CIP IEC-62443-4-2 Foundational Requirement-4 & 5 Assessment details

Revision History

Revision No

Date

Change description

Author

Reviewed by

001

2025-08-12

CIP IEC-62443-4-2 FR-4 & FR-5 assessment details

Dinesh Kumar

BV (Bureau Veritas)

1. Overview

This document provides details of IEC-62443-4-2 FR-4 & FR-5 requirements for CIP assessment. The objective of the document is to share details with CIP users for requireements which are found Met and NA during CIP IEC-62443-4-2 assessment by BV.

This document can be used as reference by CIP users for IEC-62443-4-2 compliance for end products based on CIP.

Document Status This document update is in progress. Look for TODO for incomplete sections

2. CR-4.1 Information confidentiality [TBD]

2.1 How CR-4.1 is Met

This requirement is under discussion with BV, once BV review is over,, this section will be updated.

TODO: Update once BV discussion is over

2.2 CIP User action

Pending for update

3. CR-4.2 Information persistence [Met]

3.1 How CR-4.2 is Met

When a device or component is decommissioned from active services. It may have crirical information in it’s persistent memory. To meet this requirement, evidence needs to be produced so all critical information is removed from the device so it’s not recoverables by anyone later.

The requirement is fullfilled with following tools

  1. shred: It securely overwrites files multiple times; data recovery practically impossible;

  2. dd: Built-in Linux command low-level block device operations; can overwrite entire storage devices Standard utility

These two tools provide the capability to erase information from components. These standard tools ensures that users (root/sudo) can permanently remove data if needed.

3.2 CIP User action

No action by CIP users required, same tools can be used as evidece to meet this requirement.

4. CR-4.2 RE(1), CR-4.2 RE(2) Erase of shared memory resources, Erase verification [NA]

4.1 Why CR-4.2 RE(1), CR-4.2 RE(2) are NA

These requirements are not evaluated due to SL-3 security level.

4.2 CIP User action

Investigate and suuport required tools which supports erasing shared memory resources on the device. Once any shared memory resource is deleted, verification of erasure should be supported as well.

5. CR-4.3 Use of cryptography [Met]

5.1 How CR-4.3 is Met

CIP uses openssl <https://packages.debian.org/bookworm/source/openssl>’__ package as primary tool to meet cryptographic requirements. In addition, there are NIST standard which recommend various cryptographic practices. There is a summary of practices in NIST standards in CIP `use of Cryptography document.

5.2 CIP User action

CIP users are recommended to follow NIST standards for more detailed undertanding.

  1. NIST SP 800-57 Part 1

  2. NIST SP 800-57 Part 2

  3. NIST SP 800-57 Part 3

Use Secure Cipher document. for more detailed information for using secure ciphers and TLS usage.

6. FR-5 Restricted Data Flow

All the requirements in this Foundational Requirement have beenn found NA for CIP. Following are the key reasons for the same.

  1. Need for support from user application

  2. Majority of the requirements need network device hardware capabilities

TODO

  1. All the incomplete requirements to be updated in future.

References

  1. CIP IEC layer test.

  2. IEC-62443-4-2 FR details.

  3. Secure Ciphers document.

  4. audit information protection guidelines.