Welcome to CIP_documentation’s documentation!
CIP Documents
This repository keeps all documents in one place for all working groups of the CIP projects, to meet the secure development process defined in IEC 62443-4-1, which requires documents and their versions to be maintained.
Management policy
This repository will be maintained by a few security members to meet the secure development process; branches in this repository will therefore be protected by restricting which members can push and merge.
License
The license of all documentation in this repository follows the intellectual property policy in the CIP Charter. See section 14-e in the CIP Charter.
Guide
This section will give brief descriptions about each document to make navigating this repository easier. Non-document files will not be explained here.
- cip-project
- cip-documents
- developer
- event
- process
- security
- testing
- user
Developer
| Name | Description |
|---|---|
|  | Presentation on security increases in Debian over time. |
Event
| Name | Description |
|---|---|
|  | Presentation CIP Software Update WG. |
|  | Presentation CIP Security WG. |
| Threat modelling - Key methodologies and applications from OSS CIP(CIP) perspective | Presentation of CIP Security WG on Threat modeling in CIP. |
Process
| Name | Description |
|---|---|
|  | The primary objective of this document is to explain how file integrity for CIP deliverables is achieved. |
|  | The primary objective of this document is to show the roles in CIP with their responsibilities and accountabilities. It also shows which roles should be consulted and/or informed for certain actions and which qualifications, if any, are needed to fulfill a role. |
|  | This document is based on the IEC-62443-4-1 (Edition 1.0 2018-01) secure development process requirements. The objective is to adhere to the IEC-62443-4-1 secure development process requirements in CIP development as much as possible. |
Security
| Name | Description |
|---|---|
|  | This document explains how the CIP Project and its upstream projects follow security coding guidelines. |
|  | This document explains how the CIP Project executes SCA, with some explanation of how to use some SCA software. |
|  | The primary objective of this document is to document current development environment security, development flow and how security is maintained. |
|  | The primary objective of this document is to provide guidelines to CIP users for meeting IEC-62443-4-2 security requirements. The document explains, for each IEC-62443-4-2 requirement, whether it has already been met by CIP. In addition, this document explains the IEC security layer added in CIP to meet IEC-62443-4-2 security requirements. |
|  | This document contains items identified during the IEC-62443-4-1 and IEC-62443-4-2 Gap Assessment for the user security manual. |
|  | The primary objective of this document is to explain how the various OWASP Top 10 vulnerabilities are handled in CIP. |
| CIP Private Key Management (cip-documents/-/blob/master/security/private_key_management.md) | The primary objective of this document is to explain how the various private keys used in CIP development are maintained and kept secure and confidential. |
|  | This document is intended to capture CIP security requirements based on the IEC-62443-4-2 standard. |
|  | The primary objective of this document is to create a Threat Model for the CIP reference platform. |
Testing
| Name | Description |
|---|---|
|  | Overview of the CIP 62443-4-2 test cases. |
|  | The primary objective of this document is to identify a suitable penetration testing tool and document the process so that it can be reused by CIP end users for their specific use cases. |
User
| Name | Description |
|---|---|
|  | This document is a user perspective overview and technical guide for CIP. |
- CIP Development process (SM-1)
- CIP Requirements
- Secure Design principles (SD-1)
- Configuration Management
- CIP CVE handling
- Traceability from CIP requirements to design and testing
- Management of security issues in CIP
- Description
- Objective
- Scope
- CIP File Integrity
- CIP Private Key Management
- CIP Release Security Checklist
- Security Design review and best practices in CIP
- CIP Secure Development Process
- 1. Overview
- 2. [SM-1] Secure Development Process
- 3. [SM-2] Identification of Responsibilities
- 4. [SM-3] CIP Software version
- 5 [SM-4] CIP Developer Security Expertise
- 6 [SM-5] Process Scoping
- 7. [SM-6] File Integrity
- 8. [SM-7] Development Environment Security
- 9. [SM-8] Private Key Protection
- 10. [SM-9] Security Risk for new or externally provided components
- 11. [SM-10] Custom Developed Components from third party
- 12. [SM-11] Security Issues Assessment
- 13. [SM-12] Documented Checklist Review
- 14. [SM-13] Define Review frequency
- 15. [SR-1, SR-3, SR-4] Product Security Context
- 16. [SR-2] Threat Model
- 17. [SR-5] Security Requirements Review and Approval
- 18. [SD-1] Secure Design Principles
- 19. [SD-2] Defense in depth design
- 20. [SD-3, SD-4] Security design review
- 21. [SI-1, SI-2] Security implementation review
- 22. [SVV-1] Security requirement testing
- 23. [SVV-2] Threat Mitigation testing
- 24. [SVV-3] Vulnerability testing
- 25. [SVV-4] Penetration testing
- 26. [SVV-5] Independence of testers
- 27. [DM-1 to DM-5] Receiving notifications of security issues
- 28. [DM-6] Periodic review of security defect management practice
- 29. [SUM-1] Security Update Qualification
- 30. [SUM-2, SUM-3] Security update documentation
- 31. [SUM-4] Security update delivery
- 32. [SUM-5] Timely delivery of security patches
- 33. [SG-1, SG-2] Product defense in depth
- 34. [SG-3] Security Hardening guidelines
- 35. [SG-4] Security disposable guidelines
- 36. [SG-5] Secure operation guidelines
- 37. [SG-6] Account management guidelines
- 38. [SG-7] Documentation Review
- 39. Acronyms
- 40. References
- CIP Testing
- 1. Introduction
- 2. Objective
- 3. Scope
- Use of Cryptography
- CIP-Security-CodingGuideLines
- Introduction
- CIP Project coding standards
- CIP Upstream projects coding standards
- Tools to assist security code review
- IEC-62443 Requirement for Static Code Analysis
- Coverity Scan
- Gitlab SAST
- Next Step
- CIP-Security-CodingGuideLines
- Introduction
- CIP Project coding standards
- CIP Upstream projects coding standards
- Tools to assist security code review
- CIP Security Hardening
- [CIP-Security] [CR2.10] Response to audit processing failure
- 1. Objective
- 2. Common Approach for Response to audit processing failure
- 2.1. Alert the allocated audit log storage volume is nearly full
- 2.2. Take the actions to response to audit log processing failure
- 3. CIP Features for Response to Audit Processing Failure
- 3.1. auditd
- 3.2. The log daemon not support the space left, error detection or max log file features
- Reference
- CIP Development Environment Security
- CIP Security Partitions
- Tests reference and CIP recommendation
- Tests reference and CIP recommendation
- Tests reference and CIP recommendation
- Tests reference and CIP recommendation
- Additional notes
- Tests reference and CIP recommendation
- Tests reference and CIP recommendation
- Tests reference and CIP recommendation
- IEC 62443-4-2 App & HW Guidelines
- OWASP Top 10 Vulnerabilities Monitoring
- CIP Private Key Management
- CIP Security Requirements
- CIP Threat Modeling
- 1. Objective
- 2. Assumptions
- 3. Scope
- 4. Security Requirements
- 5. Threat Modeling Strategy
- 6. Data Flow Diagrams(DFD)
- 7. Potential Threats To the System and Mitigation
- 8. Validation of Threats and Mitigation
- 9. CIP Core Packages for mitigation
- 10. CIP Kernel Threat Modeling
- 11. Updating CIP Threat Model
- 12. Further Guidelines for End Product owners
- 13. Acronyms
- 14. CIP Core CVE scanner
- 15. CIP Kernel CVE scanner
- 16. References
- 17. Pending Work and known issues
- User Security Manual