Industrial Internet Security Framework v 1.0 | Page 101

Security Framework 10: Security Monitoring and Analysis

Examples of endpoint data that may be monitored include:

• time and system information, including timestamps, IP addresses, port numbers, other network identifiers, system identifiers, process identifiers and filenames,
• user information describing the authenticated user responsible for causing the event, or which system user the event affects or is relevant to,
• physical process information describing aspects of the physical process the data relates to, such as physical equipment names, sensor types, names of monitored values, or physically-connected device register names or numbers and
• location information describing where the IIoT device was when the data was recorded.

Network monitoring can be achieved using network hardware that uses port mirroring to copy network packets from the network to a monitoring device. This enables network packet traffic to be analyzed for characteristics such as protocol types, sources and destinations, and timing, which can be used to detect attacks at various levels in the protocol stack.

Network and host information that may be monitored includes:

• full network traffic recordings that store every bit in every packet for a period of time,
• host execution activity and audit recordings that store every significant action taken by a CPU, process or software component, such as reading a value from a physical process, controlling some aspect of the process or accessing sensitive information such as personally identifiable information, or a private encryption key,
• network statistics, including connection setup and tear-down events, communications volume statistics for different kinds of data content and communications connections and
• data from security analysis systems, which should also be treated as security data and made available to analysis engines for further correlation.
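As an added illustration (not part of the IISF text), the following Python shows one way a monitor can keep the network identifiers listed above (timestamps, addresses, ports, connection events, volumes) while never storing packet payload, which is where end-user data tends to ride. The packet builder, addresses and payload are constructed test values, and the field names are my own.

```python
"""Added example, not from the IISF: keep header-derived network identifiers
(timestamps, addresses, ports, flags, volume) and discard the packet payload."""
import struct
from ipaddress import IPv4Address

IP_PROTO_TCP = 6


def minimize_packet(timestamp: float, frame: bytes) -> dict:
    """Parse IPv4 and TCP headers of a raw frame and return only metadata.

    The payload bytes are never copied into the record; only their length is
    kept, which is enough for volume statistics and connection tracking."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (frame[0] & 0x0F) * 4                       # IPv4 header length in bytes
    total_len = struct.unpack("!H", frame[2:4])[0]
    proto = frame[9]
    record = {"timestamp": timestamp, "protocol": proto,
              "src_ip": str(IPv4Address(frame[12:16])),
              "dst_ip": str(IPv4Address(frame[16:20]))}
    if proto == IP_PROTO_TCP:
        sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", frame[ihl:ihl + 14])
        tcp_len = (off_flags >> 12) * 4                # TCP data offset in bytes
        record.update(src_port=sport, dst_port=dport,
                      syn=bool(off_flags & 0x02), fin=bool(off_flags & 0x01))
        payload = frame[ihl + tcp_len:total_len]
    else:
        payload = frame[ihl:total_len]
    record["payload_bytes"] = len(payload)            # volume only; content dropped
    return record


def build_tcp_packet(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Construct a minimal IPv4/TCP packet for testing (checksums left at zero)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 1, (5 << 12) | 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0,
                     64, IP_PROTO_TCP, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return ip + tcp + payload


# Constructed sample: a poll to a controller on TCP/502 whose payload carries
# operator data that must not end up in the monitoring store.
SAMPLE_PAYLOAD = b"operator=alice;badge=1234"
SAMPLE_FRAME = build_tcp_packet("10.0.0.5", "10.0.0.20", 50512, 502, SAMPLE_PAYLOAD)

if __name__ == "__main__":
    print(minimize_packet(1474934400.0, SAMPLE_FRAME))
```

The same record shape can be fed to the correlation engines the list above mentions, since it carries the identifiers they need without the content they should never see.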
Only the minimum amount of data needed should be collected, to avoid the costs and difficulties of storing, transmitting and analyzing large amounts of unnecessary data. Minimizing data collection also reduces the risk of exposing it. Owners/operators should not collect sensitive end-user data as part of monitoring. Where it cannot be avoided, their own procedures and service level agreements (SLAs) should follow privacy and security regulations, especially when access to data is indirect, such as when a network packet trace includes user data as part of the payload. Secure logs, monitoring storage and audit mechanisms should be used, for example by storing logs remotely.

10.4 SECURITY DATA PROTECTION

There are security policy and regulatory challenges for gathering, communicating and storing sensitive data used for monitoring and analysis. These include:

• regulations that prohibit certain kinds of monitoring of employees and other authorized users, or require notifying users or acquiring their permission before monitoring them,

IIC:PUB:G4:V1.0:PB:20160926 - 101 -