diff --git a/data/ssvc_1_applier.csv b/data/ssvc_1_applier.csv index 420c895c..e00f414c 100644 --- a/data/ssvc_1_applier.csv +++ b/data/ssvc_1_applier.csv 
@@ -49,31 +49,31 @@ 47,none,controlled,mission fail,major,out-of-cycle 48,none,controlled,mission fail,hazardous,out-of-cycle 49,none,controlled,mission fail,catastrophic,out-of-cycle -50,none,unavoidable,none,none,defer -51,none,unavoidable,none,minor,scheduled -52,none,unavoidable,none,major,scheduled -53,none,unavoidable,none,hazardous,out-of-cycle -54,none,unavoidable,none,catastrophic,immediate -55,none,unavoidable,degraded,none,defer -56,none,unavoidable,degraded,minor,scheduled -57,none,unavoidable,degraded,major,scheduled -58,none,unavoidable,degraded,hazardous,out-of-cycle -59,none,unavoidable,degraded,catastrophic,immediate -60,none,unavoidable,MEF crippled,none,scheduled -61,none,unavoidable,MEF crippled,minor,scheduled -62,none,unavoidable,MEF crippled,major,scheduled -63,none,unavoidable,MEF crippled,hazardous,out-of-cycle -64,none,unavoidable,MEF crippled,catastrophic,immediate -65,none,unavoidable,MEF fail,none,scheduled -66,none,unavoidable,MEF fail,minor,scheduled -67,none,unavoidable,MEF fail,major,out-of-cycle -68,none,unavoidable,MEF fail,hazardous,out-of-cycle -69,none,unavoidable,MEF fail,catastrophic,immediate -70,none,unavoidable,mission fail,none,out-of-cycle -71,none,unavoidable,mission fail,minor,out-of-cycle -72,none,unavoidable,mission fail,major,out-of-cycle -73,none,unavoidable,mission fail,hazardous,out-of-cycle -74,none,unavoidable,mission fail,catastrophic,immediate +50,none,open,none,none,defer +51,none,open,none,minor,scheduled +52,none,open,none,major,scheduled +53,none,open,none,hazardous,out-of-cycle +54,none,open,none,catastrophic,immediate +55,none,open,degraded,none,defer +56,none,open,degraded,minor,scheduled +57,none,open,degraded,major,scheduled +58,none,open,degraded,hazardous,out-of-cycle +59,none,open,degraded,catastrophic,immediate +60,none,open,MEF crippled,none,scheduled +61,none,open,MEF crippled,minor,scheduled +62,none,open,MEF crippled,major,scheduled +63,none,open,MEF crippled,hazardous,out-of-cycle 
+64,none,open,MEF crippled,catastrophic,immediate +65,none,open,MEF fail,none,scheduled +66,none,open,MEF fail,minor,scheduled +67,none,open,MEF fail,major,out-of-cycle +68,none,open,MEF fail,hazardous,out-of-cycle +69,none,open,MEF fail,catastrophic,immediate +70,none,open,mission fail,none,out-of-cycle +71,none,open,mission fail,minor,out-of-cycle +72,none,open,mission fail,major,out-of-cycle +73,none,open,mission fail,hazardous,out-of-cycle +74,none,open,mission fail,catastrophic,immediate 75,poc,small,none,none,defer 76,poc,small,none,minor,defer 77,poc,small,none,major,scheduled 
@@ -124,31 +124,31 @@ 122,poc,controlled,mission fail,major,immediate 123,poc,controlled,mission fail,hazardous,immediate 124,poc,controlled,mission fail,catastrophic,immediate -125,poc,unavoidable,none,none,defer -126,poc,unavoidable,none,minor,scheduled -127,poc,unavoidable,none,major,scheduled -128,poc,unavoidable,none,hazardous,out-of-cycle -129,poc,unavoidable,none,catastrophic,immediate -130,poc,unavoidable,degraded,none,scheduled -131,poc,unavoidable,degraded,minor,scheduled -132,poc,unavoidable,degraded,major,out-of-cycle -133,poc,unavoidable,degraded,hazardous,out-of-cycle -134,poc,unavoidable,degraded,catastrophic,immediate -135,poc,unavoidable,MEF crippled,none,scheduled -136,poc,unavoidable,MEF crippled,minor,scheduled -137,poc,unavoidable,MEF crippled,major,out-of-cycle -138,poc,unavoidable,MEF crippled,hazardous,out-of-cycle -139,poc,unavoidable,MEF crippled,catastrophic,immediate -140,poc,unavoidable,MEF fail,none,out-of-cycle -141,poc,unavoidable,MEF fail,minor,out-of-cycle -142,poc,unavoidable,MEF fail,major,out-of-cycle -143,poc,unavoidable,MEF fail,hazardous,out-of-cycle -144,poc,unavoidable,MEF fail,catastrophic,immediate -145,poc,unavoidable,mission fail,none,immediate -146,poc,unavoidable,mission fail,minor,immediate -147,poc,unavoidable,mission fail,major,immediate -148,poc,unavoidable,mission fail,hazardous,immediate -149,poc,unavoidable,mission fail,catastrophic,immediate +125,poc,open,none,none,defer +126,poc,open,none,minor,scheduled +127,poc,open,none,major,scheduled +128,poc,open,none,hazardous,out-of-cycle +129,poc,open,none,catastrophic,immediate +130,poc,open,degraded,none,scheduled +131,poc,open,degraded,minor,scheduled +132,poc,open,degraded,major,out-of-cycle +133,poc,open,degraded,hazardous,out-of-cycle +134,poc,open,degraded,catastrophic,immediate +135,poc,open,MEF crippled,none,scheduled +136,poc,open,MEF crippled,minor,scheduled +137,poc,open,MEF crippled,major,out-of-cycle +138,poc,open,MEF crippled,hazardous,out-of-cycle 
+139,poc,open,MEF crippled,catastrophic,immediate +140,poc,open,MEF fail,none,out-of-cycle +141,poc,open,MEF fail,minor,out-of-cycle +142,poc,open,MEF fail,major,out-of-cycle +143,poc,open,MEF fail,hazardous,out-of-cycle +144,poc,open,MEF fail,catastrophic,immediate +145,poc,open,mission fail,none,immediate +146,poc,open,mission fail,minor,immediate +147,poc,open,mission fail,major,immediate +148,poc,open,mission fail,hazardous,immediate +149,poc,open,mission fail,catastrophic,immediate 150,active,small,none,none,defer 151,active,small,none,minor,defer 152,active,small,none,major,scheduled 
@@ -199,28 +199,28 @@ 197,active,controlled,mission fail,major,immediate 198,active,controlled,mission fail,hazardous,immediate 199,active,controlled,mission fail,catastrophic,immediate -200,active,unavoidable,none,none,defer -201,active,unavoidable,none,minor,scheduled -202,active,unavoidable,none,major,out-of-cycle -203,active,unavoidable,none,hazardous,immediate -204,active,unavoidable,none,catastrophic,immediate -205,active,unavoidable,degraded,none,scheduled -206,active,unavoidable,degraded,minor,out-of-cycle -207,active,unavoidable,degraded,major,out-of-cycle -208,active,unavoidable,degraded,hazardous,immediate -209,active,unavoidable,degraded,catastrophic,immediate -210,active,unavoidable,MEF crippled,none,out-of-cycle -211,active,unavoidable,MEF crippled,minor,out-of-cycle -212,active,unavoidable,MEF crippled,major,out-of-cycle -213,active,unavoidable,MEF crippled,hazardous,immediate -214,active,unavoidable,MEF crippled,catastrophic,immediate -215,active,unavoidable,MEF fail,none,immediate -216,active,unavoidable,MEF fail,minor,immediate -217,active,unavoidable,MEF fail,major,immediate -218,active,unavoidable,MEF fail,hazardous,immediate -219,active,unavoidable,MEF fail,catastrophic,immediate -220,active,unavoidable,mission fail,none,immediate -221,active,unavoidable,mission fail,minor,immediate -222,active,unavoidable,mission fail,major,immediate -223,active,unavoidable,mission fail,hazardous,immediate -224,active,unavoidable,mission fail,catastrophic,immediate +200,active,open,none,none,defer +201,active,open,none,minor,scheduled +202,active,open,none,major,out-of-cycle +203,active,open,none,hazardous,immediate +204,active,open,none,catastrophic,immediate +205,active,open,degraded,none,scheduled +206,active,open,degraded,minor,out-of-cycle +207,active,open,degraded,major,out-of-cycle +208,active,open,degraded,hazardous,immediate +209,active,open,degraded,catastrophic,immediate +210,active,open,MEF crippled,none,out-of-cycle +211,active,open,MEF 
crippled,minor,out-of-cycle +212,active,open,MEF crippled,major,out-of-cycle +213,active,open,MEF crippled,hazardous,immediate +214,active,open,MEF crippled,catastrophic,immediate +215,active,open,MEF fail,none,immediate +216,active,open,MEF fail,minor,immediate +217,active,open,MEF fail,major,immediate +218,active,open,MEF fail,hazardous,immediate +219,active,open,MEF fail,catastrophic,immediate +220,active,open,mission fail,none,immediate +221,active,open,mission fail,minor,immediate +222,active,open,mission fail,major,immediate +223,active,open,mission fail,hazardous,immediate +224,active,open,mission fail,catastrophic,immediate \ No newline at end of file diff --git a/doc/version_1/040_treesForVulMgmt.md b/doc/version_1/040_treesForVulMgmt.md index 14c06aca..45791ca0 100644 --- a/doc/version_1/040_treesForVulMgmt.md +++ b/doc/version_1/040_treesForVulMgmt.md 
@@ -379,7 +379,17 @@ resiliency ### System Exposure (Deployer) > The Accessible Attack Surface of the Affected System or Service -Measuring attack surface precisely is difficult, and we do not propose to perfectly delineate between small and controlled access. If a vulnerability cannot be patched, other mitigations may be used. Usually, the effect of these mitigations is to reduce exposure of the vulnerable component. Therefore, an deployer’s response to Exposure may change if such mitigations are put in place. If a mitigation changes exposure and thereby reduces the priority of a vulnerability, that mitigation can be considered a success. Whether that mitigation allows the deployer to defer further action varies according to each case. + +Measuring attack surface precisely is difficult, and we do not propose to perfectly delineate between small and controlled access. +Exposure should be judged against the system in its deployed context, which may differ from how it is commonly expected to be deployed. +For example, the exposure of a device on a vehicle's CAN bus will vary depending on the presence of a cellular telemetry device on the same bus. + +If a vulnerability cannot be patched, other mitigations may be used. +Usually, the effect of these mitigations is to reduce exposure of the vulnerable component. +Therefore, a deployer’s response to Exposure may change if such mitigations are put in place. +If a mitigation changes exposure and thereby reduces the priority of a vulnerability, that mitigation can be considered a success. +Whether that mitigation allows the deployer to defer further action varies according to each case. + 
@@ -387,7 +397,7 @@ Measuring attack surface precisely is difficult, and we do not propose to perfec | ----------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Small | Local service or program; highly controlled network | | Controlled | Networked service with some access restrictions or mitigations already in place (whether locally or on the network). A successful mitigation must reliably interrupt the adversary’s attack, which requires the attack is detectable both reliably and quickly enough to respond. *Controlled* covers the situation in which a vulnerability can be exploited through chaining it with other vulnerabilities. The assumption is that the number of steps in the attack path is relatively low; if the path is long enough that it is implausible for an adversary to reliably execute it, then *exposure* should be *small*. | -| Unavoidable | Internet or another widely accessible network where access cannot plausibly be restricted or controlled (e.g., DNS servers, web servers, VOIP servers, email servers) | +| Open | Internet or another widely accessible network where access cannot plausibly be restricted or controlled (e.g., DNS servers, web servers, VOIP servers, email servers) | ### Mission Impact (Deplyer) > Impact on Mission Essential Functions of the Organization 
@@ -457,7 +467,8 @@ Some of the decision points require some substantial upfront analysis effort to Stakeholders who use the prioritization method should consider releasing the priority with which they handled the vulnerability. This disclosure has various benefits. For example, if the supplier publishes a priority ranking, then deployers could consider that in their decision-making process. One reasonable way to include it is to break ties for the deployer. If an deployer has three “scheduled” vulnerabilities to patch, they may address them in any order. If two vulnerabilities were produced by the supplier as “scheduled” patches, and one was “out-of-cycle,” then the deployer may want to use that information to favor the latter. -In the case where no information is available or the organization has not yet matured its initial situational analysis, we can suggest something like defaults for some decision points. If the deployer does not know their exposure, that means they do not know where the devices are or how they are controlled, so they should assume *Exposure* is **unavoidable**. If the decision maker knows nothing about the environment in which the device is used, we suggest assuming a **major** *Safety Impact*. This position is conservative, but software is thoroughly embedded in daily life now, so we suggest that the decision maker provide evidence that no one’s well-being will suffer. The reach of software exploits is no longer limited to a research network. Similarly, with *Mission Impact*, the deployer should assume that the software is in use at the organization for a reason, and that it supports essential functions unless they have evidence otherwise. With a total lack of information, assume **MEF support crippled** as a default. *Exploitation* needs no special default; if adequate searches are made for exploit code and none is found, the answer is **none**. 
The decision set {**none**, **unavoidable**, **MEF crippled**, **major**} results in a scheduled patch application. +In the case where no information is available or the organization has not yet matured its initial situational analysis, we can suggest something like defaults for some decision points. If the deployer does not know their exposure, that means they do not know where the devices are or how they are controlled, so they should assume *Exposure* is **open**. If the decision maker knows nothing about the environment in which the device is used, we suggest assuming a **major** *Safety Impact*. This position is conservative, but software is thoroughly embedded in daily life now, so we suggest that the decision maker provide evidence that no one’s well-being will suffer. The reach of software exploits is no longer limited to a research network. Similarly, with *Mission Impact*, the deployer should assume that the software is in use at the organization for a reason, and that it supports essential functions unless they have evidence otherwise. With a total lack of information, assume **MEF support crippled** as a default. *Exploitation* needs no special default; if adequate searches are made for exploit code and none is found, the answer is **none**. The decision set {**none**, **open**, **MEF crippled**, **major**} results in a scheduled patch application. + ## Development Methodology diff --git a/doc/version_1/060_workedExample.md b/doc/version_1/060_workedExample.md index 9c920664..d84271d7 100644 --- a/doc/version_1/060_workedExample.md +++ b/doc/version_1/060_workedExample.md 
@@ -13,7 +13,7 @@ This information rules out “active” given the (perhaps limited) search proce - **Deployment of affected system** - These pumps are attached directly to the client. If an update is required, the client is permitted to do that through their own computer or app. However, we have not provided them with documentation on properly using their computer or app to securely access their device. This is done for convenience so that if the user needs to change something quickly, they can. They also can also come to us (hospital) for a change in their device’s settings for dosage etc. The doctor’s computer that directly handles interfacing with these devices is only connected to the intranet for the purpose of updating the client’s settings on the device. Doctors authenticate with ID badge and password. -*Exposure* is less straightforward than *Exploitation*. The option **unavoidable** is clearly ruled out. However, it is not clear whether the optional Bluetooth connection between the medical device and a phone app represents **controlled** or **small** exposure. The description does not explicitly handle the capture/replay aspect of the vulnerability. If the only way to exploit the vulnerability is to be within physical transmission range of the device, then that physical constraint argues for exposure being **small**. However, if the client’s phone app could be used to capture and replay attack packets, then unless that app is particularly well secured, the answer should be **controlled**. Regardless, the answer is not clear from the supplied information. Furthermore, if this fictional app is specific to the insulin pump, then even if it is not compromised, the attack might use its installation to remotely identify targets. However, since most of the hospital’s clients have not installed the app, and for nearly all cases, physical proximity to the device is necessary; therefore, we select **small** and move on to ask about mission impact. 
+*Exposure* is less straightforward than *Exploitation*. The option **open** is clearly ruled out. However, it is not clear whether the optional Bluetooth connection between the medical device and a phone app represents **controlled** or **small** exposure. The description does not explicitly handle the capture/replay aspect of the vulnerability. If the only way to exploit the vulnerability is to be within physical transmission range of the device, then that physical constraint argues for exposure being **small**. However, if the client’s phone app could be used to capture and replay attack packets, then unless that app is particularly well secured, the answer should be **controlled**. Regardless, the answer is not clear from the supplied information. Furthermore, if this fictional app is specific to the insulin pump, then even if it is not compromised, the attack might use its installation to remotely identify targets. However, since most of the hospital’s clients have not installed the app, and for nearly all cases, physical proximity to the device is necessary; therefore, we select **small** and move on to ask about mission impact. According to the fictional pilot scenario, “Our mission dictates that the first and foremost priority is to contribute to human welfare and to uphold the Hippocratic oath (do no harm).” The continuity of operations planning for a hospital is complex, with many MEFs. However, even from this abstract, it seems clear that “do no harm” is at risk due to this vulnerability. A mission essential function to that mission is each of the various medical devices works as expected, or at least if a device fails, it cannot actively be used to inflict harm. Unsolicited insulin delivery would mean that MEF “fails for a period of time longer than acceptable,” matching the description of MEF failure. The question is then whether the whole mission fails, which does not seem to be the case. 
The recovery of MEF functioning is not affected, and most MEFs (the emergency services, surgery, oncology, administration, etc.) would be unaffected. Therefore, we select **MEF failure** and move on to ask about safety impact.
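Review bot: in data/ssvc_1_applier.csv hunk @@ -49,31 +49,31 @@, the Exposure-column rename from "unavoidable" to "open" is value-only (the decision column is unchanged row for row, which is what a pure relabel should look like), but the header row and any tooling that matches this file on the literal string "unavoidable" are not in the diff; confirm both were updated in the same change, otherwise a consumer filtering on the old label silently matches none of rows 50-74 while a strict loader rejects "open" as an unknown value.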
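Review bot: in data/ssvc_1_applier.csv hunk @@ -199,28 +199,28 @@, the "\ No newline at end of file" marker after `+224,active,open,mission fail,catastrophic,immediate` shows the rewritten file ends without a trailing newline; add one, since line-counting tools such as `wc -l` under-report the final row and every later edit to that row will carry the same marker as noise in the diff.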
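Review bot: in doc/version_1/040_treesForVulMgmt.md hunk @@ -379,7 +379,17 @@, the CAN bus example stops short of saying which Exposure value each case maps to; stating it (a bus with no external interface as **small**, the same bus with a cellular telemetry device as **controlled** or **open** depending on what access restrictions that device enforces) would make the "deployed context" point directly usable with the value table that follows. The split of the paragraph into one sentence per line and the "an deployer" to "a deployer" fix are fine.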
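Review bot: in doc/version_1/040_treesForVulMgmt.md hunk @@ -387,7 +397,7 @@, the context line `### Mission Impact (Deplyer)` just below the changed table row misspells "Deployer"; since this hunk already touches the section, fix it in the same commit. The relabelled row keeps the definition "access cannot plausibly be restricted or controlled", which still reads correctly under the name "Open", so no wording change is needed there.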
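Review bot: in doc/version_1/040_treesForVulMgmt.md hunk @@ -457,7 +467,8 @@, the context line above the change still reads "If an deployer has three “scheduled” vulnerabilities", the same "an deployer" slip the @@ -379 hunk corrects elsewhere in the file; fix it here too. The rewritten default of assuming *Exposure* is **open** when the deployer cannot say where the devices are is consistent with the table's new label, and the decision set {none, open, MEF crippled, major} still maps to "scheduled" in row 62 of the CSV hunk, so the closing example remains correct.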
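Review bot: in doc/version_1/060_workedExample.md hunk @@ -13,7 +13,7 @@, "The option **open** is clearly ruled out" no longer explains itself the way "unavoidable" did; give the reason in the sentence, e.g. that the pump is reachable only over an optional Bluetooth link and the doctor's computer sits on the intranet, so access can plausibly be restricted. The context line "They also can also come to us (hospital)" carries a doubled "also" worth fixing while the file is open.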