Industrial Internet Security Framework v 1.0 | Page 73

Security Framework 8: Protecting Endpoints

execution is one approach to creating some sort of cryptographic identifier that authoritatively confirms that the file has not been altered from its intended form. The whitelisting of files also protects against runtime integrity being compromised by the insertion of a previous version of the file or incompatible versions of files, such as known library files mistakenly or intentionally inserted into the system. In practice, many vendors avoid this technique because of the complexity of signing all the files during software development and release cycles.

Alternatively, file hashing provides a separate ledger of hashes for allowed files. If a particular executable is not on the whitelist ledger, or the hash of the executable does not match the hash in the ledger, then its execution is blocked. All modifications to the ledger must be controlled and also be equally protected against tampering.

Memory-region protection controls memory-access rights, thus creating a TEE that prevents unauthorized access. Protection can be implemented in hardware, software, the OS, the separation kernel or the firmware. It is common to assign the memory regions during the boot process. This is especially effective in small, simple, resource-constrained devices.

Dynamic integrity controls include such applications as host intrusion detection (HID), host intrusion protection (HIP) or runtime process integrity attestation controls. HIPs monitor and analyze an endpoint, as well as its network traffic, looking for anomalous activity or known signatures that trigger alarms. HIPs may also monitor application access to protected resources, protected RAM and privileged directories on the file system.

While there is no definitive best way to implement device integrity solutions, as much runtime integrity should be implemented as is possible within the constraints of the device.
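The hash-ledger approach described above, worked through as an added example (this is not code from the Industrial Internet Security Framework or any IIC member implementation). It assumes, beyond what the text states, that the ledger maps a file name to its SHA-256 digest and that the ledger is sealed with an HMAC-SHA256 under a key held only by the integrity service, which is one way of meeting the requirement that ledger modifications be controlled and tamper-protected. The scenario data (file names, contents, key) is constructed for the demonstration.

```python
"""Hash-ledger execution allowlist with a tamper-evident ledger.

Added example, not code from the Industrial Internet Security Framework.
Assumptions not stated in the text: the ledger maps a file name to its
SHA-256 digest, and the ledger is sealed with an HMAC-SHA256 under a key
held only by the integrity service, so an uncontrolled edit is detected.
"""
import hashlib
import hmac
import json
import os
import tempfile
from typing import Dict, Optional, Tuple


def sha256_file(path: str) -> str:
    """Stream the file so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _canonical(entries: Dict[str, str]) -> bytes:
    # Deterministic encoding so the MAC covers exactly the bytes verified later.
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def seal_ledger(entries: Dict[str, str], key: bytes) -> dict:
    """Attach an HMAC so any change to the entries without the key is detected."""
    tag = hmac.new(key, _canonical(entries), hashlib.sha256).hexdigest()
    return {"entries": dict(entries), "mac": tag}


def verify_ledger(ledger: dict, key: bytes) -> Optional[Dict[str, str]]:
    """Return the entries only if the ledger MAC checks out, else None."""
    expected = hmac.new(key, _canonical(ledger["entries"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, ledger.get("mac", "")):
        return None
    return ledger["entries"]


def execution_allowed(path: str, ledger: dict, key: bytes) -> Tuple[bool, str]:
    """Decide whether `path` may run; the reason string is what an alarm would carry."""
    entries = verify_ledger(ledger, key)
    if entries is None:
        return False, "ledger-tampered"
    name = os.path.basename(path)
    if name not in entries:
        return False, "not-whitelisted"
    if not hmac.compare_digest(sha256_file(path), entries[name]):
        return False, "hash-mismatch"
    return True, "ok"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Constructed scenario: one allowed binary, one unlisted binary, one
    downgraded library and one ledger edited without the sealing key."""
    key = b"constructed-demo-key-not-for-production"
    results: Dict[str, Tuple[bool, str]] = {}
    with tempfile.TemporaryDirectory() as workdir:

        def write(name: str, data: bytes) -> str:
            full = os.path.join(workdir, name)
            with open(full, "wb") as fh:
                fh.write(data)
            return full

        ctrl = write("pump_ctrl.bin", b"constructed controller firmware v1")
        lib = write("libcomm.so", b"constructed comms library v2")
        rogue = write("rogue.bin", b"constructed unlisted binary")

        ledger = seal_ledger({"pump_ctrl.bin": sha256_file(ctrl),
                              "libcomm.so": sha256_file(lib)}, key)

        results["allowed"] = execution_allowed(ctrl, ledger, key)
        results["unlisted"] = execution_allowed(rogue, ledger, key)

        # Downgrade: an older library version overwrites the file; its hash no longer matches.
        write("libcomm.so", b"constructed comms library v1")
        results["downgraded"] = execution_allowed(lib, ledger, key)

        # Uncontrolled ledger change: rogue.bin added without re-sealing, so the MAC fails.
        edited = {"entries": dict(ledger["entries"]), "mac": ledger["mac"]}
        edited["entries"]["rogue.bin"] = sha256_file(rogue)
        results["ledger-edited"] = execution_allowed(rogue, edited, key)
    return results


if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case:14s} allowed={ok} reason={reason}")
```

The block blocks execution on all three failure paths the text names (unlisted file, hash mismatch after a downgrade, and an uncontrolled edit to the ledger) and only the sealing key holder can legitimately change the ledger. In a deployment the key would live in hardware-backed storage and the ledger check would be invoked by the loader or a HIP hook rather than called directly as here.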
8.8 ENDPOINT DATA PROTECTION

Securing data in endpoints involves data-at-rest (DAR) and data-in-use (DIU). The protection strategy for data-in-motion (DIM) differs at the edge, in the cloud and in the communications. Cryptography enforces data confidentiality and ensures the integrity of the data. It may be applied to all the data, only the sensitive portions or the entire storage medium. In practice, multiple data protection techniques may be applied simultaneously, providing protection against different types of attacks.

8.8.1 DATA CONFIDENTIALITY

Data confidentiality refers to ensuring that information is not disclosed to unauthorized parties. To implement this, cryptography renders data unintelligible to unauthorized entities that do not have the proper key for decrypting the data. The algorithm must be designed and implemented to ensure that no unauthorized party can determine the keys associated with the encryption or derive the plaintext. Data confidentiality is often mandated by regulations, in particular when the privacy of the records is important or a record contains personally identifiable information (PII).

Some fields in a record may contain sensitive data that requires confidentiality while other fields need to be processed by an application. In this case, data tokenization can replace sensitive fields

IIC:PUB:G4:V1.0:PB:20160926 - 73 -
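Field-level tokenization of a mixed-sensitivity record, as an added example that is not part of the Industrial Internet Security Framework. It assumes, beyond what the text states, that the token vault is an in-memory map kept inside the protected boundary, that tokens are random values with no mathematical relation to the original, and that the same sensitive value maps to the same token so the application can still group on it; the maintenance records are constructed.

```python
"""Field-level tokenization of a record with mixed sensitivity.

Added example, not code from the Industrial Internet Security Framework.
Assumptions not stated in the text: the token vault is an in-memory map
that stays inside the protected boundary, tokens are random values with no
mathematical relation to the original, and the same sensitive value maps
to the same token so the application can still group or join on it.
"""
import json
import secrets
from typing import Dict, Set


class TokenVault:
    """Holds the only mapping from tokens back to sensitive values."""

    def __init__(self) -> None:
        self._token_to_value: Dict[str, str] = {}
        self._value_to_token: Dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        if value in self._value_to_token:
            return self._value_to_token[value]
        token = "tok_" + secrets.token_hex(8)
        while token in self._token_to_value:  # vanishingly rare collision
            token = "tok_" + secrets.token_hex(8)
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._token_to_value[token]  # KeyError for an unknown token


def tokenize_record(record: dict, sensitive: Set[str], vault: TokenVault) -> dict:
    """Replace only the sensitive fields; everything else stays processable as-is."""
    return {k: vault.tokenize(str(v)) if k in sensitive else v for k, v in record.items()}


def detokenize_record(record: dict, sensitive: Set[str], vault: TokenVault) -> dict:
    """Inverse of tokenize_record; only callable where the vault is reachable."""
    return {k: vault.detokenize(v) if k in sensitive else v for k, v in record.items()}


# Constructed sample maintenance records; the technician fields are PII.
SAMPLE_RECORDS = [
    {"site_id": "plant-07", "pump_id": "P-114", "vibration_mm_s": 4.2,
     "technician_name": "A. Example", "technician_phone": "+1-555-0100"},
    {"site_id": "plant-07", "pump_id": "P-115", "vibration_mm_s": 6.9,
     "technician_name": "A. Example", "technician_phone": "+1-555-0100"},
]
SENSITIVE_FIELDS = {"technician_name", "technician_phone"}


def demo() -> dict:
    vault = TokenVault()
    tokenized = [tokenize_record(r, SENSITIVE_FIELDS, vault) for r in SAMPLE_RECORDS]
    serialized = json.dumps(tokenized)  # what leaves the protected boundary
    # Analytics outside the boundary still works on the untouched numeric fields.
    mean_vibration = sum(r["vibration_mm_s"] for r in tokenized) / len(tokenized)
    # Same technician -> same token, so per-technician grouping still works.
    same_token = tokenized[0]["technician_name"] == tokenized[1]["technician_name"]
    restored = [detokenize_record(r, SENSITIVE_FIELDS, vault) for r in tokenized]
    return {
        "pii_in_output": any(v in serialized for r in SAMPLE_RECORDS
                             for k, v in r.items() if k in SENSITIVE_FIELDS),
        "mean_vibration": mean_vibration,
        "same_token": same_token,
        "restored_equal": restored == SAMPLE_RECORDS,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Consistent tokens (same value, same token) keep grouping and joins working but reveal that two records share a value, so choose per-use random tokens where that equality itself is sensitive. The vault holds the only route back to the plaintext and therefore needs the same access control and tamper protection as a key store.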