Title

Inadequate “operator/facilitator/administrator” access control for remote monitoring of a VTU connected to an IP network. (Cat II impact)

Discussion

Activation and use of remote monitoring and control features such as those discussed here and in RTS-VTC 1160.00 must be protected by access control. Minimally this must be the administrator password; however, access to this feature should not give full administrator access.

Check Content

[IP]; Interview the IAO to validate compliance with the following requirement: In the event the VTU is connected to an IP network ensure access to IP remote monitoring and associated control functions of the VTU is minimally protected by a password. Note: During APL testing, this is a finding in the event this requirement is not supported by the VTU. i.e., remote monitoring must be able to have a password set in order to access remote monitoring features. Verify that an administrator password is required to access remotely accessible VTU. Have the IAO or SA demonstrate compliance with the requirement.

Fix Text

[IP]; Perform the following tasks: If IP remote monitoring is activated, configure the VTU to require a password before permitting access to the remote monitoring and associated control functions.

Additional Identifiers

Rule ID: SV-18727r1_rule

Vulnerability ID: V-17600

Group Title: RTS-VTC 1162.00 [IP]

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.