How to Apply the NIST Cybersecurity Framework in ICS

October 6, 2020

According to the 2019 SANS State of OT/ICS Cybersecurity Survey, the NIST Cybersecurity Framework (CSF) is the most popular security framework in use today. The NIST CSF is a voluntary standard that uses business drivers to guide cybersecurity activities as part of an organization’s overall risk management strategy. Version 1.1 of this framework was published in 2018 using feedback NIST received from Version 1.0 to enhance and clarify topics like supply chain risk and access control. A summary of the changes in Version 1.1 can be found here.

The NIST Cybersecurity Framework consists of three main elements:

  1. Framework Core
    The Framework Core is comprised of five Functions: Identify, Protect, Detect, Respond and Recover. These Functions are what people typically think of when they hear “NIST Cybersecurity Framework”. The Core provides organizations with the actions they should take to reduce cyber risk.
  2. Implementation Tiers
    The Implementation Tiers help organizations determine the level of effort their cybersecurity program will require by determining how aggressive their risk reduction strategy is. It’s used as a communication tool to discuss risk appetite, mission priority, and budget.
  3. Framework Profile
    Framework Profiles help identify and prioritize cybersecurity improvements within an organization. Building on the drivers identified in the Implementation Tiers, the Profile aligns a company’s objectives with the five Functions of the Framework Core.

Applying the 5 NIST CSF Functions in Industrial Control Systems (ICS)

These Functions categorize basic cybersecurity activities at a high level so that critical infrastructure companies can organize information to enable better risk management decisions, address cybersecurity threats, and use experience to improve. Benchmarking progress against these Functions helps security practitioners and executive management demonstrate how their industrial control system (ICS) cybersecurity investments are reducing their cyber risk exposure.

The NIST Cybersecurity Framework

These are the 5 Functions of the NIST Cybersecurity Framework and how to apply them in ICS environments:

  1. Identify
    • This first step is all about developing an understanding of your environment to manage cybersecurity risk to systems, assets, data and capabilities. Basically, you need to establish a strong foundation for your cybersecurity program. As the old adage goes, you can’t secure what you don’t know you have.
    • For ICS environments, this means collecting a complete inventory of hardware and software. Because industrial infrastructure tends to be geographically dispersed and complex, getting comprehensive information about OT assets can be tricky. To solve that challenge, security teams should use a blend of collection methods, including agents, agentless, native ICS protocol polling and passive monitoring, to safely create the most thorough asset inventory possible.
  2. Protect
    • To apply this one, organizations must develop and implement the appropriate safeguards to limit or contain the impact of a potential cybersecurity event. This includes activities like identity & access management, cybersecurity training for employees, creating and monitoring baseline configurations for assets and managing emerging security vulnerabilities.
    • For ICS security teams, implementing solutions that secure remote and physical access to their control systems, investing in security awareness trainings, and using a configuration management and vulnerability monitoring tool can satisfy this goal. Choose a configuration management tool that automatically collects, normalizes, and reports changes in asset configuration data, including ports and services, users, software, patches and firewall rules, regardless of vendor or location. Passive vulnerability monitoring should be layered on top of a thorough software and firmware inventory and continuously assess CVEs and ICS-CERT analysis, plus notify you if a patch is available.
  3. Detect
    • The Detect Function is about implementing the appropriate measures to quickly identify cybersecurity events. This includes real-time monitoring of asset and network baselines for anomalous activities. When an anomalous event is detected, there should also be actionable information that comes with the alert to reduce MTTR.
    • In the ICS world, many companies are turning to network anomaly detection tools to help with this Function. A word of advice when using this technology: make sure the alerts they provide deliver contextual data about why the anomaly is happening and how critical it is. It should include information like how important that industrial device is, the health status of the device, where it’s located, and who to call at the plant to investigate the anomaly.
  4. Respond
    • Organizations need to develop and implement appropriate activities to take action regarding a detected cybersecurity incident. To do this, you should have a response plan in place to effectively communicate, contain and analyze an incident. You should also use what you learn during an incident to improve future response plans.
    • To understand what went wrong, you need access to forensic information about the threat and how it got into the network in the first place. For ICS teams, this means archiving historical event logs that can provide information about the source of the threat and how it spread. It’s also helpful to have the ability to compare asset states from before and after an incident, to make sure you’ve rooted out all traces of the adversary, as well as understand potential improvement opportunities.
  5. Recover
    • The final Function instructs companies to develop and implement effective activities to restore any capabilities or services that were impaired due to a cybersecurity event. Like the Respond Function, you should have a recovery plan in place to restore impacted services and communicate to employees and the public about what happened and how you are fixing it.
    • In industrial environments, this likely means getting an operational process back online. To do this quickly, you need a backup of your last known secure asset configurations to understand where you need to get back to. A good way to test both your response and recovery plans is to conduct a penetration test and/or red team exercises to improve training for defensive practitioners and inspect current performance levels.

We know our customers are always striving to improve their maturity within the NIST Cybersecurity Framework, which is why we released built-in reporting features for the framework in our platform. Our users can now automate executive-level reporting using the complete and accurate OT asset data from Industrial Defender to demonstrate cyber risk reduction efforts for their ICS environments and benchmark their progress towards NIST CSF maturity.

For a glimpse into 40+ report samples from our built-in NIST CSF library, download our NIST Cybersecurity Framework report book.