WARNING! Gitlab maintenance operation scheduled for Thursday, 18 June between 19:00 and 20:00 (CET). During this time window, short service interruptions (less than 5 minutes) may occur. Thank you in advance for your understanding.
@@ -156,6 +156,7 @@ The present document describes how to demonstrate compliance with requirements i
## 1.2 Products in scope
Products in scope include products whose core purpose is to serve as a network management systems intended to manage the network devices.
This standard applies to Network management systems Products with digital elements that manage IP-connected network elements, such as servers, routers, switches, workstations, printers or mobile devices, by tracking them and controlling their network configuration.
This category includes but is not limited to end-to-end management systems and dedicatedconfiguration management systems, such as controllers for software-defined networking.
@@ -215,10 +216,11 @@ This section provides terms and definitions based on CEN/CLC JTC13 WG09's work o
For the purposes of the present document, the following terms apply:
1.**Operating System (OS)**: Software products with digital elements that provide an abstract interface of the underlying hardware and control the execution of software, and that may provide services such as computing resource management and configuration, scheduling, input-output control, managing data, and providing an interface through which applications interact with system resources and peripherals. This category includes but is not limited to real-time operating systems, general-purpose and special-purpose operating systems.
1.**Identity Provider**:
1.**Service Requesting Users (<a name="_term_.SRU">SRU</a>)**: These users rely on the correct functioning of the NEs that are controlled and maintained from the NMS. SRUs do not care about the connected NEs and have no interface to login to the NMS. SRUs can be both, humans or devices and all are dependent to the connected NEs. The number of NE-connected SRUs can vary from a single person up to thousands per NE device, and is in principle not limited. For clarification of the risk factors, and as regulators define the criticality of a facility operation by the number of affected SRUs for the case a NE ceased its service, its relevant for the present document.
1.**Identity Provider (IDP)**: System that creates, maintains and manages identity information for principals like natural humans. Providers authentication services.
1.**Service Requesting Users (<span name="_term_.SRU">SRU</span>)**: These users rely on the correct functioning of the NEs that are controlled and maintained from the NMS. SRUs do not care about the connected NEs and have no interface to login to the NMS. SRUs can be both, humans or devices and all are dependent to the connected NEs. The number of NE-connected SRUs can vary from a single person up to thousands per NE device, and is in principle not limited. For clarification of the risk factors, and as regulators define the criticality of a facility operation by the number of affected SRUs for the case a NE ceased its service, its relevant for the present document.
1.**User**: This is the person having the credentials to login to the NMS to operate administrative actions to control and maintain the NE.
1.**Machine User**: A virtual user used to access the system programming interfaces. Often attached with a role based access that is tailored for the need.
1.**Component**: software or hardware intended for integration into an electronic information system
## 3.2 Abbreviations
@@ -235,6 +237,7 @@ For the purposes of the present document, the following abbreviations apply:
| 2FA | Two Factor Authentication |
| CSP | Communication System Provider |
| SDN | Software Defined Networks |
| GUI | Graphical User Interface |
# 4 Product context
@@ -314,7 +317,7 @@ Devices are limited in functionality like:
[4.4.1.1 IoT network with monitoring data collection]:#4411-iot-network-with-monitoring-data-collection
[4.4.1.2 Home network deployment]:#4412-home-network-deployment
[4.4.2.1 Office network]:#4421-office-network
[4.4.2.2 Waste management]:#4422-waste-management
[4.4.2.3 Telecom network]:#4423-telecom-network
## 4.6 Security levels
@@ -624,13 +633,10 @@ In accordance with Article 13 (8) of the CRA<a href="#_ref_i.1">[i.1]</a>, the m
| [CVE-2022-48469](https://www.huawei.com/en/psirt/security-advisories/2023/huawei-sa-thvihr-7015cbae-en) | There is a traffic hijacking vulnerability in routers | Auth spoofing? |
| [CVE-2025-27212](https://cybersecuritynews.com/ubiquiti-unifi-devices-vulnerability/) | Device command injection | No authentication required and no user interaction needed |
> List assumptions that are relevant to the risk analysis for these threats. Everything is hackable if you try hard enough, but what risks can this product mitigate, and what must it delegate to other components or the operational environment? Some potential examples:
