Industrial Internet Security Framework v 1.0 | Page 4

Security Framework Contents
Part III: The Functional and Implementation Viewpoints
7 IISF Functional Viewpoint ..... 46
7.1 Security Building Blocks ..... 46
7.2 IIoT System, IIRA Functional Viewpoint and IISF Functional Viewpoint ..... 47
7.3 Endpoint Protection ..... 48
7.4 Communications and Connectivity Protection ..... 50
7.5 Security Monitoring and Analysis ..... 52
7.6 Security Configuration And Management ..... 53
7.7 Data Protection ..... 55
7.8 Security Model and Policy ..... 56
7.9 From Functional to Implementation Viewpoint ..... 58
8 Protecting Endpoints ..... 60
8.1 Security Threats and Vulnerabilities on Endpoints ..... 61
8.2 Architectural Considerations for Protecting Endpoints ..... 63
8.2.1 Endpoint Security Lifecycle ..... 64
8.2.2 Hardware versus Software ..... 64
8.2.3 Brownfield Endpoint Considerations ..... 65
8.3 Endpoint Physical Security ..... 66
8.4 Establish Roots of Trust ..... 67
8.5 Endpoint Identity ..... 68
8.6 Endpoint Access Control ..... 70
8.6.1 Endpoint Authentication ..... 70
8.6.2 Endpoint Communication Authorization ..... 71
8.7 Endpoint Integrity Protection ..... 71
8.7.1 Boot Process Integrity ..... 71
8.7.2 Runtime Integrity ..... 72
8.8 Endpoint Data Protection ..... 73
8.8.1 Data Confidentiality ..... 73
8.8.2 Data Integrity ..... 74
8.9 Endpoint Monitoring and Analysis ..... 75
8.10 Endpoint Configuration and Management ..... 75
8.11 Cryptography Techniques for Endpoint Protection ..... 75
8.12 Isolation Techniques for Endpoint Protection ..... 76
8.12.1 Process isolation ..... 76
8.12.2 Container Isolation ..... 77
8.12.3 Virtual Isolation ..... 78
8.12.4 Physical Isolation ..... 80
8.13 Resource-Constrained Device Considerations ..... 80
9 Protecting Communications and Connectivity ..... 82
9.1 Cryptographic Protection of Communications & Connectivity ..... 83
9.1.1 Security Controls in Communication and Connectivity Protocols ..... 83
9.1.2 Building Blocks for Protecting Exchanged Content ..... 84
9.1.3 Connectivity Standards and Security ..... 84
9.1.4 Cryptographic Protection for Different Communications and Connectivity Paradigms ..... 85
9.2 Information Flow Protection ..... 86
9.2.1 Controlling Information Flows in Brownfield Deployments ..... 86
IIC: PUB: G4: V1.0: PB: 20160926- iv-