MID-084: Restrict Sensitive Data from Logs
Mitigation Level: Foundational
Description
Device logs should not contain information that would be of significant value to a threat actor who obtained them. Examples of data to keep out of logs include user-entered passwords (including failed attempts) in cleartext, private keys (such as a certificate's private key) in cleartext, full filesystem path names, core dumps or process debug output, and PII; any of these could let a threat actor escalate an attack. Device logs should instead contain only the information necessary to detect malicious behavior on the device or to support auditing.
One way to do this is to log the username and limited related user information together with the action the user took, but not all of the data associated with that action or user. For example, a device could log that a user attempted to sign in from a given IP address, but not the password they submitted. Similarly, it could log that a given user installed a new certificate and key pair into a given file, but not the private key itself. Scrubbing sensitive values at the log sink is a useful backstop, but the primary control is to never pass the sensitive value to the logging call in the first place.
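As an added example (not part of the EMB3D page or any device's own code), the following Python shows both halves of the guidance: log call sites that accept only the non-sensitive fields, so the password or key bytes cannot be logged by mistake, plus a handler-level logging filter that scrubs passwords, PEM private keys, e-mail addresses and directory paths from any message that still reaches the log. The field names, regular expressions and the sample leaky message are constructed assumptions for this example.

```python
"""Keep secrets, PII and filesystem layout out of device logs (Python logging)."""
import io
import logging
import re

# Patterns for data that must never reach a log. The field names and formats
# here are assumptions for this example; extend them to match the device's
# own log fields.
_PATTERNS = [
    # password=..., token: ..., "api_key": "..."  ->  value replaced
    (re.compile(r'(?i)\b(password|passwd|pwd|secret|token|api[_-]?key)\b'
                r'(\s*"?\s*[:=]\s*"?)[^\s,;"]+'),
     r'\1\2[REDACTED]'),
    # PEM-encoded private keys of any type (RSA, EC, unqualified)
    (re.compile(r'-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----',
                re.DOTALL),
     '[REDACTED PRIVATE KEY]'),
    # e-mail addresses (PII)
    (re.compile(r'[\w.+-]+@[\w-]+(?:\.[\w-]+)+'), '[REDACTED EMAIL]'),
    # absolute POSIX paths: keep the file name, drop the directory layout
    (re.compile(r'(?<![\w/])/(?:[\w.-]+/)+([\w.-]+)'), r'<path>/\1'),
]


def redact(text: str) -> str:
    """Apply every redaction pattern, in order, to one message."""
    for pattern, replacement in _PATTERNS:
        text = pattern.sub(replacement, text)
    return text


class RedactingFilter(logging.Filter):
    """Scrub the fully formatted message before the handler writes it.

    Attached to the handler (not the logger) so it also covers records that
    child loggers propagate into it.
    """

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()          # already interpolated; avoid a second % pass
        return True


def build_audit_logger(stream) -> logging.Logger:
    """Logger whose only handler redacts and writes to ``stream``."""
    logger = logging.getLogger("device.audit")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(stream)
    handler.addFilter(RedactingFilter())
    handler.setFormatter(logging.Formatter("%(levelname)s %(name)s %(message)s"))
    logger.addHandler(handler)
    return logger


def log_sign_in(logger, username, src_ip, success):
    """Log who tried to sign in, from where, and the outcome. The password
    is deliberately not a parameter, so it cannot be logged by mistake."""
    logger.info("sign-in user=%s src=%s result=%s",
                username, src_ip, "ok" if success else "failed")


def log_key_install(logger, username, key_path):
    """Log that a key was installed: who and which file, never the key bytes."""
    logger.info("key-install user=%s file=%s", username, key_path)


# Constructed sample of a legacy message that leaks everything at once.
LEAKY_MESSAGE = (
    'login failed user=alice password=hunter2 contact=alice@example.com '
    'key=/etc/ssl/private/device.key material=-----BEGIN EC PRIVATE KEY-----\n'
    'MHcCAQEEIBase64Material...\n-----END EC PRIVATE KEY-----'
)


def demo() -> str:
    """Run the three log calls and return what actually hit the stream."""
    stream = io.StringIO()
    logger = build_audit_logger(stream)
    log_sign_in(logger, "alice", "10.0.0.7", success=False)
    log_key_install(logger, "alice", "/etc/ssl/private/device.key")
    logger.warning(LEAKY_MESSAGE)   # the filter is the last line of defence
    return stream.getvalue()


if __name__ == "__main__":
    print(demo())
```

The filter rewrites `record.msg` after interpolation and clears `record.args`, which is what makes it safe to attach to any handler (file, syslog, remote) without caring how the message was built. Regex-based scrubbing is deliberately conservative: it will occasionally redact something harmless, which is the correct failure direction for a device log.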
IEC 62443 4-2 Mappings
- CR 4.1 – Information confidentiality
References
[1] CQR. “Information Leakage through Debug Information.” cqr.company. Accessed: Mar. 11, 2025. [Online]. Available: https://cqr.company/web-vulnerabilities/information-leakage-through-debug-information/
[2] OWASP. “Logging Cheat Sheet.” owasp.org. Accessed: Mar. 11, 2025. [Online]. Available: https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html