IEC 62443-4-2-2020 pdf free download

IEC 62443-4-2-2020 pdf free download.Security for industrial automation and control systems — Part 4-2: Technical security requirements for IACS components
Sécurité des systèmes d’automatisation et de commande industrielles — Partie 4-2: Exigences de securite technique des composants IACS.
b) support the recognition of changes to default authenticators made at installation time;
C) function properly with periodic authenticator change/refresh operation; and
d) protect authenticators from unauthorized disclosure and modification when stored, used and transmitted.
5.7.2 Rationale and supplemental guidance
In addition to an identifier (see 5.6) an authenticator is required to prove identity. Control system authenticators include, but are not limited to, tokens, symmetric keys, private keys (part of a public/private key pair), biometrics, passwords, physical keys and key cards. There should be security policies in place instructing human users to take reasonable measures to safeguard authenticators, including maintaining possession of their individual authenticators, not loaning or sharing authenticators with others and reporting lost or compromised authenticators immediately.
Authenticators have a lifecycle. When an account is created automatically a new authenticator needs to be created, in order for the account owner to be able to authenticate. For example, in a password-based system, the account has a password associated with it. Definition of the initial authenticator content could be interpreted as the administrator defining the initial password that the account management system sets for all new accounts. Being able to configure these initial values makes it harder for an attacker to guess the password between account creation and first account use (which should involve the setting of a new password by the account owner). Some control systems are installed with unattended installers that create all necessary accounts with default passwords and some embedded devices are shipped with default passwords. Over time, these passwords often become general knowledge and are documented on the Internet. Being able to change the default passwords protects the system against unauthorized users using default passwords to gain access. Passwords can be obtained from storage or from transmission when used in network authentication. The complexity of this can be increased by cryptographic protections such as encryption or hashing or by handshake protocols that do not require transmission of the password at all. Still, passwords might be subject to attacks, for example, brute force guessing or breaking the cryptographic protection of passwords in transit or storage. The window of opportunity can be reduced by changing/refreshing the passwords periodically.IEC 62443-4-2-2020 pdf free download.