CIP IEC-62443-4-2 Foundational Requirement-6 & 7 Assessment details
=============================================================================================

.. contents::
    :depth: 2

Revision History

.. list-table::
   :header-rows: 1
                              
   * - Revision No 
     - Date
     - Change description 
     - Author  
     - Reviewed by

   * - 001
     - 2025-08-13
     - CIP IEC-62443-4-2 FR-6 & FR-7 assessment details 
     - Dinesh Kumar 
     - BV (Bureau Veritas)

   * - 002
     - 2025-08-13
     - Added details for CR-7.1(RE1) & CR-7.7
     - Pasquale Nieddu
     - BV (Bureau Veritas)

   * - 003
     - 2025-11-12
     - Fix minor formatting issues to resolve CI warnings
     - Adithya Balakumar
     - BV (Bureau Veritas)

1. Overview 
-----------

This document provides details of IEC-62443-4-2 FR-6 & FR-7 requirements for CIP assessment.
The objective of the document is to share details with CIP users for requireements which are found **Met** and **NA** during
CIP IEC-62443-4-2 assessment by BV.

This document can be used as reference by CIP users for IEC-62443-4-2 compliance for end products based on CIP.

2. CR-6.1 Audit log accessibility [Met] 
---------------------------------------

2.1 How CR-6.1 is Met
~~~~~~~~~~~~~~~~~~~~~

Accessibility of audit logs needs to be controlled to meet this requirement. acl package is used to control the access.
TC_CR6.1_1 CIP IEC layer test[1] is used to provide evidence for this requirement.

2.2 CIP User action
~~~~~~~~~~~~~~~~~~~

CIP users can also use acl for meeting this requirement.

3. CR-6.1 RE(1) Programmatic access to audit logs [NA]
------------------------------------------------------

3.1 Why CR-6.1 RE(1) is NA
~~~~~~~~~~~~~~~~~~~~~~~~~~

This requirement will need support for application to use programmatic access of audit logs.
In CIP, ausearch was used to meet this requirement, but it's a SL-3 requirement hence was out of scope for assessment.

3.2 CIP User action
~~~~~~~~~~~~~~~~~~~

If the target security level is SL-3, use application support for programmatic access to meet this requirement. 

4. CR-6.2 Continuous monitoring [Met]
-------------------------------------

4.1 How CR-6.2 is Met
~~~~~~~~~~~~~~~~~~~~~

This requirement is met in CIP by aide package which detects integrity failures in the system using an aide check. Any integrity failures found during the check are reported to journal logs subsequently user can take actions.

4.2 CIP User action
~~~~~~~~~~~~~~~~~~~

CIP user can use ``aide`` to meet this requirement. The main configuration file is typically located at ``/etc/aide.conf``. It defines the files and directories to be monitored and the rules to apply. 

5. FR-7 Resource Availability
-----------------------------

Following sections share details of FR-7 requirements and assessment results for CIP.

6. CR-7.1 Denial of service protection [Met]
--------------------------------------------

6.1 How was CR-7.1 Met
~~~~~~~~~~~~~~~~~~~~~~

Testing by BV was carried out by simulating DoS environment using licensed tool. `Nessus <https://www.tenable.com/products/nessus>`__ was used to simulate DoS events for testing this requirement.
Details of testing was not shared with CIP.

BV simulated DoS environment and verified CIP essential function was available even during the attack period.

Refer `CIP essential function <https://gitlab.com/cip-project/cip-documents/-/blob/92cd476918f3faf198bf15ac4618e34ea9916424/iec-62443-assessment/iec-62443-4-2/essential-function.rst#cr-7-1-denial-of-service-protection-met>`__

6.2 CIP User action
~~~~~~~~~~~~~~~~~~~

Preparation for this requirement involves the following steps.

#. Identify ``essential function`` of the end device, it should be related to business goals or some function which is always available.
#. Simulate DoS environment by using available tools e.g. BV used Nessus Tool for testing this requirement
#. Verify under DoS condition when device is under attack, essential function of the device remains available

7. CR-7.1 RE(1) Manage communication load from component [Met]
--------------------------------------------------------------

7.1 How was CR-7.1 RE(1) Met
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The CIP security image provides tools to manage communication load. The `nftables` package is included, which allows for restricting network traffic by port and protocol. This helps components maintain essential functions even during a Denial of Service (DoS) event. Additionally, tools like `tcpdump` are available for monitoring network traffic.

7.2 CIP User action
~~~~~~~~~~~~~~~~~~~

CIP users can utilize `nftables` to configure communication restrictions, such as blocking or allowing specific ports and protocols. They can also use `tcpdump` to monitor network traffic. These tools help manage communication load and ensure that essential functions remain available.

8. CR-7.2 Resource Management [NA]
----------------------------------

8.1 Why CR-7.2 is NA
~~~~~~~~~~~~~~~~~~~~

This requires support from application by reusing platform support. CIP does not meet this requirement.

8.2 CIP User action
~~~~~~~~~~~~~~~~~~~

CIP users should verify any security function provided by the device does not impact normal function or essential function of the device.
Refer details of this requirement for understanding examples of security functions which may impact essential function.

9. CR-7.3, CR-7.03 RE(1), CR-7.4 Control system backup, integrity verification [NA]
-----------------------------------------------------------------------------------

9.1 Why CR-7.3, CR-7.03 RE(1), CR-7.4 are NA
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

CIP Security Work Group investigated about supporting backup and restore feature in CIP reference image.
There were two potential debian packages which can help to meet this requirement.

#. `rsync <https://packages.debian.org/bookworm/rsync>`__
#. `duplicity <https://packages.debian.org/bookworm/duplicity>`__

There was a survey conducted among `CIP members <https://www.cip-project.org/members>`__ to understand if there are any use cases
which require support for backup and restore feature. It was concluded that supporting backup and restore is not an essential.
Hence the support was not added to keep lower cost of maintenance.

9.2 CIP User action
~~~~~~~~~~~~~~~~~~~

CIP users can enable support for backup and restore either by using any third party component or some Debian package like 
rsync or duplicity.

10. CR-7.5 Emergency Power [NA]
-------------------------------

This requirement is not for any component, it's for complete system therefore no fucrther action needed.

11. CR-7.6 Network and security configuration settings [Met]
------------------------------------------------------------

11.1 How CR-7.6 is Met
~~~~~~~~~~~~~~~~~~~~~~

CIP supports basic security configurations e.g. password policies, user management etc.
These policies can be configured by following `CIP Security Configuration document  <https://gitlab.com/cip-project/cip-testing/cip-security-tests/-/blob/master/docs/usage.md?ref_type=heads#configuration>`__


11.2 CIP User action
~~~~~~~~~~~~~~~~~~~~

CIP users can customize security configuration provided by CIP reference image. Additional security configurations can be added based on the use cases.

12. CR-7.6 RE(1) Machine-readable reporting of current security settings [NA]
-----------------------------------------------------------------------------

12.1 Why CR-7.6 RE(1) is NA
~~~~~~~~~~~~~~~~~~~~~~~~~~~

Application support is required to meet this requirement as in reference image this function is not feasible to support.

12.2 CIP User action
~~~~~~~~~~~~~~~~~~~~

CIP users should add this capability by additional application. It requires reading security configuration in machine-readable format and report.

13. CR-7.7 Least functionality [Met]
------------------------------------

13.1 How CR-7.7 is Met
~~~~~~~~~~~~~~~~~~~~~~

The CIP base platform meets this requirement by providing a minimal system image with only essential services installed. To further restrict functionality, CIP includes the `nftables` package, which allows for blocking unnecessary ports and protocols. Additionally, users can manage and disable services using `systemd` commands, ensuring that only required functions are active.

13.2 CIP User action
~~~~~~~~~~~~~~~~~~~~

CIP users can ensure "least functionality" for their end products by:

*   Utilizing `nftables` to restrict network ports and protocols that are not essential for their application.
*   Using `systemd` (`systemctl`) to disable any services that are not required for their specific use case.

These capabilities allow users to tailor the system to run only the necessary functions, enhancing security.

14. CR-7.8 Control system component inventory [Met]
---------------------------------------------------

14.1 How CR-7.8 is Met
~~~~~~~~~~~~~~~~~~~~~~

CIP supports providing information of components like

#. List of packages installed their versions and dependencies. `` /usr/share/immutable-data/var/lib/dpkg/status``
#. List of devices attached to it ``lsblk``

14.2 CIP User action
~~~~~~~~~~~~~~~~~~~~

CIP users can reuse tools installed in the reference image and can enhance further by adding additional tools like

#. ``hwinfo``
#. ``lscpu``


**References**
--------------

#. `CIP IEC layer test <https://gitlab.com/cip-project/cip-testing/cip-security-tests/-/tree/master/iec-security-tests/singlenode-testcases?ref_type=heads/>`__.

#. `IEC-62443-4-2 FR details <https://s3.us-east-1.amazonaws.com/fonteva-customer-media/00D1I000002JB6nUAG/DjlHJQVf_S_62443_4_2_TOC_pdf/>`__.

#. `Secure Ciphers document <https://gitlab.com/cip-project/cip-documents/-/blob/dinesh/secure-cipher/iec-62443-assessment/iec-62443-4-2/secure-ciphers.rst?ref_type=heads>`__.

#. `audit information protection guidelines <https://gitlab.com/cip-project/cip-documents/-/blob/master/security/CR3.9_Audit_info_protection_guidelines.rst?ref_type=heads>`__.