Industrial Internet Security Framework v 1.0 | Page 69
Security Framework
8: Protecting Endpoints
The level of trust attributed to a credential depends on its uniqueness and strength. An IP
address, a MAC address and a QR code are all credentials, and they are unique, but they are not
strong, as they can be falsified to impersonate another endpoint. A cryptographic certificate is
both unique (with appropriate randomness) and strong (depending on key type and length).
However, if the private key associated with the certificate is not stored and processed in
protected storage and memory, the key can be copied and the identity the certificate asserts can
still be impersonated.
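To make the distinction above concrete, the following Go program (an added example, not code from the IISF) contrasts a MAC-address check with an Ed25519 challenge-response against an enrolled public key, which stands in for the endpoint's certificate. The registered MAC value, the 32-byte nonce and the use of a raw Ed25519 key rather than a full X.509 certificate are assumptions made for the example. It also plays through the case the last sentence warns about: a private key copied out of unprotected storage.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Weak credential: the verifier trusts whatever MAC address the peer claims.
// The MAC is unique, but it travels as plain bytes that any host can copy, so
// presenting a registered value is all an impostor has to do.
func authenticateByMAC(registry map[string]bool, claimedMAC string) bool {
	return registry[claimedMAC]
}

// Strong credential: the verifier issues a fresh random nonce and accepts the
// endpoint only if it returns a valid signature over that nonce under the
// public key enrolled for it (the key the endpoint's certificate carries).
func newChallenge() ([]byte, error) {
	nonce := make([]byte, 32) // assumed nonce length
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return nonce, nil
}

func signChallenge(priv ed25519.PrivateKey, nonce []byte) []byte {
	return ed25519.Sign(priv, nonce)
}

func verifyChallenge(enrolled ed25519.PublicKey, nonce, sig []byte) bool {
	return ed25519.Verify(enrolled, nonce, sig)
}

// Outcome records who the verifier accepted in each case walked through below.
type Outcome struct {
	MACImpostorAccepted       bool // attacker presents a registered MAC address
	LegitEndpointAccepted     bool // genuine endpoint signs the fresh nonce
	CertOnlyImpostorAccepted  bool // attacker holds only the certificate (public key)
	ReplayAccepted            bool // attacker replays an old signature against a new nonce
	StolenKeyImpostorAccepted bool // attacker copied the private key from unprotected storage
}

// runScenario plays through the five cases with constructed sample data.
func runScenario() (Outcome, error) {
	var out Outcome

	// Constructed sample: one registered endpoint identified by MAC only.
	registry := map[string]bool{"00:1a:2b:3c:4d:5e": true}
	out.MACImpostorAccepted = authenticateByMAC(registry, "00:1a:2b:3c:4d:5e")

	// Enroll an endpoint by its Ed25519 public key (stand-in for its certificate).
	enrolledPub, devicePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return out, err
	}

	// 1. The genuine endpoint answers a fresh challenge with its own key.
	nonce, err := newChallenge()
	if err != nil {
		return out, err
	}
	legitSig := signChallenge(devicePriv, nonce)
	out.LegitEndpointAccepted = verifyChallenge(enrolledPub, nonce, legitSig)

	// 2. An attacker who has the certificate but not the private key can only
	//    sign with a key of their own, which does not match the enrolled one.
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return out, err
	}
	nonce, err = newChallenge()
	if err != nil {
		return out, err
	}
	out.CertOnlyImpostorAccepted = verifyChallenge(enrolledPub, nonce, signChallenge(attackerPriv, nonce))

	// 3. Replaying the genuine signature fails because the nonce has changed.
	out.ReplayAccepted = verifyChallenge(enrolledPub, nonce, legitSig)

	// 4. If the private key sat in unprotected storage, a copy of it is as good
	//    as the original: the verifier cannot tell the impostor from the endpoint.
	stolenPriv := make(ed25519.PrivateKey, len(devicePriv))
	copy(stolenPriv, devicePriv)
	nonce, err = newChallenge()
	if err != nil {
		return out, err
	}
	out.StolenKeyImpostorAccepted = verifyChallenge(enrolledPub, nonce, signChallenge(stolenPriv, nonce))

	return out, nil
}

func main() {
	out, err := runScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

Run it with `go run`. Only the last case is accepted wrongly, and it is the one a root of trust addresses: nothing in the protocol can distinguish a copied key from the original, so the protection has to sit around the key (protected storage and memory, up to a tamper-resistant HRoT), not in the authentication exchange.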
Several standards exist that provide guidance on choosing the right level of protection for
endpoint identity: ISO/IEC 29115, IEC 62443 and ISO/IEC 24760-1.¹
In ISO/IEC 29115, four levels of assurance (LoA) are described in the list below:
• Low: weak credential with no cryptography (IP address, MAC address, etc.), or an insecure
authentication protocol
• Medium: multi-factor authentication, a secure authentication protocol with secrets
being protected (no cryptography), and controls to prevent attacks on stored credentials
• High: multi-factor authentication, a cryptographically protected authentication
protocol, and any RoT (e.g. a software keystore, or OS-enforced access control on a file
system)
• Very High: all methods described in High plus a tamper-resistant HRoT (with
credential storage and cryptographic operations inside the HRoT), and cryptographic
protection of privacy-sensitive data in the authentication protocols.
The list above gives the levels in order of increasing strength, from the lowest to the highest
trust level.
In IEC 62443 four security levels (SL 1 to SL 4) of protection are described for seven foundational
requirements (FR), one of which is ‘Identification and Authentication Control’. These four levels
of security pertain to the security of the system in general, as a measure of confidence that the
system is free of vulnerabilities; they are graded by the capability of the adversary the system must
withstand, from casual or coincidental violation at SL 1 up to intentional attack using sophisticated
means and extended resources at SL 4. For the ‘Identification and Authentication Control’ FR,
technical security requirements are defined for identifying all entities (human, software processes
and devices). The security requirements (SR) attached to the selected target SL let asset owners
assess the capability required to protect credentials.
If no threat exists against the endpoint, cleartext credentials, such as identification numbers, may
be used. In rare instances it may not be required for all endpoints to support identity, but the
risks should be well understood and documented. ISO/IEC 24760-1 defines three levels of
trust for identities: identity, unique identity and secure identity. Industrie 4.0 provides
information² on what a secure identity technology consists of; in the case of a digital identity,
a secure identity is a certificate whose private key is protected by an HRoT such as a TPM.
¹ See [ISO-29115], [IEC-62443-11], [IEC-62443-21], [IEC-62443-23], [IEC-62443-24], [IEC-62443-3], [IEC-62443-31], [IEC-62443-33] and [ISO-24760-1].
² See [Ind4.0-SecId].
IIC:PUB:G4:V1.0:PB:20160926
- 69 -