Industrial Internet Security Framework v 1.0 | Page 131

Security Framework Annex A: Industrial Security Standards

examples are those of the European Union (GDPR) and North America (HIPAA and PIPEDA).¹ Since regulations are mandatory, non-adherence could mean fines and even jail time. Best practice is to take a privacy-by-design, privacy-by-default and privacy-by-deployment approach. Some privacy requirements might overlap with security requirements and should be considered concurrently. More information on data privacy standards and regulations can be found in Baker & McKenzie's 'Global Privacy Matrix' and the Electronic Frontier Foundation (EFF)'s 'International Privacy Standards'.²

A.7 PROTOCOL RESOURCES

Detailed evaluation of the security properties, weaknesses and strengths of industrial network protocols is not within the scope of the current draft of this document. However, pointers to the corresponding resources, including their associated security considerations, are likely of interest to security engineers and architects:

Object Management Group (OMG) manages the open specifications of the Data Distribution Service (DDS), including the 'DDS Security Specification'. More information about the specification, its users and a comparison with other technologies can be found on the OMG website.³

OPC Foundation maintains the open specifications of the OPC protocols. Information on OPC Classic, OPC UA and OPC .NET (formerly OPC Xi) can be found on the OPC website.⁴

DNP User Group maintains the Distributed Network Protocol (DNP3). Technical information, conformance testing and a listing of conformant products can be found on the DNP website.⁵

Modbus Organization manages the development and use of the Modbus protocols. Information about the Modbus protocols, as well as technical resources for the development and testing of Modbus-based industrial systems, can be found on the Modbus website.⁶

PROFIBUS and PROFINET International (PI) manages the PROFIBUS and PROFINET industrial protocols. Protocol specifications, technical documents and software tools can be found on the PROFIBUS website.⁷

Other standards and protocols that might be of interest to IIoT architects are MQTT and AMQP, both OASIS standards, and XMPP.⁸ Common protocol definitions and standards, such as HTTP⁹

¹ See [EU-GDPR], [HHS-HIPAA] and [CA-PIPEDA].
² See [BaMcK-GPH] and [EFF-IPS].
³ See [OMG-DDS].
⁴ See [OPC-classic], [OPC-NET] and [OPC-UA].
⁵ See [DNP].
⁶ See [Modbus].
⁷ See [PI-pbus] and [PI-pnet].
⁸ See [MQTT], [AMQP], [OASIS] and [XMPP].
⁹ See [IETF-RFC7230].

IIC:PUB:G4:V1.0:PB:20160926 - 131 -