Industrial Internet Security Framework v 1.0 | Page 71
Security Framework
8: Protecting Endpoints
hardware at the endpoint microcontroller, and evidence of the storage of the credential material,
etc. may be required to evaluate the level of trust to grant to a successful authentication
transaction.
8.6.2 ENDPOINT COMMUNICATION AUTHORIZATION
All communications between endpoints must be not only authenticated, but also authorized.
Every connection attempt in an IIoT environment should be evaluated to determine whether it
fits the endpoint or communication policy. Any violation must generate an event notification,
and may result in the network connection attempt being blocked.
Authorizing a connection attempt involves asserting that the port, protocol, application, library
and process are allowed by policy. Authorization may be enforced either on the endpoint or on
the network. On the endpoint, much more information is available to determine the nature of
the communication, allowing for a more informed authorization decision.
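The following is an added example, not code from the framework, that shows the authorization step described above as a small policy check. The policy rules, process paths, hosts and ports are constructed for illustration. It contrasts the endpoint-side decision, which can see the initiating process and library, with a network-side decision over the same policy that only sees destination, port and protocol; every violation produces an event record, and enforcement can be switched between blocking and alert-only.

```python
from dataclasses import dataclass
from fnmatch import fnmatch

# Constructed endpoint communication policy (illustrative names, hosts and ports,
# not taken from the framework). Each rule says which local process may open
# which destination/port/protocol. Destination patterns use shell-style globs.
POLICY = [
    {"process": "/usr/bin/historian", "dst": "10.0.1.*", "port": 4840, "proto": "tcp"},
    {"process": "/usr/bin/mqtt-agent", "dst": "broker.plant.local", "port": 8883, "proto": "tcp"},
    {"process": "/usr/sbin/ntpd", "dst": "*", "port": 123, "proto": "udp"},
]


@dataclass(frozen=True)
class ConnectionAttempt:
    """What an endpoint-side hook sees for one outbound connection attempt.
    process/library are only visible on the endpoint; the network sees the rest."""
    process: str
    library: str
    dst: str
    port: int
    proto: str


def rule_matches_flow(rule, attempt):
    """Network-visible part of a rule: destination, port and protocol."""
    return (fnmatch(attempt.dst, rule["dst"])
            and rule["port"] == attempt.port
            and rule["proto"] == attempt.proto)


def endpoint_authorize(attempt, policy=POLICY, enforce=True):
    """Endpoint-side decision. Returns (decision, event): 'allow' with no event
    when a rule covers process + flow; otherwise a policy_violation event is
    always produced and the decision is 'block' (enforcing) or 'alert' (monitor only)."""
    for rule in policy:
        if rule["process"] == attempt.process and rule_matches_flow(rule, attempt):
            return "allow", None
    action = "block" if enforce else "alert"
    event = {
        "type": "policy_violation",
        "process": attempt.process,
        "library": attempt.library,
        "dst": attempt.dst,
        "port": attempt.port,
        "proto": attempt.proto,
        "action": action,
    }
    return action, event


def network_authorize(attempt, policy=POLICY):
    """Network-side decision over the same policy. Only the flow is visible, so
    the process/library fields of the rule cannot be checked."""
    return "allow" if any(rule_matches_flow(r, attempt) for r in policy) else "block"


if __name__ == "__main__":
    attempts = [
        ConnectionAttempt("/usr/bin/historian", "libopcua.so", "10.0.1.7", 4840, "tcp"),
        # constructed: an unexpected binary reusing an allowed destination/port
        ConnectionAttempt("/tmp/unknown-tool", "libc.so.6", "10.0.1.7", 4840, "tcp"),
        ConnectionAttempt("/usr/sbin/ntpd", "libc.so.6", "time.example.net", 53, "udp"),
    ]
    for a in attempts:
        ep, ev = endpoint_authorize(a)
        print(f"{a.process:>22} -> {a.dst}:{a.port}/{a.proto}  endpoint={ep}  network={network_authorize(a)}")
        if ev:
            print("   event:", ev)
```

The second constructed attempt is the instructive one: a process not named in any rule reuses a destination and port that the policy does allow for the historian. The network-side check passes it, because the flow alone is indistinguishable from legitimate traffic; the endpoint-side check blocks it and raises an event carrying the process and library that initiated it.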
8.7 ENDPOINT INTEGRITY PROTECTION
Measuring the device boot process enables the validation of its integrity, so we may assert that
a device has powered up in a known good state. Given that devices may not be rebooted for long
periods of time in OT environments, both static and dynamic integrity assurance of the runtime
should also be implemented. Identity material must be properly secured in the trust roots to
maintain its integrity and avoid identity spoofing, and data integrity must be monitored and
maintained to establish trust in the data, including both data-at-rest and data-in-motion.
8.7.1 BOOT PROCESS INTEGRITY
The boot process initializes the main hardware components and starts the operating system.
Trust must be established in the boot environment before any trust in any other software or
executable program can be claimed, so the booted environment must be verified and
determined to be in an uncompromised state.
Measuring the boot process enables the detection of manipulation of the host OS and software,
so that malicious changes in the behavior of the devices can be detected. It enables boot-time
detection of rootkits, viruses and worms.
The terms trusted boot and measured boot both refer to the process by which every entity in the
booting sequence measures the next entity in the execution chain before executing it. This creates
a chain of trust during the boot sequence whereby each element is measured and then executed
(if it is in the appropriate state) throughout the boot process. The measurements can be remotely
attested and later used to evaluate trust in the endpoint.
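The following is an added example, not code from the framework, that simulates the measured-boot chain just described and the verify-and-halt behaviour of the verified boot described next. The boot stages, their image bytes and the signing key are constructed stand-ins; the PCR extend rule H(old || measurement) follows the TPM convention, and an HMAC stands in for the asymmetric signature a real verified boot would check. A verifier replays the event log, compares it with the reported register value and then with a known-good ("golden") value, which is what a remote attestation decision reduces to.

```python
import hashlib
import hmac

# Constructed boot chain (stage name, image bytes). Stage names and image
# contents are illustrative stand-ins, not real firmware.
BOOT_CHAIN = [
    ("crtm", b"core root of trust for measurement"),
    ("bootloader", b"bootloader image 2.3"),
    ("kernel", b"kernel image 5.10"),
    ("initramfs", b"initramfs image"),
]
PCR_SIZE = 32  # one SHA-256 sized register, all zeros at power-on
SIGNING_KEY = b"constructed-demo-signing-key"  # stand-in for the vendor's signing key


def sha256(data):
    return hashlib.sha256(data).digest()


def extend(pcr, measurement):
    """TPM-style extend: new = H(old || measurement). Order matters and the
    register cannot be rolled back, only extended further."""
    return sha256(pcr + measurement)


def measured_boot(chain):
    """Measured boot: every stage is hashed into the PCR and appended to the
    event log before it runs; nothing halts. Returns (pcr_hex, log)."""
    pcr = bytes(PCR_SIZE)
    log = []
    for name, image in chain:
        digest = sha256(image)
        log.append((name, digest.hex()))
        pcr = extend(pcr, digest)
    return pcr.hex(), log


def replay_log(log):
    """Verifier side: recompute the PCR a given event log should produce."""
    pcr = bytes(PCR_SIZE)
    for _, digest_hex in log:
        pcr = extend(pcr, bytes.fromhex(digest_hex))
    return pcr.hex()


def attest(reported_pcr, log, golden_pcr):
    """Remote attestation decision on a (PCR, log) report: the log must replay
    to the reported PCR, and the PCR must equal the known-good value."""
    if replay_log(log) != reported_pcr:
        return "log_mismatch"
    if reported_pcr != golden_pcr:
        return "untrusted_state"
    return "trusted"


def sign(image):
    """Stand-in signature (HMAC) over a stage image; a real system uses
    asymmetric signatures anchored in the boot ROM."""
    return hmac.new(SIGNING_KEY, image, "sha256").digest()


def verified_boot(chain, signatures):
    """Verified/secure boot: each stage's signature is checked before it runs
    and the first failure halts the boot. Nothing is measured or logged.
    Returns ("booted", stages) or ("halted", failing_stage)."""
    ran = []
    for name, image in chain:
        expected = signatures.get(name)
        if expected is None or not hmac.compare_digest(sign(image), expected):
            return "halted", name
        ran.append(name)
    return "booted", ran


if __name__ == "__main__":
    golden, good_log = measured_boot(BOOT_CHAIN)
    sigs = {name: sign(image) for name, image in BOOT_CHAIN}
    # constructed: the same chain with a modified kernel image
    tampered = [(n, img + b" [modified]") if n == "kernel" else (n, img) for n, img in BOOT_CHAIN]
    pcr, log = measured_boot(tampered)
    print("measured boot, modified kernel:", attest(pcr, log, golden))
    print("verified boot, modified kernel:", verified_boot(tampered, sigs))
```

Two failure modes matter to the verifier. A modified kernel image boots fully under measured boot, but the register no longer matches the golden value, so the attestation result is untrusted. A report that presents the original log together with the register from the modified boot fails earlier, because the log does not replay to the reported value; that is why the replay check comes first. Under verified boot the same modification stops the chain at the kernel stage and the later stages never run.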
Some boot-process-protection technologies interrupt the boot process if an improper
component is detected. The terms authenticated, verified and secure boot refer to technologies
that interrupt and halt the booting process if the device is not in the desired state [BDI-CRTM].
A verified boot process is a type of trusted boot where the boot firmware and software are signed,
but not measured; in this type of boot protection, the system will halt if the verification of a boot
IIC:PUB:G4:V1.0:PB:20160926
- 71 -