Establishing OT Cybersecurity Fundamentals with the CIS Controls

October 1, 2020

In their video on the CIS Controls®, Tony Sager uses the term “Fog of More” to describe the state of cybersecurity. We have so many choices that we are crippled by them. The problem is not that the attackers have an overwhelming technological advantage; it’s that we struggle to make the right investments in the right controls to give ourselves a fighting chance.

The real beauty of the CIS Controls is also described in this video by Lawrence Wilson, the former CISO for the UMASS President’s Office, when he said, “I looked at the CIS Controls, and they made perfect sense to me. They were very easy to communicate, so when I’m not around they are still being implemented. They are still being managed. They are still being monitored, and I know our security program continues to improve.”

That’s the real power of these controls. They’re designed by the community of practitioners for the community of practitioners, who know that in order to build an effective program you need a framework that is measurable and manageable and also accounts for the most common attack vectors in today’s enterprises. These controls are, in essence, about getting security done.

For those of you who might not be familiar, the CIS Controls are a prioritized list of cyber security controls. As of version 8, these 18 controls are grouped into three major categories: Basic Controls, Foundational Controls, and Organizational Controls.

  • Basic: Key controls which should be implemented in every organization to provide the building blocks for cyber defense readiness.
  • Foundational: Technical best practices which provide clear security benefits and are a smart move for any organization to implement.
  • Organizational: These controls are focused more on the people and processes involved in cybersecurity.

It’s this prioritization, along with their mapping of sub-controls into digestible implementation groups, that make this controls framework a winner, especially for ICS security teams.

This framework doesn’t put the cart before the horse, which is something that has been happening in the ICS security community over the last few years. We have chased network-based anomaly detection to feed SOCs with alerts that they can’t do much with. In many cases, no one has even logged into these tools after the initial deployment, and the SOC is largely ignoring all but the most obvious alerts. There is no context to alerts for nuanced understanding, because there’s no foundational OT endpoint data to provide any kind of useful information like where a device is located, how important it is to an industrial process, or who to call at the plant to investigate this anomaly. We were in such a hurry to implement the very latest IT security technology in our OT environments that we forgot these systems haven’t been a part of the last 20 years of IT controls implementation.

Asset management is the foundation of a sound ICS security program. Threat intelligence and AI are no replacement for these basic controls. If you can’t act on threat intel due to a lack of timely data reporting, then you won’t get the full value of your investment. If your environment is already out of compliance or bases its assumptions on partial views, AI benchmarking will only learn and continue to allow bad habits or provide partial coverage. No one method is the key. Any asset management software needs to be able support multiple methods and be part of the broader ecosystem. The goal is to establish a consistent, accurate and timely view of asset data so you can direct actions when needed. Otherwise, it’s just noise.

And that is the purpose of the CIS Controls. They are there to help you separate the marketing noise from what you truly need to be focusing on, which is establishing the fundamentals of your ICS security program.

This is why we continue to invest in helping our customers better leverage them. Our built-in standards reporting helps you implement, manage and monitor your progress within these controls, because without being able to benchmark your progress, you’ll just plant your investment dollars into poor soil where they’ll never grow.

Outside of the CIS Controls, we also continue to build mappings to the CIS Benchmarks in our policy engine, so you can automate the monitoring of your secure device configurations.

For more information on how to implement these controls in your OT environment, check out the CIS Controls Implementation Guide for ICS. This guide adapts these controls for the unique needs of industrial control systems and offers helpful tips from experts who have real-world experience using these controls in operational technology systems.