UL SUBJECT 2900-1-2016 UL Outline for Investigation Software Cybersecurity for Network- Connectable Products Part 1 General Requirements (Issue 2).pdf

1、UL COPYRIGHTED MATERIAL NOT AUTHORIZED FOR FURTHER REPRODUCTION ORDISTRIBUTION WITHOUT PERMISSION FROM ULMARCH 30, 20161UL 2900-1Outline of Investigation for Software Cybersecurity for Network-Connectable Products, Part 1: General RequirementsIssue Number: 1March 30, 2016Summary of TopicsThe UL 2900

2、-1 outline aims to provide a minimum set of requirements thatdevelopers of network-connectable products can pursue to establish abaseline of protection against vulnerabilities and software weaknesses,along with a minimum set of security risk controls and documentation toconsider relative to their ex

3、isting overall product risk assessments.ULs Outlines of Investigation are copyrighted by UL. Neither a printed norelectronic copy of an Outline of Investigation should be altered in any way. All ofULs Outlines of Investigation and all copyrights, ownerships, and rights regardingthose Outlines of Inv

4、estigation shall remain the sole and exclusive property of UL.COPYRIGHT 2016 UNDERWRITERS LABORATORIES INC.UL COPYRIGHTED MATERIAL NOT AUTHORIZED FOR FURTHER REPRODUCTION ORDISTRIBUTION WITHOUT PERMISSION FROM ULMARCH 30, 2016UL 2900-12No Text on This PageUL COPYRIGHTED MATERIAL NOT AUTHORIZED FOR F

5、URTHER REPRODUCTION ORDISTRIBUTION WITHOUT PERMISSION FROM ULCONTENTSINTRODUCTION1 Scope .52 Normative References .53 Glossary .7DOCUMENTATION OF PRODUCT, PRODUCT DESIGN AND PRODUCT USE4 Product Documentation .105 Product Design Documentation 116 Documentation for Product Use 11RISK CONTROLS7 Genera

6、l .128 Access Control, User Authentication and User Authorization 129 Remote Communication 1310 Cryptography .1411 Product Management .14RISK MANAGEMENT12 Vendor Product Risk Management Process 15VULNERABILITIES AND EXPLOITS13 Known Vulnerability Testing 1714 Malware Testing 1715 Malformed Input Tes

7、ting .1716 Structured Penetration Testing .19SOFTWARE WEAKNESSES17 Software Weakness Analysis .1918 Static Source Code Analysis 2019 Static Binary and Bytecode Analysis 20APPENDIX AA1 Sources for Software Weaknesses .A1APPENDIX BB1 Requirements for Secure Mechanisms for Storing Sensitive Data and Pe

8、rsonally IdentifiableData B1APPENDIX CMARCH 30, 2016 UL 2900-1 3UL COPYRIGHTED MATERIAL NOT AUTHORIZED FOR FURTHER REPRODUCTION ORDISTRIBUTION WITHOUT PERMISSION FROM ULC1 Requirements for Security Functions .C1MARCH 30, 2016UL 2900-14UL COPYRIGHTED MATERIAL NOT AUTHORIZED FOR FURTHER REPRODUCTION O

9、RDISTRIBUTION WITHOUT PERMISSION FROM ULINTRODUCTION1 Scope1.1 This outline applies to network-connectable products that shall be evaluated and tested forvulnerabilities, software weaknesses and malware.1.2 This outline describes:a) Requirements regarding the vendors risk management process for thei

10、r product.b) Methods by which a product shall be evaluated and tested for the presence of vulnerabilities,software weaknesses and malware.c) Requirements regarding the presence of security risk controls in the architecture and designof a product.1.3 This outline does not contain requirements regardi

11、ng functional testing of a product. This means thisoutline contains no requirements to verify that the product functions as designed.1.4 This outline does not contain requirements regarding the hardware contained in a product.2 Normative References2.1 All references are for the latest published vers

12、ion of the document, unless stated otherwise.1 UL 2900-2-1Outline of Investigation for Software Cybersecurity for Network-Connectable Products, Part 2-1: ParticularRequirements for Network Connectable Components of Healthcare Systems2 UL 2900-2-2Outline of Investigation for Software Cybersecurity fo

13、r Network-Connectable Products, Part 2-2: ParticularRequirements for Industrial Control Systems3 ITU-T X.1520,Cybersecurity information exchange Vulnerability/state exchange Common vulnerabilities andexposures (CVE)4 ITU-T X.1521,Cybersecurity information exchange Vulnerability/state exchange Common

14、 vulnerability scoringsystem (CVSS)5 ITU-T X.1524,Cybersecurity information exchange Vulnerability/state exchange Common weakness enumeration(CWE)6 ITU-T X.1525,Cybersecurity information exchange Vulnerability/state exchange Common weakness scoring system(CWSS)7 ITU-T X.1544,Cybersecurity informatio

15、n exchange Event/incident/heuristics exchange Common attack patternenumeration and classification (CAPEC)MARCH 30, 2016 UL 2900-1 5UL COPYRIGHTED MATERIAL NOT AUTHORIZED FOR FURTHER REPRODUCTION ORDISTRIBUTION WITHOUT PERMISSION FROM UL8 Common Weakness Risk Analysis Framework (CWRAF); retrievable f

16、rom https:/cwe.mitre.org/cwraf/9 CWE/SANS Top 25 Most Dangerous Software Errors; retrievable from cwe.mitre.org/top2510 CWE On the Cusp: other weaknesses to consider; retrievable fromhttps:/cwe.mitre.org/top25/cusp.html11 OWASP Top 10; latest version retrievable fromhttps:/www.owasp.org/index.php/To

17、p_10_2013-Top_1012 ISO/IEC 11889,Information technology Trusted platform module library13 ISO/IEC 9796 (all parts),Information technology Security techniques Digital signature scheme giving message recovery14 ISO/IEC 9797 (all parts),Information technology Security techniques Message Authentication

18、Codes (MACs)15 ISO/IEC 9798 (all parts),Information technology Security techniques Entity authentication16 ISO/IEC 10118 (all parts),Information technology Security techniques Hash-functions17 ISO/IEC 11770 (all parts),Information technology Security techniques Key management18 ISO/IEC 14888 (all pa

19、rts),Information technology Security techniques Digital signatures with appendix19 ISO/IEC 15946 (all parts),Information technology Security techniques Cryptographic techniques based on elliptic curves20 ISO/IEC 18033 (all parts),Information technology Security techniques Encryption algorithms21 ISO

20、/IEC 19772 (all parts),Information technology Security techniques Authenticated encryption22 NIST FIPS 140-2, Annex A: Approved Security Functions23 NIST FIPS 140-2, Annex D: Approved Key Establishment TechniquesMARCH 30, 2016UL 2900-16UL COPYRIGHTED MATERIAL NOT AUTHORIZED FOR FURTHER REPRODUCTION

21、ORDISTRIBUTION WITHOUT PERMISSION FROM UL3 Glossary3.1 ATTACK The use of one or more exploit(s) by an adversary to achieve one or more negativetechnical impact(s).3.2 ATTACK PATTERN A description of a generic method for carrying out attacks.3.3 AUTHENTICATION The process of verifying the identity of

22、 an entity.3.4 AUTHENTICITY The property that data, information or software originate from a specific entity,which may or may not have been authenticated.3.5 AUTHORIZATION The process of giving an entity permission to access or manipulate the product,or the property that an entity has such permissio

23、n.3.6 BINARY CODE Machine instructions and/or data in a format intended for a specific processorarchitecture.3.7 BYTECODE Instructions and/or data that are created from source code as an intermediate stepbefore generating binary code. Bytecode is independent of a specific processor architecture and

24、istypically handled by a virtual machine or interpreter.3.8 COMMON ATTACK PATTERN ENUMERATION AND CLASSIFICATION (CAPEC) Specified inITU-T X.1544 (ref. 7), the CAPEC is a publicly available resource providing a list and classification of alarge number of attack mechanisms based on the topology of th

25、e environment.3.9 COMMON VULNERABILITIES AND EXPOSURES (CVE) Specified in ITU-T X.1520 (ref. 3), theCVE is a publicly available resource providing common identifiers for known vulnerabilities and exposures.3.10 COMMON VULNERABILITY SCORING SYSTEM (CVSS) Specified in ITU-T X.1521 (ref. 4), theCVSS is

26、 a publicly available resource providing a means for prioritizing vulnerabilities in terms of exploitpotential.3.11 COMMON WEAKNESS ENUMERATION (CWE) Specified in ITU-T X.1524 (ref. 5), the CWE isa publicly available resource providing a structured means to exchange unified, measurable sets ofinform

27、ation providing common identifiers for software weaknesses, as well as consequences, detectionmethods and examples of each weakness.3.12 COMMON WEAKNESS SCORING SYSTEM (CWSS) Specified in ITU-T X.1525 (ref 6), theCWSS is a publicly available resource providing a means for prioritizing CWEs based on

28、their technicalimpact, ease of attack, and other factors.3.13 COMMUNICATION PROTOCOL A system of rules regarding syntax, semantics, synchronizationand error recovery of communication, allowing two or more entities to exchange information.3.14 CONFIDENTIALITY The property that data, information or so

29、ftware is not made available ordisclosed to unauthorized individuals, entities, or processes.MARCH 30, 2016 UL 2900-1 7UL COPYRIGHTED MATERIAL NOT AUTHORIZED FOR FURTHER REPRODUCTION ORDISTRIBUTION WITHOUT PERMISSION FROM UL3.15 EXECUTABLE A file containing instructions in binary code, which can be

30、used by a computer toperform computational tasks.3.16 EXPLOIT An input or action designed to take advantage of a weakness (or multiple weaknesses)and achieve a negative technical impact.NOTE: The existence of an exploit targeting a weakness is what makes that weakness a vulnerability.3.17 EXTERNAL I

31、NTERFACE An interface of the product that is designed to potentially allow accessto an entity outside the product; for example user interfaces, remote interfaces, local interfaces, wirelessinterfaces and file inputs.3.18 FILE A collection of data or program instructions stored as a unit with a singl

32、e name.3.19 GENERATIONAL MALFORMED INPUT TESTING A method of deriving malformed input testcases by using detailed knowledge of the syntax and semantics of the specifications of the protocol or fileformat being tested.3.20 HARM Physical injury or damage to the health of people, or damage to property

33、or theenvironment.3.21 INTEGRITY The property of data, information or software not having been improperly modified.3.22 KNOWN VULNERABILITY A vulnerability described in the National Vulnerability Database (NVD).NOTE: The NVD is accessible at https:/nvd.nist.gov.3.23 LOCAL INTERFACE An external inter

34、face potentially allowing access only to individuals, entitiesor systems within a very acute proximity requiring physical access to the product.NOTE: An example is a physically wired direct connection like a USB connection or RS 485 connectionwithin physical proximity.3.24 MALFORMED INPUT TESTING A

35、black-box testing technique used to reveal softwareweaknesses and vulnerabilities in a product by triggering them with invalid or unexpected inputs on theexternal interfaces of the product.3.25 MALFORMED INPUT TEST CASE The basic unit of malformed input testing, which consists of asingle interaction

36、 with the product under test.3.26 MALWARE Software designed with malicious intent to disrupt normal function, gather sensitiveinformation, and/or access other connected systems.3.27 NETWORK A collection of nodes and telecommunication links, allowing connected devices,software etc. to exchange data a

37、nd communicate.MARCH 30, 2016UL 2900-18UL COPYRIGHTED MATERIAL NOT AUTHORIZED FOR FURTHER REPRODUCTION ORDISTRIBUTION WITHOUT PERMISSION FROM UL3.28 PENETRATION TESTING A mechanism of evaluation of a product to exploit vulnerabilities andweaknesses discovered in the vulnerability assessment phase.3.

38、29 PERSONALLY IDENTIFIABLE INFORMATION Any information belonging to an individual that canuniquely distinguish an individual or information that can be used to derive their identity.NOTE: This can be, but is not limited to an individuals location, health records and/or financial recordsthat when use

39、d can determine the actual individuals identity.3.30 PRODUCT The network-connectable device, software or system under test.3.31 PROTOCOL See COMMUNICATION PROTOCOL3.32 REMOTE INTERFACE An external interface potentially allowing access to individuals, entities orprocesses regardless of geographic dis

40、tance to the product.3.33 RISK The potential for harm or damage, measured as the combination of the likelihood ofoccurrence of that harm or damage and the impact of that harm or damage.3.34 RISK ANALYSIS The systematic use of available information to identify threats and to estimaterisk.3.35 RISK CO

41、NTROL Any action taken or feature implemented to reduce risk.3.36 RISK MANAGEMENT Systematic application of management policies, procedures and practicesto the tasks of analyzing, evaluating, controlling and monitoring risk.3.37 SECURE ELEMENT A tamper-resistant platform like a chip capable of secur

42、ely hostingapplications and their confidential and cryptographic data and will prevent unauthorized access.3.38 SECURITY The state of having acceptable levels of confidentiality, integrity, authenticity and/oravailability of product data and/or functionality.3.39 SENSITIVE DATA Sensitive data is any

43、 critical security parameter that can compromise the useand security of the product such as passwords, keys, seeds for random number generators, authenticationdata.3.40 SOFTWARE All pre-loaded data which creates, affects, and/or modifies the functionality of theproduct. This includes, but is not lim

44、ited to, firmware, scripts, initialization files, pre-compiled code andinterpreted code. This does not include software preloaded and programmed in an IC chip for smallfunctions that require physical access and removal of the IC chip for reprogramming.3.41 SOFTWARE WEAKNESS A mistake in the architec

45、ture, design, coding, build process orconfiguration of software in the product, that may render the product vulnerable to a security exploit.3.42 SOURCE CODE Computer instructions written in a human-readable high-level computerlanguage, usually as text, including possible comments.MARCH 30, 2016 UL

46、2900-1 9UL COPYRIGHTED MATERIAL NOT AUTHORIZED FOR FURTHER REPRODUCTION ORDISTRIBUTION WITHOUT PERMISSION FROM UL3.43 STATIC ANALYSIS A process in which source code, bytecode or binary code is analyzed withoutexecuting the code.3.44 TEMPLATE MALFORMED INPUT TESTING Also known as mutational fuzzing,

47、templatemalformed input testing generates test cases by introducing anomalies into a valid message or file.Template malformed input test cases are not protocol aware and therefore will not contain items such ascorrect checksums and valid session IDs.3.45 THREAT A potentially successful attack, invol

48、ving an adversary utilizing specific techniques andresources to take advantage of specific vulnerabilities or lack of risk controls within a product.3.46 TRUSTED PLATFORM MODULE An international standard that defines the requirements for adedicated microprocessor with requirements for storage of cry

49、ptographic keys used to secure physicalproducts and the software contained.3.47 USER A person or process using a product or accessing it over one of its external interfaces.3.48 VENDOR The manufacturer, reseller or supplier of a product, which takes final responsibility forthe cybersecurity of that product towards the purchaser and/or user and which submits that prod