Industrial Internet Security Framework v 1.0 | Page 107
Security Framework
11: Security Configuration and Management
manufacturer of the endpoint. To realize this, endpoints require three security-related APIs as
shown in Table 11-1.
API Call: Receive Policy
Description: Receiving policy exposes an API to receive system configuration and security management policy from a management component. The policy is parsed and the sections delivered to the associated controls. This enables the remote management capability.

API Call: Gather Logs and Communicate Events
Description: Communicating events by collecting log data to be offloaded from the endpoint ensures that attacks on the endpoint can be tracked and hinders attackers' ability to hide the evidence of their activity.

API Call: Gather Endpoint Properties
Description: Gathering endpoint properties, including hardware capabilities, software on the endpoint (including OS), and application settings, from the endpoint, ideally via a trusted introspection mechanism.

Table 11-1: APIs for Interoperable Endpoint Security
An interoperability standard defining these common APIs explicitly would unify the implementation of a significant portion of the management and monitoring infrastructure. The NIST SCAP standards for defining interoperable content automation for vulnerability, measurement and policy compliance, and IEC 62351, Part 7 [1] for network data and security management for the power industry go some way towards this goal, but there is no published standard in existence to date, so each management and monitoring implementation is different from the others.
11.2 SECURITY COMMUNICATIONS CHANNELS
Communication channels include a data channel and a control channel with management as a
sub-channel of the control channel. The control channel enforces policy on the data channel.
The management channel carries several types of messages requiring independent handling. For
example, security message flows containing policy flowing to endpoints should be separated
from security event flows flowing back to an aggregation point to enforce the separation of
concerns between policy management and event monitoring.
The security channel may be divided into a security configuration channel and a security
monitoring channel. The security configuration channel contains the policy definition.
The hierarchical channels are shown in Figure 11-3 below.
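As an added illustration, not part of the framework text or any IIC reference code, the following Python sketch shows an endpoint agent exposing the three APIs of Table 11-1, with policy arriving on one interface (the security configuration channel of 11.2) and events leaving on a separate one (the security monitoring channel). The control names, the JSON policy layout and the property keys are assumptions; events carry a monotonic sequence number so that an aggregation point can notice records that were suppressed or deleted on the endpoint.

```python
import json

# Constructed example of an endpoint agent exposing the three APIs of Table 11-1.
# Control names, the JSON policy layout and the property keys are assumptions.

class Endpoint:
    def __init__(self, controls, properties):
        self.controls = controls        # section name -> callable applying that section
        self.properties = dict(properties)
        self._events = []               # outbound security events (monitoring channel)
        self._seq = 0                   # monotonic sequence number; gaps reveal deletion

    def _record(self, kind, detail):
        self._seq += 1
        self._events.append({"seq": self._seq, "kind": kind, "detail": detail})

    # API 1: Receive Policy. Inbound on the security configuration channel only.
    def receive_policy(self, policy_json):
        policy = json.loads(policy_json)
        applied, rejected = [], []
        for name, section in policy.get("sections", {}).items():
            control = self.controls.get(name)
            if control is None:
                rejected.append(name)   # unknown section: report it, never apply silently
                continue
            control(section)            # deliver the section to its associated control
            applied.append(name)
        self._record("policy", {"version": policy.get("version"),
                                "applied": applied, "rejected": rejected})
        return applied, rejected

    # API 2: Gather Logs and Communicate Events. Outbound on the monitoring channel only.
    def gather_logs(self, since_seq=0):
        return [e for e in self._events if e["seq"] > since_seq]

    # API 3: Gather Endpoint Properties (hardware, OS/software, application settings).
    def gather_endpoint_properties(self):
        return {"properties": dict(self.properties), "controls": sorted(self.controls)}


def demo():
    state = {}                          # stands in for the real controls' settings
    controls = {
        "firewall": lambda s: state.update(allow_ports=s["allow_ports"]),
        "logging": lambda s: state.update(log_level=s["level"]),
    }
    ep = Endpoint(controls, {"os": "example OS", "tpm_present": True})
    policy = json.dumps({"version": 3, "sections": {
        "firewall": {"allow_ports": [502]}, "logging": {"level": "info"}, "vpn": {}}})
    applied, rejected = ep.receive_policy(policy)   # "vpn" has no control and is rejected
    return ep, state, applied, rejected
```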
[1] See [NIST-SCAP] and [IEC-62351-7].
IIC:PUB:G4:V1.0:PB:20160926
- 107 -