Industrial Internet Security Framework v 1.0 | Page 81

Security Framework

8: Protecting Endpoints

RSA is one of the most widely used asymmetric cryptographic algorithms. Other algorithms such
as those based on elliptic curves 1 can provide similar cryptographic strength as RSA, but with
smaller key sizes, offering benefits such as lower space and processing requirements 2. For
example, a 283-bit ECC key is equivalent to a RSA 3072 bit key 3. This means elliptic curve
cryptography (ECC) algorithms may be more suitable for resource-constrained endpoints. Many
parameters must be considered in the choice of elliptic curve algorithms as described in [IETFRFC6090].
Configuration management can be done securely, and the device can safely contribute security
telemetry to broader analytics systems in ways that the device’s telemetry can be authenticated.
Run-time security can be provided either in-device, or in a trusted gateway.
Implementing hardware acceleration in a field-programmable gate array (FPGA) enables
algorithm agility, which allows changing algorithms in the future due to security considerations.
custom application-specific integrated circuits (ASIC) cannot be changed, which is an important
consideration for long-lived devices.
Other constraints include wireless limitations, battery consumption, intermittent availability of
communications and constraints on maintenance windows, making updates less frequent. This
forces run-time security to be based on whitelists instead of blacklists, and increases dependency
on third-party security. Support for updates as small as 40K bytes, in contrast to gigabyte-sized
images, makes it possible to update with orders of magnitude less bandwidth and battery
consumption compared to monolithic updates. Other impacts of unreliable communications
include careful consideration of key ma