Industrial Internet Security Framework v 1.0 | Page 119

Security Framework 11: Security Configuration and Management

occur on a designated network (physical or virtual), so that the onboarding process completes before any communication with OT equipment can take place. The endpoint may be reprovisioned either on a schedule (for example, for key rotation) or on demand. During normal usage the endpoint applies the optimum endpoint security policy. In response to security events, the endpoint may transition to an alert state that tightens security controls down to the minimum operational functionality, or later to a remediation state in which the endpoint is reset; reprovisioning may then be required before normal usage resumes. Endpoint decommissioning terminates the useful lifecycle of the endpoint and transitions it into an end-of-life state. A decommissioned endpoint may be reused, so it must be possible to recommission and reprovision it for another purpose. Endpoint availability should be considered throughout the security lifecycle.

11.9 CONFIGURATION AND MANAGEMENT DATA PROTECTION

Security management maintains the consistency of security over time and must not interfere with operational processes. Security metadata, such as connection status and characteristics (whether a connection is encrypted or authenticated) and the state of the security controls on the device, should be gathered and shared with operational management systems so that it can be tracked. The security metadata should be sent on a communications channel separate from the operational application data. Where the device has more than one physical network adapter, as a gateway or a larger device may, security management data should be sent on a separate physical adapter. Where the device has only one physical network adapter, security management data should be separated logically (for example, on its own VLAN); note that a VLAN separates the traffic logically but does not give the isolation of a dedicated adapter. Security management data should also conform to the requirements of the specific network. For example, if the network's bandwidth is largely consumed by operational technology data, the security metadata may need to be bandwidth-limited through the connection, or transmitted in bursts at intervals when network load is lower. Control of the frequency, throughput, volume and duration of metadata updates to the management server is therefore desirable.

IIC:PUB:G4:V1.0:PB:20160926 - 119 -
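The bandwidth-limited, burst-at-low-load delivery of security metadata described in 11.9, as an added example (this is illustrative code, not code from the IISF or the IIC): a token bucket caps the sustained bandwidth that metadata may take from the OT link, and when link utilisation drops below a threshold the queued records are drained in a burst. The class and method names, the byte budgets, the utilisation threshold and the sample records are all assumptions chosen for the illustration.

```python
"""Rate-limited, burst-capable uplink for endpoint security metadata.

Illustrative only. A token bucket (rate_bps, burst_bytes) bounds the bandwidth
security metadata may consume on a constrained OT network; when the OT link is
quiet (utilisation below low_load_threshold) queued records drain in a burst,
otherwise they trickle out one per tick. All names and numbers are assumptions.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class MetadataRecord:
    endpoint: str   # assumed: endpoint identifier reported to the management server
    kind: str       # assumed: e.g. "conn_status" or "control_state"
    payload: str

    def size(self) -> int:
        return len(self.payload.encode())


@dataclass
class MetadataUplink:
    rate_bps: float            # sustained byte budget per second for metadata
    burst_bytes: int           # bucket capacity: the largest burst allowed
    low_load_threshold: float  # OT link utilisation (0..1) below which bursts run
    _tokens: float = field(init=False, default=0.0)
    _last: float = field(init=False, default=0.0)
    _queue: deque = field(default_factory=deque)
    sent: list = field(default_factory=list)  # (time, record) pairs delivered

    def __post_init__(self) -> None:
        self._tokens = float(self.burst_bytes)  # start with a full bucket

    def enqueue(self, rec: MetadataRecord) -> None:
        # A record larger than the bucket could never be sent; reject it up front
        # rather than letting it block everything behind it in the queue.
        if rec.size() > self.burst_bytes:
            raise ValueError("record exceeds burst capacity; split or summarise it")
        self._queue.append(rec)

    def pending(self) -> int:
        return len(self._queue)

    def _refill(self, now: float) -> None:
        elapsed = max(0.0, now - self._last)
        self._tokens = min(float(self.burst_bytes), self._tokens + elapsed * self.rate_bps)
        self._last = now

    def tick(self, now: float, ot_utilisation: float) -> int:
        """Deliver what the budget allows at time `now`; return records sent."""
        self._refill(now)
        # Busy OT link: trickle at most one record per tick.
        # Quiet OT link: burst, draining as much of the queue as the bucket allows.
        limit = len(self._queue) if ot_utilisation < self.low_load_threshold else 1
        n = 0
        while self._queue and n < limit:
            rec = self._queue[0]
            if rec.size() > self._tokens:
                break  # out of budget; wait for the bucket to refill
            self._tokens -= rec.size()
            self.sent.append((now, rec))
            self._queue.popleft()
            n += 1
        return n


def demo() -> list:
    """Constructed scenario: five 100-byte status records are queued while the
    OT link is busy (utilisation 0.9), then the link goes quiet (0.2).
    Returns the number of records sent on each tick."""
    up = MetadataUplink(rate_bps=100, burst_bytes=300, low_load_threshold=0.5)
    for _ in range(5):
        up.enqueue(MetadataRecord("plc-07", "conn_status", "x" * 100))
    sent = [up.tick(0.0, 0.9), up.tick(1.0, 0.9), up.tick(2.0, 0.2)]
    # Bucket is now empty: a late record must wait for refill even on a quiet link.
    up.enqueue(MetadataRecord("plc-07", "control_state", "y" * 100))
    sent += [up.tick(2.5, 0.2), up.tick(3.0, 0.2)]
    return sent


if __name__ == "__main__":
    print(demo())
```

In the constructed run the first two ticks trickle one record each because the OT link is busy, the third tick bursts the remaining three records once the link is quiet, and the late record is held for half a second until the bucket has refilled. In a deployment the uplink socket would be bound to the management adapter or VLAN discussed above; that binding is not modelled here.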