User Security Manual
====================

.. contents::

.. list-table:: Revision History
   :header-rows: 1

   * - Revision No
     - Date
     - Change description
     - Author
     - Reviewed by
   * - 001
     - 2021-09-30
     - Draft User Security Manual
     - Dinesh Kumar
     - To be reviewed by CIP Security WG members
   * - 002
     - 2022-05-30
     - Fixed SWG review comments in gitlab
     - Dinesh Kumar
     - CIP SWG
   * - 003
     - 2024-05-23
     - Add doc reqs for interfaces
     - Stefan Schroeder
     - CIP SWG
   * - 004
     - 2024-07-12
     - Add details about debian-cve-checker
     - Sai Ashrith
     - To be reviewed

1. Objective
------------

This document contains items identified during the IEC-62443-4-1 and IEC-62443-4-2 gap assessment for the user security manual. It covers the following items and is subject to revision based on Certification Body feedback or any other inputs from other CIP members:

- How to operate CIP in a secure manner
- CIP security configurations
- CIP users' privileges to operate or configure the end products

This document is subject to revision based on new findings or investigations in the future.

2. Assumptions
--------------

+-----------------------------------+-----------------------------------+
| Assumption                        | Impact                            |
+===================================+===================================+
| All documented guidelines are     | These are recommendations         |
| strictly followed by CIP users    | identified from the IEC-62443-4-2 |
|                                   | and IEC-62443-4-1 investigation;  |
|                                   | not following these guidelines    |
|                                   | indicates non-compliance of the   |
|                                   | product with IEC.                 |
+-----------------------------------+-----------------------------------+

3. Scope
--------

This document covers requirements from IEC-62443-4-1 and IEC-62443-4-2 for which we have received gap assessment comments from the Certification Body.

4. Guidelines
-------------

4.1 IEC-62443-4-2 (EDR-3.2) Protection from malicious code
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The CIP platform does not meet this requirement completely, hence CIP users are advised to perform a risk assessment for the end product and find suitable means to mitigate the risk of malicious code being installed on the device. Some of the important areas to consider for protection include:

- USB host access
- Detecting integrity violations of application binaries and data files

Depending upon the end product, various techniques can be adopted, e.g. the no-execute bit (NX), data execution prevention (DEP), address space layout randomization (ASLR), stack corruption detection, etc.

4.2 IEC-62443-4-2 (NDR-3.2) Protection from malicious code
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The CIP platform does not support this requirement, hence CIP users should consider whitelisting or signing the software binaries in order to meet it. Another option is to use suitable IPS/IDS packages provided by the CIP platform.

4.3 IEC-62443-4-2 (CR-7.1) Denial of service protection
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The CIP platform meets this requirement by providing several security packages for ensuring device security. However, denial of service protection is a very wide area and requires measures to be taken by CIP end users as well. CIP users should perform CRT (Communication Robustness Testing) on end devices to confirm that the device meets the robustness testing requirements. The pam, openssh and acl packages can help to achieve denial of service protection.

4.4 IEC-62443-4-2 (CR-7.3) Control System Backup
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

CIP members are investigating the inclusion of a suitable package which can support this requirement. However, CIP users need to configure which data needs to be taken as a remote backup. In addition to taking backups, CIP users should also check and confirm on a regular basis that the data can be restored.

4.5 IEC-62443-4-2 (CR-6.2) Continuous Monitoring
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

CIP provides capabilities to monitor the system continuously. CIP provides packages like aide and syslog-ng which can be configured to monitor the system continuously depending upon the use case. For more information, refer to the other related `documents `__.

4.6 IEC-62443-4-1 (SD-1 (i)) Documentation of externally accessible interfaces
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The documentation shall provide instructions about externally accessible interfaces. Since all services offered on a CIP system are provided by third-party packages, the respective documentation of the underlying third-party packages shall be consulted. During the hardening process it shall be ensured that no unnecessary interfaces are exposed.

5. CIP System Monitoring
------------------------

CIP as a platform provides various techniques for system monitoring. However, it is left to CIP users to select the appropriate methods for their use cases; aide, syslog-ng and auditd are some examples. Various logs to monitor are:

- /var/log/syslog
- /var/log/auth.log
- /var/log/boot.log
- /var/log/dmesg
- /var/log/faillog

6. Generating CVE report for the installed packages
---------------------------------------------------

CIP provides a tool named `debian-cve-checker <https://gitlab.com/cip-project/cip-core/debian-cve-checker>`__ which helps the user to generate a CVE report for the packages installed in the system. The report provides the CVE ID, the package which is affected, the package carrying the vulnerability, advisory information, severity level and score. The later version in which the vulnerability is fixed is also reported, if applicable. For the steps to use **debian-cve-checker**, refer to this `manual `__ document.
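A worked example of post-processing such a report, added here and not part of the CIP manual or of debian-cve-checker: it compares each reported fixed version against the installed version using dpkg's version ordering, which a plain string comparison gets wrong (1.10 would sort before 1.9, and 2.0~rc1 would sort after 2.0). The report rows, field layout, CVE ids and versions are constructed placeholders, not the tool's real output format.

```python
import re
# Constructed report rows: (cve id, affected package, severity, fixed version or ""
# when no fix yet) -- placeholder ids, not debian-cve-checker's real output format.
REPORT = [
    ("CVE-XXXX-0001", "openssh-server", "high", "1:8.4p1-5+deb11u1"),
    ("CVE-XXXX-0002", "libpam0g", "medium", "1.4.0-10"),
    ("CVE-XXXX-0003", "acl", "low", ""),
]
# Constructed installed versions (as `dpkg-query -W` would list them).
INSTALLED = {"openssh-server": "1:8.4p1-5", "libpam0g": "1.4.0-11", "acl": "2.2.53-10"}

def _order(c):
    # dpkg weight of a char in a non-digit run: '~' < end of string < letters < symbols.
    if c == "~":
        return -1
    return 0 if c == "" or c.isdigit() else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    # dpkg ordering of an upstream/revision string: non-digit runs by char weight, digit runs numerically.
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            oa, ob = _order(a[i:i + 1]), _order(b[j:j + 1])
            if oa != ob:
                return oa - ob
            i, j = i + 1, j + 1
        da, db = re.match(r"\d*", a[i:]).group(0), re.match(r"\d*", b[j:]).group(0)
        i, j = i + len(da), j + len(db)
        if int(da or 0) != int(db or 0):
            return int(da or 0) - int(db or 0)
    return 0

def dpkg_compare(a, b):
    """Return -1, 0 or 1 for Debian version strings a and b (dpkg ordering)."""
    def split(v):  # [epoch:]upstream[-revision]; epoch defaults to 0, revision to ""
        epoch, sep, rest = v.partition(":")
        epoch, rest = (epoch, rest) if sep else ("0", v)
        upstream, sep, revision = rest.rpartition("-")
        return int(epoch), upstream if sep else rest, revision if sep else ""
    (ea, ua, ra), (eb, ub, rb) = split(a), split(b)
    r = (ea > eb) - (ea < eb) or _cmp_part(ua, ub) or _cmp_part(ra, rb)
    return (r > 0) - (r < 0)

def triage(report, installed):
    """Map each CVE id to 'open', 'fixed', 'no-fix' or 'not-installed'."""
    def state(cur, fixed):
        if cur is None or not fixed:
            return "not-installed" if cur is None else "no-fix"
        return "fixed" if dpkg_compare(cur, fixed) >= 0 else "open"
    return {cve: state(installed.get(pkg), fixed) for cve, pkg, _sev, fixed in report}
```

In practice the tool's own report and the output of ``dpkg-query -W`` replace the constructed data; packages that stay in the "open" state are the ones an update or mitigation is still needed for.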