R-TF-024-003 Cyber Security Risk Matrix

Security Risk Assessment. The matrix is organised in four column groups: Analyze (Identifier, Asset, Threat, Vulnerability, Consequences), Initial evaluation (Existing Controls, Likelihood, Severity, RPN, Risk class), Mitigation or control action (Decision/Risk treatment, SRS issue key, New Risk?, New risk issue key) and Residual evaluation (Likelihood, Severity, RPN, Risk Class, Safety risk?, Safety risk issue key). In this extract only the Analyze columns are populated; the evaluation, treatment and residual columns are blank for every row and are left out of the table below rather than shown as empty cells.

Identifier | Asset | Threat | Vulnerability | Consequences
---|---|---|---|---
R-C67 | Medical device software, patient data | Container escape | Containers on the device share the host Linux kernel and may run with elevated privileges or host mounts. Kernel vulnerabilities or permissive configurations can enable container escape, giving an attacker host control and impacting other containers and safety functions. | Container environments such as Docker and Kubernetes share the kernel of the host operating system, so a kernel or container-runtime vulnerability that allows execution of unauthorized code can be used to escape the container. Containers with incorrect configurations or excessive privileges (e.g., privileged mode, shared host namespaces, sensitive host mounts) can also allow escape. After escaping, the threat actor could manipulate the underlying OS or the applications and data in other containers hosted on that device.
R-E6S | Medical device software, patient data | Application Binaries Modified | This component exposes a network-facing interface that accepts remote input. This makes modification of application binaries relevant because remote requests can exercise unexpected code paths and access controls. | A threat actor could modify application-level binaries or libraries on the device to introduce unauthorized code, maintain persistence, or evade detection. This could also include modification of the runtime libraries used to support program execution, along with key PLC function blocks used to structure the execution of application function blocks, such as organizational blocks. (Integrity impact likely)
R-400 | Medical device software, patient data | Cross Site Scripting (XSS) | This component exposes a network-facing interface that accepts remote input. This makes cross-site scripting (XSS) relevant because remote requests can exercise unexpected code paths and access controls. | The device does not properly restrict, filter, or validate the content of web-based requests or outputs, especially content used to construct HTML or JavaScript elements within a web page. A threat actor can add malicious JavaScript to an HTTP request, including through a GET/POST parameter or an HTTP header field, which then executes in the browser of an unsuspecting user. The malicious JavaScript can then be used to steal session tokens or to send requests (especially via XMLHttpRequest) that change device configuration or data.
R-QV5 | Medical device software, patient data | HTTP Application Session Hijacking | This component exposes a network-facing interface that accepts remote input. This makes HTTP application session hijacking relevant because remote requests can exercise unexpected code paths and access controls. | A threat actor can hijack an insufficiently protected HTTP session token to gain unauthorized access to a device. Session tokens can be obtained by a threat actor if they are sent unencrypted over the network or if the site is vulnerable to cross-site scripting (XSS).
R-ZZY | Medical device software | HTTP Path Traversal | This component exposes a network-facing interface that accepts remote input. This makes HTTP path traversal relevant because remote requests can exercise unexpected code paths and access controls. | A threat actor can request files that reside outside the directories the web server is intended to serve, typically by placing ../ sequences (or their percent-encoded equivalents) in the requested path. This can be used to read data that is not intended to be remotely accessible through the web server, such as operating system files or files belonging to other applications. The threat results from the server failing to canonicalize and confine requested paths, and is compounded when the web server process has excessive privileges over files and directories on the device.
R-UBG | Medical device software | HTTP Direct Object Reference | This component exposes a network-facing interface that accepts remote input. This makes HTTP direct object reference relevant because remote requests can exercise unexpected code paths and access controls. | If a device does not properly authenticate and authorize every HTTP request, a threat actor can send a request directly to a specific URL to access data or initiate a device function. This could be used to access or download sensitive data or to make unwanted changes to settings or functions on the device. It typically requires that the threat actor knows the URL of the specific file, object or page rather than relying on the links provided by the web application. This is especially problematic for files hosted directly by the web server (e.g., .txt, .pdf), since the access controls of the web application framework may not be enforced on those files.
R-WPS | Medical device software | HTTP Injection/Response Splitting | This component exposes a network-facing interface that accepts remote input. This makes HTTP injection/response splitting relevant because remote requests can exercise unexpected code paths and access controls. | The device uses HTTP headers that are unencrypted, unvalidated and/or unauthenticated, so the receiving web server may accept and process arbitrary data arriving over the network. A threat actor may therefore be able to inject their own content into headers, for example by placing CR/LF sequences in a header value to split the response, and use this to obtain more information than they should have access to or to exploit a vulnerability on the receiving device. (Integrity impact likely)
R-0JE | Medical device software, patient data | Insecure Deserialization | This component offers low-level or physical interfaces. This makes insecure deserialization relevant because local interaction can bypass protections and alter system state. | Many object-oriented languages use serialization to convert class objects into byte strings for storage or transmission. If an untrusted byte string is deserialized without properly validating its contents, it can be used to exploit a vulnerability in the associated library. A threat actor could send a maliciously crafted serialized object to the device to exploit a deserialization vulnerability within it.
R-5NF | Medical device software, patient data | Default Credentials | This component uses wireless connectivity that can be probed within range. This makes default credentials relevant because over-the-air attacks are possible if pairing/auth are weak. | Devices often ship with default credentials from the vendor. Default credentials can be changed, but this step is often overlooked when devices are commissioned. If left unchanged, a threat actor may discover and use these credentials to gain unauthorized access to the device. Non-unique or predictable default credentials can lead to device compromise.
R-STL | Medical device software, patient data | Credential change mechanism can be abused | This component uses wireless connectivity that can be probed within range. This makes abuse of the credential change mechanism relevant because over-the-air attacks are possible if pairing/auth are weak. | A device's credential change mechanism can be abused to lock users out of their own devices by changing the credentials to something unknown to the legitimate user. This could prevent the legitimate user from accessing the device and may render the device permanently inoperable. It could also be coupled with unwanted device configuration changes made before the user is locked out. (CIA impact not explicitly stated)
R-JBG | Company secrets | Unauthenticated session changes credential | This component relies on authentication and session/role management. This makes credential changes from an unauthenticated session relevant because weak logic can permit unauthorized access or escalation. | A threat actor can change or reset a password or credential without being authenticated. This can be used to set the credential to a known value and then authenticate to the device with it. (CIA impact not explicitly stated)
R-H2I | Company secrets | Hardcoded Credentials | This component uses wireless connectivity that can be probed within range. This makes hardcoded credentials relevant because over-the-air attacks are possible if pairing/auth are weak. | Hardcoded credentials typically cannot be changed by end users and are often undocumented, leaving the end user unaware of the risk. If a threat actor discovers the credentials for a device (or for a family of devices sharing the same password), they may be able to exploit multiple devices with no known device-level mitigation. Hardcoded credentials are often intended for vendor-specific diagnostic functions or to authenticate components designed to communicate with each other (e.g., a PLC and an associated IED), but can be abused by threat actors once discovered. (CIA impact not explicitly stated)
R-LG0 | Company secrets | Incorrect certificate verification allows authentication bypass | This component relies on authentication and session/role management. This makes authentication bypass through incorrect certificate verification relevant because weak logic can permit unauthorized access or escalation. | Certificate-based authentication depends on correct parsing and validation of the X.509 certificate. If the certificate is not properly parsed and every relevant field is not validated (e.g., chain of trust, validity period, revocation status, subject or SAN), a threat actor could bypass authentication using a fraudulent certificate. (CIA impact not explicitly stated)
R-HQM | Patient data | Predictable cryptographic key | This component uses wireless connectivity that can be probed within range. This makes a predictable cryptographic key relevant because over-the-air attacks are possible if pairing/auth are weak. | If the device does not generate cryptographic material with sufficient randomness, a threat actor could predict or brute-force a key to gain unauthorized access to the device or decrypt a connection. Keys derived from a pseudo-random number generator (PRNG) that was seeded with too little entropy, as commonly happens on embedded devices at first boot, will lack sufficient entropy even though the generator output looks random. For example, researchers have demonstrated that a large number of Internet-exposed devices with TLS or SSH services shared RSA moduli or prime factors, which allowed the devices' private keys to be recovered and then used to authenticate to the devices remotely.
R-HB7 | Patient data | Cryptographic timing side-channel | This component uses wireless connectivity that can be probed within range. This makes a cryptographic timing side-channel relevant because over-the-air attacks are possible if pairing/auth are weak. | Cryptographic implementations sometimes leak information by finishing an operation earlier or later depending on, and correlated with, the input or key. If a threat actor can execute code on the processor performing a cryptographic operation, or can precisely time its responses, they may be able to infer the key by measuring how long the various functions take. For example, if a function like memcmp (which compares byte by byte and returns at the first mismatch) is used to check an HMAC value, timing the comparison reveals how many leading bytes of a guessed tag are correct, which reduces forging a valid tag from a brute-force search over the whole tag to a byte-at-a-time search.
R-K6N | Patient data | Weak/Insecure Cryptographic Protocol | This component relies on authentication and session/role management. This makes a weak or insecure cryptographic protocol relevant because weak logic can permit unauthorized access or escalation. | The device uses a weak or insecure cryptographic protocol or algorithm that can be broken or undermined. This could allow a threat actor to extract plaintext from encrypted communications, extract cryptographic keys, or bypass authentication mechanisms. A threat actor can use various techniques against such protocols, including brute-force guessing of keys or cryptanalysis to recover the plaintext. (Confidentiality impact likely)
R-RUC | Other company asset | Remotely Accessible Unauthenticated Services | This component uses wireless connectivity that can be probed within range. This makes remotely accessible unauthenticated services relevant because over-the-air attacks are possible if pairing/auth are weak. | If an application does not authenticate all connections from remote devices or systems, a threat actor can remotely establish a connection to the device to access confidential data or make unwanted changes to device status or configuration. (CIA impact not explicitly stated)
R-VLK | Intellectual property | Undocumented protocol features | This component exposes a network-facing interface that accepts remote input. This makes undocumented protocol features relevant because remote requests can exercise unexpected code paths and access controls. | Some devices support proprietary protocols, or add proprietary functionality to open protocols, and many of the custom functions or commands are not sufficiently documented. If users are not aware of these functions or commands, they cannot be expected to configure the device so as to remove unwanted functionality, and they are limited in their ability to monitor the device for malicious use of those functions or commands. (CIA impact not explicitly stated)
R-IDW | Other company asset | Remotely triggerable deadlock/DoS | This component uses wireless connectivity that can be probed within range. This makes a remotely triggerable deadlock/DoS relevant because over-the-air attacks are possible if pairing/auth are weak. | Some devices have operating modes that put the device in an inoperable state, and devices may also have network parsing or protocol vulnerabilities that can put them in a deadlocked or otherwise unresponsive state. A threat actor may therefore be able to send a message that causes the device to enter one of these states, rendering it non-functional or leaving it degraded. If the device has no mechanism to reset or recover from this state, it may remain unavailable until it is reset or rebooted, which may require physical operator presence. (Availability impact likely)
R-C8H | Other company asset | Network stack resource exhaustion | This component parses untrusted inputs and protocols. This makes network stack resource exhaustion relevant because crafted inputs can trigger logic or memory errors. | Remote connections and communications consume device resources (e.g., network stack buffers, packet processing capacity, socket connections) that, if exhausted, could leave the device unresponsive. A threat actor may attempt to cause this intentionally by sending repetitive or specially crafted messages to the device. The unresponsive state typically lasts at least for the duration of the attack; in some cases it persists until the device is reset or rebooted, which may require physical operator presence. (Availability impact likely)
R-6FQ | Intellectual property | Missing message replay protection | This component uses wireless connectivity that can be probed within range. This makes missing message replay protection relevant because over-the-air attacks are possible if pairing/auth are weak. | Threat actors may be able to replay a message to a device to cause an unwanted function, send an unwanted command, or gain access to privileged data. Message replay can be used to bypass non-existent or poorly designed authentication mechanisms that lack proper freshness protections, such as a nonce or timestamp. (CIA impact not explicitly stated)
R-KZ3 | Company secrets | Authentication bypass by message replay | This component uses wireless connectivity that can be probed within range. This makes authentication bypass by message replay relevant because over-the-air attacks are possible if pairing/auth are weak. | Some devices allow authentication over the network but do not implement mechanisms (e.g., nonces, timestamps) to ensure that messages containing credentials cannot be reused, leaving them vulnerable to replay attacks. In these attacks, threat actors capture legitimate packets sent over the network and send them to the device again. If the device accepts these packets, threat actors may be able to initiate unauthorized actions; if they can also edit the contents of those packets, they can potentially control the device remotely. (CIA impact not explicitly stated)
R-4O0 | Patient data | Cryptographic protocol side channel | This component uses wireless connectivity that can be probed within range. This makes a cryptographic protocol side channel relevant because over-the-air attacks are possible if pairing/auth are weak. | While encrypting data can prevent a threat actor from directly obtaining the plaintext, a threat actor may still be able to infer information about the device or the communicated data through side-channel and metadata analysis of encrypted sessions. For example, a threat actor could use message lengths, sequences and frequency to infer some or all of the plaintext content of messages. (Confidentiality impact likely)
R-7X3 | Other company asset | Network routing capability abuse | This component exposes a network-facing interface that accepts remote input. This makes network routing capability abuse relevant because remote requests can exercise unexpected code paths and access controls. | Some devices can forward packets to other connected devices (e.g., routing, port forwarding, tunneling, VPN). If the device is used to forward or route communications, a threat actor could change the forwarding rules or routes, either to (i) disable required forwarding rules and prevent authorized communications or (ii) add new rules that allow unauthorized access to other devices. The threat actor could potentially use this to reach devices within protected networks or zones. (CIA impact not explicitly stated)
R-Y1T | Cloud infrastructure and databases | Spoofing the External Entity; Vector: HTTPS (TLS 1.3) | This component exposes a network-facing interface that accepts remote input. This makes spoofing of the external entity relevant because remote requests can exercise unexpected code paths and access controls. | The external entity may be spoofed by an attacker, which may lead to unauthorized access to the device. Consider using a standard authentication mechanism to identify the external entity. (CIA impact not explicitly stated)
R-I2B | Cloud infrastructure and databases | Spoofing the Medical Device; Vector: HTTPS (TLS 1.3) | This component exposes a network-facing interface that accepts remote input. This makes spoofing of the medical device relevant because remote requests can exercise unexpected code paths and access controls. | The device may be spoofed by an attacker, which may lead to information disclosure or unauthorized access to the device. Consider using a standard authentication mechanism to identify each party to the communication. (Confidentiality impact likely)
R-I28 | Cloud infrastructure and databases | Potential data repudiation by Traefik Proxy; Vector: HTTPS (TLS 1.3) | This component exposes a network-facing interface that accepts remote input. This makes data repudiation by Traefik Proxy relevant because remote requests can exercise unexpected code paths and access controls. | The device or external entity claims that it did not receive data from a source outside the trust boundary. Consider using logging or auditing to record the source, time and a summary of the received data. (CIA impact not explicitly stated)
R-CZH | Cloud infrastructure and databases | Data Flow through HTTPS (TLS 1.3) Is Potentially Interrupted; Vector: HTTPS (TLS 1.3) | This component exposes a network-facing interface that accepts remote input. This makes interruption of the data flow through HTTPS (TLS 1.3) relevant because remote requests can exercise unexpected code paths and access controls. | An external agent interrupts data flowing between the external entity and the device in either direction. (CIA impact not explicitly stated)
R-CHN | Cloud infrastructure and databases | The AWS Data Store Services Could Be Corrupted; Vector: HTTPS (TLS 1.3) | This component exposes a network-facing interface that accepts remote input. This makes corruption of the AWS data store services relevant because remote requests can exercise unexpected code paths and access controls. | Data flowing across HTTPS (TLS 1.3) may be tampered with by an attacker, which may lead to corruption of data. Ensure the integrity of the data flow. (Integrity impact likely)
R-SUQ | Cloud infrastructure and databases | Data in transit not encrypted; Vector: HTTPS (TLS 1.3) | This component exposes a network-facing interface that accepts remote input. This makes unencrypted data in transit relevant because remote requests can exercise unexpected code paths and access controls. | Data flowing across HTTPS (TLS 1.3) may be disclosed by an attacker if it is not encrypted, which may lead to sensitive information disclosure. Ensure the confidentiality of the data flow. (Confidentiality impact likely)
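The timing side-channel row (R-HB7) and the two replay rows (R-6FQ, R-KZ3) describe the same small piece of receiver logic: check the tag of an incoming command without leaking how many bytes matched, and refuse messages whose timestamp or nonce has already been used. The following is an added Python example written for this page, not code from the device or the assessment; the message layout (8-byte timestamp, 16-byte nonce, command, HMAC-SHA256 tag), the 30-second freshness window and the fixed key are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import struct
import time

# Constructed, fixed key for the example only. A real device would hold a
# per-device secret provisioned at manufacture (assumption, not from the page).
DEVICE_KEY = bytes.fromhex(
    "6f1c4e9a2b7d0c3e5a8f1b4d7e9c2a6b0d3f5e7a9c1b2d4e6f8a0b1c2d3e4f5a"
)
TAG_LEN = hashlib.sha256().digest_size   # 32 bytes
HEADER = struct.Struct(">Q16s")          # 8-byte timestamp + 16-byte nonce


def early_exit_equal(a, b):
    """Naive byte-by-byte comparison that returns at the first mismatch.
    This is the memcmp-style check R-HB7 warns about: its run time reveals
    how many leading tag bytes were right. Included only as the contrast."""
    if len(a) != len(b):
        return False
    for x, y in zip(a, b):
        if x != y:
            return False
    return True


class CommandChannel:
    """Authenticates device commands and rejects replays (R-6FQ, R-KZ3)."""

    def __init__(self, key, window_s=30, clock=None):
        self.key = key
        self.window_s = window_s
        self.clock = clock or (lambda: int(time.time()))
        self.seen = {}  # nonce -> timestamp, pruned to the replay window

    def _tag(self, header, body):
        return hmac.new(self.key, header + body, hashlib.sha256).digest()

    def make(self, command, ts=None, nonce=None):
        """Sender side: timestamp || nonce || command || HMAC-SHA256 tag."""
        ts = self.clock() if ts is None else ts
        nonce = os.urandom(16) if nonce is None else nonce
        header = HEADER.pack(ts, nonce)
        return header + command + self._tag(header, command)

    def verify(self, msg):
        """Receiver side. Returns (accepted, reason). The MAC is checked first,
        so replay and freshness state is never touched by unauthenticated input."""
        if len(msg) < HEADER.size + TAG_LEN:
            return False, "short"
        header = msg[:HEADER.size]
        body = msg[HEADER.size:-TAG_LEN]
        tag = msg[-TAG_LEN:]
        # compare_digest runs in time independent of where the bytes differ.
        if not hmac.compare_digest(tag, self._tag(header, body)):
            return False, "bad mac"
        ts, nonce = HEADER.unpack(header)
        now = self.clock()
        if abs(now - ts) > self.window_s:
            return False, "stale"        # timestamp outside the freshness window
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window_s}
        if nonce in self.seen:
            return False, "replay"       # same nonce already accepted in the window
        self.seen[nonce] = ts
        return True, "ok"


def run_demo():
    """Constructed exchange: a legitimate command, its byte-for-byte replay,
    a tampered copy and a stale message, with a controllable clock."""
    clock = [1_700_000_000]
    chan = CommandChannel(DEVICE_KEY, window_s=30, clock=lambda: clock[0])
    results = {}
    msg = chan.make(b"SET_RATE 60")
    results["fresh"] = chan.verify(msg)                 # accepted
    results["replayed"] = chan.verify(msg)              # same bytes again
    tampered = msg[:HEADER.size] + b"SET_RATE 99" + msg[-TAG_LEN:]
    results["tampered"] = chan.verify(tampered)         # body changed, tag not
    clock[0] += 120                                     # two minutes pass
    results["stale"] = chan.verify(chan.make(b"SET_RATE 60", ts=1_700_000_000))
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:9s} -> {outcome}")
```

The order of checks matters: the tag is verified before the timestamp and nonce are even parsed, so an attacker without the key cannot fill or probe the nonce cache, and the replay check only ever runs on messages that were genuinely produced by a key holder. The nonce cache is bounded by the freshness window, which is what makes the timestamp necessary in the first place.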
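For the path traversal row (R-ZZY) the control is a path resolver that decodes, canonicalizes and then confines every requested path to the document root. The following is an added Python example written for this page, not code from the device's web server; the directory layout it builds (a `www` root, a `private` directory beside it and a symlink from `www/escape` into `private`) is constructed for the demonstration.

```python
import os
import tempfile
from urllib.parse import unquote


def resolve_static(root, requested):
    """Map a requested URL path to a regular file under root, or return None
    if the path escapes root, does not exist, or is not a regular file."""
    root_real = os.path.realpath(root)
    # Decode percent-encoding before any check, so "%2e%2e" is seen as "..".
    decoded = unquote(requested)
    # A NUL byte would truncate the path in C-level APIs; never pass it on.
    if "\x00" in decoded:
        return None
    # Treat backslashes as separators and drop leading slashes so that
    # os.path.join cannot be made to discard root via an absolute path.
    rel = decoded.replace("\\", "/").lstrip("/")
    candidate = os.path.realpath(os.path.join(root_real, rel))
    # realpath has resolved ".", ".." and symlinks; now confine to root.
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None
    if not os.path.isfile(candidate):
        return None
    return candidate


def build_demo_tree():
    """Constructed layout: base/www is the document root, base/private holds a
    file that must stay unreachable, and www/escape is a symlink into private."""
    base = tempfile.mkdtemp(prefix="traversal-demo-")
    www = os.path.join(base, "www")
    private = os.path.join(base, "private")
    os.makedirs(os.path.join(www, "docs"))
    os.makedirs(private)
    with open(os.path.join(www, "index.html"), "w") as f:
        f.write("<h1>device ui</h1>\n")
    with open(os.path.join(www, "docs", "readme.txt"), "w") as f:
        f.write("public notes\n")
    with open(os.path.join(private, "secret.txt"), "w") as f:
        f.write("do not serve\n")
    try:
        os.symlink(private, os.path.join(www, "escape"))
    except OSError:
        pass  # symlinks unavailable on this platform; that request just 404s
    return www


def run_demo():
    """Returns {requested path: served?} for legitimate and traversal requests."""
    www = build_demo_tree()
    requests = [
        "index.html",                  # plain file under root
        "/docs/readme.txt",            # leading slash is harmless after lstrip
        "docs/../index.html",          # ".." that stays inside root is fine
        "../private/secret.txt",       # classic traversal
        "%2e%2e/private/secret.txt",   # percent-encoded ".."
        "..%5cprivate%5csecret.txt",   # encoded backslashes as separators
        "escape/secret.txt",           # symlink that points outside root
        "index.html%00.txt",           # NUL-byte truncation attempt
        "docs",                        # a directory, not a file
    ]
    return {r: resolve_static(www, r) is not None for r in requests}


if __name__ == "__main__":
    for path, served in run_demo().items():
        print(f"{'serve' if served else 'deny '}  {path}")
```

The check is done on the fully resolved path rather than on the request string, so encoded dot segments, backslashes and symlinks are all handled by the same comparison instead of by a list of banned substrings. Running the server process with read access limited to the document root still matters, since the resolver only protects the paths that go through it.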