Industrial Internet Security Framework v 1.0 | Page 143
Security Framework
Annex C: Security Capabilities and Techniques Tables
Objective: Access Control
Endpoint access control
Communications access control
Example Technique/Process
Confinement and information flow protection within endpoint
Sandboxing (application);
Fine-grained data-centric access control (middleware);
Separation kernels (OS);
Trusted computing environments (hardware)
Comprehensive and consistent security policies
Cryptographic protection of communications and connectivity
Use of protocols at different layers;
Forcible disconnection of unauthorized endpoints;
Network segmentation;
Gateways and filtering;
Network firewalls;
Unidirectional gateways
Information flow control
Controlling access to data in its lifecycle
Mutual impact of access controls on other key system characteristics
Mitigating impact of both insider and outsider attacks on access control
Correct and trusted implementation of cryptographic techniques;
Network access control for endpoints
Comprehensive and consistent security policies;
Trusted manufacturing of devices
Access control for monitoring, logging and managing assets (e.g. endpoints, communication, data, workforce);
Control procedures for managing and monitoring operations;
Controlling access to data that is fed into analytics solutions;
Separation of duties;
Role-based access control (RBAC)
Access control for management and monitoring operations
Architectural access control
Example Requirements
Architectural access control evaluation
Enforcing principle of least privilege
Access control within endpoints, communication, management and monitoring
Holistic security evaluation methodology;
Domain-specific expertise
Granular access control policies
Table C-5: Techniques and Processes for Enabling System Access Control
IIC:PUB:G4:V1.0:PB:20160926