Industrial Internet Security Framework v 1.0 | Page 78
Security Framework
8: Protecting Endpoints
• Security coprocessor: Building an off-CPU security presence in a trusted execution
environment (including a hardware root of trust) on a separate chip enables a number of
security capabilities to be implemented, including all of the TPM-type operations but also
additional integrity controls, security for communications, event monitoring, security
analytics and other security-related operations. The key to this approach is having the
security elements deployed on a physically separate chip.
8.12.3 VIRTUAL ISOLATION
The virtual isolation model—sometimes referred to as hypervisor isolation—uses a hypervisor to
implement isolation between each virtual instance running on the device. As a result, one of the
instances running on the hypervisor can be a security instance that acts as a TEE on the device.
The virtual instance TEE may store confidential information, such as identity material, and may
implement security controls such as mutual authentication, connection authorization,
cryptographic functions, firewalling, deep packet inspection, integrity controls and remote boot
attestation functions. The device boot process often measures the hypervisor for integrity, and
the hypervisor then measures each virtual instance before starting it, thereby extending the chain
of trust into the virtual TEE such that the integrity can be assured immediately after boot. After
boot, runtime integrity controls must ensure that the virtual TEE integrity remains intact.
One of the advantages of the virtual TEE comes in the form of consolidation of multiple platforms
on the same physical hardware. This follows the cloud model for consolidating a number of
physical servers onto a single hypervisor to benefit from the economies of scale. This enables, for
example, combining Programmable Logic Controller (PLC) logic and a Windows Human Machine
Interface (HMI) on the same physical device in an IIoT environment.
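The boot-time measurement chain described in 8.12.3, sketched as an added example (not part of the framework document): each stage is hashed before it is started and folded into a register, and a verifier replays the event log against reference digests. SHA-256, the single register, the function names and the sample images are assumptions made here; on a real device the register would be held and signed by the hardware root of trust.

```python
import hashlib

ZERO = bytes(32)  # register value at reset

def measure(image: bytes) -> bytes:
    return hashlib.sha256(image).digest()

def extend(register: bytes, measurement: bytes) -> bytes:
    # TPM-style extend: the register can only be folded forward, never set.
    return hashlib.sha256(register + measurement).digest()

def measured_boot(stages):
    """stages: ordered (name, image) pairs. Returns (register, event_log)."""
    register, log = ZERO, []
    for name, image in stages:
        digest = measure(image)  # measure before handing over control
        register = extend(register, digest)
        log.append((name, digest))
    return register, log

def appraise(register, log, reference):
    """Verifier side: replay the log and compare with reference digests."""
    findings, replayed = [], ZERO
    for name, digest in log:
        replayed = extend(replayed, digest)
        if reference.get(name) != digest:
            findings.append(f"{name}: measurement differs from reference")
    if replayed != register:
        findings.append("event log does not reproduce the reported register")
    findings += [f"{n}: never measured" for n in reference if n not in dict(log)]
    return findings

# Constructed sample images (placeholders, not real firmware).
STAGES = [("hypervisor", b"hv-build-1"), ("security-instance", b"tee-build-1"),
          ("plc-logic", b"plc-build-1"), ("hmi", b"hmi-build-1")]
REFERENCE = {name: measure(image) for name, image in STAGES}

if __name__ == "__main__":
    reg, log = measured_boot(STAGES)
    print("clean boot:", appraise(reg, log, REFERENCE))
    changed = [(n, b"tee-build-X" if n == "security-instance" else i) for n, i in STAGES]
    reg, log = measured_boot(changed)
    print("modified instance:", appraise(reg, log, REFERENCE))
    log[1] = ("security-instance", REFERENCE["security-instance"])  # log no longer matches register
    print("inconsistent log:", appraise(reg, log, REFERENCE))
```

This covers only the boot-time check; the runtime integrity controls the section calls for after boot are a separate mechanism.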
IIC:PUB:G4:V1.0:PB:20160926