iec62443-4-2-FR-2
Req ID |
Re quirement name |
Supported by CIP |
Need ap plication support |
Need HW solution |
Status if supported by CIP |
|---|---|---|---|---|---|
CR-2.1 |
Auth orization en forcement |
TRUE |
TRUE |
FALSE |
Compl etedAdded acl package |
CR-2.1 RE(1) |
Auth orization en forcement for all users (humans, software processes and devices) |
TRUE |
TRUE |
FALSE |
Compl etedAdded acl package |
CR-2.1 RE(2) |
P ermission mapping to roles |
TRUE |
TRUE |
FALSE |
Compl etedAdded acl package |
CR-2.1 RE(3) |
S upervisor override |
TRUE |
TRUE |
FALSE |
Compl etedAdded sudo package |
CR-2.1 RE(4) |
Dual approval |
FALSE |
FALSE |
FALSE |
N.A. |
CR-2.2 |
Wireless use control |
FALSE |
TRUE |
FALSE |
N.A. |
CR-2.3 |
Use control for portable and mobile devices |
FALSE |
FALSE |
FALSE |
N.A. |
SAR-2.4 |
Mobile code |
FALSE |
FALSE |
FALSE |
N.A. |
SAR-2.4 RE(1) |
Mobile code - aut henticity check |
FALSE |
TRUE |
FALSE |
N.A. |
EDR-2.4 |
Mobile code |
FALSE |
TRUE |
FALSE |
N.A. |
EDR-2.4 RE(1) |
Mobile code - aut henticity check |
FALSE |
TRUE |
FALSE |
N.A. |
HDR-2.4 |
Mobile code |
FALSE |
TRUE |
FALSE |
N.A. |
HDR-2.4 RE(1) |
Mobile code - aut henticity check |
FALSE |
TRUE |
FALSE |
N.A. |
NDR-2.4 |
Mobile code |
FALSE |
TRUE |
FALSE |
N.A. |
NDR-2.4 RE(1) |
Mobile code - aut henticity check |
FALSE |
TRUE |
FALSE |
N.A. |
CR-2.5 |
Session lock |
TRUE |
TRUE |
FALSE |
Compl etedAdded package openssh |
CR-2.6 |
Remote session te rmination |
TRUE |
TRUE |
FALSE |
Compl etedAdded package openssh |
CR-2.7 |
C oncurrent session control |
TRUE |
TRUE |
FALSE |
Completed Added pam and openssh package |
CR-2.8 |
Auditable events |
TRUE |
TRUE |
FALSE |
Compl etedAdded package auditd |
CR-2.9 RE(1) |
Warn when audit record storage capacity threshold reached |
TRUE |
TRUE |
FALSE |
Compl etedAdded package auditd and rsyslog |
CR-2.10 |
Response to audit p rocessing failures |
TRUE |
TRUE |
FALSE |
In -progress |
CR-2.11 |
Timestamp |
TRUE |
FALSE |
FALSE |
Compl etedAdded package chrony |
CR-2.11 RE(1) |
Time synchr onization |
TRUE |
FALSE |
FALSE |
Compl etedAdded package chrony |
CR-2.11 RE(2) |
P rotection of time source integrity |
FALSE |
FALSE |
FALSE |
N.A. |
CR-2.12 |
Non-re pudiation |
TRUE |
TRUE |
FALSE |
Compl etedAdded packages audits and syslog-ng |
CR-2.12 RE(1) |
Non-re pudiation for all users |
FALSE |
FALSE |
FALSE |
N.A. |
EDR-2.13 |
Use of physical d iagnostic and test i nterfaces |
FALSE |
FALSE |
TRUE |
N.A. |
EDR-2.13 RE(1) |
Active m onitoring |
TRUE |
TRUE |
TRUE |
Compl etedAdded packages s yslog-ng, auditd |
HDR-2.13 |
Use of physical d iagnostic and test i nterfaces |
FALSE |
FALSE |
TRUE |
N.A. |
HDR-2.13 RE(1) |
Active m onitoring |
TRUE |
FALSE |
TRUE |
N.A. |
Tests reference and CIP recommendation
Req ID |
Status if supported by CIP |
IEC-62443-4-2 tests reference |
CIP recommendation |
|---|---|---|---|
CR-2.1 |
CompletedAdded acl package |
For local interface, file and directory access control must be configured using ACL, chmod or a similar effective mechanism.For network interface, user should create user groups for each protocols, e.g. apache(web server), and configure file and directory access control using ACL or a similar effective mechanism for each users in these groups. Access permissions and ACL shall be reviewed periodically. |
|
CR-2.1 RE(1) |
CompletedAdded acl package |
||
CR-2.1 RE(2) |
CompletedAdded acl package |
||
CR-2.1 RE(3) |
CompletedAdded sudo package |
Since the privil eges/supervisor overrides are application specific, this requirement must be implemented at application level |
|
CR-2.1 RE(4) |
N.A. |
None |
This is for SL-4 |
CR-2.2 |
N.A. |
None |
This requirement can not be supported by CIP. However, CIP has following recommendations for meeting this requirement SYSTEM:1. Every interface needs to use pam or similar a uthentication2. Network control on a system level needs to adhere to security best practi cesAPP:1. Support the ability to disable SSID broadcast function2. Support client white-list function3. Support alarm on known vulnerable encryption (e.g., WEP)4. Record client connection events5. Support ACL integration6. Application should not use vulnerable protocols underneath |
CR-2.3 |
N.A. |
None |
There is no component level |
SAR-2.4 |
N.A. |
None |
This requirement only applies to Software |
SAR-2.4 RE(1) |
N.A. |
None |
This requirement only applies to Software Applications |
EDR-2.4 |
N.A. |
None |
This requirement is not supported by CIP.Embedded devices only need to support this requirement if they utilize mobile code technologies such as Java, USB ports (autorun) |
EDR-2.4 RE(1) |
N.A. |
None |
Same as EDR-2.4 |
HDR-2.4 |
N.A. |
None |
It’s for host devices |
HDR-2.4 RE(1) |
N.A. |
None |
It’s for host devices |
NDR-2.4 |
N.A. |
None |
It’s not applicable to CIP same as EDR-2.4 |
NDR-2.4 RE(1) |
N.A. |
None |
It’s not applicable to CIP same as EDR-2.4 |
CR-2.5 |
CompletedAdded package openssh |
None |
CIP added openssh package to meet this requi rement.However, it’s application developer’s responsibility to configure timeout period for the session as well as terminating the session after timeout.This can be implemented in many ways hence it’s left to CIP users. |
CR-2.6 |
CompletedAdded package openssh |
None |
Same as CR-2.5 |
CR-2.7 |
Completed Added pam and openssh package |
None |
Same as CR-2.5 |
CR-2.8 |
CompletedAdded package auditd |
None |
This requirement is supported by CIP.However, application needs to configure applicable types of events for audit, all such events should be recorded which should be made available |
CR-2.9 |
None |
This requirement is supported by CIP.However, application needs to configure log storage capacity, and when logs should be discarded after reaching certain configured storage limit. |
|
CR-2.9 RE(1) |
CompletedAdded package auditd and rsyslog |
Same as CR-2.9 |
|
CR-2.10 |
In-progress |
CIP supports this requirement by adding packages auditd and rsysl og.Applications need to harness capabilities of these packages and demonstrate to meet this requirement. |
|
CR-2.11 |
CompletedAdded package chrony |
||
CR-2.11 RE(1) |
CompletedAdded package chrony |
CIP supports this requirement by chrony p ackage.However, application needs to configure logs in such a way that logs are generated with system time synchronized |
|
CR-2.11 RE(2) |
N.A. |
None |
This is for SL-4 |
CR-2.12 |
CompletedAdded packages audits and syslog-ng |
||
CR-2.12 RE(1) |
N.A. |
None |
This is for SL-4 |
EDR-2.13 |
N.A. |
None |
SYSTEM and HW: Physical diagnostic and test interfaces need to be protected from unauthorized access, if they provide the ability to execute commands on the system, affect its core functionality or read out non public data. Protection could be done by physical access restriction and/or an authorization method similar to the productive authorization methods described in this document. The Level of protection needed has to be assessed via a threat and risk analysis. Also, it needs to carefully consider the necessity of installing test interfaces. In particular, it is desirable to remove the JTAG interface in the final production because it may cause unexpected behavior for even supplier due to non-public instructions to the processor for hardware debugging. |
EDR-2.13 RE(1) |
CompletedAdded packages syslog-ng, auditd |
CIP supports this requirement by adding required packages.In order to meet this requirement application needs to do logging when diagnostic and test interfaces are accessed. All such interfaces should be considered as part of application or system threat model. If there are some interfaces which are used only during design and development , such interfaces should be removed before devices are shipped out. |
|
HDR-2.13 |
N.A. |
None |
This requirement is for host devices |
HDR-2.13 RE(1) |
N.A. |
None |
Same as HDR-2.13 |