Industrial Internet Security Framework v 1.0 | Page 117
Security Framework
11: Security Configuration and Management
endpoints, it may be acceptable to authenticate with a plaintext credential using the IP address
or MAC address (both of which are easily spoofed) as the identity. For slightly more critical
entities, multifactor authentication may be needed to protect against attacks on stored and
transmitted credentials. For entities of higher and highest criticality, authentication should be
cryptographically protected, and tamper-resistant hardware should be used to store all secrets and
credentials, both at rest and in use.
Credential storage on endpoints with a high level of criticality must meet strict criteria.
Organizational policy may additionally require that highly critical entities, which have strong
authentication and credential storage, not trust entities whose authentication and credential
protection are insufficient.
At the end of a credential's lifecycle, the credential must be removed from service in an
appropriate way. A credential identified for suspension is temporarily blocked from being used for
authentication; this applies to any credential, or credential generation process, that is
suspected of compromise. If compromise of the credential or of the generation process is likely,
the credential must be revoked rather than merely suspended.
Credentials in IIoT systems are also revoked when they expire or as part of the key rotation
process. In either case, a newer credential replaces the revoked one.
To limit the risk of credential compromise, credentials should be replaced at a defined frequency,
as set out in the organization's credential rotation policy. In some cases credentials may be
renewed rather than replaced, extending their useful life, provided that this complies with the
rotation policy. Renewal keeps the same secret in service for longer, so it does not limit the
exposure of a credential that has already leaked; only replacement does.
All credential management operations must be tracked for audit purposes. The audit data should
be retained for a period of time defined by organizational data retention policy. The audit trail
data integrity should be assured and attestable, and treated as confidential.
11.7.3 ENTITY AUTHENTICATION PHASE
Entity authentication establishes the level of trust in the identity of the remote endpoint.
Authorization, which follows successful authentication, grants privileges on resources. Proper
authentication and authorization policies must be instituted to control access to resources based
on the identity of the remote entity (see section 8.6).
All authentication and authorization operations must be tracked for audit purposes. The audit
data should be retained for a period of time defined by organizational data retention policy. The
audit trail data integrity should be assured and attestable, and treated as confidential.
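The credential lifecycle described above (suspension, revocation on likely compromise, expiry or rotation, renewal subject to the rotation policy, and an audited trail whose integrity can be checked) and the authentication gate of the entity authentication phase, shown together as one added example. This is illustrative Python written for this page, not code from the IIC or from the framework; the state names, the CredentialManager and AuditTrail classes, the HMAC-chained log used to make the audit trail integrity-assured and attestable, and the PLC credential identifiers in the comments are all assumptions made for illustration.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Assumed lifecycle states: SUSPENDED is reversible, REVOKED is terminal.
ACTIVE, SUSPENDED, REVOKED = "active", "suspended", "revoked"

@dataclass
class Credential:
    entity: str       # identity the credential is bound to
    secret_hash: str  # only a hash is stored at rest, never the secret itself
    expires: int      # epoch seconds, derived from the rotation policy
    state: str = ACTIVE

class AuditTrail:
    # Append-only log; each tag is an HMAC over the previous tag plus the entry, so editing, deleting
    # or reordering an entry breaks verify(). The key is assumed to live in a separate, access-controlled store.
    def __init__(self, audit_key: bytes) -> None:
        self._key = audit_key
        self.entries = []  # list of (body, tag)

    def record(self, event: str, **fields) -> None:
        prev = self.entries[-1][1] if self.entries else b"\x00" * 32
        body = json.dumps({"event": event, **fields}, sort_keys=True).encode()
        self.entries.append((body, hmac.new(self._key, prev + body, hashlib.sha256).digest()))

    def verify(self) -> bool:
        prev = b"\x00" * 32
        for body, tag in self.entries:
            if not hmac.compare_digest(hmac.new(self._key, prev + body, hashlib.sha256).digest(), tag):
                return False
            prev = tag
        return True

class CredentialManager:
    def __init__(self, audit: AuditTrail, max_lifetime: int, renewable: bool) -> None:
        self.audit = audit
        self.max_lifetime = max_lifetime  # rotation policy: seconds a credential may live
        self.renewable = renewable        # rotation policy: may a lifetime be extended?
        self.creds = {}

    def issue(self, cred_id: str, entity: str, secret: bytes, now: int) -> Credential:
        # Secrets are assumed to be high-entropy random tokens; passwords would need a slow, salted KDF.
        cred = Credential(entity, hashlib.sha256(secret).hexdigest(), now + self.max_lifetime)
        self.creds[cred_id] = cred
        self.audit.record("issue", cred=cred_id, entity=entity, expires=cred.expires, at=now)
        return cred

    def _move(self, cred_id, allowed, new_state, event, now, **fields):
        cred = self.creds[cred_id]
        if cred.state not in allowed:  # refused operations are audited too
            self.audit.record("refused", op=event, cred=cred_id, state=cred.state, at=now)
            raise ValueError(f"{event} not allowed from state {cred.state}")
        cred.state = new_state
        self.audit.record(event, cred=cred_id, at=now, **fields)

    def suspend(self, cred_id: str, reason: str, now: int) -> None:
        # Temporary block while a suspected compromise is investigated.
        self._move(cred_id, (ACTIVE,), SUSPENDED, "suspend", now, reason=reason)

    def reinstate(self, cred_id: str, now: int) -> None:
        # Only a suspended credential returns to service; a revoked one never does.
        self._move(cred_id, (SUSPENDED,), ACTIVE, "reinstate", now)

    def revoke(self, cred_id: str, reason: str, now: int) -> None:
        # Permanent: likely compromise, expiry, or replacement through rotation.
        self._move(cred_id, (ACTIVE, SUSPENDED), REVOKED, "revoke", now, reason=reason)

    def rotate(self, cred_id: str, new_id: str, new_secret: bytes, now: int) -> Credential:
        # Issue the replacement before revoking the old credential so there is no gap in service.
        new = self.issue(new_id, self.creds[cred_id].entity, new_secret, now)
        self.revoke(cred_id, "rotated to " + new_id, now)
        return new

    def renew(self, cred_id: str, now: int) -> int:
        # Extend an unexpired, active credential, but only if the rotation policy permits renewal.
        cred = self.creds[cred_id]
        if not self.renewable or cred.state != ACTIVE or now >= cred.expires:
            self.audit.record("refused", op="renew", cred=cred_id, state=cred.state, at=now)
            raise ValueError("renewal refused by rotation policy, state or expiry")
        cred.expires = now + self.max_lifetime
        self.audit.record("renew", cred=cred_id, expires=cred.expires, at=now)
        return cred.expires

    def authenticate(self, cred_id: str, secret: bytes, now: int) -> bool:
        # Authentication gate: state and expiry are checked before the secret; every attempt is audited.
        cred = self.creds.get(cred_id)
        if cred is None:
            outcome = "unknown"
        elif cred.state != REVOKED and now >= cred.expires:
            self.revoke(cred_id, "expired", now)  # expiry is itself a revocation reason
            outcome = "expired"
        elif cred.state != ACTIVE:
            outcome = cred.state
        elif not hmac.compare_digest(cred.secret_hash, hashlib.sha256(secret).hexdigest()):
            outcome = "secret mismatch"
        else:
            outcome = "ok"
        self.audit.record("authenticate", cred=cred_id, outcome=outcome, at=now)
        return outcome == "ok"
```

A suspended credential fails authentication but can be reinstated; a revoked one, whether through likely compromise, expiry or rotation, never can, and rotation issues the replacement before revoking the old credential. Refused operations are written to the trail as well, so the log records every credential management operation and every authentication attempt, as the text requires. Anyone holding the audit key can re-verify the chain, which is what makes it attestable; keeping the log confidential would be handled separately, for example by encrypting the stored entries.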
There must be accountability across the system, achieved by tracking the employees and contractors
involved in the OT process. Privacy concerns arise whenever personal information is tracked.
Tracking by an employee identifier rather than by directly identifying personal data may reduce
these concerns; for employees and contractors, accountability takes precedence over privacy. When
customer, partner or other data is tracked, however, care must be taken to protect PII and other
sensitive personal data.
IIC:PUB:G4:V1.0:PB:20160926
- 117 -