@@ -228,7 +228,7 @@ The following referenced documents may be useful in implementing an ETSI deliver
*<aname="_ref_i.4">[i.4]</a> EN 18031-3 (2024): “Common security requirements for radio equipment - Part 3: Internet connected radio equipment processing virtual money or monetary value".
<mark> FIXME add or delete informative references as work progresses</mark>
> FIXME add or delete informative references as work progresses
# 3 Definition of terms, symbols and abbreviations
@@ -269,7 +269,7 @@ For the purposes of the present document, the following abbreviations apply:
|**IT** | Information Technology |
|**OS** | Operating System |
<mark> FIXME add more abbreviations as necessary</mark>
> FIXME add more abbreviations as necessary
# 4 Product context
@@ -309,7 +309,7 @@ A physical network interface consists of:
It also includes the following parts if they are sold with the interface:
* Device driver
* Removable/changable antenna
* Removable/changeable antenna
* Daughter boards/add-on hardware modules
A virtual network interface consists of a device driver only.
@@ -528,7 +528,7 @@ Security levels are an informative resource to the manufacturer. Each security l
Each security level will consist of the security requirements necessary to mitigate the threats related to the associated levels of risk factors.
<mark> FIXME add security requirements when they exist</mark>
<mark> FIXME random unsorted notes, to be updated</mark>
> FIXME random unsorted notes, to be updated
Where is the manufacturer the best place to mitigate the risks? Those should be the ones the manufacturer treats, otherwise they are documented for the integrator.
@@ -666,7 +666,7 @@ Problems with the implementation of the protocols by the interface are in scope.
> Table mapping technical security requirements from Section 5 of the present document to essential cybersecurity requirements in Annex I of the CRA. The purpose of this is to help identify missing technical security requirements.
<mark> FIXME add requirements when they exist</mark>
> List assumptions that are relevant to the risk analysis for these threats. Everything is hackable if you try hard enough. What kinds of threats are in and out of scope? What are you assuming is the sophistication of attack? Relate to use cases.
<mark> FIXME more assumptions, associate with risk factors and security requirements</mark>
> FIXME more assumptions, associate with risk factors and security requirements
- Not being attacked by a state actor
- Not using sophisticated or expensive hardware snooping techniques
@@ -760,19 +761,19 @@ For wireless - operating environment of standard applies
> NOTE 3 A quantitative estimation of the cybersecurity risks can be performed using scoring systems that map qualitative categories of the likelihood of occurrence and qualitative categories of magnitude of loss or disruption to certain values.
<mark> FIXME pick methodology</mark>
> FIXME pick methodology
# Annex D (informative): Risk evaluation guidance
<mark> FIXME random notes below, should be rewritten or deleted when no longer necessary</mark>
> FIXME random notes below, should be rewritten or deleted when no longer necessary
For each network interface placed on the market, the manufacturer shall develop a threat model and risk profile of the forseeable use of the operating system, and shall consider the interplay between:
For each network interface placed on the market, the manufacturer shall develop a threat model and risk profile of the foreseeable use of the operating system, and shall consider the interplay between:
*complexity of forseeable use
*likelihood of an incident, given the forseeable use
*impact of an incident, given the forseeable use
*Complexity of foreseeable use
*Likelihood of an incident, given the foreseeable use
*Impact of an incident, given the foreseeable use
Attack vectors that are the responsiblity of the network interface:
Attack vectors that are the responsibility of the network interface:
* Arbitrary packets from outside the system
* OS-validated packets from unprivileged users inside the system
