CIP IEC-62443-4-2 Foundational Requirement-2 Assessment details
Revision History
| Revision No | Date | Change description | Author | Reviewed by |
|---|---|---|---|---|
| 001 | 2025-08-04 | CIP IEC-62443-4-2 FR-2 assessment details | Dinesh Kumar | BV (Bureau Veritas) |
1. Overview
This document provides details of the IEC-62443-4-2 FR-2 requirements for the CIP assessment. Its objective is to share with CIP users the details of the requirements that were found Met and NA during the CIP IEC-62443-4-2 assessment by BV.
This document can be used as a reference by CIP users for IEC-62443-4-2 compliance of end products based on CIP.
Document Status
This document update is in progress.
4. CR-2.1 RE(2) Permission mapping to roles [Met]
4.1 How CR-2.1 RE(2) is Met
4.3 CIP User action
5. CR-2.1 RE(3) Supervisor override [NA]
5.1 Why CR-2.1 RE(3) is NA
5.3 CIP User action
6. CR-2.1 RE(4) Dual approval [NA]
6.1 Why CR-2.1 RE(4) is NA
6.3 CIP User action
7. CR-2.2 Wireless use control [NA]
7.1 Why CR-2.2 is NA
7.3 CIP User action
8. CR-2.3 Use control for portable and mobile devices [NA]
8.1 Why CR-2.3 is NA
8.3 CIP User action
9. CR-2.4 Mobile code [NA]
9.1 Why CR-2.4 is NA
9.3 CIP User action
10. EDR 2.4, HDR 2.4, NDR 2.4, SAR 2.4 Mobile code [NA]
10.1 Why mobile code requirements are NA
10.3 CIP User action
11. EDR 2.4 RE(1), HDR 2.4 RE(1), NDR 2.4 RE(1), SAR 2.4 RE(1) Mobile code authenticity check [NA]
11.1 Why mobile code authenticity check requirements are NA
11.3 CIP User action
12. CR-2.5 Session lock [Met]
12.1 How CR-2.5 is Met
12.3 CIP User action
13. CR-2.6 Remote session termination [Met]
13.1 How CR-2.6 is Met
13.3 CIP User action
14. CR-2.7 Concurrent session control [NA]
14.1 Why CR-2.7 is NA
14.3 CIP User action
15. CR-2.8 Auditable events [Met]
15.1 How CR-2.8 is Met
15.3 CIP User action
16. CR-2.9 Audit storage capacity [Met]
16.1 How CR-2.9 is Met
16.3 CIP User action
17. CR-2.9 RE(1) Warn when audit record storage capacity threshold reached [NA]
17.1 Why CR-2.9 RE(1) is NA
17.3 CIP User action
18. CR-2.10 Response to audit processing failures [TODO: Open]
18.1 How CR-2.10 RE(1) is ****
18.3 CIP User action
19. CR-2.11 Timestamps [Met]
19.1 How CR-2.11 is Met
19.3 CIP User action
20. CR-2.11 RE(1) Time synchronization [Met]
20.1 How CR-2.11 RE(1) is Met
20.3 CIP User action
21. CR-2.11 RE(2) Protection of time source integrity [NA]
21.1 Why CR-2.11 RE(2) is NA
21.3 CIP User action
22. CR-2.12 Non-repudiation [Met]
22.1 How CR-2.12 is Met
22.3 CIP User action
23. CR-2.12 RE(1) Non-repudiation for all users [NA]
23.1 Why CR-2.12 RE(1) is NA
23.3 CIP User action
23. CR-2.13 Use of physical diagnostic and test interfaces [NA]
23.1 Why CR-2.13 is NA
23.3 CIP User action
24. EDR-2.13 Use of physical diagnostic and test interfaces [Met]
24.1 How EDR-2.13 is Met
24.3 CIP User action
25. HDR-2.13 Use of physical diagnostic and test interfaces [NA]
25.1 Why HDR-2.13 is NA
25.3 CIP User action
26. NDR-2.13 Use of physical diagnostic and test interfaces [Met]
26.1 How NDR-2.13 is Met
26.3 CIP User action
27. EDR-2.13 RE(1), HDR-2.13 RE(1), NDR-2.13 RE(1) Active Monitoring [NA]
27.1 Why Active Monitoring requirements are NA
All these requirements are for SL-3 and were out of scope for the CIP assessment. Because they expect active monitoring of the device's diagnostic and test interfaces, they are purely specific to the underlying hardware. The CIP reference device (M-COM) does not have any such interface that can provide diagnostic information for monitoring.
27.3 CIP User action
CIP users shall investigate whether their end device supports any interfaces that can be used to monitor diagnostics. If any such interfaces are available on the device, evidence should be provided to meet these requirements.
TODO
All incomplete requirements are to be updated in the future.