Industrial Internet Security Framework v 1.0 | Page 114

Security Framework 11: Security Configuration and Management

There are standards and recommendations in place today for identity management. The ‘Entity Authentication Assurance Framework’ (EAAF) in ISO/IEC 29115¹ is an authentication standard describing the life cycle for credentials and for authenticating entities. NIST SP 800-57, ‘Recommendation for Key Management’², applies similar approaches to the management of credentials and identity material. The ‘Functional Model Representation of the Identity Ecosystem’³ is a model for identity solutions, including their various components and interactions. If the credential management process is not correctly implemented and adhered to, endpoint authentication may not produce the desired level of trust.

Applying an IIoT perspective to the existing identity management recommendations yields a variant of the lifecycle process. The treatment of identity for a human entity does not differ greatly from existing IT models, so non-person entities are the focus here. The IIoT identity management life cycle comprises three phases, as shown in Figure 11-6.

Figure 11-6: IIoT Identity Management Lifecycle

The enrollment phase ensures that the appropriate entity receives the appropriate identity material. This requires participation from the component builders to establish trust during manufacturing, procurement, delivery and commissioning. The entity may change ownership several times during these steps, so an audit trail tracking the chain of custody should be kept,

¹ See [ISO-29115]
² See [NIST-800-57]
³ See [IDESG-IDEF]

IIC:PUB:G4:V1.0:PB:20160926 - 114 -
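The enrollment-phase paragraph above calls for an audit trail of the chain of custody as a device changes hands through manufacturing, procurement, delivery and commissioning. The following is an added example, not code from the IISF or from any of the cited standards, of a tamper-evident custody log: each transfer record is hash-linked to the previous one and authenticated by the party releasing the device (here with an HMAC under a per-custodian key; an asymmetric signature with the key held in an HSM would be the production choice), and verification rejects both altered records and transfers released by a party that does not currently hold the device. The custodian names, keys, device identifier and stage labels are constructed placeholders.

```python
"""Tamper-evident chain-of-custody trail for IIoT identity material.

Added example (not IISF code). Each custody transfer is a record that names the
releasing and receiving parties, links to the hash of the previous record and
carries an HMAC computed by the releasing party under its own key. The key
registry, party names, stages and device id below are constructed placeholders;
a production system would use asymmetric signatures with keys held in an HSM.
"""
import hashlib
import hmac
import json
from typing import Dict, List, Optional

# Constructed key registry: in practice each custodian holds only its own key.
CUSTODIAN_KEYS: Dict[str, bytes] = {
    "manufacturer": b"mfg-secret-key-0001",
    "distributor": b"dist-secret-key-0002",
    "integrator": b"int-secret-key-0003",
    "plant-owner": b"owner-secret-key-0004",
}
GENESIS_HASH = "0" * 64
DEVICE = "PLC-000123"  # constructed device identifier


def _canonical(record: dict) -> bytes:
    """Stable serialisation of the authenticated fields (everything except the tag)."""
    body = {k: v for k, v in record.items() if k != "tag"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def _record_hash(record: dict) -> str:
    """Hash of the full record, tag included, used as the next record's link."""
    return hashlib.sha256(_canonical(record) + record["tag"].encode()).hexdigest()


def append_transfer(trail: List[dict], device_id: str, stage: str,
                    releasing: str, receiving: str) -> List[dict]:
    """Return a new trail with one more transfer, authenticated by the releasing party."""
    record = {
        "seq": len(trail),
        "device_id": device_id,
        "stage": stage,
        "from": releasing,
        "to": receiving,
        "prev_hash": _record_hash(trail[-1]) if trail else GENESIS_HASH,
    }
    record["tag"] = hmac.new(CUSTODIAN_KEYS[releasing], _canonical(record),
                             hashlib.sha256).hexdigest()
    return trail + [record]


def verify_trail(trail: List[dict], device_id: str,
                 origin: str = "manufacturer") -> Optional[str]:
    """Return None if the trail is intact, otherwise a message naming the first defect.

    Checks hash linkage, that each record's tag verifies under the releasing
    party's key, and that the releasing party is the current custodian: the
    origin for the first record, the previous receiver for every later one.
    """
    holder, prev_hash = origin, GENESIS_HASH
    for i, rec in enumerate(trail):
        if rec["seq"] != i or rec["device_id"] != device_id:
            return f"record {i}: sequence/device mismatch"
        if rec["prev_hash"] != prev_hash:
            return f"record {i}: broken hash link"
        if rec["from"] != holder:
            return f"record {i}: {rec['from']} is not the current custodian ({holder})"
        key = CUSTODIAN_KEYS.get(rec["from"])
        if key is None:
            return f"record {i}: unknown custodian {rec['from']}"
        expected = hmac.new(key, _canonical(rec), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec["tag"]):
            return f"record {i}: authentication tag invalid"
        holder, prev_hash = rec["to"], _record_hash(rec)
    return None


def build_demo_trail() -> List[dict]:
    """Manufacturer -> distributor -> integrator -> plant owner (constructed)."""
    trail: List[dict] = []
    trail = append_transfer(trail, DEVICE, "manufacturing", "manufacturer", "distributor")
    trail = append_transfer(trail, DEVICE, "procurement", "distributor", "integrator")
    trail = append_transfer(trail, DEVICE, "delivery", "integrator", "plant-owner")
    return trail


def tampered_trail() -> List[dict]:
    """An insider rewrites the receiver of the second hop after the fact."""
    trail = [dict(r) for r in build_demo_trail()]
    trail[1]["to"] = "rogue-reseller"
    return trail


def skipped_custodian_trail() -> List[dict]:
    """The integrator 'releases' a device the distributor still holds."""
    trail = build_demo_trail()[:1]
    return append_transfer(trail, DEVICE, "delivery", "integrator", "plant-owner")


if __name__ == "__main__":
    print("intact:  ", verify_trail(build_demo_trail(), DEVICE))
    print("tampered:", verify_trail(tampered_trail(), DEVICE))
    print("skipped: ", verify_trail(skipped_custodian_trail(), DEVICE))
```

The check that the releasing party equals the current holder is what turns a plain log into a chain of custody: a valid tag alone proves only that some key holder wrote the record, not that it was the party entitled to hand the device on. Because each tag is bound to the previous record's hash, a record cannot be inserted, reordered or edited without invalidating everything after it, which is the property the commissioning party needs when deciding whether to trust the identity material that arrives with the device.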