Industrial Internet Security Framework v 1.0 | Page 71

Security Framework 8: Protecting Endpoints

hardware at the endpoint microcontroller, and evidence of the storage of the credential material, etc. may be required to evaluate the level of trust to grant to a successful authentication transaction.

8.6.2 ENDPOINT COMMUNICATION AUTHORIZATION

All communications between endpoints must be not only authenticated, but also authorized. Every connection attempt in an IIoT environment should be evaluated to determine whether it fits the endpoint or communication policy. Any violation of that policy must generate an event notification, and may result in the network connection attempt being blocked.

Authorizing a connection attempt involves asserting that the port, protocol, application, library and process are allowed by policy. Authorization may be enforced either on the endpoint or on the network. On the endpoint, much more information is available to determine the nature of the communication, allowing for a more informed authorization decision.

8.7 ENDPOINT INTEGRITY PROTECTION

Measuring the device boot process enables the validation of its integrity, so we may assert that a device has powered up in a known good state. Given that devices may not be rebooted for long periods of time in OT environments, both static and dynamic integrity assurance of the runtime should also be implemented. Identity material must be properly secured in the trust roots to maintain its integrity and avoid identity spoofing, and data integrity must be monitored and maintained to establish trust in the data, including both data-at-rest and data-in-motion.

8.7.1 BOOT PROCESS INTEGRITY

The boot process initializes the main hardware components and starts the operating system. Trust must be established in the boot environment before trust in any other software or executable program can be claimed, so the booted environment must be verified and determined to be in an uncompromised state.
Measuring the boot process enables the detection of manipulation of the host OS and software, so that malicious changes in the behavior of the devices can be detected. It enables boot-time detection of rootkits, viruses and worms. The terms trusted boot and measured boot both refer to the process by which every entity in the booting sequence measures the next entity in the execution chain before executing it. This creates a chain of trust during the boot sequence whereby each element is measured and then executed (if it is in the appropriate state) throughout the boot process. The measurements can be remotely attested and later used to evaluate trust in the endpoint. Some boot-process-protection technologies interrupt the boot process if an improper component is detected. The terms authenticated, verified or secure boot refer to technologies that interrupt and halt the booting process if the device is not in the desired state [BDI-CRTM]. A verified boot process is a type of trusted boot where the boot firmware and software are signed, but not measured; in this type of boot protection, the system will halt if the verification of a boot

IIC:PUB:G4:V1.0:PB:20160926 - 71 -
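The contrast between measured boot (every stage is hashed into a register and attested later) and verified boot (the chain halts at the first stage that fails its check) can be shown as a small simulation. The following is an added example, not code from the IIC framework; the boot stages, the TPM-style extend operation on a single register, and the use of a digest allow list in place of real signature verification are all constructed for illustration.

```python
import hashlib
import hmac

# Constructed boot chain: (stage name, stage contents). Not real firmware.
BOOT_CHAIN = [
    ("bootloader", b"stage1 loader v1"),
    ("kernel", b"kernel image v4.19"),
    ("initrd", b"initial ramdisk"),
]

def measure(stage: bytes) -> bytes:
    """Digest the next stage, as the running stage does before handing control over."""
    return hashlib.sha256(stage).digest()

def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM-style extend: PCR = H(PCR || digest). Order matters, so swapping,
    replacing or inserting a stage changes the final register value."""
    return hashlib.sha256(pcr + digest).digest()

def measured_boot(chain):
    """Measured (trusted) boot: every stage is measured and logged, and the chain
    always runs to completion. Trust is decided later by a verifier, not at boot."""
    pcr = bytes(32)           # register starts at all zeros on power-up
    event_log = []
    for name, blob in chain:
        digest = measure(blob)
        event_log.append((name, digest.hex()))
        pcr = extend(pcr, digest)
    return pcr, event_log

def verify_attestation(pcr: bytes, event_log, golden_pcr: bytes) -> bool:
    """Remote verifier: replay the event log, check it reproduces the reported
    register, and compare that register against the known-good value."""
    replay = bytes(32)
    for _, digest_hex in event_log:
        replay = extend(replay, bytes.fromhex(digest_hex))
    return hmac.compare_digest(replay, pcr) and hmac.compare_digest(pcr, golden_pcr)

def verified_boot(chain, allowed_digests):
    """Verified/secure boot: halt at the first stage that fails its check (an
    allow list of digests stands in for signature verification). Nothing is
    measured or logged, so there is no evidence to attest afterwards."""
    for name, blob in chain:
        if measure(blob) not in allowed_digests:
            return ("halted", name)
    return ("booted", None)

# Known-good reference values, recorded from the trusted chain (constructed).
GOLDEN_PCR, _ = measured_boot(BOOT_CHAIN)
ALLOWED_DIGESTS = {measure(blob) for _, blob in BOOT_CHAIN}
# A chain whose kernel stage was modified after the reference was taken.
TAMPERED_CHAIN = [BOOT_CHAIN[0], ("kernel", b"kernel image v4.19 (modified)"), BOOT_CHAIN[2]]
```

Running measured_boot over TAMPERED_CHAIN still completes, but verify_attestation rejects the result; verified_boot over the same chain stops at the kernel stage instead.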