Authorization Enforcement

From attackics
Mitigation
ID M0800
NIST SP 800-53 Rev. 4 AC-3
IEC 62443-3-3:2013 SR 2.1
IEC 62443-4-2:2019 CR 2.1

Description

The device or system should restrict read, manipulate, and execute privileges to only those authenticated users who require such access under approved security policies. Role-Based Access Control (RBAC) schemes can help reduce the overhead of assigning permissions across the large number of devices within an ICS. For example, IEC 62351 provides examples of roles used to support common system operations within the electric power sector [1], while IEEE 1686 defines standard permissions for users of IEDs. [2]


Techniques Addressed by Mitigation

Name | Use
Activate Firmware Update Mode | Restrict configuration changes and firmware updating abilities to only authorized individuals.
Change Program State | All field controllers should restrict program state changes to required authenticated users (e.g., engineers, field technicians) only, preferably through implementing a role-based access mechanism.
Data Historian Compromise | All remotely accessible services should implement access control mechanisms to restrict the information or services accessible to users.
Detect Operating Mode | All field controllers should restrict the modification of programs to only certain users (e.g., engineers, field technicians), preferably through implementing a role-based access mechanism.
Detect Program State | All field controllers should restrict program state information to required authenticated users (e.g., engineers, field technicians) only, preferably through implementing a role-based access mechanism.
Device Restart/Shutdown | All field controllers should restrict the modification of programs to only certain users (e.g., engineers, field technicians), preferably through implementing a role-based access mechanism.
Engineering Workstation Compromise | All remotely accessible services should implement access control mechanisms to restrict the information or services accessible to users.
Execution through API | All APIs used to perform execution, especially those hosted on embedded controllers (e.g., PLCs), should provide adequate authorization enforcement of user access. Minimize users' access to only the required API calls. [3]
Location Identification | Systems and devices should restrict access to any data with confidentiality concerns, including location information.
Modify Alarm Settings | Only authorized personnel should be able to change settings for alarms.
Modify Parameter | All field controllers should restrict the modification of programs to only certain users (e.g., engineers, field technicians), preferably through implementing a role-based access mechanism.
Point & Tag Identification | Systems and devices should restrict access to any data with potential confidentiality concerns, including point and tag information.
Program Download | All field controllers should restrict the modification of programs to only certain users (e.g., engineers, field technicians), preferably through implementing a role-based access mechanism.
Program Upload | All field controllers should restrict program uploads to only certain users (e.g., engineers, field technicians), preferably through implementing a role-based access mechanism.
Utilize/Change Operating Mode | All field controllers should restrict operating mode changes to only required authenticated users (e.g., engineers, field technicians), preferably through implementing a role-based access mechanism. Further, physical mechanisms (e.g., keys) can also be used to limit unauthorized operating mode changes.
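The following is an added example, not part of the ATT&CK for ICS page or of any vendor's controller firmware, showing what the role-based enforcement described above and the operations listed in the table look like as a deny-by-default authorization check: the permission names mirror the table's rows, while the role names, their permission split and the key-switch requirement for operating mode and firmware changes are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum, auto
from typing import FrozenSet, List


class Permission(Enum):
    """Controller operations from the mitigation table that must be gated."""
    READ_STATE = auto()             # Detect Program State / Detect Operating Mode
    CHANGE_PROGRAM_STATE = auto()   # Change Program State (run/stop)
    CHANGE_OPERATING_MODE = auto()  # Utilize/Change Operating Mode
    PROGRAM_DOWNLOAD = auto()       # Program Download (write logic to the controller)
    PROGRAM_UPLOAD = auto()         # Program Upload (read logic from the controller)
    MODIFY_PARAMETER = auto()       # Modify Parameter
    MODIFY_ALARM_SETTINGS = auto()  # Modify Alarm Settings
    FIRMWARE_UPDATE = auto()        # Activate Firmware Update Mode


# Assumed role split (illustrative, not IEC 62351's); unknown roles grant nothing.
ROLE_PERMISSIONS = {
    "viewer": frozenset({Permission.READ_STATE}),
    "operator": frozenset({Permission.READ_STATE, Permission.CHANGE_PROGRAM_STATE,
                           Permission.MODIFY_ALARM_SETTINGS}),
    "engineer": frozenset(Permission) - {Permission.FIRMWARE_UPDATE},
    "field_technician": frozenset({Permission.READ_STATE, Permission.CHANGE_OPERATING_MODE,
                                   Permission.FIRMWARE_UPDATE}),
}
# Operations that also need the controller's physical key switch in its remote/program
# position, the "physical mechanisms (e.g., keys)" the page mentions (assumed policy).
KEY_SWITCH_REQUIRED = frozenset({Permission.CHANGE_OPERATING_MODE, Permission.FIRMWARE_UPDATE})


@dataclass(frozen=True)
class Principal:
    user: str
    roles: FrozenSet[str]
    authenticated: bool  # outcome of the session's authentication step


def authorize(principal: Principal, perm: Permission, key_switch_remote: bool,
              audit: List[str]) -> bool:
    """Deny-by-default decision; every outcome is appended to `audit` for review."""
    if not principal.authenticated:  # role claims mean nothing without authentication
        audit.append(f"DENY user={principal.user} op={perm.name} reason=unauthenticated")
        return False
    granted = frozenset().union(*(ROLE_PERMISSIONS.get(r, frozenset()) for r in principal.roles))
    if perm not in granted:
        audit.append(f"DENY user={principal.user} op={perm.name} reason=role")
        return False
    if perm in KEY_SWITCH_REQUIRED and not key_switch_remote:
        audit.append(f"DENY user={principal.user} op={perm.name} reason=key_switch")
        return False
    audit.append(f"ALLOW user={principal.user} op={perm.name}")
    return True
```

The audit list stands in for whatever the controller or its gateway forwards to a SIEM; repeated DENY records with reason=role or reason=unauthenticated against program download or operating mode changes are the detection signal this mitigation produces.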