Cyber Security In User Documentation

User documentation should provide the necessary information to help the customer ensure that the site is as secure as possible.

The documentation should contain relevant cyber security information for the product and also describe necessary additional actions that the user needs to take to build a defense in depth for the whole system or industrial plant.

Security disclaimer (ABB-SDLC-10)

The end-user documentation shall have a legal disclaimer regarding Cyber Security, typically in a notice chapter at the beginning of the document. The security disclaimer shall briefly explain the end-user’s responsibility for supplying and configuring a secure environment for the system/product.

Product defense in depth (IEC 62443-4-1 SG-1)

To make the product less vulnerable to threats, hardening of the product (reducing the vulnerability surface) at the customer site should be supported. The documentation should describe the aspects of the defense in depth strategy that are necessary to harden the product during installation and keep it hardened during its lifetime of use.

It should include:

  • a description of threats that are addressed by the defense in depth strategy.
  • the security capabilities of the product to safeguard it against known security threats.
  • residual threats that are expected to be present and capable of attacking the product, identified during threat modeling, attack surface reduction, or security design reviews.
  • any compensating security controls/mitigations that can be used with the product to further protect the product.

Defense in depth measures expected in the environment (IEC 62443-4-1 SG-2)

Describe the security defense in depth measures expected to be provided by the external environment in which the product is to be used, e.g. network configuration, malware prevention solutions, and patch management, and how the product should be integrated into its intended environment.

Security hardening guidelines (IEC 62443-4-1 SG-3)

Describe hardening guidelines for

  • integrating the product and 3rd party components - instructions and recommendations that should be adhered to when installing the product or system.
  • product API - if the product has any Application Programming Interface (API) that can be accessed by other components/products, the user documentation shall describe the secure usage of the API.
  • applying and maintaining the product’s defense in depth strategy - describe the user's responsibility for operating and maintaining the defense in depth strategy defined for the product or system.
  • security configuration - describe all security configuration options including default and recommended settings.
  • security related tools - describe tools and utilities (if any exist) that support administration, monitoring, incident handling, and evaluation of the security of the product. If the tools are not secure, the end-user documentation shall indicate that these tools should be removed from the system prior to completing the integration.
  • periodic security maintenance - includes recommendations for periodic security maintenance activities to be done on the product.
  • reporting security vulnerabilities - describe how to report security incidents.
  • maintenance and administration - describe best practices for the maintenance and administration of the product.

Secure disposal guidelines (IEC 62443-4-1 SG-4)

The end-user documentation shall describe the procedure for secure disposal of the product, for example when the product has reached the end of life. This includes, e.g.:

  • removing the product from its intended environment
  • removing references and configuration data stored within the environment
  • secure removal of data stored in the product
  • secure disposal of the product to prevent potential disclosure of data contained in the product that could not be removed as described above

Secure operation guidelines (IEC 62443-4-1 SG-5)

Describe the secure use of the product during its operation and administration, i.e. best practices or recommended behavior of users and administrators while operating the product.

Account management guidelines (IEC 62443-4-1 SG-6)

The user documentation shall describe the management of user accounts, user groups and permissions (access control), privileges (user rights), and password handling, including, but not limited to, operating system accounts, control system accounts, and database accounts. If the product has any default password, the end-user documentation shall describe that the default password must be changed during the initial use of the product.

If the product has any default accounts, consider whether the user should be recommended to change the names of the accounts.

Security functionality verification (IEC 62443-4-2 CR 3.3)

Provide the information needed for the user to verify the security functionality that can be configured by the user. For each security capability of the product, the end-user documentation shall describe:

  • the security threat that is mitigated by the capability.
  • how to configure the security capability.
  • how the end user can test (e.g., SAT/FAT phase) that the security capability works as expected, e.g. antivirus countermeasures, authentication, audit logging, storm filter. This applies only to capabilities that can be enabled and configured by the user. Example: The end user makes a configuration change and then verifies that the change is visible in an event log. The end-user documentation shall describe what change triggers an audit and how to find the audit in the audit trail/event log.

Note! Make the end-user aware of the possible ramifications of running these verification tests during normal operations. Details of the execution of these verifications need to be specified with careful consideration of the requirements for continuous operations (for example, scheduling or prior notification).

Secure Boot (ABB-SDLC-11)

For ABB products that are purely software applications intended to be connected to the Internet, the end-user documentation shall recommend the usage of secure boot.

Owner: Cyber Security Team