Product capabilities & addressed threats
This section gives an overview of Nerve's security capabilities and of the threats addressed by the design and implementation of the product. For a successful implementation of a defense-in-depth strategy in the overall system, the user needs to understand the capabilities of Nerve and the threats addressed by these capabilities.
Security capabilities implemented by the product
The following list is an overview of the security capabilities, but it is not intended to be a complete list. Product features, such as the capability to log events, can be used to improve security even though they are not security features as such.
| Security capability | Description |
|---|---|
| Secure development process | Nerve is developed using a secure development process. This means that security is considered throughout the lifetime of the product. |
| CVE monitoring and vulnerability scan | Nerve software libraries are checked at regular intervals for known vulnerabilities. Corrective actions are taken by the development team. |
| Role-based access control | The Nerve Management System features a comprehensive role-based access control mechanism, which allows a fine-grained configuration of rights. |
| Access control on all interfaces | All Nerve APIs are subject to access control. |
| Secure connections | All data communication between nodes and the Management System is secured using state-of-the-art cryptography. For Nerve version 2.5 and above, TLS 1.2 or higher is used. |
| Centralized logging | Nerve provides the capability to log events into the central log system in the Management System. This can help to track actions and changes. Refer to Audit logs for the Management System for the implementation of security-relevant log collection. |
| OS update capability | Nerve can update its operating system centrally through the Management System. |
| Workload update capability | Applications installed on Nerve can be updated centrally through the Management System or locally through the Local UI. |
| Workload repository | Nerve provides an integrated workload repository, which can help to ensure that workloads are not modified unknowingly. |
| Workload hashes | Using the Nerve DNA feature, the customer can ensure that the correct workload is being deployed by precisely identifying workloads with the workload hash. |
| Node onboarding with serial number and secure ID | The Management System only accepts nodes which are registered using the correct combination of serial number and secure ID. |
Addressed threats
The list of addressed threats in this section is split up into three categories: system-wide, node-related and Management System-related threats. Measures that need to be taken by implementers are formatted in bold.
For ease of use, a summary of all measures can be found in the Security recommendation checklist.
System-wide threats
| Threat | Measures to be taken by implementers |
|---|---|
| Malicious workload (supply chain attack) | Attackers may insert malicious code in publicly available software images or even in non-public software. |
| Malicious node image (supply chain attack) | Attackers may include malicious software in the Nerve image. The Nerve team protects against these threats with adequate process measures. |
| Malicious workload configuration | Nerve provides the capability to provide configuration data for workloads. This data may be used to inject malicious code. |
Node-related threats
| Threat | Description & Measures |
|---|---|
| Stolen node credentials | Credentials may get stolen. |
| Injecting unexpected items in APIs or user forms | The Nerve team protects against such attacks with adequate technology. |
| Placing a malicious workload in the local repository | Nerve supports a local workload repository to reduce data transfer to the Management System. |
| Compromising VM backup files | Nerve can create workload backups to external repositories. Those may become compromised. |
| No cryptography on HTTP communication | All communication to and from the Nerve Management System is encrypted. However, HTTP communication may fall back to not using cryptography. The Nerve team protects against such attacks with adequate technology. The Nerve local user interface does not use encryption. |
| Abuse of documented API | The API may contain vulnerabilities. The Nerve team protects against such attacks with an adequate design process and technology. |
| Brute force attacks | Brute force attacks on the API may cause credentials to be leaked. The Nerve team protects against such attacks with an adequate design process and technology. Refer to Connecting to the local UI for more information. |
| Privilege escalation | Use of features may lead to undesired escalation of privileges. The Nerve team protects against such attacks with an adequate design process and technology. |
| Compromising node integrity through bind-mounting of a node directory in Docker Compose | Bind-mounting of a directory by a workload may provide an entry point for the workload to the underlying operating system. Nerve protects against this by rejecting such bind-mounts, with the exception of the time zone directory. |
| Compromising node integrity by creating a network with undesired properties | Nerve protects against this by rejecting the creation of networks with undesired properties. |
| Compromising network segregation by configuring workloads without respecting security zone boundaries | Nerve comes with a predefined set of networks, which allows workloads to be configured to access traffic only on desired ports and networks. Out of convenience or unknowingly, users may configure workloads in a way that compromises zone separation. |
| Leaking credentials by reading the DNA file | Users may decide to place credentials in the Nerve DNA file, which is an unencrypted plain-text file. |
| Injecting malicious workload | Attackers may try to inject malicious workloads, not only by modification at the time of download from an external repository, but also when the workload is already in the workload repository of the Management System. The Nerve DNA feature provides hashes to identify workloads uniquely. Thus, it is recommended to use the Nerve DNA feature with hashes for deployment of applications. |
| Spoof Management System | Attackers may try to spoof the Management System DNS entry so that a node connects to the wrong Management System. |
| Overcommitment of resources | Users may overcommit resources and therefore reduce system availability. Nerve provides the possibility to protect against overcommitment of resources by assigning resource constraints to workloads. |
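The bind-mount and overcommitment rows above describe two checks an implementer can also run before a workload definition reaches a node. The following added example (not Nerve code) applies both policies to a Docker Compose definition that has already been loaded into a dict; it assumes, since the page does not say, that "the time zone directory" means `/etc/localtime` or the `/usr/share/zoneinfo` tree.

```python
from typing import Any, List, Optional


def _bind_source(volume: Any) -> Optional[str]:
    """Host path of a bind-mount volume entry, or None for a named volume.
    Handles short syntax "host:container[:mode]" and long syntax dicts."""
    if isinstance(volume, str):
        host = volume.split(":", 1)[0]
        # A path-like host part means a bind mount; a bare name is a named volume.
        return host if host.startswith(("/", "./", "../", "~")) else None
    if isinstance(volume, dict) and volume.get("type") == "bind":
        return str(volume.get("source", ""))
    return None


def _bind_allowed(src: str) -> bool:
    """Assumption (not on the page): the permitted "time zone directory" is
    the node's /etc/localtime file or the /usr/share/zoneinfo tree."""
    return src == "/etc/localtime" or src.rstrip("/") == "/usr/share/zoneinfo" \
        or src.startswith("/usr/share/zoneinfo/")


def check_compose(compose: dict) -> List[str]:
    """One finding per violation; an empty list means both checks pass."""
    findings = []
    for name, svc in (compose.get("services") or {}).items():
        for vol in svc.get("volumes") or []:
            src = _bind_source(vol)
            if src is not None and not _bind_allowed(src):
                findings.append(f"{name}: bind-mount of node path {src!r} rejected")
        limits = ((svc.get("deploy") or {}).get("resources") or {}).get("limits") or {}
        if not limits.get("cpus") or not limits.get("memory"):
            findings.append(f"{name}: no CPU/memory limits, overcommitment possible")
    return findings


# Constructed sample (already parsed from YAML into a dict): one compliant
# workload and one that violates both rules.
SAMPLE_COMPOSE = {
    "services": {
        "sensor-gw": {
            "volumes": ["/etc/localtime:/etc/localtime:ro", "gwdata:/data"],
            "deploy": {"resources": {"limits": {"cpus": "0.5", "memory": "256M"}}},
        },
        "debug-shell": {
            "volumes": ["/:/host", {"type": "bind", "source": "/etc", "target": "/hostetc"}],
        },
    }
}
```

Running `check_compose(SAMPLE_COMPOSE)` reports three findings, all for `debug-shell`, and nothing for `sensor-gw`.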
Management System-related threats
| Threat | Description & measures |
|---|---|
| Stolen credentials | Credentials of users in the Management System may get stolen. |
| Injecting unexpected items in APIs or user forms | The Nerve team protects against such attacks with adequate technology. |
| Brute force attack on the Management System | The Nerve team protects against such attacks with adequate technology. Refer to Logging in to the Management System for more information. |
| DoS attack on REST API endpoint | The Management System REST endpoints may be subject to denial of service attacks. When hosted by TTTech Industrial, the Nerve team protects against this attack. |
| Command or code injection | The Management System may be subject to command or code injection attacks. The Nerve team protects against such attacks by using a secure development process and adequate technology. |
| Stolen node identification | The node identification comprising serial number and secure ID may get stolen. Note that it will be difficult to protect the device serial number from getting stolen, thus the focus will be on the secure ID. |
| Onboarding of malicious nodes | Attackers may try to onboard malicious nodes to the system. To prevent this, the onboarding process shall include an out-of-band process verifying the identity of a newly onboarded node. |
| MQTT service attacks | Internal MQTT systems may be attacked. The Nerve team protects against such attacks with adequate technology. |
| Retrieving logs and metrics | Attackers may try to retrieve logs and metrics. The Nerve team protects against such attacks with adequate technology. |
| Destroying or modifying logs | Attackers may try to modify or destroy logs. Implementing a backup policy can be an adequate countermeasure. When hosted by TTTech Industrial, the Nerve team provides backups. |
| Destroying or modifying the Management System and stored data | Attackers may try to modify or destroy the Management System and the data stored. Implementing a backup policy can be an adequate countermeasure. When hosted by TTTech Industrial, the Nerve team provides backups. |
| Sending unauthorized logs | Attackers may try to send logs even though they are not authorized. The Nerve team protects against such attacks with adequate technology. |
| Brute force attack on authorization endpoint | Attackers may obtain credentials by brute force attack on the logging subsystem. The Nerve team protects against such attacks with adequate technology. |
| Certificates of the Management System may become outdated | When hosted by TTTech Industrial, the Nerve team protects against this. When hosted on-premise, this lies in the user's responsibility. |