Industrial Internet Security Framework v1.0 | Page 96

Security Framework 10: Security Monitoring and Analysis
10 SECURITY MONITORING AND ANALYSIS
Security monitoring aggregates and stores a variety of types of data from running Industrial Internet of Things systems, enabling analysis of past compromises and current security events and the prediction of future risks. Security analytic tools provide useful feedback to the organization via parameters suitable for high-level dashboard display.
Monitoring parameters are most valuable when they relate directly to an organization's security concerns and are prioritized by stakeholders. They should represent well-defined, actionable conditions understood by those who must act on them. As an example, one parameter could report the fraction of meters that responded successfully to their most recent firmware validation request, and another could indicate the fraction of end-user sites whose power flows have been disabled by remote control from the utility.
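The following Python script, added here as an illustration and not part of the IISF, shows how the two parameters described above could be derived from endpoint telemetry and turned into actionable dashboard conditions. All event records, device and site identifiers, field names and alert thresholds are constructed for the example. The firmware parameter is computed against the full meter inventory, so a meter that never answers its latest request, or whose only successful answer predates that request, counts as a failure rather than as missing data.

```python
"""Derive dashboard parameters from endpoint telemetry.

Added example, not part of the IISF. All records, identifiers, field names
and thresholds below are constructed for illustration.
"""
from datetime import datetime

# Constructed meter telemetry: (UTC timestamp, meter id, event, detail).
# "fw_validate_req"  = head-end asked the meter to validate its firmware
# "fw_validate_resp" = meter answered; detail is "ok" or "hash_mismatch"
METER_EVENTS = [
    ("2016-09-26T10:00:00", "meter-001", "fw_validate_req", ""),
    ("2016-09-26T10:00:02", "meter-001", "fw_validate_resp", "ok"),
    ("2016-09-26T10:00:00", "meter-002", "fw_validate_req", ""),
    ("2016-09-26T10:00:03", "meter-002", "fw_validate_resp", "hash_mismatch"),
    ("2016-09-26T10:00:00", "meter-003", "fw_validate_req", ""),
    # meter-003 never answers: silence is a failure, not missing data
    ("2016-09-26T09:00:00", "meter-004", "fw_validate_req", ""),
    ("2016-09-26T09:00:01", "meter-004", "fw_validate_resp", "ok"),
    ("2016-09-26T10:00:00", "meter-004", "fw_validate_req", ""),
    ("2016-09-26T10:00:05", "meter-004", "fw_validate_resp", "ok"),
    ("2016-09-26T09:00:00", "meter-005", "fw_validate_req", ""),
    ("2016-09-26T09:00:01", "meter-005", "fw_validate_resp", "ok"),
    ("2016-09-26T10:00:00", "meter-005", "fw_validate_req", ""),
    # meter-005's "ok" predates its latest request, so it must not count
]
# Inventory of meters the utility expects to hear from; meter-006 has no
# events at all and therefore also counts against the success rate.
KNOWN_METERS = {f"meter-00{i}" for i in range(1, 7)}

# Constructed per-site state: (site id, power flow state, who set it).
SITE_STATES = [
    ("site-A", "enabled", "local"),
    ("site-B", "disabled", "remote"),
    ("site-C", "disabled", "local"),   # customer-side breaker, not remote
    ("site-D", "disabled", "remote"),
    ("site-E", "enabled", "remote"),   # remotely re-enabled, power flowing
]

# Assumed alert thresholds for the example; a real deployment sets its own.
THRESHOLDS = {
    "fw_validation_ok": ("min", 0.95),   # below: investigate firmware integrity
    "remote_disconnect": ("max", 0.05),  # above: suspect misuse of disconnect
}


def firmware_validation_success_rate(events, meters):
    """Fraction of inventoried meters whose most recent validation request
    got an "ok" response. Failed validations, unanswered requests and meters
    with no request on record all count as not-successful."""
    latest_req, latest_ok = {}, {}
    for ts, meter, event, detail in events:
        t = datetime.fromisoformat(ts)
        if event == "fw_validate_req":
            latest_req[meter] = max(latest_req.get(meter, t), t)
        elif event == "fw_validate_resp" and detail == "ok":
            latest_ok[meter] = max(latest_ok.get(meter, t), t)
    if not meters:
        return 0.0
    ok = sum(1 for m in meters
             if m in latest_req and m in latest_ok
             and latest_ok[m] > latest_req[m])
    return ok / len(meters)


def remote_disconnect_fraction(site_states):
    """Fraction of sites whose power flow is disabled and where the disable
    came over the utility's remote-control channel."""
    if not site_states:
        return 0.0
    remote_off = sum(1 for _, state, origin in site_states
                     if state == "disabled" and origin == "remote")
    return remote_off / len(site_states)


def evaluate(parameters, thresholds=THRESHOLDS):
    """Turn raw fractions into actionable conditions: return the parameters
    that breach their threshold as (name, value, rule) tuples."""
    alerts = []
    for name, value in parameters.items():
        kind, limit = thresholds[name]
        if (kind == "min" and value < limit) or (kind == "max" and value > limit):
            alerts.append((name, round(value, 3), f"{kind} {limit}"))
    return alerts


def dashboard(events=METER_EVENTS, meters=KNOWN_METERS, sites=SITE_STATES):
    params = {
        "fw_validation_ok": firmware_validation_success_rate(events, meters),
        "remote_disconnect": remote_disconnect_fraction(sites),
    }
    return params, evaluate(params)


if __name__ == "__main__":
    params, alerts = dashboard()
    for name, value in params.items():
        print(f"{name}: {value:.3f}")
    for alert in alerts:
        print("ACTION REQUIRED:", alert)
```

Computing against the inventory rather than against the set of meters that happened to report is the part a dashboard most often gets wrong: a compromised or offline meter produces no "ok" record, and a rate computed only over responders would hide it. The remote-disconnect parameter likewise separates disconnects ordered over the utility's control channel from local ones, so that the figure reflects the control path an attacker would have to abuse.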
Monitoring is related to the model of attack incidents and to security and privacy policies. A three-phase incident model comprises a potential attacker performing reconnaissance to understand the system, an attack in progress, and recovery from an attack. Data collection considerations related to performance, scale and privacy should be taken into account, as well as the types of analysis possible and the actions available for implementing additional security controls.
Figure 10-1: Functional Breakdown for Security Monitoring and Analysis
Monitored data can be collected from endpoints as well as from the network and should be stored securely. Data may also be collected from devices and their components at stages in the supply chain, as IIoT components are manufactured, to ensure that the components themselves are as secure as expected. Different types of analysis may be performed to provide indications of
IIC:PUB:G4:V1.0:PB:20160926 - 96 -