NE201 Identity and Access Management on Automation Devices is newly published
from 2025-01-21
The NAMUR recommendation NE201 from WG 4.18 Automation Security has been newly published and can now be obtained from the office.
Abstract to NE 201 "Identity and Access Management on Automation Devices"
There is an obvious need for an industry-wide solution for identity and access management. Different suppliers have offered, and still offer, different solutions for authorisation and authentication on OT devices. For users, on the other hand, the number of different solutions is growing ever faster, and it is becoming more and more difficult to manage all these solutions for identification and access management across the different OT devices in the plant.
The introduction of new technologies in the process industry is accompanied by a rapid change in threat models. The risk of direct attacks on OT devices is growing and will continue to increase with the ever-increasing number of OT devices connected in process industry plants.
To counteract the impending threat scenarios, this document has been drafted to define user requirements for authentication and authorisation on OT devices. It is based on the standard for the IT security of industrial automation systems, in particular IEC 62443-4-2, CR 2.1: "Enforcement of authorisation", and describes the various use cases for concepts of secure identification and access management. In parallel, technical verification is being carried out and concepts for the technical implementation of these requirements in OT devices are being developed, in close cooperation with the Industrial Ethernet Security Harmonisation Group (IESHG) and other standardisation organisations (SDOs).