iec62443-4-2-FR-3 ================= .. contents:: +----------+------------------+------------------+---------------------------+------------------+----------------------------+ | Req ID | Requirement name | Supported | Need | Need HW | Status if | | | | by CIP | ap | solution | supported | | | | | plication | | by CIP | | | | | support | | | +==========+==================+==================+===========================+==================+============================+ | CR-3.1 | Communication | TRUE | TRUE | FALSE | CompletedAdded | | | integrity | | | | openssl | | | | | | | package | +----------+------------------+------------------+---------------------------+------------------+----------------------------+ | CR 3.1 | Communication | TRUE | TRUE | FALSE | CompletedAdded | | RE(1) | authentication | | | | openssl | | | | | | | package | +----------+------------------+------------------+---------------------------+------------------+----------------------------+ | SAR-3.2 | Protection | FALSE | FALSE | FALSE | N.A. | | | from | | | | | | | malicious | | | | | | | code | | | | | +----------+------------------+------------------+---------------------------+------------------+----------------------------+ | EDR-3.2 | Protection | FALSE | TRUE | FALSE | N.A. | | | from | | | | | | | malicious | | | | | | | code | | | | | +----------+------------------+------------------+---------------------------+------------------+----------------------------+ | HDR-3.2 | Protection | FALSE | FALSE | FALSE | N.A. | | | from | | | | | | | malicious | | | | | | | code | | | | | +----------+------------------+------------------+---------------------------+------------------+----------------------------+ | HDR-3.2 | Report | FALSE | FALSE | FALSE | N.A. | | RE(1) | version | | | | | | | of code | | | | | | | protection | | | | | +----------+------------------+------------------+---------------------------+------------------+----------------------------+ | NDR-3.2 | Protection | FALSE | TRUE | FALSE | N.A. | | | from | | | | | | | malicious | | | | | | | code | | | | | +----------+------------------+------------------+---------------------------+------------------+----------------------------+ | CR-3.3 | Security | FALSE | TRUE | FALSE | N.A. | | | functionality | | | | | | | verification | | | | | +----------+------------------+------------------+---------------------------+------------------+----------------------------+ | CR-3.3 | Security | FALSE | FALSE | FALSE | N.A. | | RE(1) | functionality | | | | | | | verification | | | | | | | during | | | | | | | normal | | | | | | | operation | | | | | +----------+------------------+------------------+---------------------------+------------------+----------------------------+ | CR-3.4 | Software | TRUE | TRUE | FALSE | CompletedAdded | | | and | | | | packages | | | information | | | | openssl, | | | integrity | | | | aide, | | | | | | | aide-common | +----------+------------------+------------------+---------------------------+------------------+----------------------------+ | CR-3.4 | Authenticity | TRUE | TRUE | FALSE | Same as | | RE(1) | of | | | | CR-3.4 | | | software | | | | | | | and | | | | | | | information | | | | | +----------+------------------+------------------+---------------------------+------------------+----------------------------+ | CR 3.4 | Automated | TRUE | TRUE | FALSE | CompletedAdded | | RE(2) | notification | | | | syslog-ng | | | of | | | | package | | | integrity | | | | | | | violations | | | | | +----------+------------------+------------------+---------------------------+------------------+----------------------------+ | CR-3.5 | Input | TRUE | TRUE | FALSE | N.A. | | | validation | | | | | +----------+------------------+------------------+---------------------------+------------------+----------------------------+ | CR-3.6 | Deterministic | FALSE | TRUE | FALSE | N.A. | | | output | | | | | +----------+------------------+------------------+---------------------------+------------------+----------------------------+ | CR-3.7 | Error | TRUE | TRUE | FALSE | Added | | | handling | | | | syslog-ng | +----------+------------------+------------------+---------------------------+------------------+----------------------------+ | CR-3.8 | Session | TRUE | TRUE | FALSE | CompletedAdded | | | integrity | | | | package | | | | | | | openssl | +----------+------------------+------------------+---------------------------+------------------+----------------------------+ | CR-3.9 | Protection | TRUE | FALSE | FALSE | CompletedAdded | | | of audit | | | | package | | | in | | | | acl | | | formation | | | | | +----------+------------------+------------------+---------------------------+------------------+----------------------------+ | CR-3.9 | Audit | FALSE | FALSE | FALSE | N.A. | | RE(1) | records | | | | | | | on | | | | | | | write-once | | | | | | | media | | | | | +----------+------------------+------------------+---------------------------+------------------+----------------------------+ | EDR-3.10 | Support | TRUE | TRUE | FALSE | in-progress | | | for | | | | | | | updates | | | | | +----------+------------------+------------------+---------------------------+------------------+----------------------------+ | EDR-3.10 | Update | TRUE | TRUE | FALSE | in-progress | | RE(1) | aut | | | | | | | henticity | | | | | | | and | | | | | | | integrity | | | | | +----------+------------------+------------------+---------------------------+------------------+----------------------------+ | HDR-3.10 | Support | FALSE | TRUE | FALSE | N.A. | | | for | | | | | | | updates | | | | | +----------+------------------+------------------+---------------------------+------------------+----------------------------+ | HDR-3.10 | Update | FALSE | TRUE | FALSE | N.A. | | RE(1) | authenticity | | | | | | | and | | | | | | | integrity | | | | | +----------+------------------+------------------+---------------------------+------------------+----------------------------+ | NDR-3.10 | Support | TRUE | TRUE | FALSE | in-progress | | | for | | | | | | | updates | | | | | +----------+------------------+------------------+---------------------------+------------------+----------------------------+ | NDR-3.10 | Update | TRUE | TRUE | FALSE | in-progress | | RE(1) | authenticity | | | | | | | and | | | | | | | integrity | | | | | +----------+------------------+------------------+---------------------------+------------------+----------------------------+ | EDR-3.11 | Physical | FALSE | FALSE | TRUE | N.A. | | | tamper | | | | | | | resistance | | | | | | | and | | | | | | | detection | | | | | +----------+------------------+------------------+---------------------------+------------------+----------------------------+ | EDR-3.11 | Notification | FALSE | TRUE | TRUE | N.A. | | RE(1) | of a | | | | | | | tampering | | | | | | | attempt | | | | | +----------+------------------+------------------+---------------------------+------------------+----------------------------+ | HDR-3.11 | Physical | FALSE | FALSE | TRUE | N.A. | | | tamper | | | | | | | resistance | | | | | | | and | | | | | | | detection | | | | | +----------+------------------+------------------+---------------------------+------------------+----------------------------+ | HDR-3.11 | Notification | FALSE | FALSE | TRUE | N.A. | | RE(1) | of a | | | | | | | tampering | | | | | | | attempt | | | | | +----------+------------------+------------------+---------------------------+------------------+----------------------------+ | NDR-3.11 | Physical | FALSE | FALSE | TRUE | N.A. | | | tamper | | | | | | | resistance | | | | | | | and | | | | | | | detection | | | | | +----------+------------------+------------------+---------------------------+------------------+----------------------------+ | NDR-3.11 | Notification | FALSE | FALSE | TRUE | N.A | | RE(1) | of a | | | | | | | tampering | | | | | | | attempt | | | | | +----------+------------------+------------------+---------------------------+------------------+----------------------------+ | EDR-3.12 | Provisioning | FALSE | FALSE | TRUE | N.A. | | | product | | | | | | | supplier | | | | | | | roots of | | | | | | | trust - | | | | | | | protection | | | | | +----------+------------------+------------------+---------------------------+------------------+----------------------------+ | HDR-3.12 | Provisioning | FALSE | FALSE | TRUE | N.A. | | | product | | | | | | | supplier | | | | | | | roots of | | | | | | | trust-protection | | | | | +----------+------------------+------------------+---------------------------+------------------+----------------------------+ | NDR-3.12 | Provisioning | FALSE | FALSE | TRUE | N.A. | | | product | | | | | | | supplier | | | | | | | roots of | | | | | | | trust - | | | | | | | protection | | | | | +----------+------------------+------------------+---------------------------+------------------+----------------------------+ | EDR-3.13 | Provisioning | FALSE | TRUE | TRUE | N.A. | | | asset | | | | | | | owner | | | | | | | roots of | | | | | | | trust - | | | | | | | protection | | | | | +----------+------------------+------------------+---------------------------+------------------+----------------------------+ | HDR-3.13 | Provisioning | FALSE | FALSE | TRUE | N.A. | | | asset | | | | | | | owner | | | | | | | roots of | | | | | | | trust - | | | | | | | protection | | | | | +----------+------------------+------------------+---------------------------+------------------+----------------------------+ | NDR-3.13 | Provisioning | FALSE | TRUE | TRUE | N.A. | | | asset | | | | | | | owner | | | | | | | roots of | | | | | | | trust - | | | | | | | protection | | | | | +----------+------------------+------------------+---------------------------+------------------+----------------------------+ | EDR-3.14 | Integrity | FALSE | TRUE | TRUE | in-progress | | | of the | | | | | | | boot | | | | | | | process | | | | | +----------+------------------+------------------+---------------------------+------------------+----------------------------+ | EDR-3.14 | Authenticity | FALSE | TRUE | TRUE | in-progress | | RE(1) | of the | | | | | | | boot | | | | | | | process | | | | | +----------+------------------+------------------+---------------------------+------------------+----------------------------+ | HDR-3.14 | Integrity | FALSE | FALSE | TRUE | N.A. | | | of the | | | | | | | boot | | | | | | | process | | | | | +----------+------------------+------------------+---------------------------+------------------+----------------------------+ | HDR-3.14 | Authenticity | FALSE | FALSE | TRUE | N.A. | | RE(1) | of the | | | | | | | boot | | | | | | | process | | | | | +----------+------------------+------------------+---------------------------+------------------+----------------------------+ | NDR-3.14 | Integrity | FALSE | FALSE | TRUE | in-progress | | | of the | | | | | | | boot | | | | | | | process | | | | | +----------+------------------+------------------+---------------------------+------------------+----------------------------+ | NDR-3.14 | Authenticity | FALSE | FALSE | TRUE | in-progress | | RE(1) | of the | | | | | | | boot | | | | | | | process | | | | | +----------+------------------+------------------+---------------------------+------------------+----------------------------+ Tests reference and CIP recommendation -------------------------------------- +----------------+----------------------------+-------------------------------+-------------------------------------------------------------------+ | Req ID | Status if | IEC-62443-4-2 | CIP | | | supported by | tests reference | recommendation | | | CIP | | | +================+============================+===============================+===================================================================+ | CR-3.1 | CompletedAdded | Refer CR1.9 | default_action_ | | | openssl package | tests for | | | | | openssl | | | | | | \ The | | | | | platform | | | | | provides | | | | | capabilities | | | | | for secure | | | | | communication, | | | | | application | | | | | needs to use | | | | | them | +----------------+----------------------------+-------------------------------+-------------------------------------------------------------------+ | CR 3.1 RE(1) | CompletedAdded | Refer CR1.9 | Same as CR-3.1 | | | openssl package | tests for | | | | | openssl | | +----------------+----------------------------+-------------------------------+-------------------------------------------------------------------+ | SAR-3.2 | N.A. | None | This | | | | | requirement is | | | | | only for | | | | | Software | | | | | application | +----------------+----------------------------+-------------------------------+-------------------------------------------------------------------+ | EDR-3.2 | N.A. | None | CIP does not | | | | | support this | | | | | requ | | | | | irement.SYSTEM: | | | | | Use a | | | | | combination of | | | | | detection and | | | | | prevention | | | | | techniques to | | | | | protect the | | | | | system from | | | | | installation | | | | | and execution | | | | | of unauthorized | | | | | software. We | | | | | recommend all | | | | | software to be | | | | | signed by its | | | | | trusted source | | | | | and to use | | | | | whitelisting | | | | | and ACL to | | | | | prevent | | | | | execution of | | | | | unknown | | | | | software. | | | | | Secure boot can | | | | | also be useful | | | | | to ensure | | | | | system | | | | | integrity. | | | | | Disabling | | | | | portable | | | | | storage device | | | | | auto-mount | | | | | function in | | | | | default is | | | | | recommended. | +----------------+----------------------------+-------------------------------+-------------------------------------------------------------------+ | HDR-3.2 | N.A. | None | SYSTEM: Use a | | | | | combination of | | | | | detection and | | | | | prevention | | | | | techniques to | | | | | protect the | | | | | system from | | | | | installation | | | | | and execution | | | | | of unauthorized | | | | | software. We | | | | | recommend all | | | | | software to be | | | | | signed by its | | | | | trusted source | | | | | and to use | | | | | whitelisting | | | | | and ACL to | | | | | prevent | | | | | execution of | | | | | unknown | | | | | software. | | | | | Secure boot can | | | | | also be useful | | | | | to ensure | | | | | system | | | | | integrity. | | | | | Disabling | | | | | portable | | | | | storage device | | | | | auto-mount | | | | | function in | | | | | default is | | | | | recommended. | +----------------+----------------------------+-------------------------------+-------------------------------------------------------------------+ | HDR-3.2 RE(1) | N.A. | None | APP: Need to | | | | | automatically | | | | | report the | | | | | version of | | | | | signatures of | | | | | software for | | | | | protection from | | | | | malicious | | | | | code.However, | | | | | this | | | | | requirement | | | | | assumes the | | | | | installation of | | | | | anti-virus | | | | | software | | | | | provided for | | | | | general-purpose | | | | | operating | | | | | systems such as | | | | | Windows. If you | | | | | install a | | | | | specific | | | | | anti-virus | | | | | software, you | | | | | need to log | | | | | also its | | | | | version. | +----------------+----------------------------+-------------------------------+-------------------------------------------------------------------+ | NDR-3.2 | N.A. | None | CIP does not | | | | | support this | | | | | requ | | | | | irement.SYSTEM: | | | | | Network devices | | | | | need to either | | | | | be protected | | | | | from malicious | | | | | code by | | | | | external | | | | | compensation | | | | | control or need | | | | | internal | | | | | protection from | | | | | malicious code | | | | | like in HDR | | | | | 3.2/EDR | | | | | 3.2.However, | | | | | even if the | | | | | network device | | | | | itself takes | | | | | measures, it is | | | | | recommended to | | | | | keep it | | | | | lightweight so | | | | | that the | | | | | throughput is | | | | | not affected. | +----------------+----------------------------+-------------------------------+-------------------------------------------------------------------+ | CR-3.3 | N.A. | None | CIP does not | | | | | support this | | | | | requirement.CIP | | | | | users should | | | | | verify the | | | | | security | | | | | functionality | | | | | supported by | | | | | the product | | | | | according to | | | | | this | | | | | requirement | +----------------+----------------------------+-------------------------------+-------------------------------------------------------------------+ | CR-3.3 RE(1) | N.A. | None | This is for | | | | | SL-4 | +----------------+----------------------------+-------------------------------+-------------------------------------------------------------------+ | CR-3.4 | CompletedAdded | `TC_CR3. | CIP supports | | | packages | 4_1 `__ | configuration | +----------------+----------------------------+-------------------------------+-------------------------------------------------------------------+ | CR-3.4 RE(1) | Same as CR-3.4 | | Same as CR-3.4 | | | | `TC_CR3.4-RE1_1 | | | | | `__ | | +----------------+----------------------------+-------------------------------+-------------------------------------------------------------------+ | CR 3.4 RE(2) | CompletedAdded | | Same as | | | syslog-ng | `TC_CR3.4-RE2_1 | CR-3.4Any | | | package | `__ | purpose. Once | | | | | checksum or | | | | | digital | | | | | verification is | | | | | failed, | | | | | depending upon | | | | | which layer it | | | | | failed, the | | | | | system needs to | | | | | determine how | | | | | to handle it, | +----------------+----------------------------+-------------------------------+-------------------------------------------------------------------+ | CR-3.5 | N.A. | None | CIP users to | | | | | make sure all | | | | | the interfaces | | | | | do input | | | | | validation such | | | | | as input for | | | | | industrial | | | | | process | | | | | control, input | | | | | via external | | | | | interfaces | +----------------+----------------------------+-------------------------------+-------------------------------------------------------------------+ | CR-3.6 | N.A. | None | CIP does not | | | | | support this | | | | | requirement.CIP | | | | | user should | | | | | make sure it is | | | | | met by | | | | | application. | | | | | Meeting this | | | | | requirement is | | | | | full | | | | | responsibility | | | | | of CIP user | +----------------+----------------------------+-------------------------------+-------------------------------------------------------------------+ | CR-3.7 | Added syslog-ng | None | CIP ensures no | | | | | confidential | | | | | information is | | | | | exposed in logs | | | | | which can be | | | | | exploited by | | | | | adversaries.CIP | | | | | users should | | | | | ensure any | | | | | sensitive | | | | | information is | | | | | not printed in | | | | | the logs. | +----------------+----------------------------+-------------------------------+-------------------------------------------------------------------+ | CR-3.8 | CompletedAdded | Refer openssl | CIP platform | | | package openssl | tests in CR1.9 | provides low | | | | | level package | | | | | for session | | | | | integrity. | | | | | Application | | | | | developers | | | | | should use | | | | | platform | | | | | capabilities to | | | | | protect | | | | | application | | | | | sessions. | +----------------+----------------------------+-------------------------------+-------------------------------------------------------------------+ | CR-3.9 | CompletedAdded | `TC_CR3. | default_action_ | | | package acl | 9_1 `__ | | +----------------+----------------------------+-------------------------------+-------------------------------------------------------------------+ | CR-3.9 RE(1) | N.A. | None | For SL-4 | +----------------+----------------------------+-------------------------------+-------------------------------------------------------------------+ | EDR-3.10 | in-progress | None | CIP provides | | | | | reference | | | | | implementation | | | | | for software | | | | | updates. | | | | | However, CIP | | | | | does not | | | | | provide any | | | | | software update | | | | | for CIP users | | | | | or devices.CIP | | | | | users can use | | | | | CIP software | | | | | update as | | | | | reference | | | | | implementation | | | | | and develop | | | | | software | | | | | updates based | | | | | on their | | | | | requirements. | +----------------+----------------------------+-------------------------------+-------------------------------------------------------------------+ | EDR-3.10 RE(1) | in-progress | None | Same as | | | | | EDR-3.10 | +----------------+----------------------------+-------------------------------+-------------------------------------------------------------------+ | HDR-3.10 | N.A. | None | This is for | | | | | host devices | | | | | not supported | | | | | by CIP | +----------------+----------------------------+-------------------------------+-------------------------------------------------------------------+ | HDR-3.10 RE(1) | N.A. | None | This is for | | | | | host devices | | | | | not supported | | | | | by CIP | +----------------+----------------------------+-------------------------------+-------------------------------------------------------------------+ | NDR-3.10 | in-progress | None | Same as | | | | | EDR-3.10 | +----------------+----------------------------+-------------------------------+-------------------------------------------------------------------+ | NDR-3.10 RE(1) | in-progress | None | Same as | | | | | EDR-3.10 | +----------------+----------------------------+-------------------------------+-------------------------------------------------------------------+ | EDR-3.11 | N.A. | None | Requires HW | | | | | support | +----------------+----------------------------+-------------------------------+-------------------------------------------------------------------+ | EDR-3.11 RE(1) | N.A. | None | CIP does not | | | | | support this | | | | | requirement.CIP | | | | | users should | | | | | support this | | | | | requirement. | +----------------+----------------------------+-------------------------------+-------------------------------------------------------------------+ | HDR-3.11 | N.A. | None | This is for | | | | | host devices | +----------------+----------------------------+-------------------------------+-------------------------------------------------------------------+ | HDR-3.11 RE(1) | N.A. | None | This is for | | | | | host devices | +----------------+----------------------------+-------------------------------+-------------------------------------------------------------------+ | NDR-3.11 | N.A. | None | Requires HW | | | | | support | +----------------+----------------------------+-------------------------------+-------------------------------------------------------------------+ | NDR-3.11 RE(1) | N.A | None | CIP does not | | | | | support this | | | | | requirement | | | | | This | | | | | requirement | | | | | should be | | | | | supported by | | | | | CIP users | +----------------+----------------------------+-------------------------------+-------------------------------------------------------------------+ | EDR-3.12 | N.A. | None | CIP does not | | | | | support this | | | | | r | | | | | equirement.This | | | | | will be | | | | | supported by | | | | | CIP users | +----------------+----------------------------+-------------------------------+-------------------------------------------------------------------+ | HDR-3.12 | N.A. | None | It’s for host | | | | | devices | +----------------+----------------------------+-------------------------------+-------------------------------------------------------------------+ | NDR-3.12 | N.A. | None | Same as | | | | | EDR-3.12 | +----------------+----------------------------+-------------------------------+-------------------------------------------------------------------+ | EDR-3.13 | N.A. | None | CIP platform | | | | | does not | | | | | support this | | | | | requirement.CIP | | | | | users should | | | | | support this | | | | | requirement by | | | | | using CIP | | | | | capability. | +----------------+----------------------------+-------------------------------+-------------------------------------------------------------------+ | HDR-3.13 | N.A. | None | This is only | | | | | applicable to | | | | | host devices | +----------------+----------------------------+-------------------------------+-------------------------------------------------------------------+ | NDR-3.13 | N.A. | None | Same as | | | | | EDR-3.13 | +----------------+----------------------------+-------------------------------+-------------------------------------------------------------------+ | EDR-3.14 | in-progress | None | CIP provides | | | | | reference | | | | | implementation | | | | | of secure | | | | | boot.CIP users | | | | | should meet it | | | | | it based on | | | | | their secure | | | | | hardware | | | | | support. | +----------------+----------------------------+-------------------------------+-------------------------------------------------------------------+ | EDR-3.14 RE(1) | in-progress | None | CIP provides | | | | | reference | | | | | implementation | | | | | of secure boot | | | | | imp | | | | | lementation.CIP | | | | | users should | | | | | meet it it | | | | | based on their | | | | | secure hardware | | | | | support. | +----------------+----------------------------+-------------------------------+-------------------------------------------------------------------+ | HDR-3.14 | N.A. | None | It’s for host | | | | | devices | +----------------+----------------------------+-------------------------------+-------------------------------------------------------------------+ | HDR-3.14 RE(1) | N.A. | None | It’s for host | | | | | devices | +----------------+----------------------------+-------------------------------+-------------------------------------------------------------------+ | NDR-3.14 | in-progress | None | CIP provides | | | | | reference | | | | | implementation | | | | | of secure boot | | | | | imp | | | | | lementation.CIP | | | | | users should | | | | | meet it it | | | | | based on their | | | | | secure hardware | | | | | support. | +----------------+----------------------------+-------------------------------+-------------------------------------------------------------------+ | NDR-3.14 RE(1) | in-progress | None | CIP provides | | | | | reference | | | | | implementation | | | | | of secure boot | | | | | imp | | | | | lementation.CIP | | | | | users should | | | | | meet it it | | | | | based on their | | | | | secure hardware | | | | | support. | +----------------+----------------------------+-------------------------------+-------------------------------------------------------------------+ .. _default_action: Default action -------------- Here default action means use CIP provided package or equivalent to meet the requirement. Even though CIP as platform provides several packages, CIP users need to re-use capabilities provided by the packages to meet specific security requirements.