iec62443-4-2-FR-2
=================

.. contents::

.. list-table::
   :header-rows: 1

   * - Req ID
     - Requirement name
     - Supported by CIP
     - Need application support
     - Need HW solution
     - Status if supported by CIP
   * - CR-2.1
     - Authorization enforcement
     - TRUE
     - TRUE
     - FALSE
     - Completed. Added acl package
   * - CR-2.1 RE(1)
     - Authorization enforcement for all users (humans, software processes
       and devices)
     - TRUE
     - TRUE
     - FALSE
     - Completed. Added acl package
   * - CR-2.1 RE(2)
     - Permission mapping to roles
     - TRUE
     - TRUE
     - FALSE
     - Completed. Added acl package
   * - CR-2.1 RE(3)
     - Supervisor override
     - TRUE
     - TRUE
     - FALSE
     - Completed. Added acl package
   * - CR-2.1 RE(4)
     - Dual approval
     - FALSE
     - FALSE
     - FALSE
     - N.A.
   * - CR-2.2
     - Wireless use control
     - FALSE
     - TRUE
     - FALSE
     - N.A.
   * - CR-2.3
     - Use control for portable and mobile devices
     - FALSE
     - FALSE
     - FALSE
     - N.A.
   * - SAR-2.4
     - Mobile code
     - FALSE
     - FALSE
     - FALSE
     - N.A.
   * - SAR-2.4 RE(1)
     - Mobile code - authenticity check
     - FALSE
     - TRUE
     - FALSE
     - N.A.
   * - EDR-2.4
     - Mobile code
     - FALSE
     - TRUE
     - FALSE
     - N.A.
   * - EDR-2.4 RE(1)
     - Mobile code - authenticity check
     - FALSE
     - TRUE
     - FALSE
     - N.A.
   * - HDR-2.4
     - Mobile code
     - FALSE
     - TRUE
     - FALSE
     - N.A.
   * - HDR-2.4 RE(1)
     - Mobile code - authenticity check
     - FALSE
     - TRUE
     - FALSE
     - N.A.
   * - NDR-2.4
     - Mobile code
     - FALSE
     - TRUE
     - FALSE
     - N.A.
   * - NDR-2.4 RE(1)
     - Mobile code - authenticity check
     - FALSE
     - TRUE
     - FALSE
     - N.A.
   * - CR-2.5
     - Session lock
     - TRUE
     - TRUE
     - FALSE
     - Completed. Added package openssh
   * - CR-2.6
     - Remote session termination
     - TRUE
     - TRUE
     - FALSE
     - Completed. Added package openssh
   * - CR-2.7
     - Concurrent session control
     - TRUE
     - TRUE
     - FALSE
     - Completed. Added pam and openssh package
   * - CR-2.8
     - Auditable events
     - TRUE
     - TRUE
     - FALSE
     - Completed. Added package auditd
   * - CR-2.9 RE(1)
     - Warn when audit record storage capacity threshold reached
     - TRUE
     - TRUE
     - FALSE
     - Completed. Added package auditd and rsyslog
   * - CR-2.10
     - Response to audit processing failures
     - TRUE
     - TRUE
     - FALSE
     - In-progress
   * - CR-2.11
     - Timestamp
     - TRUE
     - FALSE
     - FALSE
     - Completed. Added package chrony
   * - CR-2.11 RE(1)
     - Time synchronization
     - TRUE
     - FALSE
     - FALSE
     - Completed. Added package chrony
   * - CR-2.11 RE(2)
     - Protection of time source integrity
     - FALSE
     - FALSE
     - FALSE
     - N.A.
   * - CR-2.12
     - Non-repudiation
     - TRUE
     - TRUE
     - FALSE
     - Completed. Added packages audits and syslog-ng
   * - CR-2.12 RE(1)
     - Non-repudiation for all users
     - FALSE
     - FALSE
     - FALSE
     - N.A.
   * - EDR-2.13
     - Use of physical diagnostic and test interfaces
     - FALSE
     - FALSE
     - TRUE
     - N.A.
   * - EDR-2.13 RE(1)
     - Active monitoring
     - TRUE
     - TRUE
     - TRUE
     - Completed. Added packages syslog-ng, auditd
   * - HDR-2.13
     - Use of physical diagnostic and test interfaces
     - FALSE
     - FALSE
     - TRUE
     - N.A.
   * - HDR-2.13 RE(1)
     - Active monitoring
     - TRUE
     - FALSE
     - TRUE
     - N.A.

Tests reference and CIP recommendation
--------------------------------------

.. list-table::
   :header-rows: 1

   * - Req ID
     - Status if supported by CIP
     - IEC-62443-4-2 tests reference
     - CIP recommendation
   * - CR-2.1
     - Completed. Added acl package
     - TC_CR2.1_1
     - default_action_ configured using ACL, chmod or a similar effective
       mechanism. For network interfaces, the user should create user groups
       for each protocol, e.g. apache (web server), and configure file and
       directory access control using ACL or a similar effective mechanism
       for each user in these groups. Access permissions and ACL shall be
       reviewed periodically.
   * - CR-2.1 RE(1)
     - Completed. Added acl package
     - TC_CR2.1_1
     - default_action_
   * - CR-2.1 RE(2)
     - Completed. Added acl package
     - TC_CR2.1_1
     - default_action_
   * - CR-2.1 RE(3)
     - Completed. Added sudo package
     - TC_CR2.1_1
     - default_action_ specific, this requirement must be implemented at
       application level
   * - CR-2.1 RE(4)
     - N.A.
     - None
     - This is for SL-4
   * - CR-2.2
     - N.A.
     - None
     - This requirement cannot be supported by CIP. However, CIP has the
       following recommendations for meeting this requirement.

       **SYSTEM**:

       1. Every interface needs to use pam or similar authentication
       2. Network control on a system level needs to adhere to security best
          practices

       **APP**:

       1. Support the ability to disable SSID broadcast function
       2. Support client white-list function
       3. Support alarm on known vulnerable encryption (e.g., WEP)
       4. Record client connection events
       5. Support ACL integration
       6. Application should not use vulnerable protocols underneath
   * - CR-2.3
     - N.A.
     - None
     - There is no component level
   * - SAR-2.4
     - N.A.
     - None
     - This requirement only applies to Software
   * - SAR-2.4 RE(1)
     - N.A.
     - None
     - This requirement only applies to Software Applications
   * - EDR-2.4
     - N.A.
     - None
     - This requirement is not supported by CIP. Embedded devices only need
       to support this requirement if they utilize mobile code technologies
       such as Java, USB ports (autorun)
   * - EDR-2.4 RE(1)
     - N.A.
     - None
     - Same as EDR-2.4
   * - HDR-2.4
     - N.A.
     - None
     - It’s for host devices
   * - HDR-2.4 RE(1)
     - N.A.
     - None
     - It’s for host devices
   * - NDR-2.4
     - N.A.
     - None
     - It’s not applicable to CIP, same as EDR-2.4
   * - NDR-2.4 RE(1)
     - N.A.
     - None
     - It’s not applicable to CIP, same as EDR-2.4
   * - CR-2.5
     - Completed. Added package openssh
     - None
     - CIP added openssh package to meet this requirement. However, it’s the
       application developer’s responsibility to configure the timeout
       period for the session as well as terminating the session after
       timeout. This can be implemented in many ways, hence it’s left to CIP
       users.
   * - CR-2.6
     - Completed. Added package openssh
     - None
     - Same as CR-2.5
   * - CR-2.7
     - Completed. Added pam and openssh package
     - None
     - Same as CR-2.5
   * - CR-2.8
     - Completed. Added package auditd
     - None
     - This requirement is supported by CIP. However, application needs to
       configure applicable types of events for audit, all such events
       should be recorded which should be made available
   * - CR-2.9
     -
     - None
     - This requirement is supported by CIP. However, application needs to
       configure log storage capacity, and when logs should be discarded
       after reaching certain configured storage limit.
   * - CR-2.9 RE(1)
     - Completed. Added package auditd and rsyslog
     - TC_CR2.9-RE1_1
     - Same as CR-2.9
   * - CR-2.10
     - In-progress
     - TC_CR2.10_1
     - CIP supports these packages and demonstrate to meet this requirement.
   * - CR-2.11
     - Completed. Added package chrony
     - TC_CR2.11_1
     - default_action_
   * - CR-2.11 RE(1)
     - Completed. Added package chrony
     - TC_CR2.11_1
     - CIP supports in such a way that logs are generated with system time
       synchronized
   * - CR-2.11 RE(2)
     - N.A.
     - None
     - This is for SL-4
   * - CR-2.12
     - Completed. Added packages audits
     - TC_CR2.12_1
     - default_action_
   * - CR-2.12 RE(1)
     - N.A.
     - None
     - This is for SL-4
   * - EDR-2.13
     - N.A.
     - None
     - SYSTEM and HW: Physical diagnostic and test interfaces need to be
       protected from unauthorized access if they provide the ability to
       execute commands on the system, affect its core functionality or read
       out non-public data. Protection could be done by physical access
       restriction and/or an authorization method similar to the productive
       authorization methods described in this document. The level of
       protection needed has to be assessed via a threat and risk analysis.
       Also, the necessity of installing test interfaces needs to be
       carefully considered. In particular, it is desirable to remove the
       JTAG interface in the final production because it may cause
       unexpected behavior even for the supplier due to non-public
       instructions to the processor for hardware debugging.
   * - EDR-2.13 RE(1)
     - Completed. Added packages
     - TC_CR2.12_1
     - CIP supports needs to do logging when diagnostic and test interfaces
       are accessed. All such interfaces should be considered as part of
       application or system threat model. If there are some interfaces
       which are used only during design and development, such interfaces
       should be removed before devices are shipped out.
   * - HDR-2.13
     - N.A.
     - None
     - This requirement is for host devices
   * - HDR-2.13 RE(1)
     - N.A.
     - None
     - Same as HDR-2.13

.. _default_action:

Default action
--------------

Here, default action means using a CIP-provided package or an equivalent to
meet the requirement. Even though CIP as a platform provides several
packages, CIP users need to re-use the capabilities provided by the packages
to meet specific security requirements.