Industrial Internet Security Framework v 1.0 | Page 142

Security Framework Annex C: Security Capabilities and Techniques Tables

| Objective: Confidentiality | Example Technique/Process | Example Requirements |
|---|---|---|
| Confidentiality at endpoints | Encrypted data storage | Securely generated, distributed, and maintained keys; Protective storage of sensitive key material; Standardized and up-to-date encryption algorithms |
| Confidentiality of communication | Encrypted communication | Securely generated, distributed, and maintained keys; Standardized and up-to-date encryption algorithms |
| Confidentiality of management and monitoring operations and solutions | Encrypted communication | Endpoint confidentiality and communications confidentiality |
| Confidentiality of data in its lifecycle | Architectural confidentiality | Endpoint confidentiality; communications confidentiality; Confidentiality of management and monitoring |
| Mutual impact of confidentiality controls on other key system characteristics | Holistic security evaluation | Architectural methodology; confidentiality evaluation; Domain-specific expertise |
| Mitigating impact of both insider and outsider attacks on confidentiality | Enforcing principle of least privilege; Access control | Granular access control policies |

Table C-4: Techniques and Processes for Enabling System Confidentiality

Availability, integrity, and confidentiality are generally referred to as core security objectives. Other security objectives are often derived from one or more of these requirements. An important example is access control. Due to the prominence of access control for IIoT systems, a list of techniques and processes associated with it is given in Table C-5.

IIC:PUB:G4:V1.0:PB:20160926