2.12: Non-repudiation
Reference: ISA/IEC 62443-4-2, Clause 6
Summary
If a component provides a human user interface, the component must provide the capability to determine whether a given human user took a particular action. Control elements that are not able to support such capability must be listed in component documents.
CR 2.13: Use of physical diagnostic and test interfaces
Reference: ISA/IEC 62443-4-2, Clause 6
Summary
The use of physical diagnostic and test interfaces requirements are component-specific and can be located as requirements for each specific component type in Clauses 12 through 15.