Mitigation-page

MID-035: Encrypt Network Traffic

Mitigation Tier: Foundational

Description

Encrypting network traffic typically involves taking network data and running it through an encryption algorithm such that the network data cannot be read in its encrypted form - this achieves data confidentiality. Therefore, encrypting network traffic allows devices to share critical or secret information without worrying about a third party reading the data.

Some encryption algorithms, such as AES-GCM, include authentication and integrity features to give the receiving devices some guarantees that their data has not been tampered with. See MID-034 - Authenticate Network Messages for more information.

Lastly, besides the implementation of the cryptographic library itself, other related architecture considerations must be made. These can include using a secure and validated algorithm (MID-044 - Strong Cryptographic Algorithms and Protocols), secure key storage, secure key sharing/agreement (e.g., DH), and secure key generation (MID-047 - Sufficient Entropy for Keys), to name a few.

IEC 62443 4-2 Mappings

  • CR 4.1 – Information confidentiality

References

[1] K. McKay and D. Cooper. “NIST 800-52r2 - Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations.” nist.gov. Accessed: Aug. 28, 2024. [Online.] Available: https://doi.org/10.6028/NIST.SP.800-52r2

[2] E. Barker, A. Roginsky, and R. Davis. “NIST 800-133r2 - Recommendation for Cryptographic Key Generation.” nist.gov. Accessed: Aug. 28, 2024. [Online.] Available: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-133r2.pdf

[3] Y. Sheffer, R. Holz, and P. Saint-Andre. “Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS).” ietf.org. Accessed: Aug. 28, 2024. [Online.] Available: https://datatracker.ietf.org/doc/html/rfc7525

[4] NIST. “Cryptographic Module Validation Program.” nist.gov. Accessed: Aug. 28, 2024. [Online.] Available: https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search?SearchMode=Basic&CertificateStatus=Active&ValidationYear=0

[5] M. Turnan, E. Barker, J. Kelsey, K. McKay, M. Baish, and M. Boyle. “NIST 800-90B - Recommendation for the Entropy Sources Used for Random Bit Generation.” nist.gov. Accessed: Aug. 28, 2024. [Online.] Available: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90B.pdf