Industrial Internet Security Framework v 1.0 | Page 110

Security Framework 11: Security Configuration and Management

To limit the risk of cross-contamination between operational and security concerns, different teams, with different roles and responsibilities, should each have the minimum level of access needed for any particular operation. The security management platform should balance security against the other key system characteristics.

11.4.2 POLICY AUTHORING AND DEFINITION

Security policy is assigned to an endpoint or to a group of endpoints, and it should be composite in nature. Defining baseline policies simplifies applying policy to the many endpoints of a complex IIoT system: a baseline policy is adjusted for individual endpoints or groups of endpoints, so the entire policy need not be rebuilt for each one. A consistent policy format that the endpoints themselves can interpret makes it easier to identify security gaps.

It must be possible for a person to understand how the security is expected to behave, based on regulatory or organizational policy, and to translate that into machine policy settings. There are at least two places where security must be simplified for human understanding: policy definition and the results of event analysis. Policy definition begins with a person defining the desired behaviors in the IIoT environment; these are then translated into security settings that are stored in the machine policy sent to the endpoint. Event analysis begins with security events being sent from the endpoint to an adequately secure location for analysis; that analysis may trigger alarms and generate notifications in the form of dashboards, UI alerts, email notifications and reports.

A person must be able to define the organizational security policy initially in terms of machine policies. Applying appropriate updates to the security policy based on security event analysis then creates a feedback loop by which security can be maintained (or even increased) over time.
It may be possible to automate this feedback loop.

Figure 11-5: IIoT Management and Monitoring Feedback Loop

The feedback loop in Figure 11-5 begins with pushing machine policy to the endpoints. The endpoints gather events according to the machine policy settings, especially violations of the security policy, and send the events out for security analytics. The security event data is correlated, alarms are triggered when security thresholds are exceeded, and automated responses are executed to mitigate the security events. The automated responses may be as simple as setting an alert on a dashboard or sending an email, or as complex as sending out new machine policy

IIC:PUB:G4:V1.0:PB:20160926 - 110 -
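The composite policy of 11.4.2 (baseline plus group and per-endpoint adjustments) and the push, gather, correlate, alarm, respond loop of Figure 11-5, as an added example in Python. This is not code from the framework document or the IIC: the policy keys (firmware, network, logging, and the quarantine flag the response adds), the endpoint names, groups and observations are all constructed for illustration, and the merge rule (later layers override earlier ones, nested dictionaries recurse, lists replace whole) is an assumption the framework does not prescribe.

```python
# Added example: composite machine policy and the management/monitoring feedback loop.
# Policy schema, endpoint names and observations are constructed, not from the framework.
from __future__ import annotations

import copy
from collections import Counter
from dataclasses import dataclass

# Baseline policy applied to every endpoint (hypothetical schema).
BASELINE_POLICY = {
    "firmware": {"require_signed": True, "allowed_versions": ["2.1", "2.2"]},
    "network": {"allowed_peers": ["10.0.1.10"], "ports": [4840]},
    "logging": {"report_violations": True, "batch_seconds": 60},
}
# Adjustments per group of endpoints and per individual endpoint (constructed).
GROUP_OVERRIDES = {"line-b": {"network": {"allowed_peers": ["10.0.2.10"]}}}
ENDPOINT_OVERRIDES = {"plc-01": {"logging": {"batch_seconds": 10}}}
ENDPOINT_GROUPS = {"plc-01": "line-a", "hmi-07": "line-b"}
# What each endpoint observed during one reporting interval (constructed).
OBSERVATIONS = {
    "plc-01": [("peer_connect", "10.0.1.10"), ("peer_connect", "10.0.9.9"),
               ("peer_connect", "10.0.9.9"), ("firmware_boot", "2.2")],
    "hmi-07": [("peer_connect", "10.0.2.10"), ("firmware_boot", "1.9")],
}


def merge_policy(base: dict, override: dict) -> dict:
    """Deep-merge override into a copy of base: nested dicts recurse, any other
    value (lists included) replaces the baseline value. Neither input is mutated."""
    result = copy.deepcopy(base)
    for key, value in override.items():
        if isinstance(value, dict) and isinstance(result.get(key), dict):
            result[key] = merge_policy(result[key], value)
        else:
            result[key] = copy.deepcopy(value)
    return result


def effective_policy(baseline, group_overrides, endpoint_overrides, endpoint_id, group):
    """Compose one endpoint's machine policy: baseline, then group, then endpoint adjustments."""
    policy = merge_policy(baseline, group_overrides.get(group, {}))
    return merge_policy(policy, endpoint_overrides.get(endpoint_id, {}))


@dataclass
class SecurityEvent:
    endpoint_id: str
    kind: str       # "peer_connect" or "firmware_boot"
    detail: str     # peer address or firmware version
    violation: bool


def evaluate_endpoint(endpoint_id: str, policy: dict, observations) -> list[SecurityEvent]:
    """Endpoint side: interpret the machine policy and flag observations that violate it."""
    events = []
    for kind, detail in observations:
        if kind == "peer_connect":
            bad = detail not in policy["network"]["allowed_peers"]
        elif kind == "firmware_boot":
            bad = detail not in policy["firmware"]["allowed_versions"]
        else:
            bad = False   # unknown kinds are reported but not flagged
        events.append(SecurityEvent(endpoint_id, kind, detail, bad))
    return events


def correlate(events: list[SecurityEvent], threshold: int) -> list[dict]:
    """Analytics side: count violations per endpoint and kind; alarm when a count reaches threshold."""
    counts = Counter((e.endpoint_id, e.kind) for e in events if e.violation)
    return [{"endpoint_id": ep, "kind": kind, "count": n}
            for (ep, kind), n in sorted(counts.items()) if n >= threshold]


def respond(alarms: list[dict], endpoint_overrides: dict) -> tuple[list[str], dict]:
    """Automated response: a dashboard alert per alarm, plus a tightened endpoint
    override (hypothetical 'quarantine' key) for repeated unauthorized peers."""
    actions = []
    new_overrides = copy.deepcopy(endpoint_overrides)
    for alarm in alarms:
        actions.append(f"ALERT {alarm['endpoint_id']}: {alarm['count']}x {alarm['kind']} violations")
        if alarm["kind"] == "peer_connect":
            ep = new_overrides.setdefault(alarm["endpoint_id"], {})
            ep.setdefault("network", {})["quarantine"] = True
    return actions, new_overrides


def run_cycle(baseline, group_overrides, endpoint_overrides, endpoint_groups,
              observations, threshold: int = 2) -> dict:
    """One turn of the Figure 11-5 loop; the returned overrides feed the next policy push."""
    events: list[SecurityEvent] = []
    for endpoint_id, group in endpoint_groups.items():
        policy = effective_policy(baseline, group_overrides, endpoint_overrides, endpoint_id, group)
        events.extend(evaluate_endpoint(endpoint_id, policy, observations.get(endpoint_id, [])))
    alarms = correlate(events, threshold)
    actions, new_overrides = respond(alarms, endpoint_overrides)
    return {"events": events, "alarms": alarms, "actions": actions,
            "endpoint_overrides": new_overrides}


if __name__ == "__main__":
    result = run_cycle(BASELINE_POLICY, GROUP_OVERRIDES, ENDPOINT_OVERRIDES,
                       ENDPOINT_GROUPS, OBSERVATIONS)
    for action in result["actions"]:
        print(action)
    print(effective_policy(BASELINE_POLICY, GROUP_OVERRIDES,
                           result["endpoint_overrides"], "plc-01", "line-a")["network"])
```

Running it shows the loop closing on itself: plc-01 accumulates two connections from a peer outside its allowed list, the count reaches the threshold, an alert is raised, and the response writes a new per-endpoint override, so the next `effective_policy` call for plc-01 carries the quarantine flag while its baseline and group layers stay untouched. The merge deliberately copies rather than mutates, so the baseline can never be altered by an endpoint adjustment.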