Loading EN-304-621.md +47 −18 Original line number Diff line number Diff line Loading @@ -568,7 +568,7 @@ The chosen method shall follow the intent in the CRA by protecting the data tran Mutual trust is in plural form not exlucing IP Multicast or Anycast usage if implemented.   The figure above is an illustratoin of a simple TLS protected communication between NMS and the managed device. The device initiates the connection towards reachable endpoint based on a DNS address configured into the managed device. Loading Loading @@ -626,7 +626,7 @@ Reflecting to [List of Risk Factors](#451-list-of-risk-factors) defined in this | Name | ACC-L-0 | ACC-L-1 | ACC-L-2 | ACC-L-3 | | -------- | --------------- | ---------------------- | ------------------------ | -------------------------------------- | | Style | Air gapped | Single public endoint | Multiple endpoints | Everything else | | Network | Air gapped | Single public endoint | Multiple endpoints | Everything else | | [RQ-3] | Required | Required | Required | Required | | [RQ-4] | Required | Required | Required | Required | | [RQ-5] | Required | Required | Required | Required | Loading Loading 
@@ -659,6 +659,35 @@ Pull style configuration updates: - **[UPDT-1]** Verify integrity of the upddate before installation (hash checks). - **[UPDT-2]** Use secure channels for update delivery (e.g., TLS). ### 5.3.x High Availability Unwanted traffic in the interfaces can cause a denial of service from the managed elements. ### 5.3.x Logging - **[LOG-0]** All system components are synchronized to a same time. - **[LOG-1]** From the system perspective, logs and traces are stored into a write only service. - **[LOG-2]** The write only log or tracing storage is deployed outside of the system deployment context. - **[LOG-3]** NMS emits SIEM events from relevant changes. - **[LOG-4]** SIEM transfer format, field attributes and event descriptions are available as part of the technical documentation. | Name | [EXP-L-0] | [EXP-L-1] | [EXP-L-2] | | --------------------- | ------------- | -------------- | -------------- | | Entity classification | Undefined | NIS2 important | NIS2 critical | | [LOG-0] | Required | Required | Required | | [LOG-1] | Required | Required | Required | | [LOG-2] | Not required | Not required | Required | | [LOG-3] | Not required | Required | Required | | [LOG-4] | Not required | Required | Required | | Requirement | Assesment | | ----------- | ------------------------------------------------------------------------------------- | | [LOG-0] | All system clocks are synchronized into a NTP server or similar. | | [LOG-1] | From the process, it is impossible to overwrite the log output. | | [LOG-2] | Technical documentation specifies how to integrate into an external logging system. | | [LOG-3] | Detailed information of all emitted events is available. | | [LOG-4] | National MSAs are able to validate the system design comformity without a deployment. | # 6 Security Profiles ## 6.1 General Loading 
@@ -668,7 +697,7 @@ Pull style configuration updates: > Table mapping technical security requirements from Section 5 of the present document to essential cybersecurity requirements in Annex I of the CRA. The purpose of this is to help identify missing technical security requirements. | CRA requirement | Technical security requirements(s) | | ----------------------------------------------- | ---------------------------------- | | ----------------------------------------------- | ------------------------------------------------- | | No known exploitable vulnerabilities | | | Secure design, development, production | | | Secure by default configuration | | Loading @@ -678,10 +707,10 @@ Pull style configuration updates: | Integrity protection for data and configuration | [5.3.2],[5.3.3] | | Data minimization | | | Availability protection | | | Minimize impact on other devices or services | | | Minimize impact on other devices or services | [5.3.x High Availability](#53x-high-availability) | | Limit attack surface | | | Exploit mitigation by limiting incident impact | | | Logging and monitoring mechanisms | | | Logging and monitoring mechanisms | [5.3.x Logging](#53x-logging) | | Secure deletion and data transfer | | [5.3.1]: (#531-mitigations-for-user-identity-integrity) Loading Loading
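Review bot: In the @@ -626 hunk, the row renamed from "Style" to "Network" still carries "Single public endoint" in the ACC-L-1 column. Since the line is being changed anyway, correct it to "Single public endpoint".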
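Review bot: In the assessment table added by the @@ -659 hunk, the [LOG-3] row ("Detailed information of all emitted events is available.") checks documentation rather than whether the NMS actually emits SIEM events, so it overlaps with [LOG-4]. Suggest an assessment that verifies an event is emitted for a change, and a definition of which changes count as "relevant" in [LOG-3]. The new "5.3.x High Availability" section states a risk but has no requirement identifier and no assessment row, so nothing in it is testable. [LOG-1] says "write only" while its assessment speaks of it being impossible to overwrite the log output; one term should be used in both places. Wording fixes in the same hunk: "Assesment", "comformity", "synchronized to a same time". [EXP-L-0] to [EXP-L-2] are written as reference links, and no definition for them is visible in this hunk.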
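Review bot: In the @@ -678 hunk, "5.3.x High Availability" is mapped to "Minimize impact on other devices or services", while the section text speaks of denial of service caused by unwanted traffic on the interfaces, which reads closer to the "Availability protection" row that stays empty. Consider mapping it there, or to both rows. The link targets #53x-high-availability and #53x-logging depend on the placeholder "5.3.x" headings and will break once those sections get real numbers, so assign the numbers before merging or use reference-style link definitions like the existing [5.3.1] entries.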