Welcome to CIP_documentation’s documentation!

CIP Documents

This repository keeps all documents in one place for all working groups of the CIP projects, to meet the secure development process defined in IEC 62443-4-1, which requires that documents and their versions be maintained.

Management policy

This repository will be maintained by a few security members to meet the secure development process; branches in this repository will therefore be protected by restricting which members can push and merge.

License

The license of all documentation in this repository follows the intellectual property policy in the CIP Charter. See section 14-e in the CIP Charter.

Guide

This section gives a brief description of each document to make navigating this repository easier. Non-document files are not explained here.

- cip-project
- cip-documents
- developer
- event
- process
- security
- testing
- user

Developer

| Name | Description |
|---|---|
| FOSS_Security_Study_Summary | Presentation on security increases in Debian over time. |

Event

| Name | Description |
|---|---|
| Introduction of CIP Software Updates Working Group | Presentation of the CIP Software Update WG. |
| CIP Security towards achieving industrial grade security | Presentation of the CIP Security WG. |
| Threat modelling - Key methodologies and applications from OSS CIP(CIP) perspective | Presentation of the CIP Security WG on threat modeling in CIP. |

Process

| Name | Description |
|---|---|
| CIP File Integrity | The primary objective of this document is to explain how file integrity for CIP deliverables is achieved. |
| CIP Roles and Responsibility Matrix | The primary objective of this document is to show the roles in CIP with their responsibilities and accountabilities. It also shows which roles should be consulted and/or informed for certain actions and which qualifications, if any, are needed to fulfill a role. |
| CIP Secure Development Process | This document is based on the IEC-62443-4-1 (Edition 1.0 2018-01) secure development process requirements. The objective is to adhere to the IEC-62443-4-1 secure development process requirements in CIP development as much as possible. |

Security

| Name | Description |
|---|---|
| CIP Security Coding Guide Lines | This document explains how the CIP Project and its upstream projects follow security coding guidelines. |
| Static analysis tools for CIP packages | This document explains how the CIP Project executes SCA, with some explanation of how to use some SCA software. |
| CIP Development Environment Security | The primary objective of this document is to document the current development environment security, the development flow, and how security is maintained. |
| IEC 62443-4-2 App & HW Guidelines | The primary objective of this document is to provide guidelines to CIP users for meeting IEC-62443-4-2 security requirements. The document explains, for each IEC-62443-4-2 requirement, whether it has already been met by CIP. In addition, this document explains the IEC security layer added in CIP to meet IEC-62443-4-2 security requirements. |
| User Security Manual | This document contains items identified during the IEC-62443-4-1 and IEC-62443-4-2 Gap Assessment for the user security manual. |
| OWASP Top 10 Vulnerabilities Monitoring | The primary objective of this document is to explain how the various OWASP Top 10 vulnerabilities are handled in CIP. |
| CIP Private Key Management (cip-documents/-/blob/master/security/private_key_management.md) | The primary objective of this document is to explain how the various private keys used in CIP development are maintained and kept secure and confidential. |
| CIP Security Requirements | This document is intended to capture CIP security requirements based on the IEC-62443-4-2 standard. |
| CIP Threat Modeling | The primary objective of this document is to create a threat model for the CIP reference platform. |

Testing

| Name | Description |
|---|---|
| CIP_IEC-62443-4-2_Security_TestCases | Overview of the CIP 62443-4-2 test cases. |
| CIP Penetration Testing | The primary objective of this document is to identify a suitable penetration testing tool and to document how the process can be re-used by CIP end users for their specific use cases. |

User

| Name | Description |
|---|---|
| CIP User Manual | This document is a user perspective overview and technical guide for CIP. |