nmfta-repo / nmfta-telematics_security_requirements

Cybersecurity requirements for telematics systems developed in collaboration with motor freight carriers, telematics service providers and cybersecurity experts.

new TCRM reqs from UL1376 #44

Closed BenGardiner closed 2 years ago

BenGardiner commented 3 years ago

continuation of #42 "As per the contents of Issue #31, new requirements have been made to expand the matrix based on some UL1376 requirements that did not have an equivalent in the TCRM."

BenGardiner commented 2 years ago

Here's a diff of the changes proposed here (first sheet with autogenerated columns removed)

--- "Telematics Cybersecurity Requirements Matrix 20220201.csv" 2022-02-01 15:22:15.125956800 -0500
+++ "Telematics Cybersecurity Requirements Matrix.csv"  2022-02-02 19:12:58.812654500 -0500
@@ -85,7 +85,9 @@ a. Enforce a limit of [Assignment: organ
 b. Automatically [Selection (one or more): lock the account or node for an [Assignment: organization-defined time period]; lock the account or node until released by an administrator; delay next logon prompt per [Assignment: organization-defined delay algorithm]; notify system administrator; take other [Assignment: organization-defined action]] when the maximum 
 number of unsuccessful attempts is exceeded.

-CTIA CCTPID 5.2 Password Management Test",Inspection of vendor-supplied documentation detailing the methods used to enforce rate limiting.,Medium,-,No,No,No,Yes
+CTIA CCTPID 5.2 Password Management Test
+
+UL 1376 2.8 Brute force protection: Implement protection against brute force attacks",Inspection of vendor-supplied documentation detailing the methods used to enforce rate limiting.,Medium,-,No,No,No,Yes
 AC-080,Device-Local Authentication,All authentication offered on device-local interfaces shall expect credentials which are unique to each device instance and uncorrelated to any and all public information about the device.,"ETSI EN 303 645 V2.1.0 Provision 5.1-1 Where passwords are used and in any state other than the factory default, all consumer IoT device passwords shall be unique per device or defined by the user.

 FMCSA GDL 32 Make sure local wireless interfaces like Bluetooth or Wi-Fi don't provide admin access without authentication.
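Review bot: The verification text for this rate-limiting row is untouched, so the newly cited UL 1376 2.8 ("Implement protection against brute force attacks") is still only verified by inspecting documentation about rate limiting, and nothing exercises the lockout or delay behaviour listed under b. in the requirement text. Consider extending the verification to a functional check (confirm the account or node locks or delays after the configured number of failed attempts), or at least clarify the split with the new SCP-140 row later in this patch, which cites the same UL clause for password hashing and access limits, so the two rows divide the UL 1376 2.8 scope between them without gaps.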
@@ -140,6 +142,7 @@ UL 1376 4.4 No direct execution of comma
 Ensure that there are no services for test or debug active in the device. Ideally, look for assurances that any test or debug executables cannot be run on the device.",High,"Deploying with test or debug facilities enabled is egregious.

 Functionality that allows for the direct execution of scripts or commands by the device or system can often be exploited by a malicious party and therefore must be disabled.",Yes,Yes,Yes,Yes
+CM-040,Configuration Management,"The vendors’ devices shall have a default system configuration that ensures security ‘out of the box’. In other words, the default configuration should be the most-secure and any additional features should be disabled by default and have their security implications communicated in documentation.",UL 1376 3.2 Systems configured to secure defaults: Systems must be configured to secure defaults,Inspection of vendor-supplied documentation confirming that a) all device configuration options have their security tradeoffs documented and that b) the device’s default configuration is the most-secure.,High,Sufficient customer guidance should be provided to allow for that customer to understand the risks associated with enabling any insecure features of the device.,Yes,Yes,Yes,Yes
 IA-010,Identification and Authentication,All remote hosts of the vendor's system shall be configured to uniquely identify and authenticate all other remote hosts of the system and/or any other interfacing systems.,"NIST 800-53 r5 IA-3 – DEVICE IDENTIFICATION AND AUTHENTICATION 
 Uniquely identify and authenticate [Assignment: organization-defined devices and/or types of devices] before establishing a [Selection (one or more): local; remote; network] connection.","Inspection of vendor-supplied documentation detailing how devices and components are uniquely identified.

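Review bot: In the new CM-040 row, "the device’s default configuration is the most-secure" is not something an inspector can confirm, since there is no single most secure configuration to compare against; consider rewording both the requirement and the verification as "secure by default", i.e. every optional feature that widens the attack surface is disabled until explicitly enabled and has its security implications documented. Two style points: the row uses "The vendors’ devices" (plural, typographic apostrophe) while the surrounding rows use "The vendor's" (singular, straight apostrophe); and the reference cell repeats the clause title as its own text ("Systems configured to secure defaults: Systems must be configured to secure defaults"), which is consistent with the other UL 1376 citations in this patch but reads as duplication.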
@@ -215,6 +218,7 @@ M-031,Disposal of Goods,"The vendor's di

 NIST 800-88 R1",Inspection of vendor-supplied documentation detailing their disposal of goods procedures; confirm that disposal of systems in skips or landfills is not allowed unless the systems have been purged or cleared.,Medium,,No,No,No,Yes
 M-032,Disposal of Goods,"The vendor's processes to remove previously stored information must include acceptable processes for magnetic media, solid-state media, printers, scanners, laptops, smartphones, server and deskstop computers.",NIST 800-88 R1 Appendix A -- Minimum Sanitization Recommendations,"Inspection of vendor-supplied documentation detailing their disposal of goods procedures; confirm that there are procedures that cover all of magnetic media, solid-state media, printers, scanners, laptops, smartphones, server and desktop computers",Low,,No,No,No,Yes
+M-040,Maintenance,Vendors must provide manual backup/override capabilities to their safety related services to ensure that any failure of the device does not result in a safety issue.,UL 1376 4.3 Manual back-up / override for safety critical operations: Manual backup/override must be provided for safety related services,Inspection of vendor-supplied documentation detailing the system’s safety related services and the manual backup/override associated with them. Test the manual override capabilities to confirm their functionality.,High,,No,Yes,Yes,No
 P-010,Planning,The vendor shall have a System Security Plan (SSP) which details a clear and concise understanding of authorization boundaries of the telematics system.,"NIST 800-53 r5 PL-2 - SECURITY AND PRIVACY PLANS 
 a. Develop security and privacy plans for the system that:
   1. Are consistent with the organization’s enterprise architecture;
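Review bot: The new M-040 row carries priority High but leaves the rationale column empty, unlike the other High row added in this patch (CM-040) and the existing secure-boot row, which explains why it matters; a one-line rationale stating why a device failure must not be allowed to become a safety issue would help readers triage it. Also consider aligning the wording with the matrix convention: "Vendors must provide" versus "The vendor shall", and "safety related" should be hyphenated as "safety-related" when used adjectivally ("safety-related services").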
@@ -245,7 +249,7 @@ a. Develop security and privacy architec
   3. Describe how the architectures are integrated into and support the enterprise architecture; and
   4. Describe any assumptions about, and dependencies on, external systems and services;
 b. Review and update the architectures [Assignment: organization-defined frequency] to reflect changes in the enterprise architecture; and
-c. Reflect planned architecture changes in security and privacy plans, Concept of Operations (CONOPS), criticality analysis, organizational procedures, and procurements and acquisitions.","·         Inspection of vendor-supplied ISA documentation.
+c. Reflect planned architecture changes in security and privacy plans, Concept of Operations (CONOPS), criticality analysis, organizational procedures, and procurements and acquisitions.","Inspection of vendor-supplied ISA documentation.

 Ensure that the ISA document at a minimum includes:
 Approach to confidentiality, integrity, and availability protections
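Review bot: Removing the stray "·" bullet and run of spaces from the start of the verification cell is the right fix, and the context lines that follow ("Ensure that the ISA document at a minimum includes:", "Approach to confidentiality, integrity, and availability protections") carry no bullet, so this cell reads cleanly after the change. Since that character pattern typically comes from a word-processor export, it is worth searching the whole CSV for the same "·" sequence so any other affected cells are fixed in the same commit rather than one hunk at a time.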
@@ -379,6 +383,9 @@ SAA-040,System and Service Acquisition,T
 Assess and review the supply chain-related risks associated with suppliers or contractors and the system, system component, or system service they provide [Assignment: organization-defined frequency].

 FMCSA GDL 6 Perform your own security due diligence, which involves but is not limited to ensuring that third-party devices in the supply chain meet your basic security requirements.",Inspection of vendor documentation detailing supplier review and acceptance processes and criteria.,Low,-,Yes,Yes,Yes,Yes
+SAA-050,Security Management,"Cryptographic keys used in the vendors’ systems must be generated, stored and managed according to industry best practice.","UL 1376 2.6 Industry best practice key management: Cryptographic keys must be managed to industry best practice
+
+NIST 800-57",Inspection of vendor-supplied documentation detailing the adherence to industry best practices. ,High,-,Yes,Yes,Yes,Yes
 SCP-010,Protecting Communications paths for systems,Communication paths that traverse outside controlled boundaries must protect confidentiality and integrity of data,"NIST 800-53 r5 SC-8 (1) - TRANSMISSION CONFIDENTIALITY AND INTEGRITY | CRYPTOGRAPHIC PROTECTION 
 Implement cryptographic mechanisms to [Selection (one or more): prevent unauthorized disclosure of information; detect changes to information] during transmission.

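Review bot: The new SAA-050 row is categorised "Security Management", but the SAA- prefix is used for "System and Service Acquisition" (see SAA-040 in the hunk header), so either the ID prefix or the category is off; unless the intent is specifically supplier-side key handling, key management would sit more naturally with the cryptographic and communications rows. Two smaller points: "NIST 800-57" is a multi-part series (Part 1 is the general key-management recommendation), so cite the part being relied on; and the verification cell has a trailing space before its comma ("...industry best practices. ,High"), which will survive into the CSV.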
@@ -498,6 +505,7 @@ Certificate pinning in clients -- when c
 SCP-091,System and Communication Protocols,The vendor shall implement checks for expired certificates and ensure the ability to remove trust in any given root certificate authority from their systems and devices PKI implementations.,"FMCSA GDL 51 Check whether keys have expired or been revoked.

 FMCSA GDL 52 Ensure the ability to remove a Root CA’s certificate.","Test that root certificate trust can be removed. This should result in failure to establish communications or a failure to validate updates, depending on which system is being tested.",Medium,,Yes,No,Yes,Yes
+SCP-092,System and Communication Protocols,The vendors’ systems shall implement protection of remote communication sessions by implementation of an inactivity timer that disconnects / de-authenticates the user after no more than 5 minutes of inactivity.,"UL 1376 4.5 Sensitive services implement session management: System management services accessible over wireless and IP interfaces must implement session management to limit multiple sessions, and ensure on-going authentication","For each role used in the clour or back-end syste: test that a session for a user with that role is automatically disconnected / de-authenticated after no more than five minutes of inactivity, or a documented maximum inactivity delay. This test is especially important for high-privilege or admin roles.",Medium,,No,No,No,Yes
 SCP-100,System and Communication Protocols,The vendor's system shall separate execution domains and/or processes (i.e. process isolation within both the telematics device and back-end system and between the serial communications in the telematics device and the interface to the vehicle network),"NIST 800-53 r5 SC-39 - PROCESS ISOLATION 
 Maintain a separate execution domain for each executing system process.

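Review bot: The verification text for the new SCP-092 row has two typos, "clour" for "cloud" and "syste" for "system", and it also contradicts the requirement: the requirement fixes the timeout at "no more than 5 minutes", while the verification accepts "or a documented maximum inactivity delay", which lets a vendor document any value. Pick one (a hard limit, or a documented maximum with a stated ceiling) and say the same thing in both cells. Separately, the cited UL 1376 4.5 also asks for session management to "limit multiple sessions" and ensure "on-going authentication", but the requirement only covers the inactivity timeout; if concurrent-session limits are meant to be covered, add them here or note which row does.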
@@ -525,6 +533,7 @@ FMCSA GDL 24 Don’t support 2G on cellu
 FMCSA GDL 25 Assume satellite communication channels have unknown security vulnerabilities and might become compromised at any time.

 ",Inspection of vendor documentation confirming secured configuration of any wireless and or satellite interfaces. Confirm especially that there are no downgrades of communications protocols possible.,Medium,,Yes,No,Yes,Yes
+SCP-140,Protecting Data on Devices,"Vendors must ensure that their authentication mechanism is protected against brute force attacks. This includes ensuring that any password storage functions provide sufficient security through the use of industry best practice hashing mechanisms (such as BCrypt), as well as providing limits on access to sensitive services.",UL 1376 2.8 Brute force protection: Implement protection against brute force attacks,Inspection of 3rd party documentation of a demonstration by the vendor that asserts that hash cracking the stored passwords (hashes) is too expensive to be practical..,Low,,Yes,Yes,Yes,No
 SII-010,Protecting Firmware on Devices,"The vendor shall have a process for remediating flaws in deployed telematics devices and backend systems.

 In the case of telematics devices, firmware update capabilities are important to be able to remediate all flaws that could be located in the device.","NIST 800-53 r5 SI-2 - FLAW REMEDIATION
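Review bot: The SCP-140 verification only checks that "hash cracking the stored passwords (hashes) is too expensive", but the requirement also demands "limits on access to sensitive services", which nothing in the verification exercises; either add a check for that (it overlaps with the rate-limiting row earlier in this patch, which now cites the same UL 1376 2.8) or narrow the requirement to password storage. Minor: the category "Protecting Data on Devices" is new for an SCP- ID (the neighbouring rows use "System and Communication Protocols"), "BCrypt" is conventionally written "bcrypt", and the verification cell ends with a doubled period ("practical..").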
@@ -620,6 +629,9 @@ Implement the following mechanisms to pr

 NIST 800-53 r5 SI-7 (15) - SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | CODE AUTHENTICATION 
 Implement cryptographic mechanisms to authenticate the following software or firmware components prior to installation: [Assignment: organization-defined software or firmware components].",Inspection of a 3rd party implementation review report or a demonstration by the vendor that asserts the use of cryptographic protections for the integrity of the boot process.The cryptographic protections must employ asymmetric industry standard algorithms. (rationale: cryptography must be validated by experts in the subject),High,Secure boot underpins the access control which protects the vehicle networks,No,Yes,Yes,No
+SII-041,Protecting Firmware on Devices,Vendors shall implement a hardware based root of trust for boot authentication of the device.,"UL 1376 1.5 Hardware root of trust: Device implements a hardware based root of trust for updates and boot authentication
+
+SAE J3101 9.1 Authenticated Boot",Inspection of vendor-supplied documentation detailing the implementation of a hardware based root of trust for secure boot of the device.,Medium,,No,Yes,Yes,No
 SII-060,Protecting Firmware on Devices,The vendor shall provide a means (and document the process) for customers to verify the firmware in their devices.,"NIST 800-53 r5 SI-7 (12) - SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY | INTEGRITY VERIFICATION 
 Require that the integrity of the following user-installed software be verified prior to execution: [Assignment: organization-defined user-installed software].
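Review bot: The new SII-041 row verifies the hardware root of trust by documentation inspection only, whereas the secure-boot row it sits beside requires "a 3rd party implementation review report or a demonstration by the vendor" precisely because "cryptography must be validated by experts"; a hardware root of trust anchors that same boot chain, so consider the same evidence standard rather than a weaker one. Also, the cited UL 1376 1.5 covers a root of trust "for updates and boot authentication", while the requirement text mentions only boot authentication; state whether update verification is intended to be anchored in the same root of trust or is covered by another row. Minor: "hardware based" should be hyphenated as "hardware-based".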