Commit e54a99b5 authored by Valerie Aurora

Fill out interface protect/disable requirements

parent cf46fd1d
+35 −36
@@ -957,75 +957,74 @@ Guidance: This requirement gives the user or integrator of the product the neces
  * Verdict: If every interface discovered is listed in the documentation and has the required information => PASS, otherwise => FAIL
  * Evidence: Method to list all interfaces accessible from the host, list of interfaces discovered, documentation of assets

#### 5.2.X.x **MI-SDEE-1**: Physical access to debug interface
#### 5.2.X.x **MI-SDEE-1**: Document physical access to debug interfaces

All debug interfaces accessible to someone with physical access to the device shall be documented as to how to protect or disable them.
All debug/management interfaces accessible to someone with physical access to the device shall be documented as to how to protect or disable them.

Guidance: This is for the use case of selling to an integrator.

  * Applicability: Physical network interface
  * Reference: TR-SDEF
  * Objective: Secure by default
  * Preparation: Physically examine the device for interfaces
  * Activities: Compare the physical network interfaces of the device with the documentation
  * Verdict: All physical network interfaces are documented as to how to disable or protect them => PASS, otherwise => FAIL
  * Evidence: Pictures of the device, list of discovered interfaces, comparison with documentation, notes as to which are documented how to disable/protect
  * Preparation: Examine the documentation for how to protect or disable the physically accessible debug/management interfaces of the device
  * Activities: Examine the device for undocumented physical management interfaces, then follow the instructions in the documentation to disable or protect each documented interface, then attempt to access the interface without authorization
  * Verdict: All physical debug or management interfaces are documented as to how to disable or protect them, and no interfaces are accessible without authorization after following the documentation t protect or disable them => PASS, otherwise => FAIL
  * Evidence: Pictures of the device, list of discovered interfaces, comparison with documentation, notes as to which are documented how to disable/protect, logs of protect/disable actions, logs of attempts to access interfaces after protected or disabled

#### 5.2.X.x **MI-SDEE-2**: Physical access to debug interface
#### 5.2.X.x **MI-SDEE-2**: Protect or disable physical access to debug interfaces

All debug interfaces accessible to someone with physical access to the device shall be protected or disabled by default.
All debug/management interfaces accessible to someone with physical access to the device shall be protected or disabled by default, unless necessary for backward compatibility and use by an appropriately sophisticated user who has been sufficiently informed of the risk and how to mitigate it.

Guidance: This is for the use case of an end user in use cases where physical access is possible for a threat actor.

  * Applicability: Physical network interface
  * Reference: TR-SDEF
  * Objective: Secure by default
  * Preparation for the person testing the product, not the manufacturer: Physically examine the device for interfaces, read documentation
  * Activities: Attempt to use the interfaces without enabling the interface or otherwise removing protection
  * Verdict: No interface can be used => PASS, otherwise => FAIL
  * Evidence: List of interfaces, log of attempts to access
  * Preparation: Examine the documentation to find the physically accessible debug/management interfaces of the device
  * Activities: Examine the device for undocumented physical management interfaces, then attempt to access the documented interfaces without authorization
  * Verdict: No undocumented interfaces are found, no documented interfaces can be used without authorization other than those documented as necessary and the instructions to the user are sufficient => PASS, otherwise => FAIL
  * Evidence: List of interfaces, log of examinations, log of attempts to access

#### 5.2.X.x **MI-SDEE-3**: Network access to interfaces
#### 5.2.X.x **MI-SDEE-3**: Local software access to interfaces

All debug/remote management interfaces accessible via the network shall be protected or disabled by default.
All debug/remote management interfaces accessible via unprivileged users on the host system shall be protected or disabled by default, unless necessary for backward compatibility and use by an appropriately sophisticated user who has been sufficiently informed of the risk and how to mitigate it.

Guidance: For use case of end user depending on network access by threat actors.
Guidance: This is for the use case of an end user in use cases where local host system access is possible for a threat actor.

  * Applicability: Physical network interface
  * Reference: TR-SDEF
  * Objective: Secure by default
  * Preparation:
  * Activities:
  * Verdict: No interface can be used => PASS, otherwise => FAIL
  * Preparation: Examine the documentation of the network accessible interfaces of the product and follow the instructions to mitigate the risk of any necessary unprotected or enabled interfaces
  * Activities: Using a network scanner, scan the device for both documented and undocumented debug or remote management interfaces and determine whether they are enabled or protected
  * Verdict: No undocumented interfaces are found and no interfaces can be accessed without authorization other than those documented as necessary and the instructions to the user are sufficient => PASS, otherwise => FAIL
  * Evidence: List of interfaces, log of attempts to access

#### 5.2.X.x **MI-SDEE-4**: Network access to interfaces

All debug/remote management interfaces accessible via the network shall be protected or disabled by default FIXME.
All debug/remote management interfaces accessible via the network shall be protected or disabled by default, unless necessary for backward compatibility and use by an appropriately sophisticated user who has been sufficiently informed of the risk and how to mitigate it.

Guidance: For use case of end user for backwards compatibility with insecure protocols.
Guidance: This is for the use case of an end user in use cases where network access is possible for a threat actor.

  * Applicability: Physical network interface
  * Reference: TR-SDEF
  * Objective: Secure by default
  * Preparation:
  * Activities:
  * Verdict: No interface can be used => PASS, otherwise => FAIL
  * Preparation: Examine the documentation of the network accessible interfaces of the product and follow the instructions to mitigate the risk of any necessary unprotected or enabled interfaces
  * Activities: Using a network scanner, scan the device for both documented and undocumented debug or remote management interfaces and determine whether they are enabled or protected
  * Verdict: No undocumented interfaces are found and no interfaces can be accessed without authorization other than those documented as necessary and the instructions to the user are sufficient => PASS, otherwise => FAIL
  * Evidence: List of interfaces, log of attempts to access

#### 5.2.X.x Mapping of mitigations to risk factors and security profiles

| Risk factors | Requires mitigations       |
|--------------|----------------------|
| FIXME        | ADEF, DPAH           |
| FIXME        | SDEE-1, ADEF, DPAH   |
| FIXME        | SDEE-2, ADEF, DPAH   |
|--------------|----------------------------|
| PHY > 0      | SDEE-1, SDEE-2, ADEF, DPAH |
| SFT > 0      | SDEE-1, SDEE-3, ADEF, DPAH |
| NET > 0      | SDEE-1, SDEE-4, ADEF, DPAH |

| Security Profile       | Requires mitigations       |
|------------------|----------------------|
| FIXME            | ADEF, DPAH           |
| FIXME integrator | ADEF, DPAH, SDEE-1   |
| all others       | ADEF, DPAH, SDEE-2   |
|------------------------|----------------------------|
| WD-1                   | none                       |
| WD-2, WL-1             | SDEE-1, SDEE-4, ADEF, DPAH |
| VI-\*                  | SDEE-1, SDEE-3, ADEF, DPAH |
| WD-3, WD-4, WL-2, WL-3 | SDEE-\*, ADEF, DPAH        |

### 5.2.X **TR-SCUD**: Secure updates
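Review bot: the new MI-SDEE-3 (local software access) test procedure is a verbatim copy of the MI-SDEE-4 network procedure, so it never exercises what the requirement states. Its Preparation still says "Examine the documentation of the network accessible interfaces" and its Activities say "Using a network scanner, scan the device", but the requirement text is about interfaces "accessible via unprivileged users on the host system". The activities should instead be performed as an unprivileged account on the host (enumerate locally reachable debug/management endpoints such as local-only sockets and device nodes, then attempt access without elevating privilege) so the verdict is tied to local rather than network exposure; as written, a device that passes MI-SDEE-4 trivially passes MI-SDEE-3. Related: all four MI-SDEE requirements keep "Applicability: Physical network interface", which does not fit MI-SDEE-3 (local software) or the physically accessible debug ports of MI-SDEE-1/2; consider per-requirement applicability. Minor: the MI-SDEE-1 verdict has a typo, "following the documentation t protect or disable them" should read "to protect or disable them".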