Industrial Internet Security Framework v 1.0 | Page 79

Security Framework 8: Protecting Endpoints

Figure 8-5: Virtual Isolation

Virtual isolation enables the same economies of scale that have driven the growth in cloud adoption. On the edge, virtualization enables OT components to function without change in their existing operating system, while allowing security functions to run independently in their own OS. Because the security OS is on the same physical device as the OT operating system, it can provide many controls, such as embedded identity, secure boot attestation and the communication interceptor pattern, all below the OT operating environment.

Virtual isolation augments brownfield software deployments with security capabilities below the OS. The security does not reside in the guest OS, but rather in a dedicated security OS, acting as a TEE, that implements many of the security operations on behalf of the guest OS. This is analogous to deploying a gateway inside the device, rather than in front of it. The advantage for brownfield deployments is that it doesn’t require changes to guest source code and that the application itself is oblivious to the existence of the security OS protecting it.

Separation kernels are a specific form of virtual isolation. They provide strong isolation that covers all the resources provided by the underlying hardware platform (processor time, memory and I/O devices). In addition to isolating components from each other, they also enable communication control between components and devices according to a security policy. In contrast with monolithic hypervisor kernels, separation kernels do not implement many services commonly associated with operating systems, such as device drivers, file systems and network stacks. Separation kernels exist to provide separation between components and enable controlled communication among them. By intentionally limiting the functionality of the kernel to isolation and simple IPC primitives, separation kernels have a greatly reduced attack surface and implementation complexity.

IIC:PUB:G4:V1.0:PB:20160926 - 79 -
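The following is an added illustration, not code from the Industrial Internet Security Framework or any separation-kernel product. It models the two ideas the page describes: a separation kernel that permits IPC only along channels listed in an explicit policy (default deny), and the interceptor pattern, in which a brownfield OT guest can reach an I/O device only through the security OS. The partition names (`ot_guest`, `security_os`, `nic`), the policy entries and the sample payload are all constructed for the example.

```python
"""Toy model of a separation kernel's communication policy (added example).

Partitions are isolated by default; a unidirectional channel (sender, receiver)
exists only if the policy lists it. Every send decision is audited so that a
defender can review which flows were attempted and refused.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Partition = str
Channel = Tuple[Partition, Partition]  # (sender, receiver), one direction only


@dataclass
class SeparationKernel:
    """Minimal separation-kernel IPC policy model (constructed, not a real kernel)."""
    partitions: Set[Partition] = field(default_factory=set)
    policy: Set[Channel] = field(default_factory=set)
    audit: List[str] = field(default_factory=list)

    def add_partition(self, name: Partition) -> None:
        self.partitions.add(name)

    def allow(self, src: Partition, dst: Partition) -> None:
        """Permit a one-way channel; both ends must be known partitions."""
        for p in (src, dst):
            if p not in self.partitions:
                raise ValueError(f"unknown partition: {p}")
        self.policy.add((src, dst))

    def send(self, src: Partition, dst: Partition, payload: bytes) -> bool:
        """Deliver payload only if the (src, dst) channel is in the policy.

        Default deny: unknown partitions and unlisted channels are refused,
        and every decision (allowed or not) is recorded for review.
        """
        permitted = (src, dst) in self.policy
        verdict = "ALLOW" if permitted else "DENY"
        self.audit.append(f"{verdict} {src}->{dst} ({len(payload)} bytes)")
        return permitted


def build_demo_kernel() -> SeparationKernel:
    """Three constructed partitions: an OT guest OS, the security OS (TEE) and a NIC.

    The interceptor pattern is expressed purely as policy: the guest may only
    talk to the security OS, and only the security OS may talk to the NIC.
    """
    k = SeparationKernel()
    for p in ("ot_guest", "security_os", "nic"):
        k.add_partition(p)
    k.allow("ot_guest", "security_os")
    k.allow("security_os", "ot_guest")
    k.allow("security_os", "nic")
    k.allow("nic", "security_os")
    return k


def forward_via_security_os(k: SeparationKernel, payload: bytes) -> bool:
    """Mediated path guest -> security OS -> NIC; True only if every hop is allowed."""
    return (k.send("ot_guest", "security_os", payload)
            and k.send("security_os", "nic", payload))


def run_demo() -> Dict[str, bool]:
    """Exercise the policy with one mediated flow and three flows it must refuse."""
    k = build_demo_kernel()
    telemetry = b"temp=41.7"  # constructed sample payload
    return {
        "mediated_path": forward_via_security_os(k, telemetry),
        "guest_direct_to_nic": k.send("ot_guest", "nic", telemetry),
        "unknown_partition": k.send("rogue", "nic", telemetry),
        "nic_to_guest_direct": k.send("nic", "ot_guest", b"cmd"),
    }


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {'allowed' if ok else 'denied'}")
```

The point of the model is that the guest application needs no change: it simply addresses the security OS as its only peer, and the kernel's policy, not the guest's code, is what prevents a direct guest-to-device path. A real separation kernel enforces the same idea over processor time, memory and device access rather than over a Python set, but the fail-closed shape of the policy is the same.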