WICE Cybersecurity

From WICE Wiki v2.92
Jump to navigation Jump to search

WICE has a large number of cybersecurity mechanisms implemented in response to threats. Threats are identified in a TARA procedure and potential weaknesses in WICE are addressed.

Alkit maintains a publicly accessible Vulnerability disclosure programme that allows for the disclosure of Vulnerabilities discovered by researchers and other external actors or entities. Contact Alkit Communications to receive information required to utilise the disclosure programme.

WICE Cybersecurity Approach

The high level approach is to secure the back-end and the WCUs and provide a secure channel between them to ensure confidentiality and integrity of the system.

Access control mechanism

The WICE system has a comprehensive Access Control framework (configured in the WICE Portal) to control which user has access to which WCU.

Secure communication mechanism

The WICE system relies on a secure communication mechanism based on TLS 1.3 and a PKI for communication between WCUs and the WICE back-end.

The WCU communicates with the WICE-back-end using the secure TLS-based tunnel, allowing configurations of the WCUs. The access control of the PKI solution is based on X.509 certificates identifying the endpoints of communication (WCU and WICE back-end). Only WCUs with a valid certificate can connect to the WICE back-end and is therefore an access control mechanism that ensures only authorised WICE users can access a WCU.

Authentication mechanism

The WICE system authenticates all users when logging in to the WICE Portal front-end user interface. A role-based access control framework is used to configure which WICE user has access to different resources, including WCUs. A specific user that has been assigned credentials to a specific WCU can then access the WCU by means of the secure TLS-based connection between the WCU and the back-end, provided the WCU is properly configured and authenticated through the PKI.

Secure update mechanism

The WICE system supports remote updates of the WCU software, including firmware. The software update mechanism allows an authenticated WICE user with the proper access rights to select a new software version to be installed on one or more WCUs through the WICE Portal user interface. The selected software will be downloaded to the WCU(s) over a secure channel (TLS tunnel), verified for integrity, and installed on the WCU.

Resilience mechanism

The WICE system uses resilience mechanisms to mitigate the effects of Denial of Service (DoS) Attacks on the network interfaces of the WCU and return the WCU to a defined state after the attack.

Input validation

The WICE system validates all input received via external interfaces if the input has potential impact on security assets and/or network assets.

Vulnerability Monitoring

Alkit maintains a publicly accessible Vulnerability disclosure programme that allows for the disclosure of Vulnerabilities discovered by researchers and other external actors or entities. Contact Alkit Communications to receive information required to utilise the disclosure programme.

Retrieved from "https://wiki.alkit.se/wice292/index.php?title=WICE_Cybersecurity&oldid=3839"