CIP IEC-62443-4-2 Foundational Requirement-2 Assessment details
===============================================================

.. contents::

Revision History

.. list-table::
   :header-rows: 1
                              
   * - Revision No 
     - Date
     - Change description 
     - Author  
     - Reviewed by

   * - 001
     - 2025-08-04
     - CIP IEC-62443-4-2 FR-2 assessment details 
     - Dinesh Kumar 
     - BV (Bureau Veritas)

   
1. Overview 
-----------

This document provides details of IEC-62443-4-2 FR-2 requirements for CIP assessment.
The objective of the document is to share details with CIP users for requireements which are found **Met** and **NA** during
CIP IEC-62443-4-2 assessment by BV.

This document can be used as reference by CIP users for IEC-62443-4-2 compliance for end products based on CIP.

**Document Status**

*This document update is in progress.*

2. CR-2.1 Authorization enforcement [PASS] 
----------------------------------------

2.1 How CR-2.1 is Met
~~~~~~~~~~~~~~~~~~~~

2.3 CIP User action
~~~~~~~~~~~~~~~~~~~~

3. CR-2.1 RE(1) Authorization enforcement for all users (humans, software processes and devices) [Met] 
------------------------------------------------------------------------------------------------------

3.1 How CR-2.1 RE(1) is Met
~~~~~~~~~~~~~~~~~~~~~~~~~~~

3.3 CIP User action
~~~~~~~~~~~~~~~~~~~~

4. CR-2.1 RE(2) Permission mapping to roles [Met] 
-------------------------------------------------

4.1 How CR-2.1 RE(2) is Met
~~~~~~~~~~~~~~~~~~~~~~~~~~~

4.3 CIP User action
~~~~~~~~~~~~~~~~~~~~

5. CR-2.1 RE(3) Supervisor override [NA] 
----------------------------------------

5.1 Why CR-2.1 RE(3) is NA
~~~~~~~~~~~~~~~~~~~~~~~~~~

5.3 CIP User action
~~~~~~~~~~~~~~~~~~~~

6. CR-2.1 RE(4) Dual approval [NA] 
----------------------------------

6.1 Why CR-2.1 RE(4) is NA
~~~~~~~~~~~~~~~~~~~~~~~~~~

6.3 CIP User action
~~~~~~~~~~~~~~~~~~~~

7. CR-2.2 Wireless use control [NA] 
----------------------------------

7.1 Why CR-2.2 is NA
~~~~~~~~~~~~~~~~~~~~

7.3 CIP User action
~~~~~~~~~~~~~~~~~~~~

8. CR-2.3 Use control for portable and mobile devices [NA] 
-----------------------------------------------------------

8.1 Why CR-2.3 is NA
~~~~~~~~~~~~~~~~~~~~

8.3 CIP User action
~~~~~~~~~~~~~~~~~~~~

9. CR-2.4 Mobile code [NA] 
--------------------------

9.1 Why CR-2.4 is NA
~~~~~~~~~~~~~~~~~~~~

9.3 CIP User action
~~~~~~~~~~~~~~~~~~~~

10. EDR 2.4, HDR 2.4, NDR 2.4, SAR 2.4 Mobile code [NA] 
-------------------------------------------------------

10.1 Why mobile code requirements are NA
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

10.3 CIP User action
~~~~~~~~~~~~~~~~~~~~

11. EDR 2.4 RE(1), HDR 2.4 RE(1), NDR 2.4 RE(1), SAR 2.4 RE(1) Mobile code authenticity check [NA] 
--------------------------------------------------------------------------------------------------

11.1 Why mobile code authenticity check requirements are NA
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

11.3 CIP User action
~~~~~~~~~~~~~~~~~~~~

12. CR-2.5 Session lock [Met] 
------------------------------

12.1 How CR-2.5 is Met
~~~~~~~~~~~~~~~~~~~~~~

12.3 CIP User action
~~~~~~~~~~~~~~~~~~~~

13. CR-2.6 Remote session termination [Met] 
------------------------------

13.1 How CR-2.6 is Met
~~~~~~~~~~~~~~~~~~~~~~

13.3 CIP User action
~~~~~~~~~~~~~~~~~~~~

14. CR-2.7 Concurrent session control [NA] 
------------------------------------------

14.1 Why CR-2.7 is NA
~~~~~~~~~~~~~~~~~~~~~

14.3 CIP User action
~~~~~~~~~~~~~~~~~~~~

15. CR-2.8 Auditable events [Met] 
---------------------------------

15.1 How CR-2.8 is Met
~~~~~~~~~~~~~~~~~~~~~

15.3 CIP User action
~~~~~~~~~~~~~~~~~~~~

16. CR-2.9 Audit storage capacity [Met] 
---------------------------------------

16.1 How CR-2.9 is Met
~~~~~~~~~~~~~~~~~~~~~

16.3 CIP User action
~~~~~~~~~~~~~~~~~~~~

17. CR-2.9 RE(1) Warn when audit record storage capacity threshold reached[NA] 
-------------------------------------------------------------------------------

17.1 Why CR-2.9 RE(1) is NA
~~~~~~~~~~~~~~~~~~~~~~~~~~~

17.3 CIP User action
~~~~~~~~~~~~~~~~~~~~

18. CR-2.10 Response to audit processing failures [TODO: Open] 
--------------------------------------------------------------

18.1 How CR-2.10 RE(1) is ****
~~~~~~~~~~~~~~~~~~~~~~~~~~~

18.3 CIP User action
~~~~~~~~~~~~~~~~~~~~

19. CR-2.11 Timestamps [Met] 
----------------------------

19.1 How CR-2.11 is Met
~~~~~~~~~~~~~~~~~~~~~~~

19.3 CIP User action
~~~~~~~~~~~~~~~~~~~~

20. CR-2.11 RE(1) Time synchronization [Met] 
--------------------------------------------

20.1 How CR-2.11 RE(1) is Met
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

20.3 CIP User action
~~~~~~~~~~~~~~~~~~~~

21. CR-2.11 RE(2) Protection of time source integrity [NA] 
-----------------------------------------------------------

21.1 Why CR-2.11 RE(2) is NA
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

21.3 CIP User action
~~~~~~~~~~~~~~~~~~~~

22. CR-2.12 Non-repudiation [Met] 
---------------------------------

22.1 How CR-2.12 is Met
~~~~~~~~~~~~~~~~~~~~~~~

22.3 CIP User action
~~~~~~~~~~~~~~~~~~~~

23. CR-2.12 RE(1) Non-repudiation for all users [NA] 
----------------------------------------------------

23.1 Why CR-2.12 RA(1) is NA
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

23.3 CIP User action
~~~~~~~~~~~~~~~~~~~~

23. CR-2.13 Use of physical diagnostic and test interfaces [NA] 
---------------------------------------------------------------

23.1 Why CR-2.13 is NA
~~~~~~~~~~~~~~~~~~~~~~

23.3 CIP User action
~~~~~~~~~~~~~~~~~~~~

24. EDR-2.13 Use of physical diagnostic and test interfaces [Met] 
-----------------------------------------------------------------

24.1 How EDR-2.13 is Met
~~~~~~~~~~~~~~~~~~~~~~~~

24.3 CIP User action
~~~~~~~~~~~~~~~~~~~~

25. HDR-2.13 Use of physical diagnostic and test interfaces [NA] 
-----------------------------------------------------------------

25.1 Why HDR-2.13 is NA
~~~~~~~~~~~~~~~~~~~~~~~

25.3 CIP User action
~~~~~~~~~~~~~~~~~~~~

26. NDR-2.13 Use of physical diagnostic and test interfaces [Met] 
-----------------------------------------------------------------

26.1 How NDR-2.13 is Met
~~~~~~~~~~~~~~~~~~~~~~~~

26.3 CIP User action
~~~~~~~~~~~~~~~~~~~~

27. EDR-2.13 RE(1), HDR-2.13 RE(1), NDR-2.13 RE(1) Activer Monitoring [NA] 
--------------------------------------------------------------------------

27.1 Why Active Monitoring requirements NA
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

All these requirements are for SL-3 and were out of scope for CIP assessment.
As these requirements expect active monitoring of device diagnostic and test interfaces hence purely specific to underlying hardware.
CIP reference device (M-COM) does not have any such interface which can provide any diagnostic information for monitoring. 

27.3 CIP User action
~~~~~~~~~~~~~~~~~~~~

CIP users shall investigate their end device whether it supports any interfaces which can be used to monitor diagnostics.
if there are any interfaces available on the device, evidence should be provided to meet these requirements.

======================================================================================================================================

**TODO** 

All the incomplete requirements to be updated in future.


**References**
--------------

#. `CIP IEC layer test <https://gitlab.com/cip-project/cip-testing/cip-security-tests/-/tree/master/iec-security-tests/singlenode-testcases?ref_type=heads/>`__.

#. `IEC-62443-4-2 FR details <https://s3.us-east-1.amazonaws.com/fonteva-customer-media/00D1I000002JB6nUAG/DjlHJQVf_S_62443_4_2_TOC_pdf/>`__.