Industrial Internet Security Framework v 1.0 | Page 117

Security Framework 11: Security Configuration and Management

endpoints, it may be acceptable to authenticate with a plaintext credential using the IP address or MAC address as the identity. But for slightly more critical entities, multifactor authentication may be needed to protect against attacks on stored and transmitted credentials. In the higher and highest criticality entities, authentication should be cryptographically protected and tamper-resistant hardware should be used to store all secrets and credentials at rest and in use. Credential storage must meet strict criteria on certain endpoints that have a high level of criticality. There may be organizational policy requirements that highly critical entities with strong authentication and credential storage may not trust entities with insufficient authentication and credential protection in place.

At the end of the credential's lifecycle, the credential must be appropriately removed from service. When a credential is identified for suspension, it is temporarily blocked from being used for authentication. This applies to any credential, or generation process, that is suspected of potential compromise in a system. If the compromise is likely for the credential or the generation process, then the credential must be revoked. Other reasons to revoke a credential in IIoT systems are credential expiration and the key rotation process. In either case, a newer credential has replaced the revoked one.

To limit the risk of credential compromise, credentials should be replaced at a specific frequency, as defined in the organization's credential rotation policy. In some cases, it is possible to renew credentials, rather than to replace them, to extend their useful lifespan, if this complies with the credential rotation policy.

All credential management operations must be tracked for audit purposes. The audit data should be retained for a period of time defined by organizational data retention policy.
The audit trail data integrity should be assured and attestable, and treated as confidential.

11.7.3 ENTITY AUTHENTICATION PHASE

Entity authentication establishes the level of trust in the identity of the remote endpoint. Successful authorization, based on successful authentication, results in the granting of privileges on resources. Proper authentication and authorization policies must be instituted to control access to resources based on the identity of the remote entity (see section 8.6).

All authentication and authorization operations must be tracked for audit purposes. The audit data should be retained for a period of time defined by organizational data retention policy. The audit trail data integrity should be assured and attestable, and treated as confidential.

There must be accountability across the system by tracking employees and contractors of the OT process. Privacy concerns arise whenever personal information is tracked. An employee identifier may reduce these concerns, so accountability will trump privacy. However, when customer, partner and other data is tracked, care must be taken to protect the PII and other personal sensitive data.

IIC:PUB:G4:V1.0:PB:20160926 - 117 -
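The credential lifecycle described in section 11.7.2 (suspension, revocation, rotation, renewal within a rotation policy) and the authentication, authorization and audit requirements of section 11.7.3 can be modelled together. The following is an added example, not code from the IIC framework: it keeps credentials in three states, refuses renewal beyond a maximum lifetime, grants access only when the credential's authentication assurance tier meets the resource's minimum, and writes every operation to an HMAC-chained audit log whose integrity can be attested with `verify()`. The tier names, resource names, day numbers, rotation period, maximum lifetime and audit key are all constructed placeholders; a real deployment would take them from organizational policy and a key store.

```python
# Added illustrative model (not IIC code) of credential lifecycle, rotation limits,
# assurance-based authorization and a hash-chained audit trail; values are constructed.
import hashlib
import hmac
import json
from dataclasses import dataclass
from enum import Enum

class State(Enum):
    ACTIVE = "active"
    SUSPENDED = "suspended"  # temporarily blocked; may return to ACTIVE
    REVOKED = "revoked"      # final; a newer credential replaces it

PLAINTEXT, MULTIFACTOR, HARDWARE = 1, 2, 3  # authentication strength tiers (constructed)
RESOURCE_MIN_ASSURANCE = {"telemetry": PLAINTEXT, "config": MULTIFACTOR, "safety-plc": HARDWARE}
ROTATION_PERIOD = 90  # days; stands in for the organization's credential rotation policy
MAX_LIFETIME = 180    # days; renewal may not extend a credential beyond this from issue

@dataclass
class Credential:
    entity: str
    assurance: int
    issued_day: int
    expires_day: int
    state: State = State.ACTIVE

class AuditLog:
    """Append-only: each record's HMAC covers its fields plus the previous record's
    MAC, so any edit, deletion or reordering makes verify() fail."""
    def __init__(self, key: bytes):
        self._key, self.records = key, []
    def _mac(self, body: dict) -> str:
        data = json.dumps(body, sort_keys=True).encode()
        return hmac.new(self._key, data, hashlib.sha256).hexdigest()
    def record(self, event: str, **fields) -> None:
        prev = self.records[-1]["mac"] if self.records else "0" * 64
        body = {"event": event, "prev": prev, **fields}
        self.records.append({**body, "mac": self._mac(body)})
    def verify(self) -> bool:
        prev = "0" * 64
        for rec in self.records:
            body = {k: v for k, v in rec.items() if k != "mac"}
            if body["prev"] != prev or not hmac.compare_digest(self._mac(body), rec["mac"]):
                return False
            prev = rec["mac"]
        return True

class CredentialManager:
    def __init__(self, log: AuditLog):
        self.log, self.creds = log, {}
    def issue(self, cred_id, entity, assurance, today):
        self.creds[cred_id] = Credential(entity, assurance, today, today + ROTATION_PERIOD)
        self.log.record("issue", cred=cred_id, entity=entity, day=today)
    def set_state(self, cred_id, new_state, reason, today):  # suspend, reinstate or revoke
        cred = self.creds[cred_id]
        if cred.state is not State.REVOKED:  # revocation is final
            cred.state = new_state
            self.log.record(new_state.value, cred=cred_id, reason=reason, day=today)
    def rotate(self, cred_id, new_id, today):  # replace: issue successor, revoke the old one
        old = self.creds[cred_id]
        self.issue(new_id, old.entity, old.assurance, today)
        self.set_state(cred_id, State.REVOKED, "rotated", today)
    def renew(self, cred_id, today) -> bool:  # extend an active credential within MAX_LIFETIME
        cred = self.creds[cred_id]
        ok = (cred.state is State.ACTIVE and today < cred.expires_day
              and today + ROTATION_PERIOD <= cred.issued_day + MAX_LIFETIME)
        if ok:
            cred.expires_day = today + ROTATION_PERIOD
        self.log.record("renew", cred=cred_id, ok=ok, day=today)
        return ok
    def authenticate(self, cred_id, today):
        cred = self.creds.get(cred_id)
        ok = cred is not None and cred.state is State.ACTIVE and today < cred.expires_day
        self.log.record("authn", cred=cred_id, ok=ok, day=today)
        return cred if ok else None

def authorize(mgr, cred_id, resource, today) -> bool:
    """Grant only if authentication succeeds and the credential's assurance meets the
    resource's minimum; every decision is written to the same audit trail."""
    cred = mgr.authenticate(cred_id, today)
    granted = cred is not None and cred.assurance >= RESOURCE_MIN_ASSURANCE[resource]
    mgr.log.record("authz", cred=cred_id, resource=resource, granted=granted, day=today)
    return granted

def run_scenario():  # constructed walk-through; returns (decisions, manager)
    mgr = CredentialManager(AuditLog(b"constructed-audit-key"))
    for cid, who, tier in [("sensor-1", "sensor", PLAINTEXT), ("hmi-1", "operator", MULTIFACTOR),
                           ("plc-1", "gateway", HARDWARE)]:
        mgr.issue(cid, who, tier, 0)
    d = {"sensor_telemetry": authorize(mgr, "sensor-1", "telemetry", 10),
         "sensor_config": authorize(mgr, "sensor-1", "config", 10)}  # denied: tier too low
    mgr.set_state("hmi-1", State.SUSPENDED, "suspected compromise", 20)
    d["hmi_suspended"] = authorize(mgr, "hmi-1", "config", 21)  # denied while suspended
    mgr.set_state("hmi-1", State.REVOKED, "compromise confirmed", 22)
    d["sensor_renewed"] = mgr.renew("sensor-1", 80)  # extends expiry to day 170
    mgr.rotate("plc-1", "plc-2", 85)
    d["plc_old"] = authorize(mgr, "plc-1", "safety-plc", 86)  # denied: revoked by rotation
    d["plc_new"] = authorize(mgr, "plc-2", "safety-plc", 86)
    d["sensor_renew_late"] = mgr.renew("sensor-1", 150)  # denied: would exceed MAX_LIFETIME
    return d, mgr
```

The chained HMAC gives the audit trail the integrity and attestability the text asks for (a verifier holding the key can prove nothing was altered or dropped); confidentiality of the records, and the tamper-resistant storage of the audit key itself, are left to the surrounding system and are not shown here. Note that rotation issues the successor before revoking the predecessor, so an entity is never left without a usable credential, and that a suspended credential fails authentication without being destroyed, which is what makes suspension reversible.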