Industrial Internet Security Framework v 1.0 | Page 76

Security Framework 8: Protecting Endpoints

physical source that cannot be easily controlled. RNG should be provided by the hardware of the device, but this can be challenging in resource-constrained devices.

The length of time that a specific key is valid for use by legitimate entities is called the cryptoperiod [NIST-KEYM]. Cryptoperiods limit the exposure if a single key is compromised. When a key is compromised, a key revocation process must be in place to notify that the keying material is invalid before its cryptoperiod has expired. Unfortunately, the process associated with changing keys may be complex, so a key management system that automates the various steps of key management is recommended.

Not all endpoints require cryptographic controls. In some cases, data may be publicly available, not requiring any confidentiality controls. In other cases, redundant sensors may be reporting the same measurement, so tampering with any one sensor's data could be detected, removing the need for cryptographic integrity controls. Other surrogates, such as gateways, may be performing cryptographic operations on behalf of the endpoint.

Embedded designers may offload some or all cryptographic operations in resource-constrained devices to secure microcontroller units (MCUs). The most common motivation is a desire to keep cryptographic credentials in a secured environment, along with increased performance and a reduced burden on the main processor. A need for secure random number generation can also be a factor. More secure MCUs have high-quality random number generator modules, cryptographic engines built with countermeasures against physical attacks, or a strong, unique public/private key pair injected at manufacturing time.

Training and organizational maturity are required to deploy security correctly. For example, well-established cryptographic algorithms with appropriate key sizes and key management are required.
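The cryptoperiod, revocation and automated rotation steps described above, as an added example (not code from the framework or from the sources it cites); the KeyRecord structure, the 14-day rotation lead and the sample sensor key are assumptions made for illustration:

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass(frozen=True)
class KeyRecord:
    """Metadata a key management system tracks for one key (hypothetical structure)."""
    key_id: str
    activated_at: datetime                 # start of the cryptoperiod
    cryptoperiod: timedelta                # how long legitimate entities may use the key
    revoked_at: Optional[datetime] = None  # set by the revocation process on compromise

def key_state(rec: KeyRecord, now: datetime) -> str:
    """Classify the key at time `now`: pending, active, revoked or expired.
    Revocation is checked before expiry so that a compromised key reports
    'revoked' even after its cryptoperiod would have ended anyway."""
    if now < rec.activated_at:
        return "pending"
    if rec.revoked_at is not None and rec.revoked_at <= now:
        return "revoked"
    if now >= rec.activated_at + rec.cryptoperiod:
        return "expired"
    return "active"

def key_usable(rec: KeyRecord, now: datetime) -> bool:
    """Only an active key may be used for new cryptographic operations."""
    return key_state(rec, now) == "active"

def rotation_due(rec: KeyRecord, now: datetime, lead_days: int = 14) -> bool:
    """True when the automated rotation step should already be provisioning a
    successor: the key is unusable, or its cryptoperiod ends within `lead_days`."""
    if not key_usable(rec, now):
        return True
    return now + timedelta(days=lead_days) >= rec.activated_at + rec.cryptoperiod

def revoke(rec: KeyRecord, when: datetime) -> KeyRecord:
    """Return the record marked revoked at `when`; a revocation is never moved
    later, so the earliest reported compromise time wins."""
    if rec.revoked_at is None or when < rec.revoked_at:
        return replace(rec, revoked_at=when)
    return rec

# Constructed sample: a sensor key with a 90-day cryptoperiod (not from the framework).
SAMPLE = KeyRecord("sensor-07-k1", datetime(2016, 9, 26, tzinfo=timezone.utc), timedelta(days=90))

def day(n: int) -> datetime:
    """Instant `n` days after SAMPLE's activation (negative values are before it)."""
    return SAMPLE.activated_at + timedelta(days=n)
```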
8.12 ISOLATION TECHNIQUES FOR ENDPOINT PROTECTION

Isolation is the technique of shielding a component of a system from unwanted effects: an element of the endpoint cannot be affected by other elements of the endpoint, so its functionality is protected from failures and malicious activity. There are several isolation models. Each is described in turn.

8.12.1 PROCESS ISOLATION

The process isolation model relies on the operating system to isolate business or operational components from the security components at the process level (see Figure 8-4, left). Hierarchical protection domains protect functions and data from inadvertent or malicious failure, acting as a gate that protects more privileged layers from less privileged layers. Process isolation is the predominant security deployment model in the industry today. However, compromising any component within the operating system, including applications and libraries, breaks the integrity of the device and may form a foothold for further attacks.

IIC:PUB:G4:V1.0:PB:20160926 - 76 -