IA-6: AUTHENTICATOR FEEDBACK

TAILORED FOR INDUSTRIAL CONTROL SYSTEMS

ICS Control Baselines:
Low
Moderate
High

The information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.

SUPPLEMENTAL GUIDANCE

The feedback from information systems does not provide information that would allow unauthorized individuals to compromise authentication mechanisms. For some types of information systems or system components, for example, desktops/notebooks with relatively large monitors, the threat (often referred to as shoulder surfing) may be significant. For other types of systems or components, for example, mobile devices with 2-4 inch screens, this threat may be less significant, and may need to be balanced against the increased likelihood of typographic input errors due to the small keyboards. Therefore, the means for obscuring the authenticator feedback is selected accordingly. Obscuring the feedback of authentication information includes, for example, displaying asterisks when users type passwords into input devices, or displaying feedback for a very limited time before fully obscuring it.

ICS SUPPLEMENTAL GUIDANCE

This control assumes a visual interface that provides feedback of authentication information during the authentication process. When ICS authentication uses an interface that does not support visual feedback, (e.g., protocol-based authentication) this control may be tailored out.

PE-18 — PHYSICAL AND ENVIRONMENTAL PROTECTION | LOCATION OF INFORMATION SYSTEM COMPONENTS

CONTROL ENHANCEMENTS

NO CONTROL ENHANCEMENTS

REFERENCES:

NIST Special Publication 800-82 | GUIDE TO INDUSTRIAL CONTROL SYSTEMS (ICS) SECURITY