Product capabilities & addressed threats

This section gives an overview of Nerve's security capabilities and of the threats that the design and implementation of the product address. To implement a defense-in-depth strategy successfully in the overall system, the user needs to understand the capabilities of Nerve and the threats these capabilities address.

Security capabilities implemented by the product

The following list gives an overview of the security capabilities; it is not intended to be complete. Product features such as event logging can be used to improve security even though they are not security features as such.

Security capability: Description
Secure development process: Nerve is developed using a secure development process. This means that security is considered throughout the lifetime of the product.
CVE monitoring and vulnerability scan: Nerve software libraries are checked at regular intervals for known vulnerabilities. Corrective actions are taken by the development team.
Role-based access control: The Nerve Management System features a comprehensive role-based access control mechanism, which allows fine-grained configuration of rights.
Access control on all interfaces: All Nerve APIs are subject to access control.
Secure connections: All data communication between nodes and the Management System is secured using state-of-the-art cryptography. For Nerve version 2.5 and above, TLS 1.2 or higher is used.
Centralized logging: Nerve provides the capability to log events into the central log system in the Management System. This can help to track actions and changes. Refer to Audit logs for the Management System for the implementation of security-relevant log collection.
OS update capability: Nerve can update its operating system centrally through the Management System.
Workload update capability: Applications installed on Nerve can be updated centrally through the Management System or locally through the Local UI.
Workload repository: Nerve provides an integrated workload repository, which can help to ensure that workloads are not modified unknowingly.
Workload hashes: Using the Nerve DNA feature, the customer can ensure that the correct workload is being deployed by identifying workloads precisely through the workload hash.
Node onboarding with serial number and secure ID: The Management System only accepts nodes which are registered using the correct combination of serial number and secure ID.

Addressed threats

The addressed threats in this section are split into three categories: system-wide, node-related and Management System-related threats. Measures that need to be taken by implementers are listed as bullet points.

For ease of use, a summary of all measures can be found in the Security recommendation checklist.

System-wide threats

Threat: Description & measures to be taken by implementers
Malicious workload (supply chain attack): Attackers may insert malicious code in publicly available software images or even in non-public software.
  • Implementers of security shall ensure that workloads are only taken from trustworthy sources and/or analyzed for security threats.
Malicious node image (supply chain attack): Attackers may include malicious software in the Nerve image. The Nerve team protects against these threats with adequate process measures.
Malicious workload configuration: Nerve provides the capability to supply configuration data for workloads. This data may be used to inject malicious code.
  • Implementers of security shall ensure that workloads do not accept executables or scripts as configurations.

Node-related threats

Threat: Description & measures
Stolen node credentials: Credentials may get stolen.
  • Implementers of security shall ensure that the credentials of the local user are changed after installation.
  • Implementers of security shall ensure that each node has unique credentials.
  • Implementers of security shall use state-of-the-art measures such as training and workplace security to prevent credentials from leaking.
Injecting unexpected items in APIs or user forms: The Nerve team protects against such attacks with adequate technology.
Placing a malicious workload in the local repository: Nerve supports a local workload repository to reduce data transfer to the Management System.
  • Implementers of security shall ensure the integrity and security of their local workload repository, if used.
Compromising VM backup files: Nerve can create workload backups to external repositories. These may become compromised.
  • Implementers of security shall ensure the integrity and security of their external backup server, if used.
No cryptography on HTTP communication: All communication to and from the Nerve Management System is encrypted. However, HTTP communication may fall back to not using cryptography. The Nerve team protects against such attacks with adequate technology. The Nerve local user interface does not use encryption.
  • Implementers of security shall take adequate measures to ensure that unencrypted communication to the Nerve node's local user interface or API does not compromise system security.
Abuse of documented API: The API may contain vulnerabilities. The Nerve team protects against such attacks with an adequate design process and technology.
Brute force attacks: Brute force attacks on the API may cause credentials to be leaked. The Nerve team protects against such attacks with an adequate design process and technology. Refer to Connecting to the local UI for more information.
Privilege escalation: Use of features may lead to undesired escalation of privileges. The Nerve team protects against such attacks with an adequate design process and technology.
Compromising node integrity through bind-mounting of a node directory in Docker Compose: Bind-mounting of a directory by a workload may provide an entry point from the workload into the underlying operating system. Nerve protects against this by rejecting such bind-mounts, with the exception of the time zone directory.
Compromising node integrity by creating a network with undesired properties: Nerve protects against this by rejecting the creation of networks with undesired properties.
Compromising network segregation by configuring workloads without respecting security zone boundaries: Nerve comes with a predefined set of networks, which allows workloads to be configured so that they access traffic only on the desired ports and networks. Out of convenience or unknowingly, users may configure workloads in a way that compromises zone separation.
  • Implementers of security shall ensure that the network configuration of workloads aligns with the security concept of the system.
Leaking credentials by reading the DNA file: Users may decide to place credentials in the Nerve DNA file, which is an unencrypted plain-text file.
  • Implementers of security shall ensure that the DNA files do not contain credentials.
Injecting malicious workload: Attackers may try to inject malicious workloads, not only by modifying them at the time of download from an external repository, but also once they are already in the workload repository of the Management System. The Nerve DNA feature provides hashes to identify workloads uniquely.
  • Implementers of security should use the Nerve DNA feature with hashes for deployment of applications.
Spoof Management System: Attackers may try to spoof the Management System DNS entry so that a node connects to the wrong Management System.
  • Implementers of security shall ensure the integrity of the DNS service in the network to which the WAN interface of the node is connected.
Overcommitment of resources: Users may overcommit resources and thereby reduce system availability. Nerve provides the possibility to protect against overcommitment of resources by assigning resource constraints to workloads.
  • Implementers of security shall ensure that resource constraint configuration is done correctly to avoid overcommitment of resources.
  • Implementers of security should monitor resource consumption periodically or create an alert to ensure system availability.
  • Implementers of security should test workloads for resource leaks.
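As an added illustration of two of the node-related threats above (host bind-mounts, which Nerve rejects except for the time zone directory, and resource overcommitment), the following Python policy check can be run over a workload's Docker Compose definition before it is deployed. It is example code written for this page, not part of Nerve; it assumes the compose file has already been parsed into a dict (e.g. with PyYAML), that the time zone exception corresponds to /etc/localtime and /usr/share/zoneinfo, and that every workload must declare both a memory and a CPU limit.

```python
# Host paths a workload may bind-mount. Assumption (not from the Nerve docs):
# Nerve's time zone exception corresponds to these two paths.
ALLOWED_BIND_SOURCES = ("/etc/localtime", "/usr/share/zoneinfo")

def bind_source(entry):
    """Host path of a bind-mount entry ("host:ctr[:opts]" or long form), else None."""
    if isinstance(entry, dict):
        return entry.get("source") if entry.get("type") == "bind" else None
    src = str(entry).split(":", 1)[0]
    return src if src.startswith(("/", ".", "~")) else None

def check_workload(compose):
    """Return the policy violations for every service in a parsed compose dict."""
    violations = []
    for name, svc in compose.get("services", {}).items():
        # Rule 1: reject host bind-mounts outside the time zone directory.
        for vol in svc.get("volumes", []):
            src = bind_source(vol)
            if src is None:
                continue
            if not any(src == p or src.startswith(p + "/") for p in ALLOWED_BIND_SOURCES):
                violations.append(f"{name}: bind-mount of host path {src} rejected")
        # Rule 2 (assumed policy): require both a memory and a CPU limit so that
        # a single workload cannot overcommit the node's resources.
        limits = svc.get("deploy", {}).get("resources", {}).get("limits", {})
        has_mem = "mem_limit" in svc or "memory" in limits
        has_cpu = "cpus" in svc or "cpus" in limits
        if not (has_mem and has_cpu):
            violations.append(f"{name}: no memory/CPU limits set (overcommitment risk)")
    return violations

# Constructed sample in the parsed form of a compose file: one compliant
# service and one that bind-mounts the host root and declares no limits.
SAMPLE_COMPOSE = {
    "services": {
        "sensor-gw": {
            "image": "example/sensor-gw:1.0",
            "volumes": ["/etc/localtime:/etc/localtime:ro", "data:/var/lib/gw"],
            "mem_limit": "256m",
            "cpus": "0.5",
        },
        "debug-shell": {
            "image": "example/debug:latest",
            "volumes": [{"type": "bind", "source": "/", "target": "/host"}],
        },
    },
    "volumes": {"data": {}},
}
```

Calling `check_workload(SAMPLE_COMPOSE)` returns two violations, both for `debug-shell`, and an empty list for the compliant `sensor-gw` service alone.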

Management System-related threats

Threat: Description & measures
Stolen credentials: Credentials of users in the Management System may get stolen.
  • Implementers of security shall use state-of-the-art measures such as training and workplace security to prevent credentials from leaking. Consider using organization-wide credential management by connecting the Nerve Management System through LDAP.
Injecting unexpected items in APIs or user forms: The Nerve team protects against such attacks with adequate technology.
Brute force attack on the Management System: The Nerve team protects against such attacks with adequate technology. Refer to Logging in to the Management System for more information.
DoS attack on REST API endpoint: The Management System REST endpoints may be subject to denial of service attacks. When hosted by TTTech Industrial, the Nerve team protects against this attack.
  • Implementers of security running an on-premise Management System shall protect against DoS attacks using adequate technology such as firewalls.
Command or code injection: The Management System may be subject to command or code injection attacks. The Nerve team protects against such attacks by using a secure development process and adequate technology.
Stolen node identification: The node identification, comprising serial number and secure ID, may get stolen. Note that it will be difficult to protect the device serial number from getting stolen, so the focus is on the secure ID.
  • Implementers of security shall use state-of-the-art measures such as training and workplace security to prevent the node secure ID from leaking.
Onboarding of malicious nodes: Attackers may try to onboard malicious nodes to the system. To prevent this, the onboarding process shall include an out-of-band process verifying the identity of a newly onboarded node.
  • Implementers of security shall ensure the identity of the onboarded node in their onboarding process, e.g. by adding a manual verification of the serial number to the procedure.
MQTT service attacks: Internal MQTT systems may be attacked. The Nerve team protects against such attacks with adequate technology.
Retrieving logs and metrics: Attackers may try to retrieve logs and metrics. The Nerve team protects against such attacks with adequate technology.
Destroying or modifying logs: Attackers may try to modify or destroy logs. Implementing a backup policy can be an adequate countermeasure. When hosted by TTTech Industrial, the Nerve team provides backups.
  • Implementers of security running an on-premise Management System shall protect against lost logs by implementing an adequate backup policy.
Destroying or modifying the Management System and stored data: Attackers may try to modify or destroy the Management System and the data stored in it. Implementing a backup policy can be an adequate countermeasure. When hosted by TTTech Industrial, the Nerve team provides backups.
  • Implementers of security running an on-premise Management System shall protect against loss of the Management System and its data by implementing an adequate backup policy.
Sending unauthorized logs: Attackers may try to send logs even though they are not authorized. The Nerve team protects against such attacks with adequate technology.
Brute force attack on authorization endpoint: Attackers may obtain credentials by a brute force attack on the logging subsystem. The Nerve team protects against such attacks with adequate technology.
Certificates of the Management System may become outdated: When hosted by TTTech Industrial, the Nerve team protects against this. When hosted on-premise, this is the user's responsibility.
  • Implementers of security shall ensure a timely renewal of the certificates of the Management System.