Ransomware is a type of malicious software (malware) designed to block access to a computer system or data, typically by encrypting files, until a sum of money (ransom) is paid. This form of attack is increasingly targeting industrial automation and control system (IACS) environments due to the critical nature of these systems. Unlike phishing (which tricks users into revealing sensitive information) or DDoS attacks (which disrupt availability), ransomware specifically encrypts data and extorts the victim.
Reference: ISA/IEC 62443-3-2:2020, Annex B; ISA/IEC 62443-1-1:2007, Section 3.2.2; ISA/IEC 62443-2-1:
2009, Section 4.2.3.

The abbreviation CSMS stands for Cyber Security Management System in ISA 62443-2-1. This standard defines the elements necessary to establish a CSMS for industrial automation and control systems (IACS) and provides guidance on how to develop those elements123. A CSMS is a collection of policies, procedures, practices, and personnel that are responsible for ensuring the security of IACS throughout their lifecycle24. References: 1: ISA/IEC 62443 Series of Standards - ISA 2: ISA 62443-2-1 - Security for industrial automation and control systems, Part 2-1: Establishing an Industrial Automation and Control Systems Security Program | GlobalSpec 3: IEC 62443-2-1:2010 | IEC Webstore | cyber security, smart city 4: Structuring the ISA/IEC 62443 Standards - ISAGCA

The primary objective of the IACS Security Program, as defined in ISA/IEC 62443-2-1, is to establish a structured and sustainable approach for the mitigation of cybersecurity risks throughout the IACS lifecycle.
"The purpose of the IACS security program is to manage and mitigate risk associated with cybersecurity threats. It defines policies, procedures, and practices to reduce the likelihood and impact of security incidents."
- ISA/IEC 62443-2-1:2010, Clause 4.1 - Security Program Overview
The standard clearly distinguishes between risk mitigation and risk elimination - the latter being infeasible in industrial environments.
References:
ISA/IEC 62443-2-1:2010 - Clause 4.1
ISA/IEC 62443-2-1 - Security management and governance objectives

Access control is the process of granting or denying specific requests to obtain and use information and related information processing services. It is one of the foundational requirements (FRs) of the ISA/IEC
62443 standards for securing industrial automation and control systems (IACSs). According to the ISA/IEC
62443-3-3 standard, access control includes the following system requirements (SRs):
SR 1.1: Identification and authentication control
SR 1.2: Use control
SR 1.3: System integrity
SR 1.4: Data confidentiality
SR 1.5: Restricted data flow
SR 1.6: Timely response to events
SR 1.7: Resource availability
Among these SRs, the ones that are most related to the critical variables of account management and password strength are SR 1.1 and SR 1.2. SR 1.1 requires that the IACS shall provide the capability to uniquely identify and authenticate all users, processes, and devices that attempt to establish a logical connection to the system. This means that the IACS should have a robust account management system that can create, modify, delete, and monitor user accounts and their privileges. It also means that the IACS should enforce strong password policies that can prevent unauthorized access or compromise of user credentials.
Password strength refers to the level of difficulty for an attacker to guess or crack a password. It depends on factors such as length, complexity, randomness, and uniqueness of the password.
SR 1.2 requires that the IACS shall provide the capability to enforce the use of logical connections in accordance with the security policy of the organization. This means that the IACS should have a mechanism to control the access rights and permissions of users, processes, and devices based on their roles, responsibilities, and needs. It also means that the IACS should have a mechanism to audit and log the activities and events related to access control, such as successful or failed login attempts, password changes, privilege escalations, or unauthorized actions.
Therefore, account management and password strength are the critical variables related to access control, as they directly affect the identification, authentication, and authorization of users, processes, and devices in the IACS.
References:
ISA/IEC 62443-3-3:2013, Security for industrial automation and control systems - Part 3-3: System security requirements and security levels1 ISA/IEC 62443 Cybersecurity Fundamentals Specialist Certificate Program2 ISA/IEC 62443 Cybersecurity Library3 Using the ISA/IEC 62443 Standards to Secure Your Control Systems4

A Wide Area Network (WAN) is a communications system that covers a large geographic area, such as a city, a country, or even several countries or continents1. WANs are often used to connect local area networks (LANs) and other types of networks together, so that users and computers in one location can communicate with users and computers in other locations2. WANs use various communication infrastructures, such as public telephone lines, undersea cables, and communication satellites, to transmit data over long distances1. WANs are typically established with leased telecommunication circuits or less costly circuit switching or packet switching methods2. WANs are often built by Internet service providers, who provide connections from an organization's LAN to the Internet2. The Internet itself may be considered a WAN2. References: Hardware and network technologies - CCEA LAN and WAN - BBC, Wide area network
- Wikipedia.