Industrial Internet Security Framework v 1.0 | Page 97

Security Framework 10: Security Monitoring and Analysis

vulnerabilities and attacks. This analysis allows actions to proactively implement security controls that reduce the potential for attack, actions to react to attacks in progress, forensic analysis of previous attacks, and learning that helps predict which vulnerabilities might be exploited in the future.

Greenfield systems can be designed with monitoring in mind. Brownfield implementations may be more difficult, because existing endpoints may not support monitoring functionality.

Monitoring and analysis also apply to the supply chain, the series of processes, often spanning several organizations, that produces a component of an IIoT system. An attack in the supply chain may have a major impact on an IIoT system, so validating the integrity of supplied components is important.

The monitoring and analytics system must itself be secured. It must prevent leaks of confidential and private information, and leaks of data about the system's security posture that could enable subsequent attacks. It must also prevent attackers from injecting false data into the security monitoring and analytics system, since a fabricated alert that triggers an automated response can cause a self-inflicted denial of service.

10.1 INCIDENT PREVENTION, DETECTION, ANALYSIS AND RESPONSE

Security analytics are most valuable when they produce actionable conclusions that can be incorporated into automated incident response plans. Automatic responses should usually be limited in their effect. For example, if monitoring tools indicate that an intruder is on the network, only the affected segment should be isolated and shut down, so the intrusion can be investigated before the entire network is shut down and every user suffers a denial of service.

10.1.1 PRIOR TO AN INCIDENT

Before an attack, there may be indications that it is likely to occur. An attacker may leave tracks as they perform reconnaissance to map and understand a system and its vulnerabilities.
If these tracks are detected, they aid the actions taken to understand and mitigate the attack. IIoT systems should relay potential indicators of security incidents promptly to analysis systems. An incident response plan with defined roles and responsibilities must be in place before an incident occurs, and must be tested and updated at specified intervals or as needed.

During an attack, the following actions may be taken based on monitoring and analysis information and the incident response plan:

• Security incident events can be detected on the network and used to raise alerts after analysis suggests the likelihood of an attack.
• Security policies may be updated on systems reachable from suspect endpoints to enhance their defenses before the attack propagates.
• Appropriate personnel are notified, and dashboards, monitors and reports are updated.

10.1.2 DURING AN INCIDENT

During an incident, accurate data on what changes are occurring in the system is needed:

• Security policies on systems reachable from or affected by potentially compromised devices may be updated to provide elevated levels of defense during a security incident.

IIC:PUB:G4:V1.0:PB:20160926 - 97 -
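The reconnaissance tracks described in 10.1.1 and the scoped automatic response described in 10.1 can be shown together in a small detector. The following is an added example, not code from the IISF or from any IIC implementation: it parses a constructed connection log, flags a source that sweeps many hosts or probes many host:port pairs, and then plans a response confined to the suspect's own segment, raising policy only on the segments reachable from it. The segment layout (cell-a, cell-b, supervisory), the reachability map, the log format and the thresholds are all assumptions made for the illustration.

```python
"""Reconnaissance detection with a response scoped to one network segment.

Added example (not from the IISF). The log, the segment layout and the
thresholds below are constructed for illustration only.
"""
from collections import defaultdict
import ipaddress

# Constructed connection log: "<timestamp> <src> <dst> <dst_port> <allow|deny>".
# 10.1.20.15 sweeps six hosts on port 502 and probes six ports on one of them;
# 10.1.30.7 is a controller talking normally to a single supervisory host.
SAMPLE_LOG = """\
2016-09-26T10:00:01Z 10.1.20.15 10.1.20.40 502 allow
2016-09-26T10:00:01Z 10.1.20.15 10.1.20.41 502 allow
2016-09-26T10:00:02Z 10.1.20.15 10.1.20.42 502 deny
2016-09-26T10:00:02Z 10.1.20.15 10.1.20.43 502 deny
2016-09-26T10:00:03Z 10.1.20.15 10.1.20.44 502 deny
2016-09-26T10:00:03Z 10.1.20.15 10.1.20.45 502 allow
2016-09-26T10:00:04Z 10.1.20.15 10.1.20.40 22 deny
2016-09-26T10:00:04Z 10.1.20.15 10.1.20.40 23 deny
2016-09-26T10:00:05Z 10.1.20.15 10.1.20.40 80 allow
2016-09-26T10:00:05Z 10.1.20.15 10.1.20.40 102 deny
2016-09-26T10:00:06Z 10.1.20.15 10.1.20.40 443 deny
2016-09-26T10:00:06Z 10.1.20.15 10.1.20.40 4840 deny
2016-09-26T10:00:07Z 10.1.30.7 10.1.10.5 502 allow
2016-09-26T10:00:17Z 10.1.30.7 10.1.10.5 502 allow
2016-09-26T10:00:27Z 10.1.30.7 10.1.10.5 502 allow
"""

# Assumed segment layout and, for each segment, the segments it can reach.
SEGMENTS = {
    "cell-a": ipaddress.ip_network("10.1.20.0/24"),
    "cell-b": ipaddress.ip_network("10.1.30.0/24"),
    "supervisory": ipaddress.ip_network("10.1.10.0/24"),
}
REACHABLE_FROM = {
    "cell-a": {"supervisory"},
    "cell-b": {"supervisory"},
    "supervisory": {"cell-a", "cell-b"},
}


def parse_log(text):
    """Parse log lines into (timestamp, src, dst, port, result) tuples."""
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, port, result = line.split()
            records.append((ts, src, dst, int(port), result))
    return records


def segment_of(ip):
    """Name of the segment containing ip, or None if it is not in the map."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def detect_recon(records, host_threshold=5, port_threshold=8):
    """Flag sources touching many distinct hosts (sweep) or many distinct
    host:port pairs (port scan). Returns {src: [reasons]}. A production
    detector would additionally window these counts by time."""
    hosts, pairs, denies = defaultdict(set), defaultdict(set), defaultdict(int)
    for _ts, src, dst, port, result in records:
        hosts[src].add(dst)
        pairs[src].add((dst, port))
        if result == "deny":
            denies[src] += 1
    findings = {}
    for src in hosts:
        reasons = []
        if len(hosts[src]) >= host_threshold:
            reasons.append(f"host sweep: {len(hosts[src])} hosts")
        if len(pairs[src]) >= port_threshold:
            reasons.append(f"port scan: {len(pairs[src])} host:port pairs, "
                           f"{denies[src]} denied")
        if reasons:
            findings[src] = reasons
    return findings


def plan_response(findings):
    """Limit the automatic response to the suspect's own segment: isolate it,
    raise policy on segments reachable from it, notify people. Segments that
    are neither are left untouched, so a single alert cannot take down the
    whole plant."""
    plan = {"isolate": set(), "harden": set(), "notify": []}
    for src, reasons in findings.items():
        seg = segment_of(src)
        if seg is None:
            plan["notify"].append(f"{src}: not in segment map, manual review")
            continue
        plan["isolate"].add(seg)
        plan["harden"].update(REACHABLE_FROM.get(seg, set()))
        plan["notify"].append(f"{src} in {seg}: {'; '.join(reasons)}")
    plan["harden"] -= plan["isolate"]  # an isolated segment needs no extra policy
    return plan


if __name__ == "__main__":
    plan = plan_response(detect_recon(parse_log(SAMPLE_LOG)))
    for key in ("isolate", "harden", "notify"):
        print(key, sorted(plan[key]))
```

Run as a script, it isolates only cell-a, hardens only the supervisory segment that cell-a can reach, and leaves cell-b alone. The source of a record is trusted here; in a deployment the log feed itself must be authenticated, since otherwise an attacker who can inject lines naming a healthy host into SAMPLE_LOG's real counterpart gets the detector to isolate that host's segment for them, which is the self-inflicted denial of service the section warns about.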