@@ -692,6 +692,35 @@ The manufacturer shall follow the CRAs pricibles of implementing high level of c
# Annex D (informative): Risk evaluation guidance
For each network management system placed on the market, the manufacturer shall develop a threat model and risk profile of the foreseeable use of the system, and shall consider the interplay between:
- Complexity of foreseeable use
- Likelihood of an incident, given the foreseeable use
- Impact of an incident, given the foreseeable use
Attack vectors that are the responsibility of the network management system:
- Arbitrary commands from outside the system control boundaries
- Through APIs
- From GUI
- Context manipulation (DNS, TLS)
- Ingested data manipulation
- Unprivileged actors inside the system control boundaries
- Malicious networking node
- Malicious 3rd. party integration
- Privileged actors inside the system control boundaries
- Credential missuse
Out of scope attack vectors:
- Anything the OS is responsible for
- Direct bit twiddling of registers
Refer to normative standards:
- Device driver attack vectors
- Physical interface specific attack vectors?
## D.1 Mapping of risks to requirements
> Table mapping the identified risks to requirements
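Review bot: The heading declares Annex D informative, yet its first paragraph uses "shall" twice ("the manufacturer shall develop a threat model ... and shall consider"); an informative annex cannot impose obligations, so either reword to "should" / descriptive guidance or move the requirement into the normative body and let Annex D only explain how to meet it. Section D.1 currently contains only the placeholder "> Table mapping the identified risks to requirements" with no table, so the mapping the annex exists to provide is missing from this change. The attack-vector lists also need tightening before merge: "Physical interface specific attack vectors?" leaves an open question in the text (resolve it or mark it as a TODO outside the draft), "Anything the OS is responsible for" should name the boundary or the standard that owns it rather than "anything", and "Context manipulation (DNS, TLS)" needs a sentence saying what manipulation is meant (e.g. spoofed resolution, downgraded or forged certificates) so implementers can map it to a control. Spelling: "missuse" -> "misuse", "3rd. party" -> "third-party", and in the context line "pricibles" -> "principles" / "CRAs" -> "CRA's".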