Commit 98884b37 authored by Valerie Aurora

Move risk factors to before threats

parent 9cec9c9a
+163 −179
@@ -1657,9 +1657,169 @@ Optional:
* Provision keys (network access, management, packet encryption)
* Generate log messages

## C.2 Threats
## C.2 Risk factors

### C.2.1 General
### C.2.1 List of risk factors

Risk factors determine which mitigation(s) satisfy each of the technical requirements in clause 5.2. The manufacturer determines the level of each risk factor via the development of a threat model and risk profile based on the intended and foreseeable use and misuse of the operating system.

Risk factors may increase the likelihood of an incident, increase the impact of an incident, or both. As a result, different mitigation strategies may be more or less relevant to different risk factors.

The overall risk related to each use case should be considered as a result of combining risk factors affecting both likelihood and impact of an incident.

**[LOC]** Degree of local access to the host system

Description: How many agents have unprivileged access to the host system.

Rationale: More agents with access on the host increase the likelihood of an attack originating from the host.

Type: Affects likelihood of attacks originating from the host system.

  * **[LOC-L-0]** Foreseeable use is effectively no agents on the host
  * **[LOC-L-1]** Foreseeable use is only trusted agents with a formal approval system
  * **[LOC-L-2]** Foreseeable use is trusted agents with an informal approval system
  * **[LOC-L-3]** Foreseeable use includes untrusted agents

**[NET]** Degree of public access to attached network

Description: How pubicly accessible the attached network is.

Rationale: The more unrestricted the access to the attached network is, the more likely a threat actor can send packets to the device.

Type: Affects likelihood of attacks originating from the network and impact of attacks on other systems.

  * **[NET-L-0]** Foreseeable use is in an isolated private network
  * **[NET-L-1]** Foreseeable use is in a private network with filtered connection to public network
  * **[NET-L-2]** Foreseeable use is in a public network

**[COM]** Complexity of product functions

Description: How complex the available product functions are in its secure-by-default configuration.

Rationale: More complex functions means increased likelihood of errors in the implementation and more attack surface.

Type: Affects likelihood of all attacks.

  * **[COM-L-0]** Product implements minimal features necessary to send/recv packets
  * **[COM-L-1]** Product implements some simple performance features
  * **[COM-L-2]** Product implements encryption functions on interface
  * **[COM-L-3]** Product implements RTOS managing radio, PXE boot, remote management, or similar

**[LIS]** Ease of reading from transmission media of directly attached network by unauthorized agents

Description: Likelihood that unauthorized agents can read data from the transmission media on the directly attached network. For example, a wireless network in an apartment that is accessible from the shared hallway or another apartnement, or a wired network with exposed jacks in a public library.

Rationale: While confidentiality of data transmitted across public networks is usually handled by the system the network interface is integrated into, the network interface is usually responsible for confidentiality on the local directly attached network.

Type: Affects likelihood of attack.

  * **[LIS-L-0]** Foreseeable use is only authorized agents with access to directly attached network
  * **[LIS-L-1]** Foreseeable use includes occasional access by unauthorized agents to directly attached network
  * **[LIS-L-2]** Foreseeable use includes frequent access by unauthorized agents to directly attached network

**[ADM]** Availability and skill of administration

Description: What the availability and skill of administration is for the product.

Rationale: Skilled, fully resourced administration allows more risk transfer and can reduce the impact of incidents.

Type: Affects likelihood and impact of all attacks.

  * **[ADM-L-0]** Foreseeable use includes skilled administration, fully resourced
  * **[ADM-L-1]** Foreseeable use includes unskilled and/or under-resourced administration

**[SYS]** Access to host system assets

Description: Measures the degree of access to the host system assets, such as memory, other devices, and system management functions. This is usually a property of the communications bus used to connect to the host system. E.g., a network interface connected by USB versions below 4.0 can only access system resources via the host USB stack software, but a network interface on a PCIe bus (including tunneled over USB 4.0) or a virtual network interface that has privileged access to the host system can write any part of host system memory.

Rationale: Access to host systems assets increases the impact of attacks.

Type: Affects impact of all attacks.

  * **[SYS-L-0]** Limited access or access mediated by host software to host system resources
  * **[SYS-L-1]** Extensive access to host system resources

**[SDS]** Sensitivity of data stored

Description: Sensitivity of data stored on the product.

Rationale: The more sensitive the data stored, the higher the impact of compromise of that data.

Type: Affects impact of attack.

  * **[SDS-L-0]** Foreseeable use stores unimportant or no data
  * **[SDS-L-1]** Foreseeable use stores moderately sensitive data
  * **[SDS-L-2]** Foreseeable use stores highly sensitive data

**[SDT]** Sensitivity of data transmitted

Description: Sensitivity of data transmitted on the product.

Rationale: The more sensitive the data transmitted, the higher the impact of compromise of that data.

Type: Affects impact of attack.

  * **[SDT-L-0]** Foreseeable use transmits unimportant or no data
  * **[SDT-L-1]** Foreseeable use transmits moderately sensitive data
  * **[SDT-L-2]** Foreseeable use transmits highly sensitive data

**[FUN]** Sensitivity of functions

Description: Sensitivity of functions of the product.

Rationale: The more sensitive the functions of the product, the higher the impact of denial-of-service or corruption of the functions.

Type: Affects impact of attack.

  * **[SDT-L-0]** Foreseeable use is for unimportant functions
  * **[SDT-L-1]** Foreseeable use is for moderately sensitive functions, such as encrypting transmitted data
  * **[SDT-L-2]** Foreseeable use is for highly sensitive functions, such as primary management interface of host system

**[INT]** Integration in host system

Description: How difficult it is to remove the product from the host system.

Rationale: The more integrated a product is in the host system, the harder it is to disable, remove, or replace it if it has an exploitable unpatched vulnerability or is no longer supported.

Type: Affects impact of attack.

  * **[INT-L-0]** Product is connected to host system via external adapter
  * **[INT-L-1]** Product is connected to host system via internal adapter requiring disassembly to change
  * **[INT-L-2]** Product is fully integrated into and cannot be removed from host system

**[DOS]** Cumulative network bandwidth

Description: The estimated cumulative network bandwidth of deployed products that are similar enough to be similarly affected by most security problems in this product.

Rationale: The more bandwidth that can be used for a DDOS attack by exploiting a vulnerability in the product, the higher the level of security that should be required.

Type: Affects impact of attack.

  * **[DOS-L-0]** Foreseeable deployment includes little or no cumulative network bandwidth
  * **[DOS-L-1]** Foreseeable deployment includes enough bandwidth to provide 10% of a major DDoS attack
  * **[DOS-L-2]** Foreseeable deployment includes enough bandwidth to provide more than 10% of a major DDoS attack

## C.3 Assumptions

### C.3.1 Proper host system

**[AS-PH]:** The host system the product is attached to is trustworthy.

### C.3.2 Proper administrator

**[AS-PA]:** The product administrator is not intentionally hostile and is engaging in good faith efforts to administer the product properly.

### C.3.3 Attacker has limited physical access to product

**[AS-LP]:** An attacker will have only temporary physical access to the product.

### C.3.4 Attacker has limited resources

**[AS-LR]:** An attacker has the resources available to a small group of skilled individuals, without the backing of large corporations, nation-states, or immense wealth.

## C.4 Threats and risk assessment of threats

### C.4.1 General

The approach to listing threats is to separate them by attack vector so that they may be associated with risk factors more directly.

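Review bot: the three level identifiers under **[FUN]** are labelled `[SDT-L-0]`, `[SDT-L-1]` and `[SDT-L-2]`, which duplicates the identifiers already used for **[SDT]** a few lines earlier; any threat table that keys on FUN levels becomes ambiguous, so they should read `[FUN-L-0]`, `[FUN-L-1]` and `[FUN-L-2]`. Two further points in the same moved block: the opening paragraph of C.2.1 says the risk profile is based on "foreseeable use and misuse of the operating system", while every other sentence in the section (the LIS rationale in particular) describes a network interface product, so "operating system" looks like a leftover from another annex; and the DOS levels leave a gap, since `[DOS-L-1]` is "enough bandwidth to provide 10% of a major DDoS attack" and `[DOS-L-2]` is "more than 10%", so a deployment below 10% that is not "little or no" bandwidth has no level, and L-1 should be phrased as a range (for example "up to 10%"). Typos carried along with the move: "pubicly" in the NET description and "apartnement" in the LIS description.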
@@ -1677,7 +1837,7 @@ Impact: SYS SDS SDT FUN INT DOS

For each threat, a table shows how to use the risk factors to calculate the level of likelihood or impact. The levels are Low, Medium, or High.

### C.2.3 List of threats
### C.4.3 List of threats and risk assessments

**[TH-KEVU]:** Attacker may use known exploitable vulnerabilities in the network interface implementation to get unauthorized access to product assets.

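Review bot: the `Impact: SYS SDS SDT FUN INT DOS` context line does not agree with the factor definitions now placed in C.2.1, where **[ADM]** is typed as affecting "likelihood and impact of all attacks" and **[NET]** as affecting "impact of attacks on other systems"; either both belong in the Impact list or their Type lines in C.2.1 should be narrowed to likelihood only, otherwise the per-threat tables announced by "For each threat, a table shows how to use the risk factors..." cannot be derived consistently from the definitions. The heading rename from `C.2.3` to `C.4.3` is consistent with the new `## C.4` parent.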
@@ -1838,182 +1998,6 @@ Requirements: CDTX, IDTX, SCUD, LOGG

Requirements: NKEV, SCUD, SSDD, MSAF, LMAS, LOGG

## C.3 Assumptions

### C.3.1 Proper host system

**[AS-PH]:** The host system the product is attached to is trustworthy.

### C.3.2 Proper administrator

**[AS-PA]:** The product administrator is not intentionally hostile and is engaging in good faith efforts to administer the product properly.

### C.3.3 Attacker has limited physical access to product

**[AS-LP]:** An attacker will have only temporary physical access to the product.

### C.3.4 Attacker has limited resources

**[AS-LR]:** An attacker has the resources available to a small group of skilled individuals, without the backing of large corporations, nation-states, or immense wealth.

## C.4 Risk assessments of threats

> For each threat identified above, use likelihood and magnitude of the threat to assess its risk in the context of use cases. The results should be consistent with the mapping of use cases to security profiles.

> Guidance from latest PT1 draft:
>
> An analysis in terms of likelihood and magnitude of a product’s threats is required to be able to determine the product’s risks.

> NOTE 1 The present document does not require a specific methodology for a cybersecurity risk analysis as long as the cybersecurity risk estimation is based on the likelihood of occurrence and magnitude of loss or disruption of cybersecurity risks. Thus, different approaches and models such as the fishbone model, event tree analysis or fault tree models can be used within the analysis of cybersecurity risks.

> NOTE 2 A qualitative estimation of the cybersecurity risks can be performed using risk matrices that map qualitative categories of the likelihood of occurrence and qualitative categories of magnitude of loss or disruption to cybersecurity risk categories.

> NOTE 3 A quantitative estimation of the cybersecurity risks can be performed using scoring systems that map qualitative categories of the likelihood of occurrence and qualitative categories of magnitude of loss or disruption to certain values.

> FIXME pick methodology

## C.5 Risk factors

### C.5.1 List of risk factors

Risk factors determine which mitigation(s) satisfy each of the technical requirements in clause 5.2. The manufacturer determines the level of each risk factor via the development of a threat model and risk profile based on the intended and foreseeable use and misuse of the operating system.

Risk factors may increase the likelihood of an incident, increase the impact of an incident, or both. As a result, different mitigation strategies may be more or less relevant to different risk factors.

The overall risk related to each use case should be considered as a result of combining risk factors affecting both likelihood and impact of an incident.

**[LOC]** Degree of local access to the host system

Description: How many agents have unprivileged access to the host system.

Rationale: More agents with access on the host increase the likelihood of an attack originating from the host.

Type: Affects likelihood of attacks originating from the host system.

  * **[LOC-L-0]** Foreseeable use is effectively no agents on the host
  * **[LOC-L-1]** Foreseeable use is only trusted agents with a formal approval system
  * **[LOC-L-2]** Foreseeable use is trusted agents with an informal approval system
  * **[LOC-L-3]** Foreseeable use includes untrusted agents

**[NET]** Degree of public access to attached network

Description: How pubicly accessible the attached network is.

Rationale: The more unrestricted the access to the attached network is, the more likely a threat actor can send packets to the device.

Type: Affects likelihood of attacks originating from the network and impact of attacks on other systems.

  * **[NET-L-0]** Foreseeable use is in an isolated private network
  * **[NET-L-1]** Foreseeable use is in a private network with filtered connection to public network
  * **[NET-L-2]** Foreseeable use is in a public network

**[COM]** Complexity of product functions

Description: How complex the available product functions are in its secure-by-default configuration.

Rationale: More complex functions means increased likelihood of errors in the implementation and more attack surface.

Type: Affects likelihood of all attacks.

  * **[COM-L-0]** Product implements minimal features necessary to send/recv packets
  * **[COM-L-1]** Product implements some simple performance features
  * **[COM-L-2]** Product implements encryption functions on interface
  * **[COM-L-3]** Product implements RTOS managing radio, PXE boot, remote management, or similar

**[LIS]** Ease of reading from transmission media of directly attached network by unauthorized agents

Description: Likelihood that unauthorized agents can read data from the transmission media on the directly attached network. For example, a wireless network in an apartment that is accessible from the shared hallway or another apartnement, or a wired network with exposed jacks in a public library.

Rationale: While confidentiality of data transmitted across public networks is usually handled by the system the network interface is integrated into, the network interface is usually responsible for confidentiality on the local directly attached network.

Type: Affects likelihood of attack.

  * **[LIS-L-0]** Foreseeable use is only authorized agents with access to directly attached network
  * **[LIS-L-1]** Foreseeable use includes occasional access by unauthorized agents to directly attached network
  * **[LIS-L-2]** Foreseeable use includes frequent access by unauthorized agents to directly attached network

**[ADM]** Availability and skill of administration

Description: What the availability and skill of administration is for the product.

Rationale: Skilled, fully resourced administration allows more risk transfer and can reduce the impact of incidents.

Type: Affects likelihood and impact of all attacks.

  * **[ADM-L-0]** Foreseeable use includes skilled administration, fully resourced
  * **[ADM-L-1]** Foreseeable use includes unskilled and/or under-resourced administration

**[SYS]** Access to host system assets

Description: Measures the degree of access to the host system assets, such as memory, other devices, and system management functions. This is usually a property of the communications bus used to connect to the host system. E.g., a network interface connected by USB versions below 4.0 can only access system resources via the host USB stack software, but a network interface on a PCIe bus (including tunneled over USB 4.0) or a virtual network interface that has privileged access to the host system can write any part of host system memory.

Rationale: Access to host systems assets increases the impact of attacks.

Type: Affects impact of all attacks.

  * **[SYS-L-0]** Limited access or access mediated by host software to host system resources
  * **[SYS-L-1]** Extensive access to host system resources

**[SDS]** Sensitivity of data stored

Description: Sensitivity of data stored on the product.

Rationale: The more sensitive the data stored, the higher the impact of compromise of that data.

Type: Affects impact of attack.

  * **[SDS-L-0]** Foreseeable use stores unimportant or no data
  * **[SDS-L-1]** Foreseeable use stores moderately sensitive data
  * **[SDS-L-2]** Foreseeable use stores highly sensitive data

**[SDT]** Sensitivity of data transmitted

Description: Sensitivity of data transmitted on the product.

Rationale: The more sensitive the data transmitted, the higher the impact of compromise of that data.

Type: Affects impact of attack.

  * **[SDT-L-0]** Foreseeable use transmits unimportant or no data
  * **[SDT-L-1]** Foreseeable use transmits moderately sensitive data
  * **[SDT-L-2]** Foreseeable use transmits highly sensitive data

**[FUN]** Sensitivity of functions

Description: Sensitivity of functions of the product.

Rationale: The more sensitive the functions of the product, the higher the impact of denial-of-service or corruption of the functions.

Type: Affects impact of attack.

  * **[SDT-L-0]** Foreseeable use is for unimportant functions
  * **[SDT-L-1]** Foreseeable use is for moderately sensitive functions, such as encrypting transmitted data
  * **[SDT-L-2]** Foreseeable use is for highly sensitive functions, such as primary management interface of host system

**[INT]** Integration in host system

Description: How difficult it is to remove the product from the host system.

Rationale: The more integrated a product is in the host system, the harder it is to disable, remove, or replace it if it has an exploitable unpatched vulnerability or is no longer supported.

Type: Affects impact of attack.

  * **[INT-L-0]** Product is connected to host system via external adapter
  * **[INT-L-1]** Product is connected to host system via internal adapter requiring disassembly to change
  * **[INT-L-2]** Product is fully integrated into and cannot be removed from host system

**[DOS]** Cumulative network bandwidth

Description: The estimated cumulative network bandwidth of deployed products that are similar enough to be similarly affected by most security problems in this product.

Rationale: The more bandwidth that can be used for a DDOS attack by exploiting a vulnerability in the product, the higher the level of security that should be required.

Type: Affects impact of attack.

  * **[DOS-L-0]** Foreseeable deployment includes little or no cumulative network bandwidth
  * **[DOS-L-1]** Foreseeable deployment includes enough bandwidth to provide 10% of a major DDoS attack
  * **[DOS-L-2]** Foreseeable deployment includes enough bandwidth to provide more than 10% of a major DDoS attack

### C.5.2 Mapping of use cases to risk factors and security profiles

#### C.5.2.1 Wired network interface use cases
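Review bot: the deletion stops at `[DOS-L-2]` and leaves the unchanged `### C.5.2 Mapping of use cases to risk factors and security profiles` and `#### C.5.2.1 Wired network interface use cases` headings in place, so after this commit they sit under `## C.4` with no `## C.5` parent and the numbering jumps from C.4.3 to C.5.2; since the mapping describes the risk factor list that now lives in C.2.1, renumbering them to `C.2.2` and `C.2.2.1` (and moving them up with the list) would keep the annex consistent. Removing the old `## C.4 Risk assessments of threats` also drops the quoted PT1 guidance and the `FIXME pick methodology` marker without carrying any statement of the chosen method into the renamed C.4; if the Low/Medium/High tables are the intended qualitative risk-matrix approach (NOTE 2 of the removed text), C.4.1 should say so explicitly.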