26.1 | Combination of short encryption keys and long period of validity enables attacker to break encryption | M23 | Cybersecurity best practices for software and hardware development shall be followed |
26.2 | Insufficient use of cryptographic algorithms to protect sensitive systems |
26.3 | Using deprecated cryptographic algorithms |
27.1 | Hardware or software, engineered to enable an attack or fail to meet design criteria to stop an attack | M23 | Cybersecurity best practices for software and hardware development shall be followed |
28.1 | The presence of software bugs can be a basis for potential exploitable vulnerabilities. This is particularly true if software has not been tested to verify that known bad code/bugs is not present and reduce the risk of unknown bad code/bugs being present | M23 | Cybersecurity best practices for software and hardware development shall be followed. Cybersecurity testing with adequate coverage |
28.2 | Using remainders from development (e.g. debug ports, JTAG ports, microprocessors, development certificates, developer passwords, …) can permit an attacker to access ECUs or gain higher privileges |
29.1 | Superfluous internet ports left open, providing access to network systems |
29.2 | Circumvent network separation to gain control. Specific example is the use of unprotected gateways, or access points (such as truck-trailer gateways), to circumvent protections and gain access to other network segments to perform malicious acts, such as sending arbitrary CAN bus messages | M23 | Cybersecurity best practices for software and hardware development shall be followed. Cybersecurity best practices for system design and system integration shall be followed |