Industrial Internet Security Framework v 1.0 | Page 102
10: Security Monitoring and Analysis
• regulations that prohibit the transmission of personally-identifiable data across
  geographic boundaries, or the storage or analysis of such data in some regions,
• sensitive data may need to be protected at rest or
• sensitive data may need to be protected from modification, such as by writing it to a
  write-only, write-once medium and by providing a mechanism to compare on-device log
  data with centrally reported data.
10.5 SPECIAL CONSIDERATIONS FOR MONITORING
In addition to the general aspects of monitoring, special considerations apply to brownfield
systems, supply chain systems, and the relationship to security and privacy policies. There may
be limits on the data that can be collected from legacy brownfield endpoints that do not support
monitoring directly. This might be addressed using a front-end system when feasible. A supply
chain is a special case for monitoring, since it requires monitoring the stages in producing IIoT
components to ensure their integrity. Finally, data monitoring should be compliant with privacy
and security policies.
Figure 10-4: Security Monitoring Special Considerations
10.5.1 SECURITY MODEL AND POLICY
Security monitoring is effective when there is a model of expected state and interactions allowing
deviations from that model to be detected. Examples are the expected protocol interactions on
the network, including their network destinations. The monitored data should be consistent with
expected network and endpoint behavior, including security policies.
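As an added illustration that is not part of the framework text, the following Python example checks flow records against a model of expected protocol interactions and network destinations and reports each deviation with a reason. The addresses, endpoint roles, rule set and sample flows are all constructed assumptions.

```python
import ipaddress
from typing import NamedTuple

class Flow(NamedTuple):
    src: str
    dst: str
    proto: str
    dport: int

# Expected-interaction model (constructed): for each source endpoint, the
# destination networks and protocol/port pairs it is expected to use.
EXPECTED = {
    "10.0.1.10": [                      # hypothetical HMI
        ("10.0.2.0/24", "tcp", 502),    # Modbus/TCP to the PLC subnet
    ],
    "10.0.1.20": [                      # hypothetical historian
        ("10.0.2.0/24", "tcp", 4840),   # OPC UA to the PLC subnet
        ("10.0.9.5/32", "udp", 514),    # syslog to the central collector
    ],
}

def check_flow(flow, model=EXPECTED):
    """Return None if the flow matches the model, else a reason string."""
    rules = model.get(flow.src)
    if rules is None:
        return "unknown source endpoint"
    dst = ipaddress.ip_address(flow.dst)
    known_destination = False
    for net, proto, port in rules:
        if dst in ipaddress.ip_network(net):
            known_destination = True
            if (proto, port) == (flow.proto, flow.dport):
                return None
    return "unexpected protocol/port" if known_destination else "unexpected destination"

def find_deviations(flows, model=EXPECTED):
    """Return (flow, reason) for every flow that deviates from the model."""
    return [(f, r) for f in flows if (r := check_flow(f, model)) is not None]

# Constructed sample flow records, as a passive monitor might report them.
SAMPLE_FLOWS = [
    Flow("10.0.1.10", "10.0.2.7", "tcp", 502),       # matches the model
    Flow("10.0.1.10", "10.0.2.7", "tcp", 23),        # right subnet, wrong service
    Flow("10.0.1.20", "203.0.113.50", "tcp", 443),   # destination outside the model
    Flow("10.0.1.99", "10.0.2.7", "tcp", 502),       # source not in the model
    Flow("10.0.1.20", "10.0.9.5", "udp", 514),       # matches the model
]

if __name__ == "__main__":
    for flow, reason in find_deviations(SAMPLE_FLOWS):
        print(f"{reason}: {flow}")
```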
10.5.2 GREENFIELD VERSUS BROWNFIELD CONSIDERATIONS
Legacy industrial systems may have limited logging and reporting capabilities, and they cannot
be upgraded to provide modern capabilities because of the cost of re-certification. Detailed
logging at gateways to legacy systems and passive network monitoring systems for legacy
communications can compensate. Passive network monitoring keeps track of normal network
IIC:PUB:G4:V1.0:PB:20160926