Industrial Internet Security Framework v 1.0 | Page 61

8: Protecting Endpoints

Along with the building blocks for endpoints, this chapter describes two techniques that apply to all of the building blocks: isolation and cryptography.

Cryptography is a discipline that embodies principles, means and mechanisms for transforming data so as to hide its information content, prevent its undetected modification and prevent its unauthorized use. Concealment of resources sometimes uses isolation techniques (see section 8.12) to make a resource visible only to those that are authorized to see it.

8.1 SECURITY THREATS AND VULNERABILITIES ON ENDPOINTS

Endpoints have many potential vulnerabilities, susceptible to malicious attack or unintentional error. Figure 8-2 shows a broad range of solution stacks, from a bare metal application (left side) to a guest OS running in a virtual machine on a hypervisor (right side) that isolates applications in their respective containers. Each configuration has strengths and weaknesses that must be evaluated for each application. For example, bare metal applications generally have fewer security controls implemented, since they run on more resource-constrained hardware. A hypervisor-based security solution, on the other hand, requires more processing power, but can dedicate an entire virtualized instance to security.

Figure 8-2: Threats and Vulnerabilities to IIoT Endpoints

As shown in Figure 8-2, a broad range of threats and vulnerabilities exist in different facets of the endpoint, in each of the following areas:

IIC:PUB:G4:V1.0:PB:20160926 - 61 -
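The three properties that the chapter's definition of cryptography names (hiding the information content, preventing undetected modification, preventing unauthorized use) are exactly what an authenticated-encryption mode provides for a single message. The Go program below is an added example and is not part of the IISF or of any IIC code: it uses AES-256-GCM from the Go standard library, a constructed sample sensor reading and header, and the hypothetical names Protect, Unprotect and Demo. Demo seals a reading, then shows that the plaintext is not visible in the sealed bytes, that flipping one bit is detected, and that a different key or a different header cannot open it.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Protect seals plaintext under a 32-byte key with AES-256-GCM (hypothetical
// helper, not IISF code). The random 12-byte nonce is prepended to the output
// so the receiver can recover it. aad (associated data) is authenticated but
// not encrypted, which is where a device ID or sequence number belongs.
func Protect(key, aad, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext||tag to the nonce slice passed as dst.
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// Unprotect reverses Protect. It fails if the key is wrong, the ciphertext or
// tag was altered, the AAD differs, or the message is too short to hold a nonce.
func Unprotect(key, aad, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("sealed message too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, aad)
}

// Result records whether each property held in the demonstration.
type Result struct {
	RoundTrip        bool // the right key and AAD recover the plaintext
	Hidden           bool // plaintext bytes do not appear in the sealed message
	TamperDetected   bool // a single flipped bit in the ciphertext is rejected
	WrongKeyRejected bool // a different key cannot open the message
	WrongAADRejected bool // a changed header (AAD) is rejected
}

// Demo runs Protect/Unprotect on a constructed sensor reading.
func Demo() (Result, error) {
	var r Result
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return r, err
	}
	aad := []byte("device=plc-7;seq=42")            // constructed message header
	plaintext := []byte("valve_pos=73.5;temp_c=88.1") // constructed sample reading

	sealed, err := Protect(key, aad, plaintext)
	if err != nil {
		return r, err
	}
	// Confidentiality: the reading is not visible in the sealed bytes.
	r.Hidden = !bytes.Contains(sealed, plaintext)

	// Correct key and header: the reading comes back intact.
	pt, err := Unprotect(key, aad, sealed)
	r.RoundTrip = err == nil && bytes.Equal(pt, plaintext)

	// Integrity: flip one bit in the ciphertext body (past the 12-byte nonce).
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)/2] ^= 0x01
	_, err = Unprotect(key, aad, tampered)
	r.TamperDetected = err != nil

	// Unauthorized use: a party without the key cannot open the message.
	otherKey := make([]byte, 32)
	if _, err := rand.Read(otherKey); err != nil {
		return r, err
	}
	_, err = Unprotect(otherKey, aad, sealed)
	r.WrongKeyRejected = err != nil

	// Binding: replaying the ciphertext under a different header fails too.
	_, err = Unprotect(key, []byte("device=plc-7;seq=43"), sealed)
	r.WrongAADRejected = err != nil

	return r, nil
}

func main() {
	r, err := Demo()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("%+v\n", r)
}
```

One caveat a practitioner should carry away: GCM is only safe if a nonce is never reused under the same key, so with random 96-bit nonces the key must be rotated long before 2^32 messages, and a device that cannot keep a counter or a reliable entropy source is precisely the resource-constrained bare metal case this section contrasts with the hypervisor-based stack.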