Add vulnerability handling requirement (49d06a9f) · Commits · STAN4CRA / EN 304 625 Network Interfaces

EN-304-625.md

+47 −17

Original line number	Diff line number	Diff line
		@@ -1463,35 +1463,64 @@ If the product provides a method to transfer data and settings to another produc
		\| WL-\*, VI-1 \| SDRF \|
		\| VI-2 \| SDRF, SDTR \|

		### 5.2.X TR-VULH:

		#### 5.2.X.x Requirement

		The product shall have vulnerability handling processes compliant with <a ref="_ref_3">[3] prEN 40000-1-3: "Cybersecurity requirements for products with digital elements – Vulnerability Handling".

		#### 5.2.X.x MI-VULH:

		The product shall have vulnerability handling processes compliant with <a ref="_ref_3">[3] prEN 40000-1-3: "Cybersecurity requirements for products with digital elements – Vulnerability Handling".

		* Applicability: (for requirements that depend on a feature)
		* Reference: TR-VULH
		* Objective: Vulnerability handling
		* Activities: Review documentation associated with vulnerability handling.
		* Verdict: Vulnerability handling documentation is compliant with <a ref="_ref_3">[3] prEN 40000-1-3: "Cybersecurity requirements for products with digital elements – Vulnerability Handling" => PASS, otherwise FAIL
		* Evidence: Vulnerability handling documentation, comparison with <a ref="_ref_3">[3] prEN 40000-1-3: "Cybersecurity requirements for products with digital elements – Vulnerability Handling"

		\| Risk factors \| Requires mitigations \|
		\|--------------\|----------------------\|
		\| any \| VULH \|

		\| Security Profile \| Requires mitigations \|
		\|------------------\|----------------------\|
		\| all \| VULH \|

		### 5.2.X Additional requirements

		> TODO: Look at the [notes.md](notes.md) document for ideas for requirements to write.

		## 5.3 Risk Mitigation Sets

		### 5.3.1 Introduction

		This section lists all the mitigations necessary to meet requirements for each security profile.

		### 5.3.1 Wired network interface risk mitigation sets

		SP-WD-1: KEVD, SCFS, SUDC, (SUVP or SUOE), NTFY or WDOG, LOGG
		SP-WD-1: KEVD, SCFS, SUDC, (SUVP or SUOE), NTFY or WDOG, LOGG, VULH

		SP-WD-2: KEVD, (KEVL or SCAN), SCFS, SSCA, (FZ95 or ETIN or IMSL), IMSL or (MSAF-\, MZRO-\), SDEE-1, SDEE-4, ADEF, DPAH, SUDC, (SUVP or SUOE), CDTX, DCTX, DJST, WDOG, JSTY, LOGG
		SP-WD-2: KEVD, (KEVL or SCAN), SCFS, SSCA, (FZ95 or ETIN or IMSL), IMSL or (MSAF-\, MZRO-\), SDEE-1, SDEE-4, ADEF, DPAH, SUDC, (SUVP or SUOE), CDTX, DCTX, DJST, WDOG, JSTY, LOGG, VULH

		SP-WD-3: KEVD, (KEVL or SCAN), SCFS, SSCA, (FZ95 or ETIN or IMSL), IMSL or (MSAF-\, MZRO-\), SUDC, (SUVP or SUOE), CDTX, DCTX, NTFY or WDOG, JSTY, LOGG
		SP-WD-3: KEVD, (KEVL or SCAN), SCFS, SSCA, (FZ95 or ETIN or IMSL), IMSL or (MSAF-\, MZRO-\), SUDC, (SUVP or SUOE), CDTX, DCTX, NTFY or WDOG, JSTY, LOGG, VULH

		SP-WD-4: KEVD, (KEVL or SCAN), SCFS, SSCA, (FZ95 or ETIN or IMSL), IMSL or (MSAF-\, MZRO-\), SUDC, (SUVP or SUOE), CDTX, DCTX, DJST, WDOG, JSTY, LOGG
		SP-WD-4: KEVD, (KEVL or SCAN), SCFS, SSCA, (FZ95 or ETIN or IMSL), IMSL or (MSAF-\, MZRO-\), SUDC, (SUVP or SUOE), CDTX, DCTX, DJST, WDOG, JSTY, LOGG, VULH

		### 5.3.2 Wireless network interface risk mitigation sets

		SP-WL-1: KEVD, SCFS, SSCA, IMSL or (MSAF-\, MZRO-\), SUDC, (SUVP or SUOE), CDST, CDTX, IDST, DCTX, NTFY or WDOG, JSTY, LOGG, RSET or INST or DELE, SDRF
		SP-WL-1: KEVD, SCFS, SSCA, IMSL or (MSAF-\, MZRO-\), SUDC, (SUVP or SUOE), CDST, CDTX, IDST, DCTX, NTFY or WDOG, JSTY, LOGG, RSET or INST or DELE, SDRF, VULH

		SP-WL-2: KEVD, (KEVL or SCAN), SCFS, SSCA, (FZ95 or ETIN or IMSL), IMSL or (MSAF-\, MZRO-\), SUDC, (SUVP or SUOE), CDST, CDTX, IDST, DCTX, NTFY or WDOG, JSTY, LOGG, RSET or INST or DELE, SDRF
		SP-WL-2: KEVD, (KEVL or SCAN), SCFS, SSCA, (FZ95 or ETIN or IMSL), IMSL or (MSAF-\, MZRO-\), SUDC, (SUVP or SUOE), CDST, CDTX, IDST, DCTX, NTFY or WDOG, JSTY, LOGG, RSET or INST or DELE, SDRF, VULH

		SP-WL-3: KEVD, (KEVL or SCAN), SCFS, SSCA, (FZ95 or ETIN or IMSL), IMSL or (MSAF-\, MZRO-\), SUDC, (SUVP or SUOE), CDST, CDTX, IDST, DCTX, NTFY or WDOG, JSTY, LOGG, RSET or INST or DELE, SDRF
		SP-WL-3: KEVD, (KEVL or SCAN), SCFS, SSCA, (FZ95 or ETIN or IMSL), IMSL or (MSAF-\, MZRO-\), SUDC, (SUVP or SUOE), CDST, CDTX, IDST, DCTX, NTFY or WDOG, JSTY, LOGG, RSET or INST or DELE, SDRF, VULH

		### 5.3.3 Virtual network interface risk mitigation sets

		SP-VI-1: KEVD, SCFS, IMSL or (MSAF-\, MZRO-\), SUDC, (SUVP or SUOE), CDST, IDST, DCTX, NTFY or WDOG, JSTY, LOGG, RSET or INST or DELE, SDRF
		SP-VI-1: KEVD, SCFS, IMSL or (MSAF-\, MZRO-\), SUDC, (SUVP or SUOE), CDST, IDST, DCTX, NTFY or WDOG, JSTY, LOGG, RSET or INST or DELE, SDRF, VULH

		SP-VI-2: KEVD, (KEVL or SCAN), SCFS, SSCA, (FZ95 or ETIN or IMSL), IMSL or (MSAF-\, MZRO-\), SUDC, (SUVP or SUOE), CDST, CDTX, IDST, DCST, DCTX, DJST, WDOG, JSTY, LOGG, RSET or INST or DELE, SDRF, SDTR
		SP-VI-2: KEVD, (KEVL or SCAN), SCFS, SSCA, (FZ95 or ETIN or IMSL), IMSL or (MSAF-\, MZRO-\), SUDC, (SUVP or SUOE), CDST, CDTX, IDST, DCST, DCTX, DJST, WDOG, JSTY, LOGG, RSET or INST or DELE, SDRF, SDTR, VULH

		# 6 Conformity Assessment

		@@ -1515,6 +1544,7 @@ SP-VI-2: KEVD, (KEVL or SCAN), SCFS, SSCA, (FZ95 or ETIN or IMSL), IMSL or (MSAF
		\| Exploit mitigation by limiting incident impact \| AVAI, SSDD, MSAF \|
		\| Logging and monitoring mechanisms \| LOGG \|
		\| Secure deletion and data transfer \| SCDL, SDTR \|
		\| Vulnerability handling \| VULH \|

		\* _waiting on cross-vertical_

		@@ -1806,7 +1836,7 @@ For each threat, a table shows how to use the risk factors to calculate the leve
		\| max(SYS, SDS, SDT, FUN, DOS) = 1 \| Medium \|
		\| max(SYS, SDS, SDT, FUN, DOS) = 0 \| Low \|

		Requirements: NKEV, SCUD, SSDD, MSAF, LMAS, LOGG
		Requirements: NKEV, SCUD, SSDD, MSAF, LMAS, LOGG, VULH

		[TH-UEVU]: Attacker may use unknown exploitable vulnerabilities in the network interface implementation to get unauthorized access to product assets.

		@@ -1885,7 +1915,7 @@ Requirements: CDTX, DMIN, LMAS
		\| max(SDS, SDT, FUN) = 1 \| Medium \|
		\| max(SDS, SDT, FUN) = 0 \| Low \|

		Requirements: AVAI, MSAF, LMAS, LOGG
		Requirements: AVAI, MSAF, LMAS, LOGG, VULH

		[TH-FDOS]: Attacker may use host system or network access for a denial-of-service attack on product functions.

		@@ -1917,7 +1947,7 @@ Requirements: AVAI, MSAF, LMAS, LOGG
		\| DOS = 1 \| Medium \|
		\| DOS = 0 \| Low \|

		Requirements: AVAI, MSAF, LMAS, LOGG
		Requirements: AVAI, MSAF, LMAS, LOGG, VULH

		[TH-MQSE]: Attacker may masquerade as an authorized server to get unauthorized access to product assets.

		@@ -2048,14 +2078,14 @@ This section describes the metholodogy followed in the current text.

		\| Threat \| Requirements \|
		\|--------\|------------------------------------------\|
		\| KEVU \| NKEV, SCUD, SSDD, MSAF, LMAS, LOGG \|
		\| KEVU \| NKEV, SCUD, SSDD, MSAF, LMAS, LOGG, VULH \|
		\| UEVU \| SSDD, MSAF, DMIN, LMAS, LOGG \|
		\| PHYS \| SDEL, SDEF \|
		\| CONF \| SDEF \|
		\| UADT \| CDTX, DMIN, LMAS \|
		\| AVAI \| AVAI, MSAF, LMAS, LOGG \|
		\| FDOS \| AVAI, MSAF, LMAS, LOGG, \|
		\| DDOS \| AVAI, MSAF, LMAS, LOGG \|
		\| AVAI \| AVAI, MSAF, LMAS, LOGG, VULH \|
		\| FDOS \| AVAI, MSAF, LMAS, LOGG \|
		\| DDOS \| AVAI, MSAF, LMAS, LOGG, VULH \|
		\| MQSE \| CDTX, IDTX, SCUD, LOGG \|
		\| AHHS \| NKEV, SCUD, SSDD, MSAF, LMAS, LOGG, SDEF \|

		@@ -2075,7 +2105,7 @@ No risks are untreated by the requirements.

		## E.1 Introduction

		This is a short introduction to how standareds work, how CRA vertical standards work in general, and how this standard specifically works.
		This is a short introduction to how standards work, how CRA vertical standards work in general, and how this standard specifically works.

		## E.2 How to understand a vertical standard

Original line number	Diff line number	Diff line
		@@ -1463,35 +1463,64 @@ If the product provides a method to transfer data and settings to another produc
		\| WL-\*, VI-1 \| SDRF \|
		\| VI-2 \| SDRF, SDTR \|

		### 5.2.X TR-VULH:

		#### 5.2.X.x Requirement

		The product shall have vulnerability handling processes compliant with <a ref="_ref_3">[3] prEN 40000-1-3: "Cybersecurity requirements for products with digital elements – Vulnerability Handling".

		#### 5.2.X.x MI-VULH:

		The product shall have vulnerability handling processes compliant with <a ref="_ref_3">[3] prEN 40000-1-3: "Cybersecurity requirements for products with digital elements – Vulnerability Handling".

		* Applicability: (for requirements that depend on a feature)
		* Reference: TR-VULH
		* Objective: Vulnerability handling
		* Activities: Review documentation associated with vulnerability handling.
		* Verdict: Vulnerability handling documentation is compliant with <a ref="_ref_3">[3] prEN 40000-1-3: "Cybersecurity requirements for products with digital elements – Vulnerability Handling" => PASS, otherwise FAIL
		* Evidence: Vulnerability handling documentation, comparison with <a ref="_ref_3">[3] prEN 40000-1-3: "Cybersecurity requirements for products with digital elements – Vulnerability Handling"

		\| Risk factors \| Requires mitigations \|
		\|--------------\|----------------------\|
		\| any \| VULH \|

		\| Security Profile \| Requires mitigations \|
		\|------------------\|----------------------\|
		\| all \| VULH \|

		### 5.2.X Additional requirements

		> TODO: Look at the [notes.md](notes.md) document for ideas for requirements to write.

		## 5.3 Risk Mitigation Sets

		### 5.3.1 Introduction

		This section lists all the mitigations necessary to meet requirements for each security profile.

		### 5.3.1 Wired network interface risk mitigation sets

		SP-WD-1: KEVD, SCFS, SUDC, (SUVP or SUOE), NTFY or WDOG, LOGG
		SP-WD-1: KEVD, SCFS, SUDC, (SUVP or SUOE), NTFY or WDOG, LOGG, VULH

		SP-WD-2: KEVD, (KEVL or SCAN), SCFS, SSCA, (FZ95 or ETIN or IMSL), IMSL or (MSAF-\, MZRO-\), SDEE-1, SDEE-4, ADEF, DPAH, SUDC, (SUVP or SUOE), CDTX, DCTX, DJST, WDOG, JSTY, LOGG
		SP-WD-2: KEVD, (KEVL or SCAN), SCFS, SSCA, (FZ95 or ETIN or IMSL), IMSL or (MSAF-\, MZRO-\), SDEE-1, SDEE-4, ADEF, DPAH, SUDC, (SUVP or SUOE), CDTX, DCTX, DJST, WDOG, JSTY, LOGG, VULH

		SP-WD-3: KEVD, (KEVL or SCAN), SCFS, SSCA, (FZ95 or ETIN or IMSL), IMSL or (MSAF-\, MZRO-\), SUDC, (SUVP or SUOE), CDTX, DCTX, NTFY or WDOG, JSTY, LOGG
		SP-WD-3: KEVD, (KEVL or SCAN), SCFS, SSCA, (FZ95 or ETIN or IMSL), IMSL or (MSAF-\, MZRO-\), SUDC, (SUVP or SUOE), CDTX, DCTX, NTFY or WDOG, JSTY, LOGG, VULH

		SP-WD-4: KEVD, (KEVL or SCAN), SCFS, SSCA, (FZ95 or ETIN or IMSL), IMSL or (MSAF-\, MZRO-\), SUDC, (SUVP or SUOE), CDTX, DCTX, DJST, WDOG, JSTY, LOGG
		SP-WD-4: KEVD, (KEVL or SCAN), SCFS, SSCA, (FZ95 or ETIN or IMSL), IMSL or (MSAF-\, MZRO-\), SUDC, (SUVP or SUOE), CDTX, DCTX, DJST, WDOG, JSTY, LOGG, VULH

		### 5.3.2 Wireless network interface risk mitigation sets

		SP-WL-1: KEVD, SCFS, SSCA, IMSL or (MSAF-\, MZRO-\), SUDC, (SUVP or SUOE), CDST, CDTX, IDST, DCTX, NTFY or WDOG, JSTY, LOGG, RSET or INST or DELE, SDRF
		SP-WL-1: KEVD, SCFS, SSCA, IMSL or (MSAF-\, MZRO-\), SUDC, (SUVP or SUOE), CDST, CDTX, IDST, DCTX, NTFY or WDOG, JSTY, LOGG, RSET or INST or DELE, SDRF, VULH

		SP-WL-2: KEVD, (KEVL or SCAN), SCFS, SSCA, (FZ95 or ETIN or IMSL), IMSL or (MSAF-\, MZRO-\), SUDC, (SUVP or SUOE), CDST, CDTX, IDST, DCTX, NTFY or WDOG, JSTY, LOGG, RSET or INST or DELE, SDRF
		SP-WL-2: KEVD, (KEVL or SCAN), SCFS, SSCA, (FZ95 or ETIN or IMSL), IMSL or (MSAF-\, MZRO-\), SUDC, (SUVP or SUOE), CDST, CDTX, IDST, DCTX, NTFY or WDOG, JSTY, LOGG, RSET or INST or DELE, SDRF, VULH

		SP-WL-3: KEVD, (KEVL or SCAN), SCFS, SSCA, (FZ95 or ETIN or IMSL), IMSL or (MSAF-\, MZRO-\), SUDC, (SUVP or SUOE), CDST, CDTX, IDST, DCTX, NTFY or WDOG, JSTY, LOGG, RSET or INST or DELE, SDRF
		SP-WL-3: KEVD, (KEVL or SCAN), SCFS, SSCA, (FZ95 or ETIN or IMSL), IMSL or (MSAF-\, MZRO-\), SUDC, (SUVP or SUOE), CDST, CDTX, IDST, DCTX, NTFY or WDOG, JSTY, LOGG, RSET or INST or DELE, SDRF, VULH

		### 5.3.3 Virtual network interface risk mitigation sets

		SP-VI-1: KEVD, SCFS, IMSL or (MSAF-\, MZRO-\), SUDC, (SUVP or SUOE), CDST, IDST, DCTX, NTFY or WDOG, JSTY, LOGG, RSET or INST or DELE, SDRF
		SP-VI-1: KEVD, SCFS, IMSL or (MSAF-\, MZRO-\), SUDC, (SUVP or SUOE), CDST, IDST, DCTX, NTFY or WDOG, JSTY, LOGG, RSET or INST or DELE, SDRF, VULH

		SP-VI-2: KEVD, (KEVL or SCAN), SCFS, SSCA, (FZ95 or ETIN or IMSL), IMSL or (MSAF-\, MZRO-\), SUDC, (SUVP or SUOE), CDST, CDTX, IDST, DCST, DCTX, DJST, WDOG, JSTY, LOGG, RSET or INST or DELE, SDRF, SDTR
		SP-VI-2: KEVD, (KEVL or SCAN), SCFS, SSCA, (FZ95 or ETIN or IMSL), IMSL or (MSAF-\, MZRO-\), SUDC, (SUVP or SUOE), CDST, CDTX, IDST, DCST, DCTX, DJST, WDOG, JSTY, LOGG, RSET or INST or DELE, SDRF, SDTR, VULH

		# 6 Conformity Assessment

		@@ -1515,6 +1544,7 @@ SP-VI-2: KEVD, (KEVL or SCAN), SCFS, SSCA, (FZ95 or ETIN or IMSL), IMSL or (MSAF
		\| Exploit mitigation by limiting incident impact \| AVAI, SSDD, MSAF \|
		\| Logging and monitoring mechanisms \| LOGG \|
		\| Secure deletion and data transfer \| SCDL, SDTR \|
		\| Vulnerability handling \| VULH \|

		\* _waiting on cross-vertical_

		@@ -1806,7 +1836,7 @@ For each threat, a table shows how to use the risk factors to calculate the leve
		\| max(SYS, SDS, SDT, FUN, DOS) = 1 \| Medium \|
		\| max(SYS, SDS, SDT, FUN, DOS) = 0 \| Low \|

		Requirements: NKEV, SCUD, SSDD, MSAF, LMAS, LOGG
		Requirements: NKEV, SCUD, SSDD, MSAF, LMAS, LOGG, VULH

		[TH-UEVU]: Attacker may use unknown exploitable vulnerabilities in the network interface implementation to get unauthorized access to product assets.

		@@ -1885,7 +1915,7 @@ Requirements: CDTX, DMIN, LMAS
		\| max(SDS, SDT, FUN) = 1 \| Medium \|
		\| max(SDS, SDT, FUN) = 0 \| Low \|

		Requirements: AVAI, MSAF, LMAS, LOGG
		Requirements: AVAI, MSAF, LMAS, LOGG, VULH

		[TH-FDOS]: Attacker may use host system or network access for a denial-of-service attack on product functions.

		@@ -1917,7 +1947,7 @@ Requirements: AVAI, MSAF, LMAS, LOGG
		\| DOS = 1 \| Medium \|
		\| DOS = 0 \| Low \|

		Requirements: AVAI, MSAF, LMAS, LOGG
		Requirements: AVAI, MSAF, LMAS, LOGG, VULH

		[TH-MQSE]: Attacker may masquerade as an authorized server to get unauthorized access to product assets.

		@@ -2048,14 +2078,14 @@ This section describes the metholodogy followed in the current text.

		\| Threat \| Requirements \|
		\|--------\|------------------------------------------\|
		\| KEVU \| NKEV, SCUD, SSDD, MSAF, LMAS, LOGG \|
		\| KEVU \| NKEV, SCUD, SSDD, MSAF, LMAS, LOGG, VULH \|
		\| UEVU \| SSDD, MSAF, DMIN, LMAS, LOGG \|
		\| PHYS \| SDEL, SDEF \|
		\| CONF \| SDEF \|
		\| UADT \| CDTX, DMIN, LMAS \|
		\| AVAI \| AVAI, MSAF, LMAS, LOGG \|
		\| FDOS \| AVAI, MSAF, LMAS, LOGG, \|
		\| DDOS \| AVAI, MSAF, LMAS, LOGG \|
		\| AVAI \| AVAI, MSAF, LMAS, LOGG, VULH \|
		\| FDOS \| AVAI, MSAF, LMAS, LOGG \|
		\| DDOS \| AVAI, MSAF, LMAS, LOGG, VULH \|
		\| MQSE \| CDTX, IDTX, SCUD, LOGG \|
		\| AHHS \| NKEV, SCUD, SSDD, MSAF, LMAS, LOGG, SDEF \|

		@@ -2075,7 +2105,7 @@ No risks are untreated by the requirements.

		## E.1 Introduction

		This is a short introduction to how standareds work, how CRA vertical standards work in general, and how this standard specifically works.
		This is a short introduction to how standards work, how CRA vertical standards work in general, and how this standard specifically works.

		## E.2 How to understand a vertical standard

Admin message