feat(iace): CRA / Cyber tab — demo CRA integration on the Kistenhub project
New "CRA / Cyber" tab in the IACE project (Zusatzmodule). Treats the Kistenhubgeraet CE project as if it had an IoT module; invented cyber findings are mapped to CRA Annex I requirements via the REAL backend mapper output (faithful), and crucially cross-linked to the existing CE safety hazards they re-open (cyber defeats a mechanically-mitigated guard -> CRA x Machinery Reg). Frontend fixture for now; live wiring to the mapper endpoint follows. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@@ -0,0 +1,117 @@
|
||||
'use client'
|
||||
|
||||
// DEMO data layer for the CRA / Cyber tab. The Kistenhubgeraet (crate lift) CE
|
||||
// project is treated AS IF it had an internet-connected IoT module. The cyber
|
||||
// findings are invented, but the CRA mapping below is the REAL output of the
|
||||
// deterministic backend mapper (compliance/services/cra_finding_mapper.py) run
|
||||
// on these findings — so the integration concept is faithful. The cross_links
|
||||
// (cyber re-opens a mechanically-mitigated safety hazard) are the core idea we
|
||||
// want to validate visually. Live wiring replaces this fixture later.
|
||||
|
||||
export interface CRAFinding {
|
||||
id: string
|
||||
title: string
|
||||
location: string
|
||||
scanner_severity: string
|
||||
cwe: string
|
||||
primary_requirement: string
|
||||
requirement_title: string
|
||||
requirement_ids: string[]
|
||||
annex_anchor: string
|
||||
iso27001_ref: string[]
|
||||
risk_level: string
|
||||
measures: { id: string; description: string }[]
|
||||
}
|
||||
|
||||
export interface CrossLink {
|
||||
cyber_finding_ids: string[]
|
||||
safety_hazard: string
|
||||
safety_ref: string
|
||||
original_measure: string
|
||||
cyber_breaks_it: string
|
||||
residual: string
|
||||
}
|
||||
|
||||
export interface CRADemo {
|
||||
scenario: string
|
||||
findings: CRAFinding[]
|
||||
by_risk: Record<string, number>
|
||||
coverage_pct: number
|
||||
requirements_touched: string[]
|
||||
open_measures: { id: string; description: string }[]
|
||||
cross_links: CrossLink[]
|
||||
deadlines: { date: string; label: string }[]
|
||||
}
|
||||
|
||||
const MEASURE_DESC: Record<string, string> = {
|
||||
M541: 'Signierte Software- und Firmware-Updates mit Rollback-Schutz',
|
||||
M542: 'Initiale Default-Passwoerter beim ersten Start erzwungen aendern',
|
||||
M545: 'Cybersecurity-Hardening-Guide fuer den Anwender beilegen',
|
||||
M547: 'Updates ueber authentisierten Kanal mit Integritaetspruefung',
|
||||
}
|
||||
|
||||
const m = (...ids: string[]) => ids.map((id) => ({ id, description: MEASURE_DESC[id] || '' }))
|
||||
|
||||
const DEMO: CRADemo = {
|
||||
scenario:
|
||||
'Kistenhubgeraet mit (angenommenem) IoT-Modul / Internetanschluss — Fernsteuerung, Telemetrie und Remote-Updates.',
|
||||
findings: [
|
||||
{ id: 'KH-CY-1', title: 'Fernsteuer-Weboberflaeche mit universellem Default-Passwort', location: 'remote-ui/login',
|
||||
scanner_severity: 'critical', cwe: 'CWE-259', primary_requirement: 'CRA-AI-8',
|
||||
requirement_title: 'Keine Default-Passwoerter', requirement_ids: ['CRA-AI-8'],
|
||||
annex_anchor: 'Annex I, 1(3)(d)', iso27001_ref: ['A.8.5'], risk_level: 'CRITICAL', measures: m('M542') },
|
||||
{ id: 'KH-CY-2', title: 'IoT-Telemetrie unverschluesselt ueber MQTT', location: 'telemetry/mqtt',
|
||||
scanner_severity: 'high', cwe: 'CWE-319', primary_requirement: 'CRA-AI-15',
|
||||
requirement_title: 'Transport-Schutz (Data in Transit)', requirement_ids: ['CRA-AI-15', 'CRA-AI-13'],
|
||||
annex_anchor: 'Annex I, 1(3)(e)', iso27001_ref: ['A.8.24'], risk_level: 'HIGH', measures: [] },
|
||||
{ id: 'KH-CY-3', title: 'Firmware-Updates ohne Signaturpruefung', location: 'updater',
|
||||
scanner_severity: 'high', cwe: 'CWE-494', primary_requirement: 'CRA-AI-30',
|
||||
requirement_title: 'Update-Integritaet', requirement_ids: ['CRA-AI-30', 'CRA-AI-28', 'CRA-AI-6'],
|
||||
annex_anchor: 'Annex I, 1(4)', iso27001_ref: ['A.8.24'], risk_level: 'HIGH', measures: m('M547', 'M541') },
|
||||
{ id: 'KH-CY-4', title: 'Offener Debug-Port (telnet) am Controller', location: 'controller:23',
|
||||
scanner_severity: 'medium', cwe: 'CWE-1188', primary_requirement: 'CRA-AI-1',
|
||||
requirement_title: 'Secure-by-Default-Konfiguration', requirement_ids: ['CRA-AI-1'],
|
||||
annex_anchor: 'Annex I, 1(1)', iso27001_ref: ['A.8.9'], risk_level: 'HIGH', measures: m('M545') },
|
||||
{ id: 'KH-CY-5', title: 'Gebundelte libmodbus mit bekannter CVE (veraltet)', location: 'deps/libmodbus',
|
||||
scanner_severity: 'high', cwe: 'CWE-1104', primary_requirement: 'CRA-AI-22',
|
||||
requirement_title: 'Dependency-Monitoring', requirement_ids: ['CRA-AI-22'],
|
||||
annex_anchor: 'Annex I, 1(5)', iso27001_ref: ['A.8.8', 'A.8.25'], risk_level: 'HIGH', measures: [] },
|
||||
{ id: 'KH-CY-6', title: 'Keine Sicherheits-Protokollierung der Remote-Befehle', location: 'remote-ui',
|
||||
scanner_severity: 'medium', cwe: 'CWE-778', primary_requirement: 'CRA-AI-24',
|
||||
requirement_title: 'Security-Logging', requirement_ids: ['CRA-AI-24'],
|
||||
annex_anchor: 'Annex I, 1(3)(g)', iso27001_ref: ['A.8.15'], risk_level: 'MEDIUM', measures: [] },
|
||||
],
|
||||
by_risk: { CRITICAL: 1, HIGH: 4, MEDIUM: 1, LOW: 0 },
|
||||
coverage_pct: 100.0,
|
||||
requirements_touched: ['CRA-AI-1', 'CRA-AI-6', 'CRA-AI-8', 'CRA-AI-13', 'CRA-AI-15', 'CRA-AI-22', 'CRA-AI-24', 'CRA-AI-28', 'CRA-AI-30'],
|
||||
open_measures: m('M542', 'M547', 'M541', 'M545'),
|
||||
cross_links: [
|
||||
{
|
||||
cyber_finding_ids: ['KH-CY-1', 'KH-CY-3'],
|
||||
safety_hazard: 'Unerwarteter Anlauf des Hubwerks → Quetschen zwischen Last und Rahmen',
|
||||
safety_ref: 'Risikobeurteilung: Quetschen Hubwerk',
|
||||
original_measure: 'Zweihandschaltung + trennende Schutzeinrichtung (mechanisch, PL d)',
|
||||
cyber_breaks_it:
|
||||
'Über die Fernsteuerung (Default-Passwort) oder manipulierte Firmware kann der Hub ohne Zweihandbedienung remote ausgelöst werden — die mechanisch gemilderte Quetsch-Gefährdung ist wieder offen.',
|
||||
residual: 'offen',
|
||||
},
|
||||
{
|
||||
cyber_finding_ids: ['KH-CY-2'],
|
||||
safety_hazard: 'Überlast / Lastabsturz durch manipulierte Lastgrenze',
|
||||
safety_ref: 'Risikobeurteilung: Lastabsturz',
|
||||
original_measure: 'Überlastsicherung / Lastmomentbegrenzer',
|
||||
cyber_breaks_it:
|
||||
'Unverschlüsselte MQTT-Telemetrie und -Befehle erlauben die Manipulation der Lastgrenz-Parameter — der Überlastschutz kann ausgehebelt werden.',
|
||||
residual: 'offen',
|
||||
},
|
||||
],
|
||||
deadlines: [
|
||||
{ date: '2026-06-11', label: 'Conformity Bodies benannt' },
|
||||
{ date: '2026-09-11', label: 'Vulnerability-Reporting-Pflicht aktiv (24h/72h)' },
|
||||
{ date: '2027-12-11', label: 'CE-Marking nach CRA verpflichtend' },
|
||||
],
|
||||
}
|
||||
|
||||
export function useCRADemo() {
|
||||
return { data: DEMO }
|
||||
}
|
||||
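Review bot: The `m` helper at `const m = (...ids: string[]) => ids.map((id) => ({ id, description: MEASURE_DESC[id] || '' }))` turns an unknown measure id into a measure with an empty description instead of failing, so a typo in one of the `m('M542', …)` calls would silently drop the remediation text from `measures` and `open_measures`; narrowing the parameter to `(...ids: (keyof typeof MEASURE_DESC)[])` and dropping the `|| ''` makes that a compile error under strict mode. Separately, the second cross-link blames a manipulation of the load-limit parameters on KH-CY-2, but that finding only states cleartext transmission of telemetry (CWE-319), which by itself gives an attacker read access; the write path the cross-link depends on (unauthenticated MQTT command topics) is not among the findings, so either add it as a finding or reword `cyber_breaks_it` so the cyber-to-safety chain the demo exists to validate is sound. `by_risk`, `coverage_pct` and `requirements_touched` are hand-kept copies of what `findings` already contains; if they are meant to stay verbatim mapper output, a comment saying so would stop someone "fixing" them by hand, otherwise derive them with e.g. `requirements_touched: [...new Set(findings.flatMap((f) => f.requirement_ids))]`.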