Cybersecurity requirements for telematics systems developed in collaboration with motor freight carriers, telematics service providers and cybersecurity experts.
[these actions were reviewed by the RFPCTL workgroup April 28th 2021]
There are several UL 1376 requirements which we think could easily be added as xrefs to the existing TSRM requirements.
UL 1376 1.1 Remote software updates supported: Software updates must be supported, using network or wireless interfaces where available
add (UL 1376 1.1👆) xref to (TSRM) SII-011
UL 1376 1.3 Software update authentication: Software updates must be cryptographically authenticated, and provide anti-roll back features
add xref to SII-011
UL 1376 2.3 Protect sensitive data: Sensitive data must be protected against exposure and unauthenticated modification
add xref to SCP-010
UL 1376 3.1 Protect communication and debug ports: Communication and debug ports must be protected against misuse
add xref to CM-030
UL 1376 3.5 Software free from known vulnerabilities: System software should be free of publicly disclosed vulnerabilities
add xref to SII-021
UL 1376 3.9 Least privilege: Systems must implement 'least privilege', or utilize hardware based features to protect sensitive code and data
add xref to AC-010
UL 1376 4.1 Sensitive services require authentication: Sensitive services must require authentication and ensure the confidentiality and integrity of data
add xref to AC-030
UL 1376 6.2 Industry standard Wi-Fi security: Device must support industry accepted wireless security defaults for any Wi-Fi connections
add xref to AC-061
UL 1376 7.1 Documented patch / update process: A documented process for the distribution of patches/updates must be maintained
add xref to SII-021
UL 1376 2.4 Industry-standard cryptography: Industry standard cryptographic algorithms must be used for security services.
add xref to IA-030. AND switch NIST 800-53 xref to NIST 800-57 on IA-030
UL 1376 2.5 RNG with sufficient entropy: Random number generation must ensure sufficient entropy
add xref to IA-030
UL 1376 3.8 Logs or errors do not expose sensitive data: Logging and error messages must not expose sensitive data without authentication
add xref to SCP-020 and call out logs explicitly in the remarks
UL 1376 4.4 No direct execution of commands / scripts: No direct execution of scripts / commands using system interfaces and or user-facing components
add xref to CM-030 and call out script exec as bad in the remarks
UL 1376 6.1 Communications robust against replay and MITM attacks: Security sensitive communications must be robust against replay and MITM attacks
add xref to SCP-010 and "naive implementations of TLS clients could still be susceptible to replay and MiTM" or similar should be added to the remarks and validation steps
UL 1376 6.3 Authentication for remote communications: Connections to remote services must implement cryptographic authentication
add xref to AC-030 and re-word AC-030 to include the word cryptographic
UL 1376 6.4 Secure defaults and downgrade prevention: Security protocols must implement secure defaults, and prevent downgrade attacks
add xref to SCP-010 and add the configuration hardening notes about secure default configuration or downgrades to the remarks