iec62443-4-2-FR-1
| Req ID | Requirement name | Supported by CIP | Need application support | Need HW solution | Status if supported by CIP |
|---|---|---|---|---|---|
| CR-1.1 | Human user identification and authentication | TRUE | FALSE | FALSE | Completed. Added packages passwd, login |
| CR-1.1 RE(2) | Multi-factor authentication for all interfaces | TRUE | FALSE | FALSE | Completed. Adding package libpam-google-authenticator |
| CR-1.2 RE(1) | Unique identification and authentication | FALSE | TRUE | FALSE | N.A. |
| CR-1.3 | Account management | TRUE | FALSE | FALSE | Completed. Added usermod package |
| CR-1.4 | Identifier management | TRUE | FALSE | FALSE | Completed. Added package adduser |
| CR-1.5 | Authenticator management - initialize authenticator content | TRUE | FALSE | FALSE | Completed. Added packages tpm2-tools, tpm2-abrmd |
| CR-1.5 RE(1) | The authenticators on which the company relies shall be protected via a hardware mechanism | TRUE | FALSE | TRUE | Completed |
| NDR-1.6 | Wireless access management | TRUE | TRUE | FALSE | In progress. Wireless drivers to be included in CIP kernel |
| NDR-1.6 RE(1) | Unique identification and authentication | TRUE | TRUE | FALSE | In progress. Wireless drivers to be included in CIP kernel |
| CR-1.7 | Strength of password-based authentication | TRUE | FALSE | FALSE | Completed. libpam-cracklib |
| CR-1.7 RE(1) | Password generation and lifetime restrictions for human users | TRUE | FALSE | FALSE | Completed. Added packages passwd, login |
| CR-1.7 RE(2) | Password lifetime restrictions for all users (human, software process, or device) | FALSE | FALSE | FALSE | N.A. |
| CR-1.8 | Public key infrastructure (PKI) certificates | TRUE | FALSE | FALSE | Completed. Added package openssl |
| CR-1.9 | Strength of public key-based authentication - check validity of signature of a given certificate | TRUE | FALSE | FALSE | Completed. Added package openssl |
| CR-1.9 RE(1) | Hardware security for public key-based authentication | TRUE | FALSE | TRUE | Completed |
| CR-1.10 | Authenticator feedback | TRUE | TRUE | FALSE | Completed. Added package openssl |
| CR-1.11 | Unsuccessful login attempts - limit number | TRUE | FALSE | FALSE | Completed. Added package libpam-modules-bin |
| CR-1.12 | System use notification | FALSE | TRUE | FALSE | N.A. |
| NDR-1.13 | Access via untrusted networks | FALSE | TRUE | FALSE | N.A. |
| NDR-1.13 RE(1) | Explicit access request approval | FALSE | TRUE | FALSE | N.A. |
| CR-1.14 | Strength of symmetric key-based authentication | TRUE | FALSE | FALSE | Completed. Added openssl package |
| CR-1.14 RE(1) | Hardware security for symmetric key-based authentication | TRUE | FALSE | TRUE | N.A. |
Tests reference and CIP recommendation
| Req ID | Status if supported by CIP | IEC-62443-4-2 tests reference | CIP recommendation |
|---|---|---|---|
| CR-1.1 | Completed. Added packages passwd, login | TC_CR1.1_1, TC_CR1.1_2 | The CIP platform complies with this requirement. Users can log in through various interfaces (e.g. serial console, HTTP, etc.). CIP based products may use a variety of interfaces; this requirement mandates that on each interface the user, process or device is uniquely identified and authenticated. |
| CR-1.1 RE(1) | Completed. Added package libpam-cracklib | Same as CR-1.1 | |
| CR-1.1 RE(2) | Completed. Adding package libpam-google-authenticator | None | The CIP platform complies with this requirement by adding the Google MFA Debian package. However, CIP users can use their own way to achieve MFA. |
| CR-1.2 | N.A. | None | The CIP platform can't meet this requirement; CIP users should use their applications to meet it. All components need to identify themselves. We recommend the usage of a TPM-generated ID or certificates for the device ID, the process PID, and the addition of the active user account. The PID must be logged over the process's lifetime, as it changes after a process restart. |
| CR-1.2 RE(1) | Unique identification and authentication | FALSE | TRUE |
| CR-1.3 | Completed. Added usermod package | TC_CR1.3_1, TC_CR1.3_2, TC_CR1.3_3 | |
| CR-1.4 | Completed. Added package adduser | | |
| CR-1.5 | Completed. Added packages tpm2-tools, tpm2-abrmd | TC_CR1.5_2, TC_CR1.5_3 | |
| CR-1.5 RE(1) | Completed | None | This requirement expects secure storage; CIP added the TPM tools. However, secure storage and any other tools needed should be provided by CIP users based on their requirements. |
| NDR-1.6 | In progress. Wireless drivers to be included in CIP kernel | None | |
| NDR-1.6 RE(1) | In progress. Wireless drivers to be included in CIP kernel | None | |
| CR-1.7 | Completed. libpam-cracklib | | |
| CR-1.7 RE(1) | Completed. Added packages passwd, login | | |
| CR-1.7 RE(2) | N.A. | None | This is for SL-4 |
| CR-1.8 | Completed. Added package openssl | | |
| CR-1.9 | Completed. Added package openssl | TC_CR1.9_1, TC_CR1.9_2, TC_CR1.9_3, TC_CR1.9_4, TC_CR1.9_5, TC_CR1.9_6 | |
| CR-1.9 RE(1) | Completed | None | It requires HW support and should be met by CIP users |
| CR-1.10 | Completed. Added package openssl | | |
| CR-1.11 | Completed. Added package libpam-modules-bin | | |
| CR-1.12 | N.A. | None | CIP does not support this requirement; CIP users should implement notifications based on their requirements. The following is a guideline. APP: If the device has an HMI for an application requiring authentication, the application shall be able to display a configurable use notification message before the credentials are requested from the user. |
| NDR-1.13 | N.A. | None | CIP does not support this requirement. Access to networks should be monitored using network security software and tools; only used ports should be open and unused ports should be blocked to avoid unauthorized access. |
| NDR-1.13 RE(1) | Explicit access request approval | FALSE | TRUE |
| CR-1.14 | Completed. Added openssl package | | |
| CR-1.14 RE(1) | N.A. | None | Requires HW support |
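An added example, not code from the CIP page or project: a POSIX shell script exercising the CR-1.9 check ("check validity of signature of a given certificate") with the openssl package that CIP adds. It builds a throwaway CA, a device certificate issued by that CA, and an unrelated self-signed certificate with the same subject (all names constructed here), then shows `openssl verify` accepting the first and rejecting the second.

```shell
#!/bin/sh
# Added example (not part of the CIP page): CR-1.9 signature validity check
# using the openssl CLI. Everything below is generated in a temp directory;
# the CA name and device name are constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Trust anchor: a constructed self-signed CA (req -x509 marks it CA:TRUE).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
  -subj "/CN=Example Device CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1

# Device certificate legitimately issued (signed) by the CA above.
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=device-0001" \
  -keyout "$WORK/dev.key" -out "$WORK/dev.csr" >/dev/null 2>&1
openssl x509 -req -in "$WORK/dev.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 1 -sha256 -out "$WORK/dev.crt" >/dev/null 2>&1

# Rogue certificate: same subject name, but self-signed and never issued by the CA.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
  -subj "/CN=device-0001" \
  -keyout "$WORK/rogue.key" -out "$WORK/rogue.crt" >/dev/null 2>&1

# verify_cert CAFILE CERT: exit 0 only if CERT's signature chains to CAFILE
# and the certificate is within its validity period; non-zero otherwise.
verify_cert() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

verify_cert "$WORK/ca.crt" "$WORK/dev.crt"   && echo "dev.crt:   signature valid, trusted"
verify_cert "$WORK/ca.crt" "$WORK/rogue.crt" || echo "rogue.crt: rejected (not issued by CA)"
```

The subject name alone proves nothing; only the signature chain to the configured trust anchor distinguishes the two certificates.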
Default action
Here, default action means using the CIP-provided package, or an equivalent, to meet the requirement. Even though CIP as a platform provides several packages, CIP users still need to make use of the capabilities those packages provide in order to meet their specific security requirements.