Industrial Internet Security Framework v 1.0 | Page 119
Security Framework
11: Security Configuration and Management
occur on a designated network (physical or virtual), to ensure that the onboarding process is
complete before communications with OT equipment can occur. The endpoint may be
reprovisioned either on a schedule (perhaps for key rotation) or as needed.
During normal usage the endpoint applies the optimum endpoint security policy. Based on
security events, the endpoint may transition to an alert state that tightens security controls down
to the minimum operational functionality or a later remediation state where the endpoint is
reset. This may need reprovisioning before normal usage resumes.
Endpoint decommissioning terminates the useful lifecycle of the endpoint and transitions it into
an end-of-life state. Because a decommissioned endpoint may be reused, it must be possible to
recommission and reprovision it for another purpose.
Endpoint availability should be considered throughout the security lifecycle.
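The lifecycle above (onboarding on a designated network with no OT traffic, normal usage under the optimum policy, an alert state that tightens controls, a remediation state that resets the endpoint and forces reprovisioning, and decommissioning with possible recommissioning) is a state machine, and encoding it makes the allowed transitions checkable. The following Python is an added example and not part of the framework; the event names, the per-state control settings and the endpoint name are assumptions chosen for illustration. The point it demonstrates is that a reset endpoint cannot be shortcut back into normal use without passing through onboarding again, and that OT communication is refused outside the in-service states.

```python
from enum import Enum, auto


class State(Enum):
    UNPROVISIONED = auto()
    ONBOARDING = auto()      # on the designated onboarding network; no OT traffic yet
    NORMAL = auto()          # optimum endpoint security policy in force
    ALERT = auto()           # controls tightened to minimum operational functionality
    REMEDIATION = auto()     # endpoint reset; must be reprovisioned before normal use
    DECOMMISSIONED = auto()  # end of life; may be recommissioned for another purpose


# Event -> (allowed source states, destination state). Event names are assumptions
# chosen for this example; the states follow the lifecycle the text describes.
TRANSITIONS = {
    "onboard":        ({State.UNPROVISIONED, State.DECOMMISSIONED}, State.ONBOARDING),
    "provisioned":    ({State.ONBOARDING}, State.NORMAL),
    "reprovision":    ({State.NORMAL, State.REMEDIATION}, State.ONBOARDING),  # key rotation or after reset
    "security_event": ({State.NORMAL}, State.ALERT),
    "cleared":        ({State.ALERT}, State.NORMAL),
    "remediate":      ({State.ALERT}, State.REMEDIATION),
    "decommission":   ({State.NORMAL, State.ALERT, State.REMEDIATION}, State.DECOMMISSIONED),
}

# Illustrative control settings per in-service state (assumed values, not from the framework).
POLICY = {
    State.NORMAL: {"ot_comm": True, "remote_mgmt": True, "firmware_update": True},
    State.ALERT:  {"ot_comm": True, "remote_mgmt": False, "firmware_update": False},
}
LOCKED_DOWN = {"ot_comm": False, "remote_mgmt": False, "firmware_update": False}


class Endpoint:
    def __init__(self, name):
        self.name = name
        self.state = State.UNPROVISIONED
        self.history = [State.UNPROVISIONED]

    def handle(self, event):
        """Apply a lifecycle event, refusing transitions the lifecycle does not allow."""
        sources, dest = TRANSITIONS[event]
        if self.state not in sources:
            raise ValueError(f"{self.name}: event '{event}' not allowed in state {self.state.name}")
        self.state = dest
        self.history.append(dest)
        return self.state

    def policy(self):
        """Controls in force: full or tightened policy while in service, locked down otherwise."""
        return dict(POLICY.get(self.state, LOCKED_DOWN))

    def ot_allowed(self):
        return self.policy()["ot_comm"]


def walk_lifecycle():
    """Drive one constructed endpoint through onboarding, an alert, remediation and decommissioning."""
    ep = Endpoint("sensor-01")  # assumed endpoint name
    ep.handle("onboard")
    assert not ep.ot_allowed()          # still onboarding: no OT communication yet
    ep.handle("provisioned")
    ep.handle("security_event")         # alert: OT traffic continues, management is tightened
    tightened = ep.policy()
    ep.handle("remediate")              # reset; must be reprovisioned before normal use
    try:
        ep.handle("provisioned")        # shortcut from REMEDIATION straight to NORMAL is refused
    except ValueError:
        pass
    ep.handle("reprovision")
    ep.handle("provisioned")
    ep.handle("decommission")
    ep.handle("onboard")                # recommissioning for another purpose
    return ep, tightened


if __name__ == "__main__":
    ep, tightened = walk_lifecycle()
    print(" -> ".join(s.name for s in ep.history))
    print("policy in ALERT:", tightened)
```

In a real deployment the transition table would be driven by the provisioning system and the security event source, and the policy dictionaries would map onto actual control settings; the structure is what matters: every path from REMEDIATION or DECOMMISSIONED back to NORMAL runs through ONBOARDING.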
11.9 CONFIGURATION AND MANAGEMENT DATA PROTECTION
Security management maintains the consistency of security over time, and must not interfere
with operational processes.
Security metadata, such as connection status and characteristics (encrypted or authenticated)
and the state of security controls on the device, should be gathered and shared with operations
management systems so that it can be tracked. The security metadata should be sent on a
separate communications channel from the operational application data.
In some cases, security management data should be sent over a separate physical network adapter,
such as may be found on a gateway device or a larger device with multiple physical
adapters. In other cases, if the device has only one physical network adapter, security
management data should be separated logically (e.g., on its own VLAN).
Security data should conform to the requirements of the specific network. For example, if the
network's bandwidth is constrained by operational technology data, the security metadata
may need to be bandwidth-limited across the connection, or transmitted in bursts at
intervals when network load is lower. Control of the frequency, throughput, volume and duration
of metadata updates to the management server is desirable.
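The bandwidth-limiting and burst-at-low-load behaviour described above can be implemented on the endpoint side as a token bucket that only drains while OT link utilisation is below a threshold, with a deferral limit so that metadata is never held back indefinitely. The Python below is an added example, not code from the framework: the `ThrottlePolicy` fields are this example's mapping of the four knobs the text names (frequency and throughput as the refill rate, volume as the burst size, duration as the deferral limit), and the status payloads and OT load profile are constructed for the simulation.

```python
from collections import deque
from dataclasses import dataclass


@dataclass
class ThrottlePolicy:
    rate_bytes_per_s: float   # sustained budget for security metadata (throughput)
    burst_bytes: int          # largest burst permitted in one interval (volume)
    load_threshold: float     # OT link utilisation (0..1) above which updates are deferred
    max_delay_s: int          # deferral limit: after this, send even under load (duration)


class MetadataSender:
    """Token-bucket throttle for security metadata with deferral while OT load is high."""

    def __init__(self, policy):
        self.policy = policy
        self.tokens = float(policy.burst_bytes)
        self.queue = deque()   # (enqueue_time, size_bytes, payload)
        self.sent = []         # (send_time, size_bytes, payload)

    def enqueue(self, now, payload):
        self.queue.append((now, len(payload), payload))

    def tick(self, now, ot_load):
        """One-second step: refill the bucket, then flush what the budget and load permit.

        Returns the number of metadata bytes released in this interval.
        """
        p = self.policy
        self.tokens = min(p.burst_bytes, self.tokens + p.rate_bytes_per_s)
        sent_now = 0
        while self.queue:
            t0, size, payload = self.queue[0]
            overdue = now - t0 >= p.max_delay_s
            if ot_load > p.load_threshold and not overdue:
                break                       # link busy with OT data: defer until load drops
            if size > self.tokens:
                break                       # budget for this interval exhausted
            self.queue.popleft()
            self.tokens -= size
            self.sent.append((now, size, payload))
            sent_now += size
        return sent_now


def simulate(policy, load_profile, update_bytes=40):
    """Queue one constructed status update per second and replay a constructed OT load profile."""
    sender = MetadataSender(policy)
    per_tick = []
    for now, load in enumerate(load_profile):
        payload = b"status:" + b"x" * (update_bytes - 7)   # constructed metadata record
        sender.enqueue(now, payload)
        per_tick.append(sender.tick(now, load))
    return sender, per_tick


if __name__ == "__main__":
    policy = ThrottlePolicy(rate_bytes_per_s=60, burst_bytes=200, load_threshold=0.7, max_delay_s=5)
    # Constructed load profile: quiet, four busy seconds, then quiet again.
    sender, per_tick = simulate(policy, [0.2, 0.2, 0.9, 0.9, 0.9, 0.9, 0.2, 0.2, 0.2, 0.2])
    print("bytes released per second:", per_tick)
    print("still queued:", len(sender.queue))
```

With those constructed values the four busy seconds release nothing, the first quiet second afterwards flushes the backlog as a single 200-byte burst (the bucket's full capacity), and steady state settles to one 40-byte update per second. A profile that stays busy longer than `max_delay_s` forces one overdue update out per second regardless of load, which is the deferral limit doing its job.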
IIC:PUB:G4:V1.0:PB:20160926
- 119 -