Industrial Internet Security Framework v 1.0 | Page 143

Security Framework Annex C: Security Capabilities and Techniques Tables

Objective: Access Control
- Endpoint access control
- Communications access control
- Access control for management and monitoring operations
- Architectural access control

Example Requirements
- Confinement and information flow protection within endpoint
- Comprehensive and consistent security policies
- Cryptographic protection of communications and connectivity
- Information flow control
- Controlling access to data in its lifecycle
- Mutual impact of access controls on other key system characteristics
- Mitigating impact of both insider and outsider attacks on access control
- Network access control for endpoints
- Architectural access control evaluation
- Enforcing principle of least privilege
- Access control within endpoints, communication, management and monitoring
- Granular access control policies

Example Technique/Process
- Sandboxing (application); Fine-grained data-centric access control (middleware); Separation kernels (OS); Trusted computing environments (hardware)
- Use of protocols at different layers; Forcible disconnection of unauthorized endpoints; Network segmentation; Gateways and filtering; Network firewalls; Unidirectional gateways
- Correct and trusted implementation of cryptographic techniques; Comprehensive and consistent security policies; Trusted manufacturing of devices
- Access control for monitoring, logging and managing assets (e.g. endpoints, communication, data, workforce); Control procedures for managing and monitoring operations; Controlling access to data that is fed into analytics solutions; Separation of duties; Role-based access control (RBAC)
- Holistic security evaluation methodology; Domain-specific expertise

Table C-5: Techniques and Processes for Enabling System Access Control

IIC:PUB:G4:V1.0:PB:20160926