Industrial Internet Security Framework v 1.0 | Page 4

7 IISF Functional Viewpoint ................................................................................................ 46

7.1

Security Building Blocks ..................................................................................................... 46

7.2

IIoT System , IIRA Functional Viewpoint and IISF Functional Viewpoint ................................ 47

7.3

Endpoint Protection .......................................................................................................... 48

7.4

Communications and Connectivity Protection .................................................................... 50

7.5

Security Monitoring and Analysis ....................................................................................... 52

7.6

Security Configuration And Management ........................................................................... 53

7.7

Data Protection ................................................................................................................. 55

7.8

Security Model and Policy .................................................................................................. 56

7.9

From Functional to Implementation Viewpoint .................................................................. 58

8 Protecting Endpoints ....................................................................................................... 60

8.1

Security Threats and Vulnerabilities on Endpoints .............................................................. 61

8.2

Architectural Considerations for Protecting Endpoints ........................................................ 63

8.2.1

Endpoint Security Lifecycle ............................................................................................... 64

8.2.2

Hardware versus Software ................................................................................................ 64

8.2.3

Brownfield Endpoint Considerations ................................................................................ 65

8.3

Endpoint Physical Security ................................................................................................. 66

8.4

Establish Roots of Trust ..................................................................................................... 67

8.5

Endpoint Identity ............................................................................................................... 68

8.6

Endpoint Access Control .................................................................................................... 70

8.6.1

Endpoint Authentication ................................................................................................... 70

8.6.2

Endpoint Communication Authorization .......................................................................... 71

8.7

Endpoint Integrity Protection ............................................................................................. 71

8.7.1

Boot Process Integrity ....................................................................................................... 71

8.7.2

Runtime Integrity .............................................................................................................. 72

8.8

Endpoint Data Protection .................................................................................................. 73

8.8.1

Data Confidentiality .......................................................................................................... 73

8.8.2

Data Integrity .................................................................................................................... 74

8.9

Endpoint Monitoring and Analysis ..................................................................................... 75

8.10 Endpoint Configuration and Management .......................................................................... 75

8.11 Cryptography Techniques for Endpoint Protection .............................................................. 75

8.12 Isolation Techniques for Endpoint Protection ..................................................................... 76

8.12.1

Process isolation ............................................................................................................... 76

8.12.2

Container Isolation ............................................................................................................ 77

8.12.3

Virtual Isolation ................................................................................................................. 78

8.12.4

Physical Isolation ............................................................................................................... 80

8.13 Resource-Constrained Device Considerations ..................................................................... 80

9 Protecting Communications and Connectivity ................................................................. 82

9.1

Cryptographic Protection of Communications & Connectivity ............................................. 83

9.1.1

Security Controls in Communication and Connectivity Protocols .................................... 83

9.1.2

Building Blocks for Protecting Exchanged Content ........................................................... 84

9.1.3

Connectivity Standards and Security ................................................................................ 84

9.1.4

Cryptographic Protection for Different Communications and Connectivity Paradigms .. 85

9.2

Information Flow Protection .............................................................................................. 86

9.2.1

Controlling Information Flows in Brownfield Deployments ............................................. 86