Industrial Internet Security Framework v 1.0 | Page 86
9: Protecting Communications and Connectivity
9.2 INFORMATION FLOW PROTECTION
Information flows are any information in motion, including IP messages, serial communications,
data flows, control signals, removable media, printed reports and data carried in human minds.
Controlling each type of information flow protects it against attackers.
Online information flows are generally the ones most accessible to remote attackers, who reach
them by pivoting through intermediate systems and networks in pursuit of sabotage or data theft.
9.2.1 CONTROLLING INFORMATION FLOWS IN BROWNFIELD DEPLOYMENTS
It can be costly to recertify the safety and reliability of hardware and software components. For
example, regulations for discrete manufacturing in some jurisdictions demand that certain
classes of automated equipment may operate at a manufacturing site only if all the equipment,
hardware and software, has been safety-certified by a third party, and none of it may be returned
to production after a change without recertification. Vendors whose products run on commercial
operating systems are often unwilling to pay the cost of recertifying after security updates,
new technologies and methods. Consequently, equipment is often out of date. Even brand-new
equipment may need:
• physical security measures to prevent unauthorized personnel from physical contact with
  sensitive equipment and networks,
• network perimeter security controls to prevent unauthorized messages from reaching
  sensitive equipment and networks and
• passive network intrusion detection to monitor suspicious communications patterns.
These approaches have been preferred for brownfield networks because they do not change any
parts, and so do not require recertification. Whether that is sufficient for a given system should
be determined during risk analysis.
9.2.2 NETWORK DATA ISOLATION
A channel is an independently identified, managed and monitored data flow at the transport,
framework or application layer. There are three basic communications channels that are
commonly defined: data, control and management channels. Each channel should be isolated
from the others and managed and monitored separately, for example by using separate TCP
connections, separate wireless frequencies, or separate publish/subscribe topics on a common
event bus or message broker.
Figure 9-4 Communications Channels between IIoT Endpoints
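As an added illustration, not taken from the IISF or any IIC implementation, the following constructed Python model shows a message broker that isolates the data, control and management channels as separate topics, each with its own publish/subscribe rights and its own audit trail for monitoring. Client names, topic names and payloads are assumptions made for the example.

```python
from collections import defaultdict

# One topic per channel (topic names are constructed for this example).
CHANNELS = {"data": "line1/data", "control": "line1/control", "management": "line1/mgmt"}

class Broker:
    """Minimal pub/sub bus: every channel has its own ACL and its own audit trail."""
    def __init__(self):
        self.pub_acl, self.sub_acl = {}, {}
        self.subscribers = defaultdict(list)  # channel -> clients
        self.audit = defaultdict(list)        # channel -> (event, client)

    def grant(self, client, publish=(), subscribe=()):
        self.pub_acl[client], self.sub_acl[client] = set(publish), set(subscribe)

    def subscribe(self, client, channel):
        if channel not in self.sub_acl.get(client, set()):
            self.audit[channel].append(("deny-sub", client))
            return False
        self.subscribers[channel].append(client)
        return True

    def publish(self, client, channel, payload):
        """Return the (subscriber, topic, payload) deliveries, or None if denied."""
        if channel not in self.pub_acl.get(client, set()):
            self.audit[channel].append(("deny-pub", client))
            return None
        self.audit[channel].append(("pub", client))
        return [(s, CHANNELS[channel], payload) for s in self.subscribers[channel]]

    def report(self):
        # Per-channel monitoring view: (accepted, denied) event counts.
        return {ch: (sum(e == "pub" for e, _ in ev), sum(e != "pub" for e, _ in ev))
                for ch, ev in self.audit.items()}

def demo():
    # Constructed clients: a sensor, a PLC, an operator HMI and a network manager.
    b = Broker()
    b.grant("sensor-7", publish=["data"])
    b.grant("plc-1", publish=["data"], subscribe=["control"])
    b.grant("hmi", publish=["control"], subscribe=["data"])
    b.grant("nms", publish=["management"], subscribe=["management"])
    for client, ch in [("plc-1", "control"), ("hmi", "data"), ("nms", "management")]:
        b.subscribe(client, ch)
    results = {"sensor_data": b.publish("sensor-7", "data", "temp=71.2"),
               "sensor_control": b.publish("sensor-7", "control", "valve=open"),  # denied
               "hmi_control": b.publish("hmi", "control", "valve=open"),
               "hmi_mgmt": b.publish("hmi", "management", "reboot")}  # denied
    return b, results
```

Because each channel keeps its own audit list, a denied publish on the control channel shows up in that channel's report alone, which is what lets the channels be monitored independently.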
IIC:PUB:G4:V1.0:PB:20160926