Industrial Internet Security Framework v 1.0 | Page 53

Security Framework | 7: IISF Functional Viewpoint

• Endpoints & Communications: Monitoring data is gathered by a local agent running on each of the endpoints and communications in the system, obtaining information on the implementation of security controls in accordance with the system security policy.
• Secure Remote Logging: The sending and receiving of log messages using secure communications.
• Supply Chain: Collecting data from all component builders and integrators in the supply chain to assure that security requirements are met.

Analyze. Analysis looks for events (for example, violation of security thresholds) and trends that may uncover system security vulnerabilities or threats. This phase stores the information for audit or other mining purposes. There are two types of analysis:

• Behavioral Analysis observes the usage patterns in the system and learns what is appropriate behavior for the system.
• Rule-Based Analysis monitors for violations of predefined policy rules that define events that should never occur in the system.

Act. Having analyzed events and trends, action must be taken. There are three types:

• Proactive/Predictive attempts to mitigate threats before the attack begins by observing leading indicators of an imminent attack.
• Reactive Detection & Recovery provides manual and automated responses to attacks in progress and tries to mitigate them in order to recover and return to the normal runtime state.
• Root Cause/Forensics analysis investigates the underlying vulnerabilities and exploits after the attack.

Monitoring is supported by the other functions in this layer. Monitoring requires protection for the collecting agents at the endpoint, and the communication between the monitoring and analysis agents, where required, must also be protected.
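As an added illustration of the two analysis types described above (example code, not from the IISF document), the following Python sketch runs a rule-based check and a behavioral baseline over constructed endpoint-agent records; the record layout, the engineer-only configuration-write rule and the three-sigma threshold are assumptions.

```python
"""IISF Analyze phase, illustrated: rule-based and behavioral analysis over
constructed endpoint-agent records. Added example; not IISF code. The record
layout, the 'engineer'-only policy and the 3-sigma threshold are assumptions."""
from collections import defaultdict
from statistics import mean, pstdev


def _beats(ep, minute, n, ev="heartbeat", role="operator"):
    """Build n constructed records of the form (timestamp_s, endpoint, event, role)."""
    return [(minute * 60 + i, ep, ev, role) for i in range(n)]


# Constructed sample: five quiet minutes from plc-01, then a burst, then two
# configuration writes issued by different roles. None of this is real telemetry.
SAMPLE_EVENTS = (
    _beats("plc-01", 0, 2) + _beats("plc-01", 1, 3) + _beats("plc-01", 2, 2)
    + _beats("plc-01", 3, 3) + _beats("plc-01", 4, 2)       # learning window
    + _beats("plc-01", 5, 9)                                 # rate burst
    + [(6 * 60 + 5, "plc-01", "config_write", "engineer")]   # permitted by policy
    + [(6 * 60 + 30, "hmi-02", "config_write", "operator")]  # must never occur
)


def rule_based_findings(events):
    """Rule-based analysis: flag events the security policy says must never
    occur. Assumed rule: only the 'engineer' role may issue config_write."""
    return [(ts, ep, f"policy violation: config_write by {role}")
            for ts, ep, ev, role in events
            if ev == "config_write" and role != "engineer"]


def behavioral_findings(events, train_minutes):
    """Behavioral analysis: learn each endpoint's per-minute event rate over
    the first train_minutes, then flag later minutes above mean + 3 sigma."""
    per_minute = defaultdict(lambda: defaultdict(int))
    for ts, ep, _ev, _role in events:
        per_minute[ep][ts // 60] += 1
    findings = []
    for ep, counts in per_minute.items():
        baseline = [counts.get(m, 0) for m in range(train_minutes)]
        if not any(baseline):
            continue  # nothing learned for this endpoint, so it cannot be judged
        threshold = mean(baseline) + 3 * pstdev(baseline)
        for minute, n in sorted(counts.items()):
            if minute >= train_minutes and n > threshold:
                findings.append((minute * 60, ep, f"rate anomaly: {n} events"))
    return findings
```

Note that hmi-02 produces a rule-based finding but no behavioral one: without a learned baseline the behavioral analyzer has nothing to compare against, which is why the two analysis types complement each other.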
Monitoring encrypted channels may not be possible, so monitoring of data-in-motion requires coordination with the policy defining the level of protection of communication between endpoints. The data collected is protected according to the monitoring and analysis data policy. This policy may be more restrictive than policies for other data types, as it contains aggregated and sensitive information about the system. The security model and policy determine the data captured describing the overall state of the system that is input to the analysis phase.

7.6 SECURITY CONFIGURATION AND MANAGEMENT

Security Configuration & Management is responsible for the control of changes to both the operational functionality of the system (including reliability and safety behavior) and the security controls ensuring its protection. For example, security configuration and management provides stability to the system by ensuring that all changes to the system are performed in a secure, controlled and trusted way.

IIC:PUB:G4:V1.0:PB:20160926 - 53 -