Add minimize exposed interfaces requirement (120259b5) · Commits · STAN4CRA / EN 304 625 Network Interfaces

EN-304-625.md

+33 −4

Original line number	Diff line number	Diff line
		@@ -1054,6 +1054,35 @@ The device shall protect data transmitted by the device from unauthorized access
		\|---------------------\|----------------------\|
		\| any \| TCNF \|

		### 5.2.X TR-MINI: Minimize exposed interfaces

		The manufacturer shall minimize exposed interfaces in the default configuration of the product in all operating modes, including initial configuration, during initialization, while in use, while shutting down or paused, or after reset.

		#### 5.2.X.x MI-JSTY: Document and justify exposed interfaces

		All exposed interfaces on the product in any state that is part of its reasonably foreseeable use or misuse in its secure-by-default configuration shall be documented. Every interface shall have a documented rationale for why its exposure is necessary for the functioning of the product in its secure-by-default configuration.

		* Reference: TR-MINI

		* Objective: Limit attack surface

		* Preparation: List all types of interfaces on the product that may be exposed to an attacker, whether enabled or disabled. For each type of interface, identify a method to list all exposed interfaces of that type. List all states of the product with different exposed interfaces of the product in its secure-by-default configuration, including but not limited to initial configuration, startup, in use, idle, shutdown, and reset, if applicable. For each distinct exposed interface in each state, describe the interface and why it must be enabled by default.

		* Activities: Using the list of types of interfaces, the list of states of the product, and the method to list all exposed interfaces of that type, list all exposed interfaces in each state. Compare to the documented list.

		* Verdict: All discovered interfaces are documented, including rationale => PASS, otherwise => FAIL

		* Evidence: List of types of interfaces, list of product states, documentation of each exposed interface, output of methods to list all exposed interfaces, connection between each discovered interface to its documentation

		#### 5.2.X.x Mapping of mitigations to risk factors and security profiles

		\| Risk factors \| Requires mitigations \|
		\|---------------------\|----------------------\|
		\| any \| JSTY \|

		\| Security Profile \| Requires mitigations \|
		\|---------------------\|----------------------\|
		\| any \| JSTY \|

		### 5.2.X TR-XXXX: Encryption related stuff

		@@ -1126,17 +1155,17 @@ Suggested type of tests include, but are not limited to:

		\| CRA requirement \| Technical security requirements(s) \|
		\|-------------------------------------------------\|------------------------------------\|
		\| No known exploitable vulnerabilities \| \|
		\| No known exploitable vulnerabilities \| _waiting on cross-vertical_ \|
		\| Secure design, development, production \| IMEM \|
		\| Secure by default configuration \| ADEF \|
		\| Secure updates \| \|
		\| Authentication and access control mechanisms \| \|
		\| Secure updates \| _waiting on cross-vertical_ \|
		\| Authentication and access control mechanisms \| _waiting on cross-vertical_ \|
		\| Confidentiality protection \| SCNF, TCNF \|
		\| Integrity protection for data and configuration \| IMEM \|
		\| Data minimization \| \|
		\| Availability protection \| MDNF \|
		\| Minimize impact on other devices or services \| MDNF \|
		\| Limit attack surface \| \|
		\| Limit attack surface \| MINI \|
		\| Exploit mitigation by limiting incident impact \| MDNF, IMEM \|
		\| Logging and monitoring mechanisms \| MDNF \|
		\| Secure deletion and data transfer \| \|

Original line number	Diff line number	Diff line
		@@ -1054,6 +1054,35 @@ The device shall protect data transmitted by the device from unauthorized access
		\|---------------------\|----------------------\|
		\| any \| TCNF \|

		### 5.2.X TR-MINI: Minimize exposed interfaces

		The manufacturer shall minimize exposed interfaces in the default configuration of the product in all operating modes, including initial configuration, during initialization, while in use, while shutting down or paused, or after reset.

		#### 5.2.X.x MI-JSTY: Document and justify exposed interfaces

		All exposed interfaces on the product in any state that is part of its reasonably foreseeable use or misuse in its secure-by-default configuration shall be documented. Every interface shall have a documented rationale for why its exposure is necessary for the functioning of the product in its secure-by-default configuration.

		* Reference: TR-MINI

		* Objective: Limit attack surface

		* Preparation: List all types of interfaces on the product that may be exposed to an attacker, whether enabled or disabled. For each type of interface, identify a method to list all exposed interfaces of that type. List all states of the product with different exposed interfaces of the product in its secure-by-default configuration, including but not limited to initial configuration, startup, in use, idle, shutdown, and reset, if applicable. For each distinct exposed interface in each state, describe the interface and why it must be enabled by default.

		* Activities: Using the list of types of interfaces, the list of states of the product, and the method to list all exposed interfaces of that type, list all exposed interfaces in each state. Compare to the documented list.

		* Verdict: All discovered interfaces are documented, including rationale => PASS, otherwise => FAIL

		* Evidence: List of types of interfaces, list of product states, documentation of each exposed interface, output of methods to list all exposed interfaces, connection between each discovered interface to its documentation

		#### 5.2.X.x Mapping of mitigations to risk factors and security profiles

		\| Risk factors \| Requires mitigations \|
		\|---------------------\|----------------------\|
		\| any \| JSTY \|

		\| Security Profile \| Requires mitigations \|
		\|---------------------\|----------------------\|
		\| any \| JSTY \|

		### 5.2.X TR-XXXX: Encryption related stuff

		@@ -1126,17 +1155,17 @@ Suggested type of tests include, but are not limited to:

		\| CRA requirement \| Technical security requirements(s) \|
		\|-------------------------------------------------\|------------------------------------\|
		\| No known exploitable vulnerabilities \| \|
		\| No known exploitable vulnerabilities \| _waiting on cross-vertical_ \|
		\| Secure design, development, production \| IMEM \|
		\| Secure by default configuration \| ADEF \|
		\| Secure updates \| \|
		\| Authentication and access control mechanisms \| \|
		\| Secure updates \| _waiting on cross-vertical_ \|
		\| Authentication and access control mechanisms \| _waiting on cross-vertical_ \|
		\| Confidentiality protection \| SCNF, TCNF \|
		\| Integrity protection for data and configuration \| IMEM \|
		\| Data minimization \| \|
		\| Availability protection \| MDNF \|
		\| Minimize impact on other devices or services \| MDNF \|
		\| Limit attack surface \| \|
		\| Limit attack surface \| MINI \|
		\| Exploit mitigation by limiting incident impact \| MDNF, IMEM \|
		\| Logging and monitoring mechanisms \| MDNF \|
		\| Secure deletion and data transfer \| \|