Industrial Internet Security Framework v 1.0 | Page 73
Security Framework
8: Protecting Endpoints
execution is one approach to creating a cryptographic identifier that authoritatively
confirms that the file has not been altered from its intended form. Whitelisting files also
protects runtime integrity against the insertion of a previous or incompatible version of a file,
such as a known library file that is mistakenly or intentionally placed on the system. In
practice, many vendors avoid this technique because of the complexity of signing all the files
during software development and release cycles. Alternatively, file hashing provides a separate
ledger of hashes for allowed files. If a particular executable is not on the whitelist ledger, or
the hash of the executable does not match the hash in the ledger, then its execution is blocked.
All modifications to the ledger must be controlled and the ledger must be equally protected
against tampering.
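The hash-ledger whitelist just described, as an added illustration that is not part of the IISF text: the file paths, file contents and ledger key are constructed, and the HMAC seal stands in for whatever signature or protected storage a real deployment uses to keep the ledger itself tamper-evident.

```python
import hashlib
import hmac
import json

# Constructed stand-in for files on the endpoint (path -> contents); not real binaries.
SAMPLE_FILES = {
    "/opt/app/bin/controller": b"\x7fELF controller build 4.2",
    "/opt/app/lib/libproto.so": b"\x7fELF libproto 1.1",
}
# Constructed key used to seal the ledger. A deployment would keep this (or a signing
# key) in protected storage, since anyone holding it could re-seal a modified ledger.
LEDGER_KEY = b"constructed-demo-ledger-key"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_ledger(files: dict, key: bytes) -> dict:
    """Whitelist ledger {path: sha256} sealed with an HMAC so edits are detectable."""
    entries = {path: sha256_hex(content) for path, content in files.items()}
    body = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries, "mac": hmac.new(key, body, "sha256").hexdigest()}

def ledger_is_intact(ledger: dict, key: bytes) -> bool:
    body = json.dumps(ledger["entries"], sort_keys=True).encode()
    expected = hmac.new(key, body, "sha256").hexdigest()
    return hmac.compare_digest(expected, ledger["mac"])

def execution_allowed(path: str, content: bytes, ledger: dict, key: bytes) -> tuple:
    """Decision an execution-control hook makes before running `path`."""
    if not ledger_is_intact(ledger, key):
        return False, "ledger tampered"   # fail closed: trust nothing in the ledger
    expected = ledger["entries"].get(path)
    if expected is None:
        return False, "not on whitelist"
    if not hmac.compare_digest(expected, sha256_hex(content)):
        return False, "hash mismatch"     # modified, downgraded or swapped file
    return True, "allowed"

LEDGER = build_ledger(SAMPLE_FILES, LEDGER_KEY)

if __name__ == "__main__":
    for path, content in SAMPLE_FILES.items():
        print(path, execution_allowed(path, content, LEDGER, LEDGER_KEY))
    print("/tmp/dropper", execution_allowed("/tmp/dropper", b"unknown", LEDGER, LEDGER_KEY))
```

Note that a ledger entry added without re-sealing is rejected as a whole, which is the behaviour the paragraph asks for: the ledger is only as trustworthy as the control over its modifications.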
Memory-region protection controls memory-access rights, thus creating a TEE that prevents
unauthorized access. Protection can be implemented in hardware, software, the OS, the
separation kernel or the firmware. It is common to assign the memory regions during the boot
process. This is especially effective in small, simple, resource-constrained devices.
Dynamic integrity controls include applications such as host intrusion detection (HID), host
intrusion protection (HIP) and runtime process integrity attestation controls. HIPs monitor and
analyze an endpoint, as well as its network traffic, looking for anomalous activity or known
signatures that trigger alarms. HIPs may also monitor application access to protected resources,
protected RAM and privileged directories on the file system.
While there is no definitive best way to implement device integrity solutions, as much runtime
integrity should be implemented as is possible within the constraints of the device.
8.8 ENDPOINT DATA PROTECTION
Securing data in endpoints involves data-at-rest (DAR) and data-in-use (DIU). The protection
strategy for data-in-motion (DIM) differs at the edge, the cloud, and in the communications.
Cryptography enforces data confidentiality and ensures data integrity. It may be applied to
all the data, only the sensitive portions, or the entire storage medium. In practice, multiple data
protection techniques may be applied simultaneously, providing protection from different types
of attacks.
8.8.1 DATA CONFIDENTIALITY
Data confidentiality refers to ensuring that information is not disclosed to unauthorized parties.
To implement this, cryptography renders data unintelligible to unauthorized entities that do not
have the proper key for decryption of the data. The algorithm must be designed and
implemented to ensure that no unauthorized party can determine the keys associated with the
encryption or derive the plaintext. Data confidentiality is often mandated by regulations, in
particular when privacy of the records is important or the record contains personally identifiable
information (PII).
Some fields in a record may contain sensitive data that requires confidentiality while other fields
need to be processed by an application. In this case, data tokenization can replace sensitive fields
IIC:PUB:G4:V1.0:PB:20160926
- 73 -