Share your suggestions for supporting session lock requirement in CIP

Dinesh Kumar

Hi All,


IEC-62443-4-2 has the following two requirements related to session termination and session lock.

CR2.5 Req-1 Session lock: Component should support session lock after a configurable time period of inactivity.

CR2.6 Req-2 Remote session termination: Component should support terminating remote session after a configurable time of inactivity.


CR2.6 Req-2 can be met by adding system variable TMOUT.


For meeting CR2.5 we need the following changes in CIP.

1. Systemd code changes

2. Add a daemon which subscribes to dbus notifications (sample code attached)

3. Add the vlock Debian package, which performs session lock

4. Enable dbus in systemd


The systemd code changes are as follows.


--- a/src/login/logind.c
+++ b/src/login/logind.c
@@ -1019,7 +1019,7 @@ static int manager_dispatch_idle_action(sd_event_source *s, uint64_t t, void *us
                     (m->idle_action_not_before_usec <= 0 || n >= m->idle_action_not_before_usec + m->idle_action_usec)) {
                         log_info("System idle. Taking action.");
-                        manager_handle_action(m, 0, m->idle_action, false, false);
+                        manager_handle_action(m, 0, m->idle_action, false, true);
                         m->idle_action_not_before_usec = n;
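
Review bot: the flipped fifth argument in the manager_handle_action() call (false to true) is a bare positional boolean, and neither the hunk nor the surrounding message says what that flag controls or why session lock depends on it. Because the call passes m->idle_action, the flip applies to whatever idle action is configured, not only to a lock action, so the commit message should state the intended effect and confirm that other idle actions behave as before.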


This means several changes are required in CIP, and it would be difficult to maintain in the long term if we choose this option.


My request is, if anyone has any better idea to achieve session lock, please share so we can evaluate it further.


Thanks & Regards,

Dinesh Kumar
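
For the CR2.6 point in the message above (TMOUT), an added example that is not part of the original post or of CIP: a check that a shell profile snippet sets TMOUT within a limit and marks it readonly, since a plain `TMOUT=` can be unset by the user. The sample file names, their contents and the 900-second limit are constructed assumptions.

```shell
#!/bin/sh
# Added example: audit profile snippets for an enforced shell idle timeout.
# audit_tmout FILE MAX_SECONDS returns:
#   0  TMOUT is 1..MAX_SECONDS and readonly
#   1  TMOUT missing or 0 (0 disables the timeout)
#   2  TMOUT longer than MAX_SECONDS
#   3  TMOUT not readonly, so a user can override it with `unset TMOUT`
audit_tmout() {
    file=$1
    max=$2
    # Last effective assignment; accepts a leading export/readonly keyword.
    val=$(sed -E -n 's/^[[:space:]]*((export|readonly)[[:space:]]+)?TMOUT="?([0-9]+).*/\3/p' "$file" | tail -n 1)
    [ -n "$val" ] && [ "$val" -gt 0 ] || return 1
    [ "$val" -le "$max" ] || return 2
    grep -Eq '^[[:space:]]*(readonly|(declare|typeset)[[:space:]]+-r)[[:space:]]+TMOUT([=;[:space:]]|$)' "$file" || return 3
    return 0
}

# Constructed sample snippets (file names are hypothetical).
SAMPLES=$(mktemp -d)
printf 'TMOUT=600\nreadonly TMOUT\nexport TMOUT\n' > "$SAMPLES/hardened.sh"
printf 'export TMOUT=600\n'                         > "$SAMPLES/overridable.sh"
printf 'readonly TMOUT=86400\n'                     > "$SAMPLES/too_long.sh"
printf '# TMOUT=600\numask 027\n'                   > "$SAMPLES/missing.sh"

for f in hardened overridable too_long missing; do
    rc=0
    audit_tmout "$SAMPLES/$f.sh" 900 || rc=$?
    echo "$f.sh: audit_tmout exit code $rc"
done
```

The check only covers shells that honour TMOUT at the interactive prompt, such as bash; it says nothing about the CR2.5 session lock.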


