CIP IEC-62443-4-2 CIP Essential function and verification details 

Revision History

Revision No	Date	Change description	Author	Reviewed by
001	2025-08-15	CIP essential function and it’s tests details	Dinesh Kumar	BV (Bureau Veritas)

1. Overview 

Few IEC-62443-4-2 requirements depend upon essential function of the component. It means in any adverse circumstances component should be capable of providing essential function. Verification of essential function availability is conducted while testing few requirements such as CR-7.1.

Definition of essential function

An 'Essential Function' refers to a business function that falls between mission-critical and important. It may include functions like payroll or supply chain systems, which are not immediately necessary for getting the business back up and running, but are vital for the company's overall functioning beyond the disaster recovery stage

As part of IEC-62443-4-2 assessment it is mandatory to identify and document essential function of the component.

This document provides CIP essential function details used during CIP IEC-62443-4-2 assessment. CIP essential function is generic as platform does not have any business requirement function as esential function. However, it should serve as reference for CIP users to identify essential function for CIP based end devices.

2. CIP essential function 

Provide audit logs for tracking user actions and events
Networking services which will be available via ethernet port, and it is essential for any data transfer from/to the device, as well as for remotely accessing the device. a. Remote connection remains available b. Data transfer from/to the device

3. Verification of essential function 

3.1 Prerequisites 

A non-root user must be available to execute and check the audit logs related to non-root user actions
curl binary installed on the device

3.2 Essential function - Audit logs verification 

Audit logs serve as a comprehensive record of system and user activities, crucial for security, compliance, and troubleshooting. They provide a detailed history of events, including who performed actions, when they occurred, and what the outcome was, enabling organizations to monitor, analyze, and respond to potential issues.

User type	Actions	Test steps	Expected results
root	Manage services(Start/stop/restart)	1. Restart nftables service with the below command systemctl restart nftables.service 2. Check the audit logs with the below command ausearch -m SERVICE_START -m SERVICE_STOP -ui 0	Events related to start/stop/restart of services are logged by auditd
root	Access system critical file	1. Add the following audit rules auditctl -w /etc/passwd -p r -k control-system-event 2. Read the /etc/passwd file with the below command cat /etc/passwd 3. Check the audit logs with the below command ausearch -i -k “control-system-event”	Events related to access/modification of tracked files are logged by auditd
root	Remote login(SSH)	1. Login as root user with ssh ssh root@<DEVICE_IP_ADDRESS> 2. Check the audit logs with the below command ausearch -m USER_LOGIN -sv no -ui 0	Events related to failed user logins are logged by auditd
non root users	Access privileged file	1. Add the following audit rules auditctl -a always,exit -S openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -k file_access_denied 2. Read the /etc/passwd file as a non-root user with the below command (replace password and user accordingly) echo “<user-password>” \| su - <user> -c “cat /etc/shadow \| cat” 3. Check the audit logs with the below command ausearch -i -k “file_access_denied”	Events related to access failures due to privilege restrictions are logged by auditd
non root users	Remote login(SSH)	1. Login as root user with ssh (replace user accordingly) ssh <USER>@<DEVICE_IP_ADDRESS> 2. Check the audit logs with the below command ausearch -m USER_LOGIN -sv no -ui 0	Events related to successful user logins are logged by auditd
non root users	Privilege escalation	1. After logging in as non-root user, try escalating privilege with sudo sudo systemctl status networking.service 2. Check the audit logs with the below command ausearch -i -ui <USER_ID>	Events related to privilege escalations(usage of sudo) are logged by auditd

3.3 Essential function - Networking verification 

Test Case	Test steps	Expected result
Check the status of networking service	Run the following command # systemctl status networking	Networking service is enabled and running
Test remote connection(SSH) to the device from another host PC	Run the following command # ssh <USER>@<DEVICE_IP_ADDRESS>	Remote connection service remains available
Test data transfer with SCP to the device from another host PC	Run the following commands: echo “test file” > test_file scp test_file <USER>@<DEVICE-IP-ADDRESS>:<user-dir>	Data transfer to/from device remains available
HTTPS connection with curl	Setup a Apache HTTPS server in a host PC Host a file in /var/www/html directory in the server host PC Install curl binary into the device 4. Fetch the file with the below command. Run the command in the device user directory where user has write permissions /path/to/curl -k https://<SERVER_IP>:443/<FILENAME>	Ability to establish a HTTPS connection and do data transfer

CIP IEC-62443-4-2 CIP Essential function and verification details

1. Overview

2. CIP essential function

3. Verification of essential function

3.1 Prerequisites

3.2 Essential function - Audit logs verification

3.3 Essential function - Networking verification