Req ID |
Re quirement name |
Supported by CIP |
Need ap plication support |
Need HW solution |
Status if supported by CIP |
|---|---|---|---|---|---|
CR-3.1 |
Comm unication integrity |
TRUE |
TRUE |
FALSE |
Compl etedAdded openssl package |
CR 3.1 RE(1) |
Comm unication authe ntication |
TRUE |
TRUE |
FALSE |
Compl etedAdded openssl package |
SAR-3.2 |
P rotection from malicious code |
FALSE |
FALSE |
FALSE |
N.A. |
EDR-3.2 |
P rotection from malicious code |
FALSE |
TRUE |
FALSE |
N.A. |
HDR-3.2 |
P rotection from malicious code |
FALSE |
FALSE |
FALSE |
N.A. |
HDR-3.2 RE(1) |
Report version of code p rotection |
FALSE |
FALSE |
FALSE |
N.A. |
NDR-3.2 |
P rotection from malicious code |
FALSE |
TRUE |
FALSE |
N.A. |
CR-3.3 |
Security func tionality ver ification |
FALSE |
TRUE |
FALSE |
N.A. |
CR-3.3 RE(1) |
Security func tionality ver ification during normal operation |
FALSE |
FALSE |
FALSE |
N.A. |
CR-3.4 |
Software and in formation integrity |
TRUE |
TRUE |
FALSE |
Compl etedAdded packages openssl, aide, ai de-common |
CR-3.4 RE(1) |
Aut henticity of software and in formation |
TRUE |
TRUE |
FALSE |
Same as CR-3.4 |
CR 3.4 RE(2) |
Automated not ification of integrity v iolations |
TRUE |
TRUE |
FALSE |
Compl etedAdded syslog-ng package |
CR-3.5 |
Input v alidation |
TRUE |
TRUE |
FALSE |
N.A. |
CR-3.6 |
Dete rministic output |
FALSE |
TRUE |
FALSE |
N.A. |
CR-3.7 |
Error handling |
TRUE |
TRUE |
FALSE |
Added syslog-ng |
CR-3.8 |
Session integrity |
TRUE |
TRUE |
FALSE |
Compl etedAdded package openssl |
CR-3.9 |
P rotection of audit in formation |
TRUE |
FALSE |
FALSE |
Compl etedAdded package acl |
CR-3.9 RE(1) |
Audit records on w rite-once media |
FALSE |
FALSE |
FALSE |
N.A. |
EDR-3.10 |
Support for updates |
TRUE |
TRUE |
FALSE |
in -progress |
EDR-3.10 RE(1) |
Update aut henticity and integrity |
TRUE |
TRUE |
FALSE |
in -progress |
HDR-3.10 |
Support for updates |
FALSE |
TRUE |
FALSE |
N.A. |
HDR-3.10 RE(1) |
Update aut henticity and integrity |
FALSE |
TRUE |
FALSE |
N.A. |
NDR-3.10 |
Support for updates |
TRUE |
TRUE |
FALSE |
in -progress |
NDR-3.10 RE(1) |
Update aut henticity and integrity |
TRUE |
TRUE |
FALSE |
in -progress |
EDR-3.11 |
Physical tamper r esistance and detection |
FALSE |
FALSE |
TRUE |
N.A. |
EDR-3.11 RE(1) |
Not ification of a tampering attempt |
FALSE |
TRUE |
TRUE |
N.A. |
HDR-3.11 |
Physical tamper r esistance and detection |
FALSE |
FALSE |
TRUE |
N.A. |
HDR-3.11 RE(1) |
Not ification of a tampering attempt |
FALSE |
FALSE |
TRUE |
N.A. |
NDR-3.11 |
Physical tamper r esistance and detection |
FALSE |
FALSE |
TRUE |
N.A. |
NDR-3.11 RE(1) |
Not ification of a tampering attempt |
FALSE |
FALSE |
TRUE |
N.A |
EDR-3.12 |
Pro visioning product supplier roots of trust - p rotection |
FALSE |
FALSE |
TRUE |
N.A. |
HDR-3.12 |
Pro visioning product supplier roots of trust - p rotection |
FALSE |
FALSE |
TRUE |
N.A. |
NDR-3.12 |
Pro visioning product supplier roots of trust - p rotection |
FALSE |
FALSE |
TRUE |
N.A. |
EDR-3.13 |
Pro visioning asset owner roots of trust - p rotection |
FALSE |
TRUE |
TRUE |
N.A. |
HDR-3.13 |
Pro visioning asset owner roots of trust - p rotection |
FALSE |
FALSE |
TRUE |
N.A. |
NDR-3.13 |
Pro visioning asset owner roots of trust - p rotection |
FALSE |
TRUE |
TRUE |
N.A. |
EDR-3.14 |
Integrity of the boot process |
FALSE |
TRUE |
TRUE |
in -progress |
EDR-3.14 RE(1) |
Aut henticity of the boot process |
FALSE |
TRUE |
TRUE |
in -progress |
HDR-3.14 |
Integrity of the boot process |
FALSE |
FALSE |
TRUE |
N.A. |
HDR-3.14 RE(1) |
Aut henticity of the boot process |
FALSE |
FALSE |
TRUE |
N.A. |
NDR-3.14 |
Integrity of the boot process |
FALSE |
FALSE |
TRUE |
in -progress |
NDR-3.14 RE(1) |
Aut henticity of the boot process |
FALSE |
FALSE |
TRUE |
in -progress |
Tests reference and CIP recommendation
Req ID |
Status if supported by CIP |
IEC-62443-4-2 tests reference |
CIP recommendation |
|---|---|---|---|
CR-3.1 |
CompletedAdded openssl package |
Refer CR1.9 tests for openssl |
The platform provides capabilities for secure communication, application needs to use them |
CR 3.1 RE(1) |
CompletedAdded openssl package |
Refer CR1.9 tests for openssl |
Same as CR-3.1 |
SAR-3.2 |
N.A. |
None |
This requirement is only for Software application |
EDR-3.2 |
N.A. |
None |
CIP does not support this requ irement.SYSTEM: Use a combination of detection and prevention techniques to protect the system from installation and execution of unauthorized software. We recommend all software to be signed by its trusted source and to use whitelisting and ACL to prevent execution of unknown software. Secure boot can also be useful to ensure system integrity. Disabling portable storage device auto-mount function in default is recommended. |
HDR-3.2 |
N.A. |
None |
SYSTEM: Use a combination of detection and prevention techniques to protect the system from installation and execution of unauthorized software. We recommend all software to be signed by its trusted source and to use whitelisting and ACL to prevent execution of unknown software. Secure boot can also be useful to ensure system integrity. Disabling portable storage device auto-mount function in default is recommended. |
HDR-3.2 RE(1) |
N.A. |
None |
APP: Need to automatically report the version of signatures of software for protection from malicious code.However, this requirement assumes the installation of anti-virus software provided for general-purpose operating systems such as Windows. If you install a specific anti-virus software, you need to log also its version. |
NDR-3.2 |
N.A. |
None |
CIP does not support this requ irement.SYSTEM: Network devices need to either be protected from malicious code by external compensation control or need internal protection from malicious code like in HDR 3.2/EDR 3.2.However, even if the network device itself takes measures, it is recommended to keep it lightweight so that the throughput is not affected. |
CR-3.3 |
N.A. |
None |
CIP does not support this requirement.CIP users should verify the security functionality supported by the product according to this requirement |
CR-3.3 RE(1) |
N.A. |
None |
This is for SL-4 |
CR-3.4 |
CompletedAdded packages openssl, aide, aide-common |
CIP supports this requi rement.However, application developer need to verify the integrity of software and configuration |
|
CR-3.4 RE(1) |
Same as CR-3.4 |
Same as CR-3.4 |
|
CR 3.4 RE(2) |
CompletedAdded syslog-ng package |
Same as CR-3.4Any mismatch in integrity data such as hash or checksum should be notified to other layers as well as logged for audit purpose. Once checksum or digital verification is failed, depending upon which layer it failed, the system needs to determine how to handle it, |
|
CR-3.5 |
N.A. |
None |
CIP users to make sure all the interfaces do input validation such as input for industrial process control, input via external interfaces |
CR-3.6 |
N.A. |
None |
CIP does not support this requirement.CIP user should make sure it is met by application. Meeting this requirement is full responsibility of CIP user |
CR-3.7 |
Added syslog-ng |
None |
CIP ensures no confidential information is exposed in logs which can be exploited by adversaries.CIP users should ensure any sensitive information is not printed in the logs. |
CR-3.8 |
CompletedAdded package openssl |
Refer openssl tests in CR1.9 |
CIP platform provides low level package for session integrity. Application developers should use platform capabilities to protect application sessions. |
CR-3.9 |
CompletedAdded package acl |
||
CR-3.9 RE(1) |
N.A. |
None |
For SL-4 |
EDR-3.10 |
in-progress |
None |
CIP provides reference implementation for software updates. However, CIP does not provide any software update for CIP users or devices.CIP users can use CIP software update as reference implementation and develop software updates based on their requirements. |
EDR-3.10 RE(1) |
in-progress |
None |
Same as EDR-3.10 |
HDR-3.10 |
N.A. |
None |
This is for host devices not supported by CIP |
HDR-3.10 RE(1) |
N.A. |
None |
This is for host devices not supported by CIP |
NDR-3.10 |
in-progress |
None |
Same as EDR-3.10 |
NDR-3.10 RE(1) |
in-progress |
None |
Same as EDR-3.10 |
EDR-3.11 |
N.A. |
None |
Requires HW support |
EDR-3.11 RE(1) |
N.A. |
None |
CIP does not support this requirement.CIP users should support this requirement. |
HDR-3.11 |
N.A. |
None |
This is for host devices |
HDR-3.11 RE(1) |
N.A. |
None |
This is for host devices |
NDR-3.11 |
N.A. |
None |
Requires HW support |
NDR-3.11 RE(1) |
N.A |
None |
CIP does not support this requirement This requirement should be supported by CIP users |
EDR-3.12 |
N.A. |
None |
CIP does not support this r equirement.This will be supported by CIP users |
HDR-3.12 |
N.A. |
None |
It’s for host devices |
NDR-3.12 |
N.A. |
None |
Same as EDR-3.12 |
EDR-3.13 |
N.A. |
None |
CIP platform does not support this requirement.CIP users should support this requirement by using CIP capability. |
HDR-3.13 |
N.A. |
None |
This is only applicable to host devices |
NDR-3.13 |
N.A. |
None |
Same as EDR-3.13 |
EDR-3.14 |
in-progress |
None |
CIP provides reference implementation of secure boot.CIP users should meet it it based on their secure hardware support. |
EDR-3.14 RE(1) |
in-progress |
None |
CIP provides reference implementation of secure boot imp lementation.CIP users should meet it it based on their secure hardware support. |
HDR-3.14 |
N.A. |
None |
It’s for host devices |
HDR-3.14 RE(1) |
N.A. |
None |
It’s for host devices |
NDR-3.14 |
in-progress |
None |
CIP provides reference implementation of secure boot imp lementation.CIP users should meet it it based on their secure hardware support. |
NDR-3.14 RE(1) |
in-progress |
None |
CIP provides reference implementation of secure boot imp lementation.CIP users should meet it it based on their secure hardware support. |