Industrial Internet Security Framework v 1.0 | Page 102

10: Security Monitoring and Analysis

regulations that prohibit the transmission of personally-identifiable data across geographic boundaries, or the storage or analysis of such data in some regions, sensitive data may need to be protected at rest or sensitive data may need to be protected from modification, such as by writing it to a write-only, write-once medium and by providing a mechanism to compare on-device log data with centrally reported data.

10.5 SPECIAL CONSIDERATIONS FOR MONITORING

In addition to the general aspects of monitoring, special considerations apply to brownfield systems, supply chain systems, and the relationship to security and privacy policies. There may be limits on the data that can be collected from legacy brownfield endpoints that do not support monitoring directly. This might be addressed using a front-end system when feasible. A supply chain is a special case for monitoring, since it requires monitoring the stages in producing IIoT components to ensure their integrity. Finally, data monitoring should be compliant with privacy and security policies.

Figure 10-4: Security Monitoring Special Considerations

10.5.1 SECURITY MODEL AND POLICY

Security monitoring is effective when there is a model of expected state and interactions allowing deviations from that model to be detected. Examples are the expected protocol interactions on the network, including their network destinations. The monitored data should be consistent with expected network and endpoint behavior, including security policies.

10.5.2 GREENFIELD VERSUS BROWNFIELD CONSIDERATIONS

Legacy industrial systems may have limited logging and reporting capabilities, and they cannot be upgraded to provide modern capabilities because of the cost of re-certification. Detailed logging at gateways to legacy systems and passive network monitoring systems for legacy communications can compensate.
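The model-and-deviation approach of 10.5.1, applied to flow records of the kind that gateway logging or passive network monitoring (10.5.2) would produce. This is an added example, not part of the framework text; the addresses, the rule set and the names Flow, Rule, classify and deviations are constructed for illustration.

```python
import ipaddress
from typing import NamedTuple

class Flow(NamedTuple):      # one observed connection (hypothetical record shape)
    src: str
    dst: str
    proto: str
    dport: int

class Rule(NamedTuple):      # one expected interaction in the model
    src_net: str
    dst_net: str
    proto: str
    dport: int

# Constructed model of expected protocol interactions and their destinations.
EXPECTED = [
    Rule("10.10.1.0/24", "10.10.2.5/32", "tcp", 502),   # HMI subnet -> PLC, Modbus/TCP
    Rule("10.10.2.5/32", "10.10.9.10/32", "udp", 514),  # PLC gateway -> central syslog
    Rule("10.10.1.0/24", "10.10.9.20/32", "udp", 123),  # HMI subnet -> NTP server
]

def _within(addr, net):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)

def classify(flow, model=EXPECTED):
    """Return 'expected', or the way in which the flow deviates from the model."""
    try:
        from_known = [r for r in model if _within(flow.src, r.src_net)]
        if not from_known:
            return "unknown-source"
        to_known = [r for r in from_known if _within(flow.dst, r.dst_net)]
    except ValueError:                       # unparsable address in the record
        return "malformed-record"
    if not to_known:
        return "unexpected-destination"
    if any(r.proto == flow.proto and r.dport == flow.dport for r in to_known):
        return "expected"
    return "unexpected-protocol"

def deviations(flows, model=EXPECTED):
    """List (flow, reason) for every flow that the model does not explain."""
    found = []
    for flow in flows:
        reason = classify(flow, model)
        if reason != "expected":
            found.append((flow, reason))
    return found
```

Each reason maps to a different follow-up: an unknown source points to an unmodelled or new endpoint, while an unexpected destination or protocol from a known endpoint is a deviation in that endpoint's behavior.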
Passive network monitoring keeps track of normal network

IIC:PUB:G4:V1.0:PB:20160926 - 102 -