Industrial Internet Security Framework v 1.0 | Page 69

Security Framework 8: Protecting Endpoints

The level of trust attributed to a credential depends on its uniqueness and its strength. An IP address, a MAC address and a QR code are all credentials, and they are unique, but they are not strong: anyone who observes them can copy or falsify them to impersonate another endpoint. A cryptographic certificate is both unique (given appropriate randomness when the key is generated) and strong (depending on key type and length). However, if the private key associated with the certificate is not stored and used in protected storage and memory, the certificate can still be compromised: whoever extracts the key can impersonate the endpoint. Several standards provide guidance on choosing the right level of protection for endpoint identity: ISO/IEC 29115, IEC 62443 and ISO/IEC 24760-1.¹

ISO/IEC 29115 describes four levels of assurance (LoA) for entity authentication:

• Low: a weak credential with no cryptography (IP address, MAC address, etc.), or an insecure authentication protocol.
• Medium: multi-factor authentication and a secure authentication protocol in which secrets are protected (without cryptography), plus controls that prevent attacks on stored credentials.
• High: multi-factor authentication, a cryptographically protected authentication protocol, and a root of trust of any kind (e.g. a software keystore, or OS-enforced access control on a file system).
• Very High: everything required for High, plus a tamper-resistant hardware root of trust (HRoT) that stores the credentials and performs the cryptographic operations, and cryptographic protection of privacy-sensitive data in the authentication protocols.

The list above orders the levels from the lowest to the highest level of trust.

IEC 62443 describes four security levels (SL 1-4) for each of seven foundational requirements (FRs), one of which is 'Identification and Authentication Control'. These security levels pertain to the system as a whole: each is a measure of confidence that the system can withstand an attacker of a given capability, from casual or coincidental violation at SL 1 to attackers with extended resources and high motivation at SL 4.
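The distinction drawn above between a credential that is merely unique (a MAC address, copied from the wire) and one that is unique and strong (a certificate whose holder must prove possession of the private key), together with the caveat that an unprotected private key undoes that strength, as an added Go example that is not part of the IISF text. It assumes an enrolled self-signed P-256 certificate, a verifier that pins that certificate and challenges with a fresh 32-byte nonce, and a MAC allow-list; the device name, the MAC address and all function names are constructed for the illustration.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Endpoint holds a MAC address (unique, but copyable by anyone who sees it on
// the wire) and an X.509 certificate whose private key only the device should have.
type Endpoint struct {
	MAC  string
	Cert *x509.Certificate
	priv *ecdsa.PrivateKey // nil for a party that never had the key
}

// NewEndpoint enrols a device with a fresh P-256 key and a self-signed certificate.
// Example setup only: a real deployment would use a CA and keep the key in an HRoT.
func NewEndpoint(mac, name string) (*Endpoint, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Endpoint{MAC: mac, Cert: cert, priv: priv}, nil
}

// WithLeakedKey models a device whose private key was read out of unprotected storage.
func (e *Endpoint) WithLeakedKey() *Endpoint {
	return &Endpoint{MAC: e.MAC, Cert: e.Cert, priv: e.priv}
}

// Respond signs the verifier's nonce; without the private key there is no valid answer.
func (e *Endpoint) Respond(nonce []byte) ([]byte, error) {
	if e.priv == nil {
		return nil, fmt.Errorf("no private key")
	}
	digest := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, e.priv, digest[:])
}

// AuthenticateByMAC is the weak check: whoever claims an allow-listed address is
// accepted, because nothing ties the claim to the device.
func AuthenticateByMAC(allowed map[string]bool, claimant *Endpoint) bool {
	return allowed[claimant.MAC]
}

// AuthenticateByCert is a proof-of-possession check: the presented certificate must
// match the enrolled one and the claimant must sign a fresh nonce under its key.
func AuthenticateByCert(enrolled *x509.Certificate, claimant *Endpoint) bool {
	if claimant.Cert == nil || !bytes.Equal(enrolled.Raw, claimant.Cert.Raw) {
		return false
	}
	pub, ok := enrolled.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return false
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return false
	}
	sig, err := claimant.Respond(nonce)
	if err != nil {
		return false
	}
	digest := sha256.Sum256(nonce)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	device, _ := NewEndpoint("00:11:22:33:44:55", "plc-07")
	allowed := map[string]bool{device.MAC: true}
	fake := &Endpoint{MAC: device.MAC, Cert: device.Cert} // copied MAC and cert, no key
	fmt.Println(AuthenticateByMAC(allowed, device), AuthenticateByMAC(allowed, fake))           // true true
	fmt.Println(AuthenticateByCert(device.Cert, device), AuthenticateByCert(device.Cert, fake)) // true false
	fmt.Println(AuthenticateByCert(device.Cert, device.WithLeakedKey()))                        // true
}
```

The MAC allow-list accepts the impersonator because the address is the whole secret. The challenge-response rejects it because it cannot sign the nonce, and accepts it again as soon as the key has been copied out of unprotected storage, which is exactly the weakness the text warns about. In ISO/IEC 29115 terms the first check is a Low credential; the second is the kind of cryptographically protected protocol the High and Very High levels require, and which of the two applies depends on where the key lives: a software keystore, or a tamper-resistant HRoT from which it cannot be read out.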
Within IEC 62443, the 'Identification and Authentication Control' FR defines technical security requirements for identifying all entities (humans, software processes and devices). The system requirements (SRs) for the selected target SL let asset owners assess the capability needed to protect credentials. Where no threat exists against the endpoint, cleartext credentials such as identification numbers may be used. In some rare instances it may not be necessary for every endpoint to support identity, but the risks should be well understood and documented.

ISO/IEC 24760-1 defines three levels of trust for identities: identity, unique identity and secure identity. Industrie 4.0 provides information² on what a secure identity technology consists of; for a digital identity, a secure identity is a certificate whose private key is protected by an HRoT such as a TPM.

¹ See [ISO-29115], [IEC-62443-11], [IEC-62443-21], [IEC-62443-23], [IEC-62443-24], [IEC-62443-3], [IEC-62443-31], [IEC-62443-33] and [ISO-24760-1].
² See [Ind4.0-SecId].

IIC:PUB:G4:V1.0:PB:20160926 - 69 -