MID-041: Cryptographically Signed Vendor-supplied Programs
Mitigation Tier: Foundational
Description
Vendor programs, libraries, and other software components are guaranteed to come from a single source, the vendor. Vendors can therefore use a digital signing scheme in which their programs are signed with the vendor’s private key and verified by the device with the corresponding public key that the device holds. This signing scheme ensures that only vendor-supplied programs are accepted, downloaded, and executed.
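The scheme described above, as an added example that is not part of the original entry: the vendor appends a signature to the program, and the device checks it against a pinned public key before accepting anything. Ed25519, the payload-plus-trailing-signature layout, and all names and keys here are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Constructed keys for the demo; fixed seeds keep the run deterministic.
// A real vendor private key stays on the signing host, never on the device.
var vendorPriv = ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x41}, ed25519.SeedSize))
var untrustedPriv = ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x42}, ed25519.SeedSize))

// PinnedVendorKey (hypothetical name) is the only key the device trusts,
// provisioned at manufacture in write-protected storage.
var PinnedVendorKey = vendorPriv.Public().(ed25519.PublicKey)

var ErrBadSignature = errors.New("package rejected: signature does not verify")

// SignPackage runs on the vendor side and returns payload || signature.
func SignPackage(priv ed25519.PrivateKey, payload []byte) []byte {
	sig := ed25519.Sign(priv, payload)
	return append(append([]byte{}, payload...), sig...)
}

// VerifyPackage runs on the device before anything is stored or executed.
// The payload is returned only when the signature verifies under pub.
func VerifyPackage(pub ed25519.PublicKey, pkg []byte) ([]byte, error) {
	if len(pkg) < ed25519.SignatureSize {
		return nil, ErrBadSignature // too short to carry a signature
	}
	split := len(pkg) - ed25519.SignatureSize
	payload, sig := pkg[:split], pkg[split:]
	if !ed25519.Verify(pub, payload, sig) {
		return nil, ErrBadSignature
	}
	return payload, nil
}

func main() {
	pkg := SignPackage(vendorPriv, []byte("constructed firmware image v1.2"))
	_, err := VerifyPackage(PinnedVendorKey, pkg)
	fmt.Println("vendor package accepted:", err == nil)

	pkg[0] ^= 0x01 // a single modified bit in the payload
	_, err = VerifyPackage(PinnedVendorKey, pkg)
	fmt.Println("modified package accepted:", err == nil)
}
```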
IEC 62443 4-2 Mappings
- CR 3.4 – Software and information integrity