A project to explore automation of security verification and validation in IEC-62443-4-1
We are the producers of an imaginary component X. We want to certify it to IEC 62443-4-2 using ISASecure CSA or ICSA schemes.
Before we can do that, we must certify its development process to IEC 62443-4-1 using ISASecure SDLA. To achieve the SDLA certificate, we must demonstrate that we follow the 8 security practices defined in the IEC 62443-4-1 standard.
Security Verification and Validation (SVV) is one of the 8 practices. Its purpose is to verify that the product security functions meet the security requirements and that the product handles error scenarios and invalid input correctly.
This project explores how and the extent the SVV practice could be automated, while producing the required evidence to show to auditors.
The hypothesis is that we can define most tests using Robot framework and other tools, and run them regularly against X to have up-to-date view of its compliance status with the security requirements.
The automation part is implemented using DevOps principles. There are test suites that are run against X regularly, as it is updated. The test suites are developed Robot Framework.
Jenkins will be used as the automation hub.
- ansible
- make
- python3-pip
- php
apt install -y make python3-pip php7.4
pip install --user ansible
Given the IP of a server running Ubuntu 22.04, sets up Jenkins as an automation server and configures it to run the defined test suite(s) against X. You need to have SSH access to the host and sudo privileges.
make setup-ci HOST=<IP of the server>
SVV-1
make test-svv-1
The imaginary component X is as simple as possible, while still being useful for demostration purposes.
It is thus a simple web application, that generates greetings. User of the application provides their name and password, and the application will print "Greetings $NAME!". It also includes a modifiable system use notification, as required by the standard.
We aim to protect the component against unintentional or accidental misuse. Therefore we are aiming for Security Level 1 (SL1).
Usage:
export PASSWORD=<some password>
export USE_NOTICE=<some text for system use notification>
make run-component
# the application is now available at http://localhost:8000 and you can generate greetings with the password you entered as env
SVV contains the following requirements:
- Security requirements testing (SVV-1)
- Threat mitigation testing (SVV-2)
- Vulnerability testing (SVV-3)
- Penetration testing (SVV-4)
- Independence of testers (SVV-5)
Out of these, SVV-1, SVV-2, SVV-3 and perhaps SVV-4 have content that can be automated.