iec62443-4-2-FR-1
=================

.. contents::

.. list-table::
   :header-rows: 1
   :widths: 12 34 10 12 10 32

   * - Req ID
     - Requirement name
     - Supported by CIP
     - Need application support
     - Need HW solution
     - Status if supported by CIP
   * - CR-1.1
     - Human user identification and authentication
     - TRUE
     - FALSE
     - FALSE
     - Completed. Added packages passwd, login
   * - CR-1.1 RE(2)
     - Multi-factor authentication for all interfaces
     - TRUE
     - FALSE
     - FALSE
     - Completed. Adding package libpam-google-authenticator
   * - CR-1.2 RE(1)
     - Unique identification and authentication
     - FALSE
     - TRUE
     - FALSE
     - N.A.
   * - CR-1.3
     - Account management
     - TRUE
     - FALSE
     - FALSE
     - Completed. Added usermod package
   * - CR-1.4
     - Identifier management
     - TRUE
     - FALSE
     - FALSE
     - Completed. Added package adduser
   * - CR-1.5
     - Authenticator management - initialize authenticator content
     - TRUE
     - FALSE
     - FALSE
     - Completed. Added packages tpm2-tools, tpm2-abrmd
   * - CR-1.5 RE(1)
     - The authenticators on which the company relies shall be protected via hardware mechanism
     - TRUE
     - FALSE
     - TRUE
     - Completed
   * - NDR-1.6
     - Wireless access management
     - TRUE
     - TRUE
     - FALSE
     - In-progress. Wireless drivers to be included in CIP kernel
   * - NDR-1.6 RE(1)
     - Unique identification and authentication
     - TRUE
     - TRUE
     - FALSE
     - In-progress. Wireless drivers to be included in CIP kernel
   * - CR-1.7
     - Strength of password-based authentication
     - TRUE
     - FALSE
     - FALSE
     - Completed. libpam-cracklib
   * - CR-1.7 RE(1)
     - Password generation and lifetime restrictions for human users
     - TRUE
     - FALSE
     - FALSE
     - Completed. Added packages passwd, login
   * - CR-1.7 RE(2)
     - Password lifetime restrictions for all users (human, software process, or device)
     - FALSE
     - FALSE
     - FALSE
     - N.A.
   * - CR-1.8
     - Public key infrastructure (PKI) certificates
     - TRUE
     - FALSE
     - FALSE
     - Completed. Added package openssl
   * - CR-1.9
     - Strength of public key-based authentication - check validity of signature of a given certificate
     - TRUE
     - FALSE
     - FALSE
     - Completed. Added package openssl
   * - CR-1.9 RE(1)
     - Hardware security for public key-based authentication
     - TRUE
     - FALSE
     - TRUE
     - Completed
   * - CR-1.10
     - Authenticator feedback
     - TRUE
     - TRUE
     - FALSE
     - Completed. Added package openssl
   * - CR-1.11
     - Unsuccessful login attempts - limit number
     - TRUE
     - FALSE
     - FALSE
     - Completed, added package libpam-modules-bin
   * - CR-1.12
     - System use notification
     - FALSE
     - TRUE
     - FALSE
     - N.A.
   * - NDR-1.13
     - Access via untrusted networks
     - FALSE
     - TRUE
     - FALSE
     - N.A.
   * - NDR-1.13 RE(1)
     - Explicit access request approval
     - FALSE
     - TRUE
     - FALSE
     - N.A.
   * - CR-1.14
     - Strength of symmetric key-based authentication
     - TRUE
     - FALSE
     - FALSE
     - Completed. Added openssl package
   * - CR-1.14 RE(1)
     - Hardware security for symmetric key-based authentication
     - TRUE
     - FALSE
     - TRUE
     - N.A.

Tests reference and CIP recommendation
--------------------------------------

.. list-table::
   :header-rows: 1
   :widths: 14 24 22 40

   * - Req ID
     - Status if supported by CIP
     - IEC-62443-4-2 tests reference
     - CIP recommendation
   * - CR-1.1
     - Completed. Added packages passwd, login
     - 1. TC_CR1.1_1
       2. TC_CR1.1_2
     - The CIP platform ... etc). CIP based products should be uniquely identified and authenticated.
   * - CR-1.1 RE(1)
     - Completed. Added package
     - TC_CR1.1-RE1_1
     - Same as CR-1.1
   * - CR-1.1 RE(2)
     - Completed. Adding package libpam-google-authenticator
     - None
     - The CIP platform complies with this requirement by adding the google MFA Debian package. However, CIP users can use their own way to achieve this MFA.
   * - CR-1.2
     - N.A.
     - None
     - The CIP platform can't meet this requirement; CIP users should use their applications to meet this requirement. All components need to identify themselves. We recommend the usage of TPM generated ids or certificates for device id, a process pid and the addition of the active user account. The pid must be logged over the process's lifetime, as it changes after a process restart.
   * - CR-1.2 RE(1)
     - Unique identification and authentication
     - FALSE
     - TRUE
   * - CR-1.3
     - Completed. Added usermod package
     - 1. TC_CR1.3_1
       2. TC_CR1.3_2
       3. TC_CR1.3_3
     - default_action_
   * - CR-1.4
     - Completed. Added package adduser
     - TC_CR1.4_1
     - default_action_
   * - CR-1.5
     - Completed. Added packages tpm2-tools, tpm2-abrmd
     - 1. TC_CR1.5_2
       2. TC_CR1.5_3
     - default_action_
   * - CR-1.5 RE(1)
     - Completed
     - None
     - This requirement expects a secure storage; CIP added TPM tools. However, secure storage and any other tools needed should be provided by CIP users based on their requirements.
   * - NDR-1.6
     - In-progress. Wireless drivers to be included in CIP kernel
     - None
     - default_action_
   * - NDR-1.6 RE(1)
     - In-progress. Wireless drivers to be included in CIP kernel
     - None
     - default_action_
   * - CR-1.7
     - Completed. libpam-cracklib
     - TC_CR1.7_1
     - default_action_
   * - CR-1.7 RE(1)
     - Completed. Added packages passwd, login
     - TC_CR1.7-RE1_1
     - default_action_
   * - CR-1.7 RE(2)
     - N.A.
     - None
     - This is for SL-4
   * - CR-1.8
     - Completed. Added package openssl
     - TC_CR1.8_1
     - default_action_
   * - CR-1.9
     - Completed. Added package openssl
     - 1. TC_CR1.9_1
       2. TC_CR1.9_2
       3. TC_CR1.9_3
       4. TC_CR1.9_4
       5. TC_CR1.9_5
       6. TC_CR1.9_6
     - default_action_
   * - CR-1.9 RE(1)
     - Completed
     - None
     - It requires HW support; should be met by CIP users
   * - CR-1.10
     - Completed. Added package openssl
     - TC_CR2.10_1
     - default_action_
   * - CR-1.11
     - Completed, added package libpam-modules-bin
     - 1. TC_CR1.11_1
       2. TC_CR1.11_2
     - default_action_
   * - CR-1.12
     - N.A.
     - None
     - CIP does not support this requirement; CIP users should implement notifications based on their requirements. Following are some guidelines. APP: If the device has an HMI for an application requiring authentication, the application shall be able to display a configurable use notification message before the credentials are requested from the user.
   * - NDR-1.13
     - N.A.
     - None
     - CIP does not support this requirement. Access of networks should be monitored using network security software and tools; only used ports should be open and unused ports should be blocked to avoid unauthorized access.
   * - NDR-1.13 RE(1)
     - Explicit access request approval
     - FALSE
     - TRUE
   * - CR-1.14
     - Completed. Added openssl package
     - TC_CR1.8_1
     - default_action_
   * - CR-1.14 RE(1)
     - N.A.
     - None
     - Requires HW support

.. _default_action:

Default action
--------------

Here, default action means: use the CIP-provided package or an equivalent to meet the requirement. Even though CIP as a platform provides several packages, CIP users need to re-use the capabilities provided by those packages to meet their specific security requirements.
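CR-1.9 in the tables above is covered by the openssl package, and its test cases check the validity of the signature on a given certificate. The following shell script is an added example and is not part of the CIP project or its test suite: it builds a throwaway CA and a leaf certificate in a temporary directory (constructed test material with made-up subject names) and runs ``openssl verify`` against both the issuing CA and an unrelated CA, so the negative case is visible alongside the positive one. It assumes only the openssl CLI and POSIX sh.

```shell
#!/bin/sh
# Added example, not CIP project code: exercise certificate signature
# validation with the openssl CLI (the package CIP adds for CR-1.8/CR-1.9).
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed test material: a self-signed CA, a leaf certificate signed
# by it, and a second, unrelated self-signed CA. Subject names are made up.
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example CIP Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=example-device" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/leaf.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/leaf.pem" >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Unrelated CA" \
    -keyout "$WORK/other.key" -out "$WORK/other.pem" >/dev/null 2>&1
}

# verify_cert CA_FILE CERT_FILE
# Prints "valid" when CERT_FILE chains to CA_FILE (the signature checks out
# against the CA key and the validity period is current) and "invalid"
# otherwise. The function always returns 0 so callers compare the verdict.
verify_cert() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo valid
  else
    echo invalid
  fi
}

make_test_pki
echo "leaf vs issuing CA:   $(verify_cert "$WORK/ca.pem" "$WORK/leaf.pem")"
echo "leaf vs unrelated CA: $(verify_cert "$WORK/other.pem" "$WORK/leaf.pem")"
```

The second verdict is the one that matters for CR-1.9: a certificate whose signature cannot be traced to a trusted CA is rejected by ``openssl verify`` even though the file itself is well formed, which is exactly the check a component should perform before trusting a peer's public key.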