Industrial Internet Security Framework v 1.0 | Page 107

Security Framework 11: Security Configuration and Management

manufacturer of the endpoint. To realize this, endpoints require three security-related APIs as shown in Table 11-1.

| API Call | Description |
|---|---|
| Receive Policy | Exposes an API to receive system configuration and security management policy from a management component. The policy is parsed and its sections delivered to the associated controls. This enables the remote management capability. |
| Gather Logs and Communicate Events | Collects log data to be offloaded from the endpoint. This ensures that attacks on the endpoint can be tracked and hinders attackers' ability to hide the evidence of their activity. |
| Gather Endpoint Properties | Gathers endpoint properties, including hardware capabilities, software on the endpoint (including the OS) and application settings, ideally via a trusted introspection mechanism. |

Table 11-1: APIs for Interoperable Endpoint Security

An interoperability standard defining these common APIs explicitly would unify the implementation of a significant portion of the management and monitoring infrastructure. The NIST SCAP standards for defining interoperable content automation for vulnerability, measurement and policy compliance, and IEC 62351, Part 7¹ for network data and security management for the power industry go some way towards this goal, but there is no published standard in existence to date, so each management and monitoring implementation is different from the others.

11.2 SECURITY COMMUNICATIONS CHANNELS

Communication channels include a data channel and a control channel, with management as a sub-channel of the control channel. The control channel enforces policy on the data channel. The management channel carries several types of messages requiring independent handling.

For example, security message flows carrying policy to endpoints should be separated from security event flows flowing back to an aggregation point, to enforce the separation of concerns between policy management and event monitoring. The security channel may be divided into a security configuration channel and a security monitoring channel. The security configuration channel contains the policy definition. The hierarchical channels are shown in Figure 11-3 below.

¹ See [NIST-SCAP] and [IEC-62351-7]

IIC:PUB:G4:V1.0:PB:20160926 - 107 -
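The following is an added illustration, not part of the IISF or of any vendor's implementation, of how the three APIs in Table 11-1 fit on top of the separated channels of 11.2: policy arrives on an inbound-only configuration channel and is dispatched section by section to registered controls, events leave on an outbound-only monitoring channel with sequence numbers, and the aggregation point checks those numbers for gaps. Everything about the message formats (JSON policy keyed by control name, JSON-lines events), the `Channel` and `EndpointSecurityAgent` names and the use of Python's `platform` module as a stand-in for a trusted introspection mechanism is an assumption made for this example.

```python
"""Added example (not IISF text): an endpoint agent exposing the three APIs of
Table 11-1 over the two separated security channels of 11.2. Assumptions: policy
is a JSON object keyed by control name on an inbound-only configuration channel;
events are JSON lines on an outbound-only monitoring channel; the platform module
stands in for a trusted introspection mechanism."""
import json
import platform
from collections import deque
from typing import Callable, Deque, Dict, List, Tuple


class Channel:
    """One-directional message channel. Policy-in and events-out are distinct
    objects, which is the separation of concerns the section asks for."""

    def __init__(self, name: str, direction: str) -> None:
        if direction not in ("inbound", "outbound"):
            raise ValueError("direction must be 'inbound' or 'outbound'")
        self.name, self.direction = name, direction
        self.queue: Deque[str] = deque()

    def push(self, message: str) -> None:
        """Management component -> endpoint; refused on the monitoring channel."""
        if self.direction != "inbound":
            raise PermissionError(f"{self.name} does not accept inbound messages")
        self.queue.append(message)

    def send(self, message: str) -> None:
        """Endpoint -> aggregation point; refused on the configuration channel."""
        if self.direction != "outbound":
            raise PermissionError(f"{self.name} is not an outbound channel")
        self.queue.append(message)


class EndpointSecurityAgent:
    def __init__(self) -> None:
        self.config_channel = Channel("security-configuration", "inbound")
        self.monitor_channel = Channel("security-monitoring", "outbound")
        self.controls: Dict[str, Callable[[dict], None]] = {}
        self.applied: Dict[str, dict] = {}  # last accepted settings per control
        self._events: List[dict] = []       # buffered locally until offloaded
        self._seq = 0                       # monotonic event counter

    def register_control(self, name: str, apply: Callable[[dict], None]) -> None:
        """A control (e.g. a host firewall) registers how its section is applied."""
        self.controls[name] = apply

    def _record(self, kind: str, **detail: object) -> None:
        self._seq += 1
        self._events.append({"seq": self._seq, "kind": kind, **detail})

    # API 1: Receive Policy
    def receive_policy(self) -> dict:
        """Drain the configuration channel, parse each policy and hand every section
        to its control. A section naming no registered control is rejected rather
        than silently ignored, and both outcomes are logged as events."""
        result: Dict[str, List[str]] = {"applied": [], "rejected": []}
        while self.config_channel.queue:
            policy = json.loads(self.config_channel.queue.popleft())
            for section, settings in policy.items():
                control = self.controls.get(section)
                if control is None or not isinstance(settings, dict):
                    result["rejected"].append(section)
                    self._record("policy.rejected", section=section)
                    continue
                control(settings)
                self.applied[section] = settings
                result["applied"].append(section)
                self._record("policy.applied", section=section)
        return result

    # API 2: Gather Logs and Communicate Events
    def gather_logs_and_communicate_events(self) -> int:
        """Offload buffered events in order over the monitoring channel and return
        how many were sent. The sequence numbers let the aggregation point notice
        events that were later removed from the endpoint."""
        count = 0
        while self._events:
            self.monitor_channel.send(json.dumps(self._events.pop(0)))
            count += 1
        return count

    # API 3: Gather Endpoint Properties
    def gather_endpoint_properties(self) -> dict:
        """Hardware, software (incl. OS) and application settings. platform is only a
        stand-in; a real endpoint would use attested, trusted introspection."""
        return {
            "hardware": {"machine": platform.machine()},
            "software": {"os": platform.system(), "release": platform.release()},
            "application_settings": dict(self.applied),
        }


def aggregator_ingest(channel: Channel, last_seq: int = 0) -> Tuple[List[dict], List[int]]:
    """Aggregation-point side: decode events off the monitoring channel and report
    any gaps in the sequence, which would indicate missing (possibly deleted) evidence."""
    events, missing = [], []
    while channel.queue:
        event = json.loads(channel.queue.popleft())
        missing.extend(range(last_seq + 1, event["seq"]))
        last_seq = event["seq"]
        events.append(event)
    return events, missing
```

The direction guard on `Channel` is what makes the separation enforceable rather than a naming convention: an endpoint cannot emit events on the configuration channel and the management component cannot inject policy through the monitoring channel. Rejected policy sections are logged and offloaded like any other event, so a management component sending unexpected sections becomes visible at the aggregation point.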