Industrial Internet Security Framework v 1.0 | Page 87
Security Framework
9: Protecting Communications and Connectivity
The data channel, sometimes called the operational monitoring channel, is used to report
operational information, and the state of the endpoint. The control channel is used to alter the
behavior of the industrial process, and alter the state of the endpoint. The management channel
carries administrative traffic such as machine profiles, security policies, endpoint configuration
changes and access control settings. For example, a power meter may use separate data, control
and management TCP/IP sessions, to report usage, remotely connect and disconnect electric
service and update firmware versions, respectively.
Using separate communications channels can reduce the cost and complexity of managing and
monitoring each kind of communication. There may be multiple instances of each type of channel
active at any time on a given endpoint. Separate security controls can be defined for each
channel. These include technical confidentiality controls such as encryption, network
segmentation and communications authorization, as well as integrity controls such as message
signing. Separate quality of service (QoS) requirements may also be applied to each of the
channels to ensure message delivery within defined tolerances. See section 11.2 for a detailed
discussion of the management channels.
When using bi-directional protocols to communicate across trust boundaries, even “pure”
monitoring channels can pose the threat of potential unauthorized access of IIoT endpoints, since
any message permitted into a safety-critical or reliability-critical network segment might encode
a platform-level attack, such as those based on buffer overflows.
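The per-channel controls described above can be made concrete in code. The following is an added Python example, not code from the IISF or from any particular product: each channel type carries its own allow-list of message kinds, its own payload size limit and its own signing key, so that a control command injected into the monitoring channel, or a message signed for one channel and replayed onto another, is rejected. It also checks length before parsing, which is the practical response to the point that any message admitted into a critical segment may carry a platform-level attack. The message format, message kinds and keys are constructed assumptions for illustration.

```python
import hashlib
import hmac
import json
from enum import Enum


class Channel(Enum):
    DATA = "data"              # operational monitoring: reports and state
    CONTROL = "control"        # alters the industrial process or endpoint state
    MANAGEMENT = "management"  # profiles, policies, configuration, firmware


# Hypothetical per-channel policy (constructed): permitted message kinds, the largest
# payload the channel will parse, and an independent integrity key per channel.
# The keys are sample values for the example, not real key material.
CHANNEL_POLICY = {
    Channel.DATA: {"kinds": {"usage_report", "status"}, "max_len": 512,
                   "key": b"sample-data-channel-key"},
    Channel.CONTROL: {"kinds": {"connect", "disconnect"}, "max_len": 128,
                      "key": b"sample-control-channel-key"},
    Channel.MANAGEMENT: {"kinds": {"firmware_update", "policy_update"}, "max_len": 4096,
                         "key": b"sample-management-channel-key"},
}

TAG_LEN = 32  # HMAC-SHA256 tag prepended to every message


def sign(channel: Channel, payload: bytes) -> bytes:
    """Integrity tag for a payload, using the key that belongs to this channel only."""
    return hmac.new(CHANNEL_POLICY[channel]["key"], payload, hashlib.sha256).digest()


def build_message(channel: Channel, kind: str, body) -> bytes:
    """Wire format (constructed for this example): 32-byte tag followed by JSON payload."""
    payload = json.dumps({"kind": kind, "body": body}, separators=(",", ":")).encode()
    return sign(channel, payload) + payload


def accept_message(channel: Channel, wire: bytes):
    """Validate an inbound message for the channel it arrived on.

    Returns (True, kind) when the message is acceptable, otherwise (False, reason).
    Order matters: size is bounded before anything is parsed, the tag is verified
    before the payload is trusted, and the kind is checked against the allow-list
    of this channel rather than against all kinds the endpoint understands.
    """
    policy = CHANNEL_POLICY[channel]
    if len(wire) < TAG_LEN or len(wire) - TAG_LEN > policy["max_len"]:
        return False, "length"
    tag, payload = wire[:TAG_LEN], wire[TAG_LEN:]
    if not hmac.compare_digest(tag, sign(channel, payload)):
        return False, "bad_mac"
    try:
        msg = json.loads(payload)
    except ValueError:
        return False, "malformed"
    if not isinstance(msg, dict) or msg.get("kind") not in policy["kinds"]:
        return False, "kind_not_allowed"
    return True, msg["kind"]


if __name__ == "__main__":
    report = build_message(Channel.DATA, "usage_report", {"kwh": 12.5})
    print(accept_message(Channel.DATA, report))
    # A disconnect command arriving on the monitoring channel is refused even if
    # it carries a valid data-channel tag, because the kind is not on that channel's list.
    print(accept_message(Channel.DATA, build_message(Channel.DATA, "disconnect", {})))
    # The same bytes replayed onto the control channel fail the tag check: different key.
    print(accept_message(Channel.CONTROL, build_message(Channel.DATA, "disconnect", {})))
```

Separate keys per channel are what make the third case fail: a message captured on one channel cannot be re-presented on another, which is the enforcement counterpart of keeping the sessions separate in the first place.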
9.2.3 NETWORK SEGMENTATION
Networks cannot be interconnected indiscriminately. Industrial security standards such as
ISA/IEC 62443-1-1, ISA/IEC 62443-3-3, ANSSI, NIST 800-82¹ and others all recommend separating
networks into segments, each segment containing assets with similar security policies and
communications requirements. They also recommend assigning each network segment a trust
level, and protecting communications and connectivity through the perimeters of networks,
especially between segments at different trust levels. For example, no site would intentionally
expose a safety-critical device to the internet, because there’s no reason to allow attackers to
reach safety-critical equipment. There would always be a residual risk, no matter how thoroughly
the device is hardened.
Network segmentation can be fine-grained or coarse-grained. Candidates for segmentation
include public networks (such as the internet), business networks, operations networks, plantwide networks, control networks, device networks, protection networks and safety networks.
Fine-grained segmentation is generally better but it is usually costlier to maintain.
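The segmentation rules above (segments with assigned trust levels, crossings only through defined perimeters, and no path from the internet to safety-critical equipment) can be expressed as a policy that a proposed ruleset is checked against. The following is an added Python example, not code from the IISF or from any vendor: it models five segments, the conduits that exist between adjacent trust levels and the channel types each conduit admits, then audits a constructed firewall ruleset for violations. Segment names, trust values and conduit contents are illustrative assumptions; a real site would derive them from its own zone and conduit design.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    name: str
    trust: int  # higher value = higher trust level (more critical assets)


# Constructed example segments, least to most trusted.
SEGMENTS = {s.name: s for s in (
    Segment("internet", 0), Segment("business", 1), Segment("operations", 2),
    Segment("control", 3), Segment("safety", 4),
)}

# Constructed conduit policy: the only perimeter crossings that exist, keyed by the
# unordered pair of segments and mapped to the channel types allowed through them.
CONDUITS = {
    frozenset({"internet", "business"}): {"data"},
    frozenset({"business", "operations"}): {"data", "management"},
    frozenset({"operations", "control"}): {"data", "control", "management"},
    frozenset({"control", "safety"}): {"data"},
}


def evaluate_flow(src: str, dst: str, channel: str):
    """Decide whether one flow may cross from src to dst. Returns (allowed, reason).

    Two rules do the work: a flow may only cross between segments whose trust
    levels are adjacent (so internet -> safety can never be a single crossing),
    and the crossing must be a defined conduit that admits this channel type.
    """
    if src not in SEGMENTS or dst not in SEGMENTS:
        return False, "unknown segment"
    if src == dst:
        return True, "intra-segment"
    if abs(SEGMENTS[src].trust - SEGMENTS[dst].trust) != 1:
        return False, "non-adjacent trust levels: no direct perimeter crossing"
    allowed = CONDUITS.get(frozenset({src, dst}), set())
    if channel not in allowed:
        return False, f"{channel} channel not permitted on conduit {src}<->{dst}"
    return True, "permitted via conduit"


def audit_ruleset(rules):
    """Return (rule, reason) for every rule in a proposed ruleset that the policy rejects."""
    violations = []
    for rule in rules:
        ok, reason = evaluate_flow(rule["src"], rule["dst"], rule["channel"])
        if not ok:
            violations.append((rule, reason))
    return violations


if __name__ == "__main__":
    # Constructed sample ruleset of the kind a perimeter review might receive.
    proposed = [
        {"src": "operations", "dst": "control", "channel": "control"},
        {"src": "internet", "dst": "safety", "channel": "data"},
        {"src": "control", "dst": "safety", "channel": "management"},
    ]
    for rule, why in audit_ruleset(proposed):
        print("DENY", rule, "->", why)
```

Note that the safety conduit admits only the data channel in this model, so even management traffic such as firmware updates must be staged through the control segment rather than pushed across the safety perimeter directly; that is the kind of decision the trust-level assignment is meant to force.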
Security and device management networks are often candidates for segmentation. LAN and WAN
networks permit IT-like management communications such as backups, security logging and
updates to take place without interfering with time-critical or sensitive operations and
communications. Segmentation can provide useful traffic management, but may be of limited
security value because of the size of the attack surface—every dual-ported device with access to
¹ See [IEC-62443-11], [IEC-62443-33], [ANSSI-CMKM] and [NIST-800-82]
IIC:PUB:G4:V1.0:PB:20160926
- 87 -