Physical and logical passwords should be considered within the overall taxonomy and as part of one of the Digital Pathways, as Physical and Logical Access provisioning. Physical passwords here are types of authentication technologies and can be voice commands, fingerprints, or simple presence (by means of an electronic token that an operator carries). Logical passwords here are PIN codes, passphrases, or even certificates or hash keys, which support the specific levels of security. Both are considered mechanisms of access control for security in this pathway.
Access control is a key component of security and cybersecurity for any system, be it physical (gates, doors, equipment, ...) or logical (application, service, activity, ...).
Under this heading, the purpose is to clarify that access control should be mandatory for every system operated in a manufacturing environment. Access control levels can be very low, for example by giving everybody access to an application on the factory floor. Even then, it has at least been considered that only people on the factory floor should get access, so that physical constraint can be taken into account. From a risk perspective, this means that unaccompanied visitors or subcontractors without oversight could also get access to this system.
By considering access control as a fundamental security mechanism, based upon a risk approach, further controls can be built in that relate back to the types of users or the moments of intervention. Least access principles should be applied, so that access is only provided after it has been given specific thought. For instance, the system can have a regular user (an operator), a floor manager or head of production (capable of overriding a decision from an operator), a service engineer (maintenance) and an administrator.
These roles should allow different levels of access to the systems and can be tied to the specific risks associated with them, and to the overall risk consideration. Physical passwords can be built into the application as an additional means to identify the specific roles.
As an example, to enhance the security of an application in a manufacturing environment from Level 1 to Level 3, administrator access will be needed to operate a specific machine or function, instead of simply pushing the button to power up a specific machine. This can range from the trivial, such as a sawing machine that can only be used by an operator qualified to use it, up to ensuring that oversight is in place when a maintenance engineer updates the machine via a USB token and leaves additional malware on the machines.
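The roles and the two cases above (the sawing machine and the overseen USB update) can be expressed as a deny-by-default access decision. This is an added example, not part of the original text; the action names, factor labels, the `POLICY` table and the choice of who may act as overseer are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Factor labels follow the page's physical/logical split; the names are assumed.
PHYSICAL = {"token", "fingerprint", "voice"}
LOGICAL = {"pin", "passphrase", "certificate"}
ALL_ROLES = {"operator", "floor_manager", "service_engineer", "administrator"}

# Constructed policy: action -> (allowed roles, needs physical, needs logical, condition)
POLICY = {
    "view_status":       (ALL_ROLES, False, False, None),
    "run_saw":           ({"operator"}, True, False, "qualified"),
    "override_operator": ({"floor_manager"}, True, True, None),
    "usb_update":        ({"service_engineer"}, True, True, "overseen"),
    "manage_accounts":   ({"administrator"}, True, True, None),
}
OVERSEERS = {"floor_manager", "administrator"}  # assumption: who counts as oversight

@dataclass
class Request:
    role: str
    action: str
    factors: set = field(default_factory=set)        # factors presented
    qualified_for: set = field(default_factory=set)  # machines the user is qualified on
    machine: str = ""
    overseer_role: str = ""                          # second person present, if any

def decide(req):
    """Return (allowed, reason); anything not explicitly permitted is denied."""
    rule = POLICY.get(req.action)
    if rule is None:
        return False, "unknown action"
    roles, need_physical, need_logical, condition = rule
    if req.role not in roles:
        return False, "role not permitted"
    if need_physical and not (req.factors & PHYSICAL):
        return False, "physical factor missing"
    if need_logical and not (req.factors & LOGICAL):
        return False, "logical factor missing"
    if condition == "qualified" and req.machine not in req.qualified_for:
        return False, "operator not qualified for machine"
    if condition == "overseen" and req.overseer_role not in OVERSEERS:
        return False, "oversight required"
    return True, "ok"

if __name__ == "__main__":
    # Constructed sample: a maintenance update without anyone overseeing it.
    print(decide(Request("service_engineer", "usb_update", {"token", "pin"})))
```
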