====== CIP Security working group ====== Our goal is to get suppliers for industrial component devices to be certified using IEC 62443-4-2 easily. For that, we are working to provide a high-affinity platform for the IEC 62443-4 series. We wish to support application development by our recommendation of open source-based component packages as your development platform. ===== Provides a development platform compatible with SL-3 ===== With the ever growing threat of cyber attacks and the accompanying expectations for the IEC 62443 certification series. CIP Security working group, started group activities and decided to provide a reference platform to develop component devices aiming at security level 3 (SL-3) of IEC 62443-4-2. We are confirming the conformity of the following architectures for certification: * ARM 64-bit MPU based * TPM 2.0 supported * X86_64 server We are confirming these representative architectures meet security functions which should be supported by hardware as enhancement for SL-3 of IEC 62443-4-2. So, our platform will be able to support a wide range of use cases for you. The above hardware solutions are validated and provided by members who provide their hardware environment for CIP activities. However, in the future, we will provide a platform including hardware abstraction layer not to depend on specific hardware architecture. In addition, we extract security functions that should be processed universally on base-layer, core competence of the CIP project, without depending on individual applications or systems from SL-3 requirements, and provide component package software that meet those requirements as [[cip-core|CIP Core]] Packages for minimal file system image for industry. ===== Covers 57 requirements to SL-3 ===== Our investigation has shown that it is possible to fully or partially support as many as 57 requirements to SL-3 using our platform (hardware solutions and security packages included in the CIP Core Packages). That investigation result covers approximately two-thirds to three-quarters of the security features required for SL-3 for embedded devices, network devices or host devices that make up an industrial automation and control system (IACS) as the target category of IEC 62443-4-2. {{:civilinfrastructureplatform:cip-security_coverage.jpg|}} ===== Documents supporting development of component devices ===== We will provide the following documents for suppliers who will develop secure component devices conforming to SL-3 for IACS using our platform: * The configuration manual for our platform to meet security features for SL-3 * Recommended implementation example as a use case for application or system cooperation developed by the supplier based on our platform * Various records to prove that our platform has conformed to SL-3 as evidences By using those documents, we expect to suppress the huge cost of investigation and design that was conventionally imposed on suppliers to develop secure component devices compatible with SL-3, and reduce the difficulty for achieving certification to improve the certainty of acquisition. ===== Proof of platform suitability ===== We will require a certification body to validate our documents we are planning to provide to prove that our platform is compliant with SL-3. We specifically plan to verify the following: * Security features of component package software that are provided as base layer for application development meet SL-3. * Reference hardware meets enhanced security requirements for hardware of SL-3. * Recommended implementation examples meet SL-3 * (T.B.D.)Component package software that are provided as base layer for application development meet development process requirements of IEC 62443-4-1. ===== Future plans and milestones ===== Currently, we have selected component package software to be provided as base layer for application development. Those component package software will be provided as CIP Core Packages for the industrial minimal file system image. And here after, we will install those CIP Core Packages on the reference hardware and create various documents to start verification of our conformity within 2019. Further, we will develop test cases based on open source software in order to be able to evaluate the conformity of security features of application by suppliers themselves. ===== CIP IEC-62443-4-x certification ===== There is a dedicated page which is periodically updated to reflect CIP IEC 62443-4-x certification progress. This information is available at [[cip-IEC-62443-4-x|CIP IEC-62443-4-x certification page]] ===== Conclusion ===== CIP Security working group will provide the optimized platform to support for suppliers to develop the component device for IACS that conforms with SL-3 of IEC 62443-4-2. If you are developing on IACS component device, please confirm the following points: * How do you implement security features to meet SL-3? * Is the linux distribution that you are implementing on the device optimized for SL-3? * How do you maintain an application after EOL of your linux kernel? * Do you know how many security requirements for SL-3 your hardware meets? We can provide clear solutions to these questions. {{:civilinfrastructureplatform:cip-security_features.jpg|}}