Authorization Enforcement

From attackics
Type: Mitigation
ID: M0800
NIST SP 800-53 Rev. 4: AC-3
IEC 62443-3-3:2013: SR 2.1
IEC 62443-4-2:2019: CR 2.1

Description

The device or system should restrict read, manipulate, or execute privileges to only authenticated users who require access based on approved security policies. Role-based Access Control (RBAC) schemes can help reduce the overhead of assigning permissions to the large number of devices within an ICS. For example, IEC 62351 provides examples of roles used to support common system operations within the electric power sector [1], while IEEE 1686 defines standard permissions for users of IEDs [2].


Techniques Addressed by Mitigation

Name: Use
Activate Firmware Update Mode: Restrict configuration changes and firmware-updating abilities to only authorized individuals.
Change Operating Mode: All field controllers should restrict operating mode changes to only required authenticated users (e.g., engineers, field technicians), preferably by implementing a role-based access mechanism. Further, physical mechanisms (e.g., keys) can also be used to limit unauthorized operating mode changes.
Detect Operating Mode: All field controllers should restrict the modification of programs to only certain users (e.g., engineers, field technicians), preferably by implementing a role-based access mechanism.
Device Restart/Shutdown: All field controllers should restrict the modification of programs to only certain users (e.g., engineers, field technicians), preferably by implementing a role-based access mechanism.
Execution through API: All APIs used to perform execution, especially those hosted on embedded controllers (e.g., PLCs), should provide adequate authorization enforcement of user access. Minimize users' access to only the API calls they require. [3]
Modify Alarm Settings: Only authorized personnel should be able to change settings for alarms.
Modify Parameter: All field controllers should restrict the modification of programs to only certain users (e.g., engineers, field technicians), preferably by implementing a role-based access mechanism.
Point & Tag Identification: Systems and devices should restrict access to any data with potential confidentiality concerns, including point and tag information.
Program Download: All field controllers should restrict the modification of programs to only certain users (e.g., engineers, field technicians), preferably by implementing a role-based access mechanism.
Program Upload: All field controllers should restrict program uploads to only certain users (e.g., engineers, field technicians), preferably by implementing a role-based access mechanism.
Remote Services: Provide privileges corresponding to the restriction of a GUI session to control system operations (examples include HMI read-only vs. read-write modes). Ensure local users, such as operators and engineers, are given priority over remote sessions and have the authority to regain control over a remote session if needed. Prevent remote access sessions (e.g., RDP, VNC) from taking over local sessions, particularly those used for ICS control such as HMIs.
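As an added example that is not from this page or from the ATT&CK project, the following Python sketch enforces the kind of default-deny, role-based policy the description and the Remote Services entry call for on a field controller: the role names, the permission table, the key-switch flag and the local-control rule are hypothetical assumptions, and the operations are named after the techniques listed above.

```python
from dataclasses import dataclass, field
from enum import Enum

class Op(Enum):
    READ_POINTS = "point_and_tag_read"
    MODIFY_PARAMETER = "modify_parameter"
    MODIFY_ALARM = "modify_alarm_settings"
    CHANGE_MODE = "change_operating_mode"
    PROGRAM_DOWNLOAD = "program_download"
    PROGRAM_UPLOAD = "program_upload"
    FIRMWARE_UPDATE = "activate_firmware_update_mode"

# Hypothetical role-to-permission table; any (role, op) pair not listed is denied.
ROLE_PERMS = {
    "viewer": {Op.READ_POINTS},
    "operator": {Op.READ_POINTS, Op.MODIFY_ALARM},
    "field_tech": {Op.READ_POINTS, Op.CHANGE_MODE, Op.FIRMWARE_UPDATE},
    "engineer": set(Op),
}

@dataclass
class Session:
    user: str
    role: str
    authenticated: bool
    remote: bool  # e.g. an RDP/VNC session reaching the HMI
@dataclass
class Controller:
    key_unlocked: bool = False        # physical key switch gating mode changes
    local_control_held: bool = False  # a local user has claimed (or regained) control
    audit: list = field(default_factory=list)

    def take_local_control(self, s: Session) -> bool:
        # Local sessions always win over remote ones and may regain control at any time.
        if s.authenticated and not s.remote:
            self.local_control_held = True
        return self.local_control_held

    def authorize(self, s: Session, op: Op) -> bool:
        # Default-deny decision: every rule must pass, and every outcome is audited.
        reason = "ok"
        if not s.authenticated:
            reason = "unauthenticated"
        elif op not in ROLE_PERMS.get(s.role, set()):
            reason = f"role {s.role} lacks {op.value}"
        elif s.remote and op is not Op.READ_POINTS and self.local_control_held:
            reason = "remote session is read-only while a local user holds control"
        elif op is Op.CHANGE_MODE and not self.key_unlocked:
            reason = "key switch locked"
        self.audit.append((s.user, op.value, reason))
        return reason == "ok"
```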