IEC 62443-4-2 and security requirements for Workloads
Nerve provides a solid basis for IEC 62443-4-2 certification of a complete application, but some
aspects remain the responsibility of the application developer. The tables below
summarize the requirements to fulfill.
Note
Docker and docker-compose workloads rely on the same context and security mechanisms. In the tables below they are grouped under the same type "docker".
FR 1 – Identification and authentication control
CR 1.1, CR 1.1 RE1, CR 1.3, CR 1.4, CR 1.5, CR 1.10, CR 1.11

Workload | Comment
--- | ---
Docker | If no human user is needed, the requirement is not applicable. For a simple user interface, the Remote screens of Nerve can be used; in that case the UI of the workload is only available after authentication in the Management System or in the Local UI. For a complex UI, or for a UI whose user group is decoupled from the Nerve users, the user management shall be developed by the user.
VM | If no human user is needed, the requirement is not applicable. If human users need access, the user management shall be developed by the user.
Codesys | Use Codesys online user management.
CR 1.2

Workload | Comment
--- | ---
Docker, VM | The user shall implement a mechanism to authenticate toward external components.
Codesys | Enforce CODESYS Online User Management and encrypted communication by CODESYS Control runtime configuration/security settings.
CR 1.7

Workload | Comment
--- | ---
Docker, VM | If user management is needed, the user shall implement a configurable mechanism to enforce password strength and password policy.
Codesys | Configure password strength and policy (password expiration, number of invalid login attempts, ...) according to your requirements by CODESYS Control runtime configuration/security settings.
CR 1.8, CR 1.9, CR 1.14

Workload | Comment
--- | ---
Docker, VM | If needed, a mechanism shall be implemented by the user.
Codesys | If an HMI / Web Visu is used, the system notification shall be considered during development.
CR 1.12

Workload | Comment
--- | ---
Docker, VM | If cryptographic authentication is required, the user is responsible for fulfilling all requirements.
Codesys | Codesys provides a local PKI and ensures that symmetric keys are used in a compliant way. The user shall provide a valid Root CA certificate or access to a root CA.
CR 1.13
The security context is defined to avoid such situations and thus protects all workloads.
FR 2 – Use control
CR 2.1, CR 2.1 (RE1), CR 2.1 (RE2)

Workload | Comment
--- | ---
Docker, VM | The user is responsible for fulfilling all requirements.
Codesys | Use only fieldbuses with security properties (e.g. OPC-UA). Enforce Codesys User Management.
CR 2.4

Workload | Comment
--- | ---
Docker | The application shall prevent the transfer of mobile code to the application. For web applications, the code shall be built using SRI (Subresource Integrity) to force an integrity check in the browser. Nerve enforces an integrity check before running the container.
VM | The user is responsible for fulfilling all requirements.
Codesys | The application shall prevent the use of mobile code. Nerve checks the integrity of the Codesys application during deployment.
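The SRI step mentioned for Docker-hosted web applications, as an added example that is not part of the Nerve documentation: the build emits an `integrity` attribute computed from the script it ships, and a browser-style check rejects any script whose content no longer matches. The script body is a constructed sample.

```python
import base64
import hashlib
import hmac

# Constructed sample asset: the bundled script a Docker-hosted web UI serves.
SCRIPT_BODY = b'document.getElementById("status").textContent = "ready";\n'

SRI_ALGORITHMS = ("sha256", "sha384", "sha512")  # the only digests SRI allows


def sri_hash(data: bytes, algorithm: str = "sha384") -> str:
    """Return an SRI integrity value of the form '<alg>-<base64 digest>'."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"SRI does not permit {algorithm}")
    digest = hashlib.new(algorithm, data).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, data: bytes) -> str:
    """Emit the <script> tag the build step writes into the served HTML."""
    return (f'<script src="{src}" integrity="{sri_hash(data)}" '
            f'crossorigin="anonymous"></script>')


def matches_integrity(data: bytes, integrity: str) -> bool:
    """Mirror the browser check: recompute the digest and compare.

    Simplified relative to browsers, which only consider the strongest
    algorithm listed; here any listed digest that matches is accepted.
    """
    for token in integrity.split():
        algorithm, _, _expected = token.partition("-")
        if algorithm not in SRI_ALGORITHMS:
            continue  # unknown algorithm tokens are ignored, as in browsers
        if hmac.compare_digest(sri_hash(data, algorithm), token):
            return True
    return False
```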
CR 2.5

Workload | Comment
--- | ---
Docker-compose | If the web application is accessed through the Local UI, it is compliant. If direct access is required, the user is responsible for implementing this requirement.
Docker, VM | The user is responsible for fulfilling all requirements.
Codesys | If visualization is used and accessed directly, an inactivity lockout should be considered. All access to the Codesys application managed by Nerve is compliant.
CR 2.6

Workload | Comment
--- | ---
Docker, VM | If the application is accessed through a Nerve remote connection, it is compliant. If direct access is required, the user is responsible for implementing this requirement.
Codesys | Nerve enforces all requirements for remote sessions.
CR 2.8, CR 2.9, CR 2.10, CR 2.11

Workload | Comment
--- | ---
Docker | If the application generates audit logs according to the method proposed in this documentation, Nerve fulfills all audit log requirements, including time synchronization. If a different method is selected, the user is responsible for implementing this requirement. See Audit Logs Workloads.
VM | The user is responsible for implementing this requirement.
Codesys | Audit logging is covered by Codesys; the logger capacity shall be adapted by the customer. Nerve provides the time synchronization.
CR 2.12

Workload | Comment
--- | ---
Docker | The user is responsible for implementing this requirement.
VM | The user is responsible for implementing this requirement.
Codesys | Covered by Codesys if the user management is enforced.
FR 3 – System integrity
CR 3.1, CR 3.1 (RE1)

Workload | Comment
--- | ---
Docker, VM | When using a remote connection to access the workload, Nerve fulfills the requirements. For all other communication channels, the user shall implement a mechanism to fulfill this requirement.
Codesys | When using a remote connection to access the workload, Nerve fulfills the requirements. Use secure communication for fieldbuses (e.g. OPC-UA). Enforce encrypted communication by CODESYS Control runtime configuration/security settings.
CR 3.2

Workload | Comment
--- | ---
Docker, Codesys | Nerve protects the integrity at rest by using disk encryption and starting the original file after boot.
VM | The user shall ensure sufficient protection of the VM against malicious code.
CR 3.3

Workload | Comment
--- | ---
All | The user shall provide documentation on how to check the security mechanism.
CR 3.4, CR 3.4 (RE1)

Workload | Comment
--- | ---
Docker, Codesys | Nerve protects the integrity of the code and checks it before starting the workload. For the integrity of the configuration, the user shall implement their own mechanism.
VM | The user shall implement a mechanism to ensure the integrity of the VM.

Currently, authenticity checks are not supported.
CR 3.5

Workload | Comment
--- | ---
All | The user shall implement adequate input validation on all interfaces.
CR 3.6

Workload | Comment
--- | ---
Docker, VM | The user shall implement an adequate state for the outputs on all interfaces.
Codesys | On exceptions, the IO-Manager of the CODESYS Control runtime system enters the configured safe state.
CR 3.7

Workload | Comment
--- | ---
Docker, VM | The user shall implement adequate error handling.
Codesys | Codesys fulfills this requirement for the runtime. The application still needs to avoid leaking information through logging.
CR 3.8

Workload | Comment
--- | ---
Docker, VM | The user shall implement adequate session management if needed.
Codesys | Codesys fulfills this requirement for communication with the IDE.
CR 3.9

Workload | Comment
--- | ---
Docker | If the audit log mechanism from Nerve is used, the audit logs are protected adequately. If not, the user shall implement adequate protection of the audit logs. See Audit Logs Workloads.
VM | The user shall implement a mechanism to protect the audit logs.
Codesys | Codesys fulfills this requirement by limiting access to the audit logs to authorized users.
CR 3.10, CR 3.11, CR 3.12, CR 3.13, CR 3.14
The requirements are not relevant for the application.
Depending on the setup, they are covered by Nerve or by a combination of Nerve and custom setup of the hardware.
FR 4 – Data confidentiality
CR 4.1

Workload | Comment
--- | ---
All | Nerve ensures protection at rest of the binaries and all related configuration by using disk encryption.
All | When using additional interfaces, the user is responsible for the confidentiality in transit.
CR 4.2

Workload | Comment
--- | ---
All | When offboarding the node from the Management System, Nerve deletes all information from all workloads. No further action is needed.
CR 4.3

Workload | Comment
--- | ---
Docker, VM | The cryptography used by the application shall be based on recognized practices and recommendations.
Codesys | For IDE access and OPC-UA, Codesys uses standard cryptography components. No further action required.
FR 5 – Restricted data flow
No requirements apply to the application on this level.
FR 6 – Timely response to events
CR 6.1

Workload | Comment
--- | ---
Docker | If the audit log mechanism from Nerve is used for docker workloads, no further action is needed. Otherwise, the user shall ensure that the audit logs are accessible.
VM | The user shall ensure that the audit logs are accessible.
Codesys | Audit logs are available through the Codesys IDE.
CR 6.2

Workload | Comment
--- | ---
All | Nerve provides the capability to send the metrics to a central OpenSearch instance and apply monitoring and alerting based on these metrics.
FR 7 – Resource availability
CR 7.1

Workload | Comment
--- | ---
All | Nerve provides the possibility to limit resource use per workload. The user shall review the actual resource consumption of each workload and apply resource limitations accordingly.
CR 7.1 RE1

Workload | Comment
--- | ---
Docker, VM | If the workload accepts incoming connections, the user shall implement rate limiting to mitigate the effect of DoS attacks.
Codesys | Codesys is protected by design. No further action necessary.
CR 7.2

Workload | Comment
--- | ---
Docker, VM | Nerve protects the resources allocated to the workloads. Still, within the workload the user shall ensure that security functions (e.g. logging) do not interfere with normal operations.
Codesys | Codesys is protected by design. No further action necessary.
CR 7.3, CR 7.3 RE1, CR 7.4

Workload | Comment
--- | ---
Docker | Docker images are normally deployed from the Management System, so no backup is needed. Docker volumes can be exported and deployed as needed.
VM | Nerve provides the capability to periodically back up a VM. The backup can be restored after an integrity check. The backup is not encrypted, so any sensitive information inside the VM should be protected.
Codesys | The Codesys application can be exported if needed, but usually no backup is necessary: a redeployment from the Management System is sufficient to restore the status.
CR 7.5, CR 7.8
These requirements are not applicable on this level.
CR 7.7

Workload | Comment
--- | ---
Docker, VM | The user shall ensure that only necessary packages are installed in the workload, only necessary services are running and only the necessary ports are exposed to the network.
Codesys | The user shall only open the ports which are absolutely needed for the application.
Workload Development and Configuration
Product aspect | Description & measures
--- | ---
Skilled users for workload configuration | Workload configuration is considered to be of the same complexity as software development. Implementers of security shall ensure that only personnel with sufficient know-how of security are allowed to configure Nerve workloads. Implementers of security shall ensure that the security implications of the Docker Compose YAML and virtual machine XML configurations are suitable for the given system. Such implications are, for example, a service being directly reachable from an external network or user credentials being contained in parameters such as environment variables.
Resource consumption | Nerve provides the capability to reserve resources for a workload. This reduces the probability of interference and therefore improves the availability of the system. Implementers of security shall make use of the option to reserve and limit resources for each Nerve workload.
Configuration of remote connections | The Nerve remote access feature, per design, permits the traversing of zones. Users shall consider undesired piercing of security zones when configuring remote connections. Implementers of security shall configure remote access routes only in line with their security concept, and shall allow remote access configuration only for users with sufficient know-how of the security concept.
Configuration of networks | Nerve devices can have multiple networks. In order to minimize the attack surface, users shall configure only those networks which are needed for operation. Implementers of security shall configure only those networks on a Nerve node which are needed for operation. If some workloads provide access to additional ports, the workloads should be hardened to prevent unauthorized access and the firewall configuration should be adapted. Only the necessary ports should be exposed.
Acknowledging remote connections | Nerve nodes provide the option to require acknowledgement of remote connections. If this option is not enabled, users with access to remote connections can establish remote connections to the device at any time. Implementers of security shall activate the feature to require local acknowledgement for remote access where possible.
Following a secure development process | Nerve is a system where customer applications are executed. Developers of customer applications may rely on the security features provided by Nerve. However, they do need to develop their applications in a secure way to achieve an overall secure system. Note that this requirement has considerable implications for the application development team and process throughout the whole lifecycle. Even though Nerve comes with a security certification, it does not mean that all applications running on Nerve are secure. Implementers of applications on Nerve shall follow a secure life-cycle process for their applications running on Nerve.
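A review check for the Docker Compose implications listed above (services reachable from external networks, credentials in environment variables) together with the resource limits of CR 7.1 and the exposed-ports rule of CR 7.7, as an added example that is not part of the Nerve documentation. The compose content is a constructed sample given in its parsed form, so no YAML library is required; the secret-name markers are an assumption of this example.

```python
# Parsed form of a constructed docker-compose file (what a YAML parser returns).
COMPOSE = {
    "services": {
        "hmi": {
            "image": "example/hmi:1.0",
            "ports": ["8080:80", "127.0.0.1:9090:9090"],
            "environment": {"DB_PASSWORD": "hunter2", "LOG_LEVEL": "info"},
        },
        "collector": {
            "image": "example/collector:1.0",
            "ports": ["127.0.0.1:1883:1883", {"host_ip": "127.0.0.1", "published": 8883, "target": 8883}],
            "environment": ["LOG_LEVEL=info"],
            "deploy": {"resources": {"limits": {"cpus": "0.5", "memory": "256M"}}},
        },
    }
}

# Assumed name fragments that suggest a credential is being passed as an env var.
SECRET_MARKERS = ("PASSWORD", "SECRET", "TOKEN", "KEY")
ALL_INTERFACES = ("0.0.0.0", "", "::")


def host_binding(port_spec) -> str:
    """Host interface a port mapping publishes on; no explicit IP means all."""
    if isinstance(port_spec, dict):  # compose long syntax
        return port_spec.get("host_ip", "0.0.0.0")
    parts = str(port_spec).split(":")  # "HOST:CONTAINER" or "IP:HOST:CONTAINER"
    return parts[0] if len(parts) == 3 else "0.0.0.0"


def env_names(env) -> list:
    """Environment variable names from either the mapping or the list form."""
    if isinstance(env, dict):
        return list(env)
    return [entry.split("=", 1)[0] for entry in env]


def check_compose(compose: dict) -> list:
    """Return one finding per risky setting; an empty list means it passes."""
    findings = []
    for name, svc in compose.get("services", {}).items():
        for spec in svc.get("ports", []):
            if host_binding(spec) in ALL_INTERFACES:
                findings.append(f"{name}: port {spec} is reachable from every interface")
        for key in env_names(svc.get("environment", [])):
            if any(marker in key.upper() for marker in SECRET_MARKERS):
                findings.append(f"{name}: credential passed in environment variable {key}")
        if not svc.get("deploy", {}).get("resources", {}).get("limits"):
            findings.append(f"{name}: no resource limits configured")
    return findings
```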