Security hardening guidelines
Nerve is a third-party platform for which software can be developed. It provides several features and measures that need to be used to ensure security. The following section gives an overview of several product areas or aspects of the product where measures need to be taken by implementers. Note that the measures listed can have major implications for software development processes and functions to ensure the entire system operates according to the security standard.
For ease of use, a summary of all measures can be found in the Security recommendation checklist.
Secure installation

Product aspect: Physical installation
Description & measures:
- Implementers of security shall ensure physical protection of the device against unauthorized physical access, so that an unauthorized user cannot access sensitive data on the disk.
- Implementers of security shall ensure that physical access to the network cables is limited in order to protect the network within the machine. Whenever possible, select a secure connection to devices.
Node Configuration

Product aspect: Configuration of networks
Description & measures:
Nerve devices can have multiple networks. In order to minimize the attack surface, users shall configure only those networks which are needed for operation.
- Implementers of security shall configure only those networks on a Nerve node which are needed for operation.
- Implementers of security shall place the node behind a firewall that allows access to port 443. If workloads provide access to additional ports, those workloads should be hardened to prevent unauthorized access and the firewall configuration should be adapted accordingly.

Product aspect: Acknowledging remote connections
Description & measures:
Nerve nodes provide the option to require acknowledgement of remote connections. If this option is not enabled, users with access to remote connections can establish remote connections to the device at any time.
- Implementers of security shall activate the feature to require local acknowledgement for remote access wherever possible.
Data Services configuration

Product aspect: Data Services gateway
Description & measures:
The Data Services gateway is, by design, a component which acts as a bridge between protocols, which often also means bridging networks. The gateway should be attached only to those networks where it is needed, and for all services the highest possible level of authentication and encryption shall be used. Note that fieldbus protocols quite commonly use neither secure transport nor authentication. The configurators of the Data Services gateway shall consider this lack of security and take measures accordingly.
- Implementers of security shall attach the Data Services gateway only to the required networks.
- Implementers of security shall activate the highest possible level of security for all inputs and outputs used.
- Implementers of security shall ensure that the potential lack of security of fieldbus protocols is considered and mitigated in their security concept.
Workload Configuration

Product aspect: Skilled users for workload configuration
Description & measures:
Workload configuration is considered to be of the same complexity as software development.
- Implementers of security shall ensure that only personnel with sufficient security know-how configure Nerve workloads.
- Implementers of security shall ensure that the security implications of the Docker Compose YAML and virtual machine XML configurations are acceptable for the given system. Such implications are, for example, a service being directly reachable from an external network, or user credentials being contained in parameters such as environment variables.
Product aspect: Resource consumption
Description & measures:
Nerve provides the capability to reserve resources for a workload. This reduces the probability of interference between workloads and therefore improves the availability of the system.
- Implementers of security shall make use of the option to reserve and limit resources for Nerve workloads.
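As an added example that is not part of the Nerve documentation, the following Docker Compose workload definition places the weak settings named above (a service bound to every network interface, a credential in a plain environment variable, no resource limits) next to a hardened form of the same service. The image name, service name, secret file and the assumption that Nerve passes these Compose keys through unchanged to the Docker engine are all assumptions made for illustration.

```yaml
# Added example, not Nerve's own configuration. Image, service and secret names are placeholders.

# --- Weak definition (kept as comments so the file stays valid):
# services:
#   fieldbus-gateway:
#     image: example/fieldbus-gateway:1.0
#     ports:
#       - "8080:8080"                 # binds 0.0.0.0:8080, reachable from every node network
#     environment:
#       - DB_PASSWORD=plaintext-secret # credential visible in the file, in `docker inspect` and in logs
#     privileged: true                # unrestricted host access; no CPU/memory limits either

# --- Hardened definition:
services:
  fieldbus-gateway:
    image: example/fieldbus-gateway:1.0   # placeholder; pin by digest in production
    ports:
      - "127.0.0.1:8080:8080"             # reachable only from the node itself, not from external networks
    networks:
      - fieldbus                          # attach only the network the workload actually needs
    secrets:
      - db_password                       # mounted at /run/secrets/db_password instead of an env var
    environment:
      - DB_PASSWORD_FILE=/run/secrets/db_password   # assumes the application reads a *_FILE variable
    read_only: true                       # immutable root filesystem
    security_opt:
      - no-new-privileges:true            # block setuid/setcap privilege escalation in the container
    cap_drop:
      - ALL                               # drop every Linux capability the service does not need
    deploy:
      resources:
        limits:                           # upper bound: a misbehaving workload cannot starve the node
          cpus: "1.0"
          memory: 512M
        reservations:                     # guaranteed share: other workloads cannot crowd it out
          cpus: "0.5"
          memory: 256M

networks:
  fieldbus:
    driver: bridge

secrets:
  db_password:
    file: ./db_password.txt               # provisioned on the node; never committed with the workload
```

`deploy.resources` is honored by Docker Compose v2 outside Swarm; older `docker-compose` v1 ignores the `deploy` key, so verify which engine the node runs before relying on the limits.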
Product aspect: Configuration of remote access
Description & measures:
The Nerve remote access feature, by design, permits the traversal of security zones. Users shall consider the undesired piercing of security zones when configuring remote access.
- Implementers of security shall configure remote access routes only in line with their security concept.
- Implementers of security shall allow remote access configuration only for users with sufficient know-how of the security concept.
Secure operation guidelines

Product aspect: Following a secure development process
Description & measures:
Nerve is a system on which customer applications are executed. Developers of customer applications may rely on the security features provided by Nerve. However, they still need to develop their applications in a secure way to achieve an overall secure system. Note that this requirement has significant implications for the application development team and process throughout the whole lifecycle. Even though Nerve comes with a security certification, this does not mean that all applications running on Nerve are secure.
- Implementers of applications on Nerve shall follow a secure life-cycle process for their applications running on Nerve.

Product aspect: Creating a process to act on security information provided by the Nerve team
Description & measures:
The Nerve team provides security information to the contact address given to the Nerve team when licenses were purchased.
- Implementers of security shall ensure that there is a process to read and act upon the security information provided by the Nerve team through the given contact address.
- Implementers of security should create, deploy and sell their systems based on Nerve in a way that frequent security updates are acceptable.
- Implementers of security shall create a process to verify that the version and configuration of the Nerve software correspond to the desired state.
- Implementers of security shall create a process to periodically review audit logs for unexpected or unauthorized access.
Account management guidelines

Product aspect: Management System
Description & measures:
Nerve provides comprehensive, fine-grained access control for the Management System. It is important to make use of this to implement the principle of least privilege. This is to be considered especially for the creation or configuration of workloads and the creation of remote connections.
- Implementers of security shall assign roles to users based on the principle of least privilege.
- Implementers of security shall assign the right to create, configure or modify workloads only to users with sufficient need and expertise.
- Implementers of security shall assign the right to create, configure or modify remote connections only to users with sufficient need and expertise.
- Implementers of security shall follow best practices for account management, e.g. review all user accounts and their permissions periodically and remove the ones which are no longer needed.

Product aspect: Local UI
Description & measures:
Nerve's local user interface is designed to be used by service engineers with sufficient expertise and security knowledge. Nerve does not provide role-based access control on the local interface. Therefore the local credentials are especially critical.
- Implementers of security shall ensure that only those people with sufficient need and security know-how are able to obtain the local node credentials.
Secure disposal guidelines

Product aspect: Secure disposal
Description & measures:
Information may leak after the system is decommissioned. For example, decommissioned hardware may be sold, giving a buyer the opportunity to analyze the system and extract data.
- Implementers of security shall ensure that a process exists to securely delete or destroy all data on decommissioned systems.