CIP IEC-62443-4-2 Essential function and verification details
==================================================================

.. contents::

Revision History

.. list-table::
   :header-rows: 1

   * - Revision No
     - Date
     - Change description
     - Author
     - Reviewed by
   * - 001
     - 2025-08-15
     - CIP essential function and its test details
     - Dinesh Kumar
     - BV (Bureau Veritas)

1. Overview
-----------

Some IEC-62443-4-2 requirements depend on the essential function of the component: under adverse conditions (for example a denial-of-service event) the component must still be able to provide its essential function. Availability of the essential function is verified while testing such requirements, for example CR 7.1 (denial of service protection).

`Definition of essential function `__

``An 'Essential Function' refers to a business function that falls between mission-critical and important. It may include functions like payroll or supply chain systems, which are not immediately necessary for getting the business back up and running, but are vital for the company's overall functioning beyond the disaster recovery stage``

Note that IEC 62443-3-3, which IEC-62443-4-2 refers to, defines an essential function more narrowly, as a function or capability that is required to maintain health, safety, the environment and availability for the equipment under control. For the purpose of the tests below, the essential function is simply the set of functions that must keep working while the component is under adverse conditions.

As part of an IEC-62443-4-2 assessment it is mandatory to identify and document the essential function of the component. This document describes the CIP essential function used during the CIP IEC-62443-4-2 assessment. The CIP essential function is generic, because the platform itself has no business-specific function that could serve as an essential function. It should nevertheless serve as a reference for CIP users when they identify the essential function of CIP-based end devices.

2. CIP essential function
-------------------------

#. Provide audit logs for tracking user actions and events.
#. Networking services available via the Ethernet port. They are essential for any data transfer from/to the device and for remote access to the device:

   a. The remote connection remains available.
   b. Data transfer from/to the device remains possible.

3. Verification of essential function
-------------------------------------

3.1 Prerequisites
~~~~~~~~~~~~~~~~~~

#. A non-root user must be available to execute the non-root test steps and to check the audit logs related to non-root user actions.
#. The curl binary is installed on the device.
#. auditd is installed and running on the device; the ``auditctl`` and ``ausearch`` commands below depend on it.

3.2 Essential function - Audit logs verification
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Audit logs are a comprehensive record of system and user activity and are crucial for security, compliance and troubleshooting. They provide a detailed history of events, including who performed an action, when it occurred and what the outcome was, so that the operator can monitor, analyse and respond to potential issues. In each test below, an audit rule is installed with ``auditctl`` where needed, the action is performed, and ``ausearch`` is used to confirm that auditd recorded the corresponding event. A test passes only if the expected event appears in the audit log.

.. list-table::
   :header-rows: 1
   :widths: 12 20 43 25

   * - User type
     - Actions
     - Test steps
     - Expected results
   * - root
     - Manage services (start/stop/restart)
     - 1. Restart the nftables service::

            systemctl restart nftables.service

       2. Check the audit logs::

            ausearch -m SERVICE_START -m SERVICE_STOP -ui 0

     - Events related to start/stop/restart of services are logged by auditd.
   * - root
     - Access system critical file
     - 1. Add the following audit rule::

            auditctl -w /etc/passwd -p r -k control-system-event

       2. Read the ``/etc/passwd`` file::

            cat /etc/passwd

       3. Check the audit logs::

            ausearch -i -k "control-system-event"

     - Events related to access/modification of tracked files are logged by auditd.
   * - root
     - Remote login (SSH)
     - 1. Attempt an SSH login as root that fails, for example by entering a wrong password::

            ssh root@<device-ip>

       2. Check the audit logs (``-sv no`` selects records with ``res=failed``)::

            ausearch -m USER_LOGIN -sv no -ui 0

     - Events related to failed user logins are logged by auditd.
   * - non-root users
     - Access privileged file
     - 1. Add the following audit rule::

            auditctl -a always,exit -S openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -k file_access_denied

       2. Read the ``/etc/shadow`` file as a non-root user (``/etc/passwd`` is world-readable and would not produce a permission error). Replace ``<user>`` and ``<password>`` accordingly::

            echo "<password>" | su - <user> -c "cat /etc/shadow | cat"

       3. Check the audit logs::

            ausearch -i -k "file_access_denied"

     - Events related to access failures due to privilege restrictions are logged by auditd.
   * - non-root users
     - Remote login (SSH)
     - 1. Log in as the non-root user with ssh (replace ``<user>`` accordingly)::

            ssh <user>@<device-ip>

       2. Check the audit logs (``-sv yes`` selects successful logins; the user appears in the ``id``/``acct`` field of the record)::

            ausearch -i -m USER_LOGIN -sv yes

     - Events related to successful user logins are logged by auditd.
   * - non-root users
     - Privilege escalation
     - 1. After logging in as the non-root user, try to escalate privilege with sudo::

            sudo systemctl status networking.service

       2. Check the audit logs; replace ``<uid>`` with the numeric UID of the non-root user (``id -u``). The output should contain ``USER_CMD`` records with ``exe="/usr/bin/sudo"``::

            ausearch -i -ui <uid>

     - Events related to privilege escalation (usage of sudo) are logged by auditd.

3.3 Essential function - Networking verification
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. list-table::
   :header-rows: 1
   :widths: 25 50 25

   * - Test case
     - Test steps
     - Expected result
   * - Check the status of the networking service
     - Run the following command::

            systemctl status networking

     - The networking service is enabled and running.
   * - Test the remote connection (SSH) to the device from another host PC
     - Run the following command (replace ``<user>`` and ``<device-ip>`` accordingly)::

            ssh <user>@<device-ip>

     - The remote connection service remains available.
   * - Test data transfer with SCP to the device from another host PC
     - Run the following commands::

            echo "test file" > test_file
            scp test_file <user>@<device-ip>:

     - Data transfer to/from the device remains available.
   * - HTTPS connection with curl
     - 1. Set up an Apache HTTPS server on a host PC.
       2. Host a file in the ``/var/www/html`` directory on the server host PC.
       3. Install the curl binary on the device.
       4. Fetch the file with the command below. Run it in a directory on the device where the user has write permission; ``-O`` saves the file under its remote name::

            /path/to/curl -k -O https://<host-ip>:443/<file>

          ``-k`` disables server certificate verification and is acceptable here only because the test server uses a self-signed certificate; it does not authenticate the server. To test an authenticated connection, pass the server's CA certificate with ``--cacert`` instead of ``-k``.
     - Ability to establish an HTTPS connection and transfer data.
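The audit-log checks in section 3.2 are performed by hand with ``ausearch``. The following Python script is an added example, not part of CIP or of the assessment procedure: it parses raw ``/var/log/audit/audit.log`` records and checks for the six expected events automatically, so the evidence can be collected repeatably (for instance after a DoS test for CR 7.1). The embedded log lines are constructed for this example and do not come from a real device; the field layout follows the auditd raw record format (PATH records share the event serial of their SYSCALL record, user-space fields sit inside ``msg='...'``, and sudo's ``cmd`` field is hex-encoded the way ``ausearch -i`` decodes it). The test user's UID 1000, the ``/usr/bin/sudo`` path and ``exit=-13`` for ``EACCES`` are assumptions.

```python
"""Check auditd raw records for the events expected by the audit-log tests.

Added example: it is not part of CIP or of the assessment procedure. The
sample records below are constructed for this example, not from a device.
"""
import re
import sys
from collections import defaultdict

HEADER_RE = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): ?(.*)$")
# key=value pairs; a value is "double-quoted", 'single-quoted' (the nested
# user-space message) or a bare token.
FIELD_RE = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")

# Constructed sample of /var/log/audit/audit.log. Assumed: UID 1000 is the
# non-root test user, sudo lives in /usr/bin, EACCES is errno 13.
SAMPLE_AUDIT_LOG = r"""
type=SERVICE_STOP msg=audit(1723710000.100:201): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=nftables comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1723710000.120:202): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=nftables comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SYSCALL msg=audit(1723710010.456:210): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd1c2a3b40 a2=0 a3=0 items=1 ppid=1200 pid=1300 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="control-system-event"
type=PATH msg=audit(1723710010.456:210): item=0 name="/etc/passwd" inode=1234 dev=fe:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=USER_LOGIN msg=audit(1723710020.789:230): pid=1400 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=ssh res=failed'
type=SYSCALL msg=audit(1723710025.000:220): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffd1c2a3b40 a2=0 a3=0 items=1 ppid=1410 pid=1420 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=4 comm="cat" exe="/usr/bin/cat" key="file_access_denied"
type=PATH msg=audit(1723710025.000:220): item=0 name="/etc/shadow" inode=1235 dev=fe:01 mode=0100640 ouid=0 ogid=42 rdev=00:00 nametype=NORMAL
type=USER_LOGIN msg=audit(1723710030.111:240): pid=1500 uid=0 auid=1000 ses=4 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=/dev/pts/1 res=success'
type=USER_CMD msg=audit(1723710040.222:250): pid=1600 uid=1000 auid=1000 ses=4 msg='cwd="/home/operator" cmd=73797374656D63746C20737461747573206E6574776F726B696E672E73657276696365 exe="/usr/bin/sudo" terminal=pts/1 res=success'
"""


def decode_hex_field(value):
    """auditd hex-encodes user-space strings that contain spaces (e.g. cmd=)."""
    if len(value) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", value):
        try:
            return bytes.fromhex(value).decode("utf-8")
        except UnicodeDecodeError:
            pass
    return value


def parse_fields(body):
    """Turn 'k=v k="v" msg='k=v ...'' into a flat dict of strings."""
    fields = {}
    for key, value in FIELD_RE.findall(body):
        if value.startswith("'"):
            # msg='...' carries the user-space fields; flatten them in.
            fields.update(parse_fields(value[1:-1]))
        else:
            fields[key] = value.strip('"')
    if "cmd" in fields:
        fields["cmd"] = decode_hex_field(fields["cmd"])
    return fields


def parse_audit_log(text):
    """Return one dict per record with its type, serial and all fields."""
    records = []
    for line in text.splitlines():
        match = HEADER_RE.match(line.strip())
        if not match:
            continue  # not a raw audit record (blank line, ausearch banner, ...)
        rtype, _timestamp, serial, body = match.groups()
        record = parse_fields(body)
        record["type"] = rtype
        record["serial"] = int(serial)
        records.append(record)
    return records


def verify_essential_audit_logging(text):
    """Map each test row of section 3.2 to whether its evidence is present."""
    records = parse_audit_log(text)
    by_serial = defaultdict(list)
    for rec in records:
        by_serial[rec["serial"]].append(rec)

    def paths_of(rec):
        # PATH records share the event serial of their SYSCALL record.
        return {r.get("name") for r in by_serial[rec["serial"]] if r["type"] == "PATH"}

    def found(rtype, pred):
        return any(r["type"] == rtype and pred(r) for r in records)

    def non_root(uid):
        return uid not in (None, "0")

    return {
        "root_service_restart": found("SERVICE_STOP", lambda r: r.get("unit") == "nftables" and r.get("uid") == "0")
        and found("SERVICE_START", lambda r: r.get("unit") == "nftables" and r.get("uid") == "0"),
        "root_tracked_file_read": found("SYSCALL", lambda r: r.get("key") == "control-system-event"
                                        and r.get("uid") == "0" and "/etc/passwd" in paths_of(r)),
        "root_failed_ssh_login": found("USER_LOGIN", lambda r: r.get("acct") == "root"
                                       and r.get("res") == "failed" and r.get("exe") == "/usr/sbin/sshd"),
        "nonroot_denied_file_access": found("SYSCALL", lambda r: r.get("key") == "file_access_denied"
                                            and r.get("exit") == "-13" and non_root(r.get("uid"))
                                            and "/etc/shadow" in paths_of(r)),
        "nonroot_successful_ssh_login": found("USER_LOGIN", lambda r: r.get("res") == "success"
                                              and non_root(r.get("id"))),
        "nonroot_sudo_use": found("USER_CMD", lambda r: r.get("exe") == "/usr/bin/sudo"
                                  and non_root(r.get("uid")) and "systemctl" in r.get("cmd", "")),
    }


if __name__ == "__main__":
    # Usage: python3 check_audit_evidence.py /var/log/audit/audit.log
    log_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_AUDIT_LOG
    results = verify_essential_audit_logging(log_text)
    for check, ok in results.items():
        print(f"{check:32s} {'PASS' if ok else 'FAIL'}")
    sys.exit(0 if all(results.values()) else 1)
```

Run it as root against the raw log after executing the six test rows; it exits non-zero if any expected event is missing, which makes it usable as a pass/fail step in a CR 7.1 degraded-mode test. It reads the raw log rather than ``ausearch`` output on purpose: the raw records carry the event serial that ties each PATH record to its SYSCALL record, and the script decodes the hex ``cmd`` field itself.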