@@ -1459,37 +1459,6 @@ The stored data can be, but is not limited to:
- Not using sophisticated or expensive hardware snooping techniques
- No secret hardware backdoors
# Annex D (informative): Risk evaluation guidance
For each network management system placed on the market, this document provides the grounds to develop a threat model and risk profile of the foreseeable use of the system that considers the interplay between:
- Complexity of foreseeable use
- Likelihood of an incident, given the foreseeable use
- Impact of an incident, given the foreseeable use
Attack vectors that are the responsibility of the network management system:
- Arbitrary commands from outside the system control boundaries
- Through APIs
- From GUI
- Context manipulation (DNS, TLS)
- Ingested data manipulation
- Unprivileged actors inside the system control boundaries
- Malicious networking node
- Malicious 3rd. party integration
- Privileged actors inside the system control boundaries
- Credential missuse
Out of scope attack vectors:
- Anything the OS is responsible for
- Direct bit twiddling of registers
Refer to normative standards:
- Device driver attack vectors
- Physical interface specific attack vectors?
# Annex L (informative): Relationship between the present document and the requirements of EU Regulation 2024/2847
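Review bot: deleting Annex D wholesale, heading included, leaves the annex lettering in this region running straight from the preceding annex into "Annex L", so before this lands confirm that every cross-reference to "Annex D" or to "risk evaluation guidance" elsewhere in the document is updated (or that the annexes are re-lettered), otherwise those references dangle. The removed list also still contained the unresolved item `- Physical interface specific attack vectors?`; if this material is being relocated rather than dropped, that open question should be settled at its new location rather than carried over verbatim.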
@@ -1251,6 +1251,38 @@ This Annex applies state of the art methodology to identify assets, threats, ide
<mark>Use technical language and focus what is relevant from a product perspective</mark>
For each network management system placed on the market, this annex provides the grounds to develop a threat model and risk profile of the foreseeable use of the system that considers the interplay between:
- Complexity of foreseeable use
- Likelihood of an incident, given the foreseeable use
- Impact of an incident, given the foreseeable use
Attack vectors that are the responsibility of the network management system:
- Arbitrary commands from outside the system control boundaries
- Through APIs
- From GUI
- Context manipulation (DNS, TLS)
- Ingested data manipulation
- Unprivileged actors inside the system control boundaries
- Malicious networking node
- Malicious 3rd. party integration
- Privileged actors inside the system control boundaries
- Credential missuse
Out of scope attack vectors:
- Anything the OS is responsible for
- Direct bit twiddling of registers
Refer to normative standards:
- Device driver attack vectors
- Physical interface specific attack vectors?
<mark>Is the following relevant? Above chapter is the old Annex D Risk evaluation guidance</mark>
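Review bot: the inserted block still carries editorial working notes that must not ship in the annex text: the `<mark>` lines `Use technical language and focus what is relevant from a product perspective` and `Is the following relevant? Above chapter is the old Annex D Risk evaluation guidance`, plus the trailing question mark on `- Physical interface specific attack vectors?`. Resolve these before merging (decide whether the old Annex D material belongs in this annex at all, and either keep the physical-interface item as a firm pointer to the relevant normative standard or drop it). While editing, fix `Credential missuse` to `Credential misuse`, and check the new opening sentence ("this annex provides the grounds to develop a threat model and risk profile") against the existing introduction of this annex ("applies state of the art methodology to identify assets, threats") so the two do not restate each other. The out-of-scope item `Anything the OS is responsible for` and the vector `Context manipulation (DNS, TLS)` each need a one-line definition, because as written the responsibility boundary between the network management system and the OS is not something a reader can test against.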