Commit 1f231272 authored by Santeri Toikka's avatar Santeri Toikka
Browse files

Moved security analysis to Annex B

Closes #160 HAS99
parent d3f10e16
Loading
Loading
Loading
Loading
+0 −31
Original line number Diff line number Diff line
@@ -1459,37 +1459,6 @@ The stored data can be, but is not limited to:
-   Not using sophisticated or expensive hardware snooping techniques
-   No secret hardware backdoors

# Annex D (informative): Risk evaluation guidance

For each network management system placed on the market, this document provides the grounds to develop a threat model and risk profile of the foreseeable use of the system that considers the interplay between:

-   Complexity of foreseeable use
-   Likelihood of an incident, given the foreseeable use
-   Impact of an incident, given the foreseeable use

Attack vectors that are the responsibility of the network management system:

-   Arbitrary commands from outside the system control boundaries
    -   Through APIs
    -   From GUI
    -   Context manipulation (DNS, TLS)
    -   Ingested data manipulation
-   Unprivileged actors inside the system control boundaries
    -   Malicious networking node
    -   Malicious 3rd. party integration
-   Privileged actors inside the system control boundaries
    -   Credential missuse

Out of scope attack vectors:

-   Anything the OS is responsible for
    -   Direct bit twiddling of registers

Refer to normative standards:

-   Device driver attack vectors
-   Physical interface specific attack vectors?

# Annex L (informative): Relationship between the present document and the requirements of EU Regulation 2024/2847

DRAFT ANNEX L - DO NOT CONSIDER THE CONTENT
+32 −0
Original line number Diff line number Diff line
@@ -1251,6 +1251,38 @@ This Annex applies state of the art methodology to identify assets, threats, ide

<mark>Use technical language and focus what is relevant from a product perspective</mark>


For each network management system placed on the market, this annex provides the grounds to develop a threat model and risk profile of the foreseeable use of the system that considers the interplay between:

-   Complexity of foreseeable use
-   Likelihood of an incident, given the foreseeable use
-   Impact of an incident, given the foreseeable use

Attack vectors that are the responsibility of the network management system:

-   Arbitrary commands from outside the system control boundaries
    -   Through APIs
    -   From GUI
    -   Context manipulation (DNS, TLS)
    -   Ingested data manipulation
-   Unprivileged actors inside the system control boundaries
    -   Malicious networking node
    -   Malicious 3rd. party integration
-   Privileged actors inside the system control boundaries
    -   Credential missuse

Out of scope attack vectors:

-   Anything the OS is responsible for
    -   Direct bit twiddling of registers

Refer to normative standards:

-   Device driver attack vectors
-   Physical interface specific attack vectors?

<mark>Is the following relevant? Above chapter is the old Annex D Risk evaluation guidance</mark>

## B.1 Asets

## B.2 Risk Factors