CIP IEC-62443-4-2 Foundational Requirement-6 & 7 Assessment details

Revision History

| Revision No | Date | Change description | Author | Reviewed by |
|---|---|---|---|---|
| 001 | 2025-08-13 | CIP IEC-62443-4-2 FR-6 & FR-7 assessment details | Dinesh Kumar | BV (Bureau Veritas) |
| 002 | 2025-08-13 | Added details for CR-7.1(RE1) & CR-7.7 | Pasquale Nieddu | BV (Bureau Veritas) |
| 003 | 2025-11-12 | Fix minor formatting issues to resolve CI warnings | Adithya Balakumar | BV (Bureau Veritas) |

1. Overview

This document provides details of the IEC-62443-4-2 FR-6 & FR-7 requirements for the CIP assessment. Its objective is to share with CIP users the details of the requirements that were found Met or NA during the CIP IEC-62443-4-2 assessment by BV.

This document can be used as a reference by CIP users for IEC-62443-4-2 compliance of end products based on CIP.

2. CR-6.1 Audit log accessibility [Met]

2.1 How CR-6.1 is Met

Access to audit logs needs to be controlled to meet this requirement. The acl package is used to control that access. The TC_CR6.1_1 CIP IEC layer test [1] provides the evidence for this requirement.

2.2 CIP User action

CIP users can also use acl to meet this requirement.

3. CR-6.1 RE(1) Programmatic access to audit logs [NA]

3.1 Why CR-6.1 RE(1) is NA

This requirement needs support for applications to access audit logs programmatically. In CIP, ausearch was used to meet this requirement, but it is an SL-3 requirement and was therefore out of scope for the assessment.

3.2 CIP User action

If the target security level is SL-3, use application support for programmatic access to meet this requirement.

4. CR-6.2 Continuous monitoring [Met]

4.1 How CR-6.2 is Met

This requirement is met in CIP by the aide package, which detects integrity failures in the system using an aide check. Any integrity failures found during the check are reported to the journal logs, so that the user can take action.

4.2 CIP User action

CIP users can use aide to meet this requirement. The main configuration file is typically located at /etc/aide.conf. It defines the files and directories to be monitored and the rules to apply.

5. FR-7 Resource Availability

The following sections share details of the FR-7 requirements and the assessment results for CIP.

6. CR-7.1 Denial of service protection [Met]

6.1 How was CR-7.1 Met

BV carried out the testing by simulating a DoS environment with a licensed tool: Nessus was used to simulate DoS events for this requirement. Details of the testing were not shared with CIP.

BV simulated a DoS environment and verified that the CIP essential function was available even during the attack period.

Refer to the CIP essential function.

6.2 CIP User action

Preparation for this requirement involves the following steps.

  1. Identify the essential function of the end device; it should be related to business goals or be a function that is always available.

  2. Simulate a DoS environment using available tools, e.g. BV used the Nessus tool for testing this requirement.

  3. Verify that, while the device is under attack in the DoS condition, the essential function of the device remains available.

7. CR-7.1 RE(1) Manage communication load from component [Met]

7.1 How was CR-7.1 RE(1) Met

The CIP security image provides tools to manage communication load. The nftables package is included, which allows for restricting network traffic by port and protocol. This helps components maintain essential functions even during a Denial of Service (DoS) event. Additionally, tools like tcpdump are available for monitoring network traffic.

7.2 CIP User action

CIP users can utilize nftables to configure communication restrictions, such as blocking or allowing specific ports and protocols. They can also use tcpdump to monitor network traffic. These tools help manage communication load and ensure that essential functions remain available.

8. CR-7.2 Resource Management [NA]

8.1 Why CR-7.2 is NA

This requires support from the application, reusing platform support. CIP does not meet this requirement.

8.2 CIP User action

CIP users should verify that any security function provided by the device does not impact the normal function or essential function of the device. Refer to the details of this requirement for examples of security functions that may impact the essential function.

9. CR-7.3, CR-7.03 RE(1), CR-7.4 Control system backup, integrity verification [NA]

9.1 Why CR-7.3, CR-7.03 RE(1), CR-7.4 are NA

The CIP Security Work Group investigated supporting a backup and restore feature in the CIP reference image. Two Debian packages could help to meet this requirement:

  1. rsync

  2. duplicity

A survey was conducted among CIP members to understand whether any use cases require support for a backup and restore feature. It was concluded that supporting backup and restore is not essential. Hence the support was not added, to keep the cost of maintenance low.

9.2 CIP User action

CIP users can enable support for backup and restore either by using a third-party component or a Debian package such as rsync or duplicity.

10. CR-7.5 Emergency Power [NA]

This requirement is not for any component; it is for the complete system, therefore no further action is needed.

11. CR-7.6 Network and security configuration settings [Met]

11.1 How CR-7.6 is Met

CIP supports basic security configurations, e.g. password policies and user management. These policies can be configured by following the CIP Security Configuration document.

11.2 CIP User action

CIP users can customize security configuration provided by CIP reference image. Additional security configurations can be added based on the use cases.

12. CR-7.6 RE(1) Machine-readable reporting of current security settings [NA]

12.1 Why CR-7.6 RE(1) is NA

Application support is required to meet this requirement, as it is not feasible to support this function in the reference image.

12.2 CIP User action

CIP users should add this capability through an additional application. It requires reading the security configuration and reporting it in a machine-readable format.
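As an added illustration of such a reporting application (not part of the CIP reference image or its test suite), the script below reads a "KEY value" style configuration file and emits the selected settings as JSON. The function name, the use of /etc/login.defs and the chosen keys are assumptions; the settings to report depend on what the end product enforces.

```shell
#!/bin/sh
# Added example, not CIP project code. The file path and the selected keys
# are assumptions; adapt them to the settings the end product enforces.

# settings_json FILE KEY...
# Print a JSON object with the value of each KEY found in a "KEY value"
# style file such as /etc/login.defs. Keys that are not set become null.
settings_json() {
    file=$1; shift
    awk -v keys="$*" '
        # Escape double quotes and backslashes for a JSON string.
        function esc(s,   i, c, out) {
            for (i = 1; i <= length(s); i++) {
                c = substr(s, i, 1)
                if (c == "\"" || c == "\\") out = out "\\"
                out = out c
            }
            return out
        }
        BEGIN { n = split(keys, want, " ") }
        /^[ \t]*#/ || NF < 2 { next }      # skip comments and bare keys
        { val[$1] = $2 }                   # assumption: last occurrence wins
        END {
            printf "{\"source\":\"%s\",\"settings\":{", esc(FILENAME)
            for (i = 1; i <= n; i++) {
                k = want[i]
                v = (k in val) ? ("\"" esc(val[k]) "\"") : "null"
                printf "%s\"%s\":%s", (i > 1 ? "," : ""), k, v
            }
            print "}}"
        }
    ' "$file"
}

# Typical use on the target:
#   settings_json /etc/login.defs PASS_MAX_DAYS PASS_MIN_DAYS PASS_WARN_AGE ENCRYPT_METHOD
```

A key reported as null is not set in the file, which separates "relying on the default" from "explicitly configured" in the report.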

13. CR-7.7 Least functionality [Met]

13.1 How CR-7.7 is Met

The CIP base platform meets this requirement by providing a minimal system image with only essential services installed. To further restrict functionality, CIP includes the nftables package, which allows for blocking unnecessary ports and protocols. Additionally, users can manage and disable services using systemd commands, ensuring that only required functions are active.

13.2 CIP User action

CIP users can ensure “least functionality” for their end products by:

  • Utilizing nftables to restrict network ports and protocols that are not essential for their application.

  • Using systemd (systemctl) to disable any services that are not required for their specific use case.

These capabilities allow users to tailor the system to run only the necessary functions, enhancing security.
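The nftables and systemctl steps described for CR-7.1 RE(1) and CR-7.7 can look like the following added example, which is not taken from the CIP reference image. The function names, the table name cip_filter, the ports, the rate and the unit names are assumptions to be replaced with the values of the end product.

```shell
#!/bin/sh
# Added example, not CIP project code. Table name, ports, rate and unit
# names are assumptions.

# gen_ruleset "PORTS" RATE
# Print an nftables ruleset: default-drop input chain, only the listed TCP
# ports reachable, and new connections beyond RATE dropped. The limit is
# global for the listed ports, not per source address.
gen_ruleset() {
    ports=$(printf '%s' "$1" | tr -s ' ' ',')    # "22 443" -> "22,443"
    cat <<EOF
flush ruleset
table inet cip_filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        meta l4proto { icmp, ipv6-icmp } limit rate 10/second accept
        tcp dport { $ports } ct state new limit rate over $2 drop
        tcp dport { $ports } ct state new accept
    }
}
EOF
}

# unexpected_services "ALLOWED UNITS"
# stdin: systemctl list-unit-files --type=service --state=enabled --no-legend
# Print enabled units that are missing from the space-separated allowlist.
unexpected_services() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NF && !($1 in ok) { print $1 }
    '
}

# Typical use on the target (as root):
#   gen_ruleset "22 443" 25/second > /etc/nftables.conf
#   nft -c -f /etc/nftables.conf && nft -f /etc/nftables.conf
#   systemctl list-unit-files --type=service --state=enabled --no-legend |
#       unexpected_services "ssh.service nftables.service"
#   systemctl disable --now <unit>     # for each unit reported
```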

14. CR-7.8 Control system component inventory [Met]

14.1 How CR-7.8 is Met

CIP supports providing information about components, such as:

  1. The list of installed packages with their versions and dependencies: /usr/share/immutable-data/var/lib/dpkg/status

  2. The list of devices attached to it: lsblk
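An added example (not CIP project code) of turning the dpkg status file named above into a tab-separated inventory of package, version and dependencies. The function name dpkg_inventory is an assumption; only packages whose Status ends in "installed" are listed, so removed packages that left configuration files behind are excluded.

```shell
#!/bin/sh
# Added example, not CIP project code. The function name is an assumption.

# dpkg_inventory STATUS_FILE
# Print one line per installed package: name <TAB> version <TAB> depends.
# Packages without a Depends field get "-" in the third column.
dpkg_inventory() {
    awk '
    function emit() {
        if (pkg != "" && status ~ / installed$/)
            printf "%s\t%s\t%s\n", pkg, ver, (dep == "" ? "-" : dep)
        pkg = ver = dep = status = field = ""
    }
    /^$/ { emit(); next }                  # blank line ends a package stanza
    /^[ \t]/ {                             # continuation of the previous field
        if (field == "Depends") { sub(/^[ \t]+/, ""); dep = dep " " $0 }
        next
    }
    {
        i = index($0, ":")                 # first colon separates field name
        field = substr($0, 1, i - 1)
        val = substr($0, i + 1)
        sub(/^[ \t]+/, "", val)
        if (field == "Package") pkg = val
        else if (field == "Version") ver = val
        else if (field == "Status") status = val
        else if (field == "Depends") dep = val
    }
    END { emit() }                         # last stanza may lack a blank line
    ' "$1"
}

# Typical use on the target:
#   dpkg_inventory /usr/share/immutable-data/var/lib/dpkg/status
```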

14.2 CIP User action

CIP users can reuse the tools installed in the reference image and can extend them by adding tools such as:

  1. hwinfo

  2. lscpu

References

  1. CIP IEC layer test.

  2. IEC-62443-4-2 FR details.

  3. Secure Ciphers document.

  4. audit information protection guidelines.