This is an old revision of the document!


CIP IEC-62443-4-x assessment information

The primary objective of this page is to provide up-to-date information about the CIP IEC-62443-4-x assessment. The CIP Security work group has recently engaged with one of the ANSI-accredited ISO/IEC 17065 product certification bodies. This page will be updated periodically whenever there is news about the CIP assessment.

The primary objective of the CIP Security work group (WG) is to continuously investigate industrial security standards that help address growing cybersecurity issues. The Security WG also closely monitors recent developments in industrial security and evaluates the value they add to the CIP platform. Additionally, when vulnerabilities are reported in Debian packages, the WG works with the Debian community to incorporate bug fixes into the CIP source code as soon as possible. Some of the key goals of the Security WG are highlighted in the following diagram.

The Security work group is currently focusing on how CIP can be certified for the IEC-62443-4-x standards. This effort is led by Renesas Electronics and strongly supported by other CIP member companies including Toshiba, Siemens, Cybertrust, Moxa and others. The main objective of the CIP Security work group's activities is to significantly reduce the overall certification effort and cost, as well as the maintenance cost, for suppliers by leveraging a certified CIP platform. It is expected that the artifacts of a certified CIP, such as test cases, application and hardware rules and several others, can be re-used by suppliers, driving efficiency and cost savings.

The CIP Security work group has recently initiated discussions with one of the most popular IEC/ISASecure scheme certification bodies. This section will be kept up to date as the CIP certification for IEC-62443-4-x progresses.

CIP Security team members

The following members are currently working as part of the CIP Security work group. All members regularly participate in weekly as well as bi-weekly meetings to discuss various security requirements. It is expected that more members will join this group in the future.

1. Kento Yoshida, Renesas Electronics Corporation, Tokyo, Japan

2. Masashi Kudo, Cybertrust, Tokyo, Japan

3. SZ Lin (林上智), Moxa Inc, New Taipei City, Taiwan

4. Yasin Demirci, Siemens Mobility, Brunswick, Germany

5. Dinesh Kumar, Toshiba Software India, Bangalore

6. Venkata Pyla, Toshiba Software India, Bangalore

Objective of CIP IEC-62443-4-X certification

Generally, suppliers or end product owners prefer to use open source software in order to minimize overall product development cost. On the other hand, the cost of IEC certification is quite high, which becomes a key concern for suppliers who want to get their products certified while remaining competitive. Getting any product certified for IEC-62443-4-x requires spending a significant amount of money, because it demands immense security domain knowledge as well as additional resources for creating the required certification artifacts.

CIP already promises super long term support (SLTS) for both the CIP Kernel and CIP Core, which goes beyond the usual upstream long term support. In order to further reduce certification costs for CIP-based products, CIP member companies strive to get IEC-62443-4-x certification for the CIP platform. Since CIP is not an end product, full certification cannot be granted to CIP; instead, CIP would be eligible for an IEC-62443-4-x assessment.

The key goals of CIP certification are as follows:

1. Leverage the experience and expertise of CIP member companies to certify CIP and pass the benefits of a certified CIP platform on to suppliers

2. Create certification artifacts which can be re-used by suppliers for end product certification

3. Share the know-how of the entire certification process with suppliers and help them achieve their certification goals with minimum effort

4. Many CIP member companies are also hardware manufacturers or suppliers of reference boards, which can also be used to validate IEC-62443-4-x security requirements

Documents required for IEC-62443-4-x certification

CIP members are working with the Certification Body to find out exactly which documents are usually required for certification. However, the required documents may vary between scenarios, for example depending on the targeted device category (there are four device categories defined in IEC-62443-4-2). As of now, CIP members have decided to apply for certification in the Networking and Embedded categories, and the expected security level is three (SL-3). The exact details will be known once the gap assessment is completed by the Certification Body.

Initially, the following documents are expected to be available for the gap assessment, though this is not mandatory. This list will be revised as the assessment progresses over time.

1. User Manual

2. Security feature document

3. Product features/product capabilities

4. Configuration Management

5. Development process document

After the gap analysis, the Certification Body will point out additional documents required for the actual certification as well as missing information in existing documents.

How suppliers can leverage certified CIP

The CIP project is hosted under the Linux Foundation. At the time of writing this document, there are eight CIP member companies that strongly support CIP development activities in every possible way. All CIP member companies have direct access to CIP project resources such as the CIP Kernel and CIP Core, as well as the documents and sample applications developed for IEC-62443-4-x certification. CIP members can participate directly in the CIP certification, and some of the reference devices can be certified for IEC-62443-4-x as reference devices, which can later be used for developing end products by leveraging the certified CIP platform.

Companies that are not CIP members have the option to join the CIP project and re-use CIP for developing final products. Detailed information on how to join the CIP project is available at https://www.cip-project.org/about/join

Roadmap of CIP IEC-62443 certification

TBD: We are working to update this section soon.

Frequently Asked Questions (FAQs)

(Please note that the following section has been written based on discussions with a specific Certification Body, so it is quite likely that there are some differences in policies or other details with respect to other Certification Bodies.)

What security level, as defined in IEC-62443-4-2, can be achieved by the CIP assessment/certification?

There are four security levels defined in the IEC-62443-4-2 standard. SL-1 to SL-4 have different security requirements to meet. SL-1 requires basic security functionality support whereas SL-4 imposes complex security requirements.

As per the CIP Security WG investigation, CIP software + reference hardware can meet SL-3. However, this is not yet confirmed by the Certification Body.

Which product categories are addressed/covered as part of the CIP certification?

IEC-62443-4-2 covers the following four categories of devices from a certification standpoint. We did an internal survey and decided to apply for the “Embedded and Network” category certification for CIP, since most of the products developed using CIP would fall under these two categories.

civilinfrastructureplatform/cip-iec-62443-4-x.1591611442.txt.gz · Last modified: 2020/06/08 10:17 by Dineshmishra