Industrial Internet Security Framework v 1.0 | Page 66

Security Framework 8: Protecting Endpoints

the existing business process with added security controls or false-positive security events. Security controls should be loosely coupled to the industrial processes to minimize the interdependencies between them.

The most common technique for implementing security quickly and effectively is to deploy a security gateway that provides security capabilities to the devices behind it. Common functionality includes:

• Storing and managing identity on the gateway isolates the identities so they can be maintained for each device behind the gateway. This may limit the number of devices that a single gateway may manage.
• Mutual authentication on behalf of devices behind the gateway with devices in front of the gateway makes it appear that the brownfield device is capable of maintaining identity and performing mutual authentication, even though the gateway is performing these tasks.
• Authorizing network traffic filters traffic down to only those flows that are explicitly allowed between the two devices. This is a network whitelist of allowed communications; all others should be logged and potentially blocked.
• Confidentiality and integrity controls can encrypt the data for confidentiality or sign the data for integrity purposes.

Using a gateway is generally quicker and cheaper to implement than modifying the devices in the environment. Gateways can be deployed relatively quickly to provide a consistent level of security across all of the devices, and to manage the devices uniformly. Gateways can also eliminate vendor-specific management inconsistencies between devices. This makes security independent of the make, model and manufacturer of the device. Gateways provide network-level security, but not the edge-device integrity and security that would provide fine-grained control and visibility. Gateways are an initial step to achieve a quick increase in security to a consistent level.
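The network whitelist in the third gateway function above, as an added Python example that is not part of the IISF: a default-deny flow policy evaluated by a gateway on behalf of the devices behind it, where every flow not explicitly allowed is logged and, depending on mode, blocked. The device names, ports, rule syntax (including the `*` wildcard) and sample traffic are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed model of a gateway-enforced network whitelist.
# A flow is (source, destination, protocol, destination port); a rule may use
# "*" in any field as a wildcard. Rules are directional: they permit the
# source to initiate towards the destination, not the reverse.
Flow = Tuple[str, str, str, object]


@dataclass
class GatewayFlowPolicy:
    allowed: List[Flow]                      # explicitly permitted flows
    enforce: bool = True                     # False = monitor mode (log only)
    log: List[str] = field(default_factory=list)

    @staticmethod
    def _matches(rule: Flow, flow: Flow) -> bool:
        return all(r == "*" or r == f for r, f in zip(rule, flow))

    def decide(self, flow: Flow) -> str:
        """'allow' for whitelisted flows; anything else is logged and then
        'block' (enforce mode) or 'log-only' (monitor mode). Default is deny."""
        if any(self._matches(rule, flow) for rule in self.allowed):
            return "allow"
        src, dst, proto, port = flow
        self.log.append(f"DENIED {proto} {src} -> {dst}:{port}")
        return "block" if self.enforce else "log-only"


def evaluate_flows(policy: GatewayFlowPolicy, flows: List[Flow]) -> List[str]:
    return [policy.decide(f) for f in flows]


# Constructed whitelist: the PLC may send Modbus/TCP to the historian, and the
# engineering workstation may reach the PLC on any TCP port.
POLICY = GatewayFlowPolicy(allowed=[
    ("plc-01", "historian", "tcp", 502),
    ("eng-ws", "plc-01", "tcp", "*"),
])

# Constructed traffic sample: one allowed flow, the same pair in the reverse
# direction (not whitelisted), a wildcard match, and an unexpected SMB flow.
SAMPLE_FLOWS: List[Flow] = [
    ("plc-01", "historian", "tcp", 502),
    ("historian", "plc-01", "tcp", 502),
    ("eng-ws", "plc-01", "tcp", 44818),
    ("plc-01", "corp-fileserver", "tcp", 445),
]

if __name__ == "__main__":
    for flow, verdict in zip(SAMPLE_FLOWS, evaluate_flows(POLICY, SAMPLE_FLOWS)):
        print(verdict, flow)
    print("\n".join(POLICY.log))
```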
Later, device-level security capabilities such as runtime integrity controls can be added.

8.3 ENDPOINT PHYSICAL SECURITY

Endpoints are deployed in a broad range of environments with different security requirements for protecting assets against theft, tampering, vandalism, or adverse effects from environmental conditions. This protection may be integral to the endpoint (e.g. detection of changes to hardware configuration) or provided as part of an enclosure encapsulating the endpoint (e.g. a protective rack enclosure for the device).

Physical access techniques are widely used in industrial systems to prevent unauthorized users from making physical contact with endpoints and communication devices. Examples include physical perimeter security measures, such as doors and walls, where access by unauthorized parties is prevented with access control techniques (locks, biometrics, RFID cards) and monitored by surveillance of the assets to be protected. Standards such as NIST SP 800-53 ‘Physical and

IIC:PUB:G4:V1.0:PB:20160926 - 66 -