Industrial Internet Security Framework v 1.0 | Page 93
9: Protecting Communications and Connectivity
In this example, an air-gapped controller triggers periodic reversals of the gateway. In each
orientation, the gateway replicates servers and emulates devices. The gateway may both
replicate a historian database from a plant network to a corporate network and replicate the
security-update and anti-virus server databases from the corporate network back into the plant
network.
When continuous inputs from an external source are required (for example, when a generating
dispatch center must provide second-by-second control of an electric generator to balance
generating capacity against power grid load conditions), unidirectional gateways may be
positioned to permit data to flow continuously into more-trusted networks. In this case, the
gateways replicate servers and emulate devices into more-trusted networks rather than out of
such networks. When information, especially control information, is permitted into more-trusted
networks, it is essential to provide layers of defense-in-depth inspection and validation of
inbound instruction streams to ensure the reliability of the physical process, as well as to
protect both equipment and worker safety.
Unidirectional gateways may have information filters built into the replication software. As the
server replication software extracts information from servers for replication, that information
can be filtered according to sophisticated policies. In the generating dispatch center example
above, the replicated server may be an inter-control center communications protocol (ICCP)
server, and the filter may be configured to permit only select register numbers and values to
enter the protected generating network.
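As an added illustration of the register-level filtering and inbound validation described above (this is example code, not part of the IISF or of any gateway vendor's product), the following allow-list filter admits only configured register numbers, rejects values outside each register's permitted range, and limits the step change between consecutive updates. The register numbers, ranges and sample update stream are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class RegisterPolicy:
    """Permitted value range and optional maximum change per update for one register."""
    lo: float
    hi: float
    max_step: Optional[float] = None   # None means no rate-of-change limit

@dataclass
class InboundFilter:
    """Allow-list filter applied to replicated register updates entering the protected network."""
    policy: Dict[int, RegisterPolicy]
    last_accepted: Dict[int, float] = field(default_factory=dict)

    def check(self, reg: int, value: float) -> Tuple[bool, str]:
        pol = self.policy.get(reg)
        if pol is None:
            return False, "register not in allow-list"
        if not (pol.lo <= value <= pol.hi):
            return False, "value outside permitted range"
        prev = self.last_accepted.get(reg)
        if pol.max_step is not None and prev is not None and abs(value - prev) > pol.max_step:
            return False, "step exceeds rate-of-change limit"
        self.last_accepted[reg] = value   # only accepted values become the new baseline
        return True, "ok"

    def apply(self, updates: List[Tuple[int, float]]):
        accepted, rejected = [], []
        for reg, value in updates:
            ok, reason = self.check(reg, value)
            (accepted if ok else rejected).append((reg, value, reason))
        return accepted, rejected

def run_example():
    # Constructed policy: register 1001 is a generator MW setpoint (0..500 MW, at most 25 MW
    # per update); register 1002 is a per-unit voltage setpoint with no step limit.
    flt = InboundFilter({
        1001: RegisterPolicy(0.0, 500.0, max_step=25.0),
        1002: RegisterPolicy(0.95, 1.05),
    })
    # Constructed inbound stream: (register, value) pairs as extracted by the replication software.
    stream = [(1001, 300.0), (1001, 320.0), (1001, 400.0), (1001, 700.0),
              (1002, 1.01), (1002, 1.20), (9999, 1.0)]
    return flt.apply(stream)

if __name__ == "__main__":
    for reg, value, reason in run_example()[1]:
        print(f"dropped register {reg} value {value}: {reason}")
```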
9.2.7 NETWORK ACCESS CONTROL
Network access control (NAC) grants or restricts logical access to the communication network,
combining network control and network security control. An example is a user connecting an
Ethernet cable to a switch or router. The cable establishes the physical connection, and the switch
or router assesses whether the end device will be granted logical access to the communication
protocols. If access is not granted, the physical link will remain “dead” for network
communication and the connected end device will remain locked out of the network.
A well-known mechanism for granting access is IEEE 802.1X¹. Devices are either permitted or
denied access to the network based on per-device credentials such as identity certificates as well
as user names and passwords. IEEE 802.1X lets network operators maintain strong control over
the set of devices that can communicate in the network.
Network access control based on the IEEE 802.1X authentication method is available in many
modern Ethernet switches and wireless LAN access points. In Ethernet switches, 802.1X is usually
performed on a per-port basis. The WLAN access point replaces the physical network port as the
point of authentication in wireless LAN.
¹ See [IEEE-802]
IIC:PUB:G4:V1.0:PB:20160926