nmfta-repo / nmfta-telematics_security_requirements

Cybersecurity requirements for telematics systems developed in collaboration with motor freight carriers, telematics service providers and cybersecurity experts.

add UL 1376 xrefs, remarks and more to the matrix #40

Closed jdaoust closed 2 years ago

jdaoust commented 3 years ago

All of the changes included in this pull request are in answer to issue #33, and thus the description of this issue contains a list of all the changes. Most of them are related to the UL 1376 document by either addition of new xrefs for certain requirements and/or additions in the Remarks and Verification columns of the matrix. One change was related to switching an xref from NIST 800-53 to NIST 800-57 (for requirement IA-030). Other small syntactic corrections were also made (e.g. addition of a space between two words where one was forgotten).

Here is a text diff of the TCRM xlsx:


diff --git a/PRE-MOD_TCRM.csv b/POST-MOD_TCRM.csv
index 49be237..ead620e 100755
--- a/PRE-MOD_TCRM.csv
+++ b/POST-MOD_TCRM.csv
@@ -26,7 +26,9 @@ NIST 800-53 r5 SC-2 (1) - SEPARATION OF SYSTEM AND USER FUNCTIONALITY | INTERFAC
 Prevent the presentation of system management functionality at interfaces to nonprivileged users.

 NIST 800-53 r5 AC-25 – REFERENCE MONITOR 
-Implement a reference monitor for [Assignment: organization-defined access control policies] that is tamperproof, always invoked, and small enough to be subject to analysis and testing, the completeness of which can be assured.","Inspection of vendor-supplied design documentation detailing the privilege separation of the device. Ensure that 1) a Mandatory Access Control scheme is employed 2) there are separate domains/users/roles (whichever is applicable to the MAC) for dealing with the sensitive information (vendor defined, see SCP-030) and finally 3) accounts for running system tasks (e.g. crond, portmap, systemd) are not in the separate domains/users/roles for dealing with sensitive information.",Medium,e.g. a Linux system with MAC configured to deny access to the processes dealing with protected data and also denying debugger access to the memory space of those processes.,"AC-010 (Protecting Data on Devices) - Vendor devices will implement least privilege for the memory spaces of processes handling protected data. i.e. data in-use, of the categories of sensitive protected data above, or shall be segmented from software components which do not handle such data. Acceptable segmentations include Mandatory Filesystem Access Controls and Mandatory Volatile Memory Access Controls.",Yes,Yes,Yes,Yes
+Implement a reference monitor for [Assignment: organization-defined access control policies] that is tamperproof, always invoked, and small enough to be subject to analysis and testing, the completeness of which can be assured.
+
+UL 1376 3.9 Least privilege: Systems must implement 'least privilege', or utilize hardware based features to protect sensitive code and data","Inspection of vendor-supplied design documentation detailing the privilege separation of the device. Ensure that 1) a Mandatory Access Control scheme is employed 2) there are separate domains/users/roles (whichever is applicable to the MAC) for dealing with the sensitive information (vendor defined, see SCP-030) and finally 3) accounts for running system tasks (e.g. crond, portmap, systemd) are not in the separate domains/users/roles for dealing with sensitive information.",Medium,e.g. a Linux system with MAC configured to deny access to the processes dealing with protected data and also denying debugger access to the memory space of those processes.,"AC-010 (Protecting Data on Devices) - Vendor devices will implement least privilege for the memory spaces of processes handling protected data. i.e. data in-use, of the categories of sensitive protected data above, or shall be segmented from software components which do not handle such data. Acceptable segmentations include Mandatory Filesystem Access Controls and Mandatory Volatile Memory Access Controls.",Yes,Yes,Yes,Yes
 "Mobile App;
 Physical In-Cab Device;
 Connectivity/Communications;
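Review bot: The new "UL 1376 3.9 Least privilege" xref on the `+UL 1376 3.9` line explicitly allows "hardware based features to protect sensitive code and data", but the Verification column on the same row still requires that "1) a Mandatory Access Control scheme is employed", so a vendor meeting AC-010 through hardware isolation would pass the xref and fail the verification. Either amend the verification text to accept hardware-based isolation of the protected processes as an alternative to MAC, or add a remark stating that the UL 1376 xref is informative only and MAC remains the tested control.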
@@ -50,17 +52,21 @@ OWASP E5 – Identity Management","Inspection of vendor documentation or a demon
 "Mobile App;
 Physical In-Cab Device;
 Connectivity/Communications;
-Cloud or Back-end;",AC-030,Access Control,The vendor's system shall employ authentication to prevent unauthorized access to telematics systems and data.,"NIST 800-53 r5 AC-6 – LEAST PRIVILEGE
+Cloud or Back-end;",AC-030,Access Control,The vendor's system shall employ cryptographic authentication to prevent unauthorized access to telematics systems and data.,"NIST 800-53 r5 AC-6 – LEAST PRIVILEGE
 Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned organizational tasks.

 NIST 800-53 r5 AC-3 – ACCESS ENFORCEMENT 
 Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.

-FMCSA GDL 32 Make sure local wireless interfaces like Bluetooth or Wi-Fi don't provide admin access without authentication.","Inspection of vendor documentation detailing the methods used to authenticate users. Ensure that an acceptable method of authentication is available for all components which be interfaced-to by carrier staff and systems.
+FMCSA GDL 32 Make sure local wireless interfaces like Bluetooth or Wi-Fi don't provide admin access without authentication.
+
+UL 1376 4.1 Sensitive services require authentication: Sensitive services must require authentication and ensure the confidentiality and integrity of data
+
+UL 1376 6.3 Authentication for remote communications: Connections to remote services must implement cryptographic authentication","Inspection of vendor documentation detailing the methods used to authenticate users. Ensure that an acceptable method of authentication is available for all components which be interfaced-to by carrier staff and systems.

 In the case of single-sign-on delegation, ensure that your (carrier) system requirements are met with respect to security assertions (e.g. SAML is supported).",High," Identity management is critical

-e.g. PINs, single-sign on with carrier’s identity provider (SAML or other), vendor managed identity provider (SAML or other)",AC-030 (Access Control) - The vendor's system shall employ authentication to prevent unauthorized access to telematics systems and data.,Yes,Yes,Yes,Yes
+e.g. PINs, single-sign on with carrier’s identity provider (SAML or other), vendor managed identity provider (SAML or other)",AC-030 (Access Control) - The vendor's system shall employ cryptographic authentication to prevent unauthorized access to telematics systems and data.,Yes,Yes,Yes,Yes
 "Mobile App;
 Physical In-Cab Device;
 Connectivity/Communications;
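Review bot: The edit on the `+Cloud or Back-end;",AC-030,...` line changes the requirement text itself from "employ authentication" to "employ cryptographic authentication" (and mirrors it in the summary cell on the `+e.g. PINs, ...` line), which is a strengthening of the requirement rather than an xref addition and is not called out in the PR description. The Remarks on that same row still list "PINs" as an acceptable example, which is not cryptographic authentication in the sense of UL 1376 6.3, so either the example list or the requirement wording should be reconciled. While this cell is being rewritten, the verification sentence "all components which be interfaced-to by carrier staff" is missing a word ("which can be interfaced-to").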
@@ -87,7 +93,9 @@ Connectivity/Communications;",AC-060,Access Control,"For all components of the s
 a. Establish configuration requirements, connection requirements, and implementation guidance for each type of wireless access; and
 b. Authorize each type of wireless access to the system prior to allowing such connections.","Inspection of vendor-supplied documentation detailing what wireless communications hardware is present, which wireless communications methods can be disabled, and how wireless communications enablement or disablement is managed.",Medium,"e.g. Bluetooth, cellular, satellite, Wi-Fi hotspot, Wi-Fi client, infrared, NFC, RFID","AC-060 (Access Control) - For all components of the system, the vendor shall provide a listing of all wireless communication interfaces to the system and specify how the interfaces can be configured and/or disabled.",No,Yes,Yes,No
 "Physical In-Cab Device;
-Connectivity/Communications;",AC-061,Access Control,"The vendor shall not use any deprecated encryption+authentication on any WiFi interface of the device. At the time of drafting this includes WEP, WPS or open/none.","FMCSA GDL 39 Only use WPA2 authentication / encryption. Never use WEP, WPS, or “open” Wi-Fi.","Test that the device will not connect to WEP, WPS or open Wi-Fi hotspots.",Medium,,"AC-061 (Access Control) - The vendor shall not use any deprecated encryption+authentication on any WiFi interface of the device. At the time of drafting this includes WEP, WPS or open/none.",No,Yes,Yes,No
+Connectivity/Communications;",AC-061,Access Control,"The vendor shall not use any deprecated encryption+authentication on any WiFi interface of the device. At the time of drafting this includes WEP, WPS or open/none.","FMCSA GDL 39 Only use WPA2 authentication / encryption. Never use WEP, WPS, or “open” Wi-Fi.
+
+UL 1376 6.2 Industry standard Wi-Fi security: Device must support industry accepted wireless security defaults for any Wi-Fi connections","Test that the device will not connect to WEP, WPS or open Wi-Fi hotspots.",Medium,,"AC-061 (Access Control) - The vendor shall not use any deprecated encryption+authentication on any WiFi interface of the device. At the time of drafting this includes WEP, WPS or open/none.",No,Yes,Yes,No
 "Physical In-Cab Device;
 Connectivity/Communications;",AC-062,Access Control,"The vendor shall implement, for all bluetooth interfaces,  pairing that must be specifically allowed by physical controls on the device and be time-limited. Furthermore, pairing will not use legacy pairing or passkey entry.","FMCSA GDL 44 Make sure Bluetooth devices support and use Secure Simple Pairing (SSP) rather than legacy pairing.

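Review bot: The "UL 1376 6.2 Industry standard Wi-Fi security" xref added on the `+UL 1376 6.2` line covers "any Wi-Fi connections", and AC-061 itself says "any WiFi interface of the device", but the Verification column on the same row only tests that "the device will not connect to WEP, WPS or open Wi-Fi hotspots", i.e. client mode. AC-060 in the preceding hunk lists "Wi-Fi hotspot" as one of the device's own interfaces, so the verification should also state that the device's own access point mode does not offer WEP, WPS or open networks.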
@@ -151,9 +159,15 @@ FMCSA GDL 54 Disable unnecessary debugging interfaces in production.

 FMCSA GDL 55 Authenticate debugging and diagnostic interfaces.

-OWASP E7 – Usage of Debug Code and Interfaces","Inspection of vendor-supplied documentation detailing all service (listening ports or outbound connections) available on deployed devices.
+OWASP E7 – Usage of Debug Code and Interfaces
+
+UL 1376 3.1 Protect communication and debug ports: Communication and debug ports must be protected against misuse

-Ensure that there are no services for test or debug active in the device. Ideally, look for assurances that any test or debug executables cannot be run on the device.",High, Deploying with test or debug facilities enabled is egregious,CM-030 (Configuration Management) - Vendor ensures that any and all interfaces used for testing or debug are unavailalbe in production builds of the devices,Yes,Yes,Yes,Yes
+UL 1376 4.4 No direct execution of commands / scripts: No direct execution of scripts / commands using system interfaces and or user-facing components","Inspection of vendor-supplied documentation detailing all service (listening ports or outbound connections) available on deployed devices.
+
+Ensure that there are no services for test or debug active in the device. Ideally, look for assurances that any test or debug executables cannot be run on the device.",High,"Deploying with test or debug facilities enabled is egregious.
+
+Functionality that allows for the direct execution of scripts or commands by the device or system can often be exploited by a malicious party and therefore must be disabled.",CM-030 (Configuration Management) - Vendor ensures that any and all interfaces used for testing or debug are unavailalbe in production builds of the devices,Yes,Yes,Yes,Yes
 "Mobile App;
 Physical In-Cab Device;
 Connectivity/Communications;
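Review bot: The rewritten CM-030 row on the `+Functionality that allows ...` line carries over two typos from the replaced line: "unavailalbe" should be "unavailable" in the summary cell, and "detailing all service (listening ports or outbound connections)" on the `+UL 1376 4.4` line should read "all services". Since the line is already being changed, fix both here. Also, the new "UL 1376 4.4 No direct execution of commands / scripts" xref has no corresponding verification step; the Verification column only checks for test/debug services, so consider adding a check that no interface accepts scripts or shell commands for execution.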
@@ -180,14 +194,12 @@ Where public information is any information that is visible (externally or inter
 "Mobile App;
 Physical In-Cab Device;
 Connectivity/Communications;
-Cloud or Back-end;",IA-030,Identification and Authentication,Cryptographic modules used in the vendors system shall be compliant with Federal Information Processing Standards (FIPS) 140-2: Level 1.,"NIST 800-53 r5 IA-7 – CRYPTOGRAPHIC MODULE AUTHENTICATION 
-Implement mechanisms for authentication to a cryptographic module that meet the requirements of applicable laws, executive orders, directives, policies, regulations, standards, and guidelines for such authentication.
-
+Cloud or Back-end;",IA-030,Identification and Authentication,Cryptographic modules used in the vendors system shall be compliant with Federal Information Processing Standards (FIPS) 140-2: Level 1.,"NIST 800-57 Part 3 r1 - 2.3.3 Cryptographic Modules
+3. Ensure that relying party and user cryptographic modules are validated as meeting FIPS 140-2 Level 1 or higher.

+UL 1376 2.4 Industry-standard cryptography: Industry standard cryptographic algorithms must be used for security services.

-
-
-","Inspection of vendor-supplied documentation detailing their procurement requirements for cryptographic modules. 
+UL 1376 2.5 RNG with sufficient entropy: Random number generation must ensure sufficient entropy","Inspection of vendor-supplied documentation detailing their procurement requirements for cryptographic modules. 

 Ensure that their procurement processes require that all cryptographic modules are FIPS 140-2 compliant.",Medium,"e.g.
 • For each attempt to use the authentication mechanism, the probability shall be less than one in 1,000,000 that a random attempt will succeed, or a false acceptance will occur (e.g., guessing a password or PIN, false acceptance error rate of a biometric device, or some combination of authentication methods)
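Review bot: The new "UL 1376 2.5 RNG with sufficient entropy" xref on the `+UL 1376 2.5` line has no matching item in the Verification column, which still only says "Ensure that their procurement processes require that all cryptographic modules are FIPS 140-2 compliant." If the intent is that FIPS 140-2 validation of the module already covers the approved random number generator, say so in the Remarks; otherwise add a verification item for the entropy source. The swap from NIST 800-53 IA-7 to NIST 800-57 Part 3 2.3.3 on the `+Cloud or Back-end;",IA-030` line reads as a better fit for a FIPS 140-2 compliance requirement, and the removal of the three stray empty lines in the cell is a welcome cleanup.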
@@ -387,7 +399,7 @@ CAIQ GRM-04.2 Do you review your Information Security Management Program (ISMP)

 ISO/IEC 27001 ISMS","Inspection of vendor-supplied documentation detailing their ISMP/ISMS.

-Note that an ISMP is broad and includes aspects which are covered by other requirements in this document. In cases where there is both a requirement here and in the ISMP, ensure that the requirement in this document is satisfied over what is stated in an ISMP.",High,"Sometimes referred to as ISMS as inISO/IEC 2700.
+Note that an ISMP is broad and includes aspects which are covered by other requirements in this document. In cases where there is both a requirement here and in the ISMP, ensure that the requirement in this document is satisfied over what is stated in an ISMP.",High,"Sometimes referred to as ISMS as in ISO/IEC 2700.

 May include any of the following:
 System interconnections, System monitoring plan, 
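Review bot: The fix on the `+Note that an ISMP is broad ...` line corrects the missing space in "in ISO/IEC 2700", but "ISO/IEC 2700" is itself truncated: the xref cell two lines above in this hunk says "ISO/IEC 27001 ISMS", so the remark should read "ISO/IEC 27001" (or "the ISO/IEC 27000 series" if the broader family is meant). Since this line is being touched anyway, correct the standard number at the same time.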
@@ -448,9 +460,21 @@ FMCSA GDL 47 Use authentication on all wireless interfaces

 FMCSA GDL 25 Assume satellite communication channels have unknown security vulnerabilities and might become compromised at any time.

-OWASP E8 – Transport Layer Security","Inspection of a 3rd party implementation review report or a demonstration by the vendor that asserts the use of cryptographic protections for the confidentiality and integrity of all external communications channels. The cryptographic protections must be industry standard.
+OWASP E8 – Transport Layer Security
+
+UL 1376 2.3 Protect sensitive data: Sensitive data must be protected against exposure and unauthenticated modification

-(rationale: cryptography must be validated by experts in the subject)",High,Underpins device functionality and security,SCP-010 (Protecting Communications paths for systems) - Communication paths that traverse outside controlled boundaries must protect confidentiality and integrity of data,Yes,Yes,Yes,Yes
+UL 1376 6.1 Communications robust against replay and MITM attacks: Security sensitive communications must be robust against replay and MITM attacks
+
+UL 1376 6.4 Secure defaults and downgrade prevention: Security protocols must implement secure defaults, and prevent downgrade attacks","Inspection of a 3rd party implementation review report or a demonstration by the vendor that asserts the use of cryptographic protections for the confidentiality and integrity of all external communications channels. The cryptographic protections must be industry standard.
+
+Ensure that any implementations of TLS clients are not still susceptible to replay and MiTM attacks.
+
+(rationale: cryptography must be validated by experts in the subject)",High,"Underpins device functionality and security.
+
+Naive implementations of TLS clients could still be susceptible to replay and MiTM attacks.
+
+The default configuration must be secure in order to prevent downgrade attacks. ",SCP-010 (Protecting Communications paths for systems) - Communication paths that traverse outside controlled boundaries must protect confidentiality and integrity of data,Yes,Yes,Yes,Yes
 "Mobile App;
 Vehicle Connection;
 Connectivity/Communications;
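Review bot: The new verification sentence on the `+Ensure that any implementations of TLS clients are not still susceptible to replay and MiTM attacks.` line is not testable as written; a reviewer needs concrete checks. Suggest spelling out what a TLS client must do to satisfy UL 1376 6.1 and 6.4: validate the server certificate chain to a trusted root, verify the hostname, and refuse protocol version or cipher downgrade, so that "secure defaults" on the `+UL 1376 6.4` line has a measurable meaning. Two style points in the same cell: the hunk mixes "MITM" (in the UL 1376 6.1 text) with "MiTM" (in the verification and remarks), and the remarks cell on the `+The default configuration must be secure ...` line ends with a trailing space before the closing quote.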
@@ -469,7 +493,11 @@ Implement cryptographic mechanisms to prevent unauthorized disclosure and modifi
 NIST 800-53 r5 SC-28 (2) - PROTECTION OF INFORMATION AT REST | OFFLINE STORAGE 
 Remove the following information from online storage and store offline in a secure location: [Assignment: organization-defined information].

-OWASP E4 – Securing Sensitive Information","Inspection of a 3rd party implementation review report or a demonstration by the vendor that asserts the use of cryptographic confidentiality protections on storage of sensitive data (class defined by vendor, see SCP-030). The protections must be industry standard and keys must be managed to protect them from leaks as well. (rationale: cryptography must be validated by experts in the subject)",High,"Failing to adequately protect PII can incur large fines
+OWASP E4 – Securing Sensitive Information
+
+UL 1376 3.8 Logs or errors do not expose sensitive data: Logging and error messages must not expose sensitive data without authentication","Inspection of a 3rd party implementation review report or a demonstration by the vendor that asserts the use of cryptographic confidentiality protections on storage of sensitive data (class defined by vendor, see SCP-030). The protections must be industry standard and keys must be managed to protect them from leaks as well. (rationale: cryptography must be validated by experts in the subject)",High,"Failing to adequately protect PII can incur large fines
+
+Logs and error messages must not expose PII without authentication.

 e.g. this applies also to apps on mobile where data is cached until it can be synced to other vehicle-connected devices. This data must be encrypted as per this requirement.

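Review bot: The added remark on the `+Logs and error messages must not expose PII without authentication.` line narrows the scope of the UL 1376 3.8 xref, which says "sensitive data", to PII, whereas the requirement row it sits on covers "sensitive data (class defined by vendor, see SCP-030)". Align the remark with the vendor-defined class rather than PII only. The Verification column on this row is unchanged and still only covers cryptographic protection of data at rest, so nothing here tells an assessor to inspect log output and error responses; add a verification item for that if the xref is meant to be enforced.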
@@ -653,6 +681,10 @@ FMCSA GDL 35 Prevent the attacker from reinstalling a legitimate but known-vulne
 FMCSA GDL 36 Make sure you can revoke and replace cryptographic keys.

 OWASP E3 – Firmware Updates and Cryptographic Signatures
+
+UL 1376 1.1 Remote software updates supported: Software updates must be supported, using network or wireless interfaces where available
+
+UL 1376 1.3 Software update authentication: Software updates must be cryptographically authenticated, and provide anti-roll back features
 ","Test that a) a modified update is rejected b) a modified update signed by any key other than the manufacturer is rejected c) a previous version cannot be reinstalled.

 If this facility is not in motor freight carrier control; then inspection of a report from the vendor showing tests of the above.",Medium,,SII-011 (Protecting Firmware on Devices) - The vendor shall implement/deploy secure over the air update systems including assurances of integrity&authenticity. Also rollback protections and a means of denying the use of old potentially compromised signing keys.,Yes,Yes,Yes,Yes
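Review bot: The "UL 1376 1.1 Remote software updates supported" xref added on the `+UL 1376 1.1` line is a positive capability ("updates must be supported, using network or wireless interfaces where available"), but the Verification column on this row contains only negative tests: a modified update is rejected, a foreign-key signature is rejected, and a previous version cannot be reinstalled. Consider adding a test d) that a correctly signed, newer update is accepted and applied over the network interface, so that 1.1 is actually verified and not only 1.3. The placement of the new entries before the closing `",` line keeps the cell well-formed.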
@@ -680,7 +712,7 @@ FMCSA GDL 8 Decide early who is in charge of creating, implementing and maintain
 Vehicle Connection;
 Connectivity/Communications;
 Cloud or Back-end;
-",SII-021,Protecting Firmware on Devices," Identified vulnerabilities are remediated or mitigated using suitable compensating controls on a timeline predicated by the severity of the vulnerability identified. Taking no longer than the following elapsed times: high in 30d, moderate in 90d and low in 180d.
+",SII-021,Protecting Firmware on Devices,"Identified vulnerabilities are remediated or mitigated using suitable compensating controls on a timeline predicated by the severity of the vulnerability identified. Taking no longer than the following elapsed times: high in 30d, moderate in 90d and low in 180d.

 Vendors shall provide a document that defines vulnerabilities severities (e.g. CVSS). Negotiation of mutually aggregable exceptions to the remediation timelines is acceptable to compensate for cases where the complexity of remediation or mitigations of the vulnerability is prohibitively expensive to execute in the prescribed timeline. In general, the timelines of remediation can be agreed -to in a SLA.","NIST 800-53 r5 SI-2 - FLAW REMEDIATION
 a. Identify, report, and correct system flaws;
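Review bot: The change on the `+",SII-021,Protecting Firmware on Devices,"Identified vulnerabilities ...` line only drops a leading space, but the same requirement cell continues on the following context line with "mutually aggregable exceptions" (should be "mutually agreeable") and "agreed -to in a SLA" (stray space before "to"). Since the PR description states that small syntactic corrections are in scope, fix these in the same cell rather than leaving them for another pass.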
@@ -695,7 +727,11 @@ CTIA CCTPID 3.5 Patch Management

 FedRAMP CSP CMSG B Row 10 – Vulnerability Scanning CSPs must mitigate all discovered high-risk vulnerabilities within 30 days, mitigate moderate vulnerability risks in 90 days, and mitigate low vulnerability risks in 180 days. CSPs must send their Reviewer updated artifacts every 30 days to show evidence that outstanding high-risk vulnerabilities have been mitigated

-FMCSA GDL 8 Decide early who is in charge of creating, implementing and maintaining software/firmware updates for a device when a vulnerability emerges and ensure these guidelines are met.",Inspection of vendor supplied documentation detailing the methods used to update software components across vendor’s infrastructure. Ensure that it is possible to remediate a vulnerability with an identified high severity (30d).,Medium,-,"SII-021 (Protecting Firmware on Devices) -  Identified vulnerabilities are remediated or mitigated using suitable compensating controls on a timeline predicated by the severity of the vulnerability identified. Taking no longer than the following elapsed times: high in 30d, moderate in 90d and low in 180d.
+FMCSA GDL 8 Decide early who is in charge of creating, implementing and maintaining software/firmware updates for a device when a vulnerability emerges and ensure these guidelines are met.
+
+UL 1376 3.5 Software free from known vulnerabilities: System software should be free of publicly disclosed vulnerabilities
+
+UL 1376 7.1 Documented patch / update process: A documented process for the distribution of patches/updates must be maintained",Inspection of vendor supplied documentation detailing the methods used to update software components across vendor’s infrastructure. Ensure that it is possible to remediate a vulnerability with an identified high severity (30d).,Medium,-,"SII-021 (Protecting Firmware on Devices) - Identified vulnerabilities are remediated or mitigated using suitable compensating controls on a timeline predicated by the severity of the vulnerability identified. Taking no longer than the following elapsed times: high in 30d, moderate in 90d and low in 180d.

 Vendors shall provide a document that defines vulnerabilities severities (e.g. CVSS). Negotiation of mutually aggregable exceptions to the remediation timelines is acceptable to compensate for cases where the complexity of remediation or mitigations of the vulnerability is prohibitively expensive to execute in the prescribed timeline. In general, the timelines of remediation can be agreed -to in a SLA.",Yes,Yes,Yes,Yes
 "Mobile App;
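Review bot: The "UL 1376 7.1 Documented patch / update process" xref added on the `+UL 1376 7.1` line asks for a documented distribution process, yet the Verification column on the same line only checks that "it is possible to remediate a vulnerability with an identified high severity (30d)"; add a check that the vendor's update-distribution process document exists and is inspected. Note also that UL 1376 3.5 on the `+UL 1376 3.5` line is a "should" statement while SII-021 is a "shall" requirement with fixed 30/90/180 day timelines, so a remark clarifying that the matrix requirement takes precedence would help, consistent with how the ISMP row in an earlier hunk handles overlapping sources. The "mutually aggregable" typo repeats in the unchanged summary cell on the following context line.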