
Unpacking the Impact of NIST 1.1 Updates on ICS

The National Institute of Standards and Technology (NIST) recently updated its cybersecurity framework (CSF), rolling out changes to all five pillars: Identify, Protect, Detect, Respond, and Recover. These changes present some challenges for industrial organizations that want or need to comply with this CSF.

Here’s a quick overview of the changes introduced with NIST 1.1:


Asset Management. Data, personnel, devices, systems, and facilities must be identified and managed consistent with business objectives and an organization’s risk strategy. This requires the ability to automatically discover and map all ICS devices and keep an up-to-date inventory of those assets.

Governance. The policies, procedures, and processes for managing and monitoring an organization’s regulatory, legal, risk, environmental, and operational requirements should pinpoint and inform the management of cybersecurity risk. A policy management and security alerting infrastructure is needed to meet this requirement. 

Risk Assessment. An organization must understand the cybersecurity risks to operations, assets, and individuals. Detailed risk assessment reporting must be implemented that spans network behavior, asset inventory, and risk posture. It should include details for each vulnerability, including affected assets, severity, and mitigation steps.


Access Control. Access to assets and associated facilities must be limited to authorized users, processes, and devices, and to authorized activities and transactions. Since industrial controllers usually don’t support authentication of any sort, organizations need to monitor and audit successful and unsuccessful attempts to access the network and assets. This includes monitoring physical access to controllers.


Data Security. Information and records must be managed consistent with an organization’s risk strategy. Because data-at-rest and data-in-transit on controllers are not protected, organizations need to implement a method for monitoring access and changes to data. Real-time alerts should be issued for any unauthorized access or suspicious activity, and for any changes made to data.

Information Protection. Security policies, processes, and procedures must be maintained and used to manage protection of information systems and assets. This requires establishing a baseline configuration of their ICSs, facilities for monitoring all changes to configurations, and the implementation of a vulnerability management plan. 

Remote Maintenance. Remote maintenance and repairs of ICS components must be performed consistent with policies and procedures. Here organizations need to be able to identify, flag, and log each remote access event, authorized or not.

Protective Technology. Technology must be managed to ensure the security and resilience of systems and assets, consistent with policies and procedures. Auditing both successful and unsuccessful access attempts, and real-time alerting on suspicious and unauthorized access is required.


Anomalies and Events. Anomalous activity must be detected in a timely manner, and the potential impact of events must be understood. This involves establishing a baseline of network operations activity using network traffic, and the ability to generate alerts when deviations occur.

Security Continuous Monitoring. The information system and its assets must be monitored at discrete intervals to identify cybersecurity events. This requires continuously monitoring all ICS activities, including those that take place over proprietary control-plane protocols. Such monitoring should be able to identify anomalies in real time, and to automatically issue alerts.

Detection Processes. Processes and procedures must be maintained and tested to ensure timely and adequate awareness of anomalous events. This requires a capability to process event information, such as via a user interface, SIEM alert and email. 
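The baseline-and-deviation approach described under Anomalies and Events, as an added example that is not from the original article: it learns which devices talk to each other, over which protocol and with which operation, then flags anything outside that baseline. The device names, protocol labels, and operation names are constructed for illustration.

```python
# Constructed flow records: (source, destination, protocol, operation).
# Device names and operation labels are illustrative, not from the article.
BASELINE_FLOWS = [
    ("hmi-01", "plc-07", "modbus", "read"),
    ("hmi-01", "plc-07", "modbus", "write"),
    ("eng-ws-02", "plc-07", "vendor-proto", "read"),
    ("historian", "plc-07", "modbus", "read"),
]
LIVE_FLOWS = [
    ("hmi-01", "plc-07", "modbus", "read"),                       # seen during learning
    ("eng-ws-02", "plc-07", "vendor-proto", "program_download"),  # new operation
    ("laptop-99", "plc-07", "modbus", "write"),                   # unknown device
    ("historian", "plc-07", "vendor-proto", "read"),              # new protocol for this pair
]


def learn_baseline(flows):
    """Summarise the learning period at three levels of detail."""
    return {
        "pairs": {(s, d) for s, d, _, _ in flows},
        "channels": {(s, d, p) for s, d, p, _ in flows},
        "flows": set(flows),
    }


def deviations(baseline, flows):
    """Return one alert per flow that was not seen during learning."""
    alerts = []
    for flow in flows:
        src, dst, proto, _op = flow
        if flow in baseline["flows"]:
            continue
        # Report the coarsest level at which the flow departs from the baseline.
        if (src, dst) not in baseline["pairs"]:
            reason = "new talker pair"
        elif (src, dst, proto) not in baseline["channels"]:
            reason = "new protocol between known devices"
        else:
            reason = "new operation on known channel"
        alerts.append({"flow": flow, "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in deviations(learn_baseline(BASELINE_FLOWS), LIVE_FLOWS):
        print(alert["reason"], alert["flow"])
```
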


Communications. Response activities need to be coordinated with external and internal stakeholders, as appropriate, to include support from law enforcement. An infrastructure that supports customizable policies for alerting on specific events based on predefined criteria, such as source device, destination device, user, protocols used, and time of the event, can accomplish this.

Analysis. Processes and procedures must be maintained and tested to ensure timely and adequate awareness of anomalous events. What is needed here is the ability to capture forensic information: raw network traffic, an audit trail of configuration and code changes, and full details and context about the assets.
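One way to express the customizable alerting policies described under Communications, as an added example that is not from the original article: each policy matches on source device, destination device, user, protocol, and time of day, with `*` as a wildcard. The policy names, device names, accounts, and events are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class Policy:
    name: str
    source: str = "*"
    destination: str = "*"
    user: str = "*"
    protocol: str = "*"
    start: time = time(0, 0)        # time-of-day window, inclusive
    end: time = time(23, 59, 59)

    def matches(self, event):
        wanted = (("source", self.source), ("destination", self.destination),
                  ("user", self.user), ("protocol", self.protocol))
        if not all(want in ("*", event[key]) for key, want in wanted):
            return False
        t = event["when"].time()
        if self.start <= self.end:
            return self.start <= t <= self.end
        return t >= self.start or t <= self.end   # window wraps past midnight


def triggered(policies, events):
    """Return (policy name, event index) for every policy an event matches."""
    return [(p.name, i) for i, ev in enumerate(events)
            for p in policies if p.matches(ev)]


# Constructed policies and events.
POLICIES = [
    Policy("after-hours controller access", destination="plc-07",
           protocol="vendor-proto", start=time(18, 0), end=time(6, 0)),
    Policy("vendor account activity", user="vendor-svc"),
]


def _event(src, user, proto, when):
    return {"source": src, "destination": "plc-07", "user": user,
            "protocol": proto, "when": datetime.fromisoformat(when)}


EVENTS = [
    _event("eng-ws-02", "alice", "vendor-proto", "2024-03-04T10:15:00"),
    _event("eng-ws-02", "alice", "vendor-proto", "2024-03-04T23:40:00"),
    _event("jump-host", "vendor-svc", "rdp", "2024-03-05T14:00:00"),
    _event("jump-host", "vendor-svc", "vendor-proto", "2024-03-06T02:30:00"),
]

if __name__ == "__main__":
    for name, index in triggered(POLICIES, EVENTS):
        print(f"event {index}: {name}")
```
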


Recovery Planning. Recovery processes and procedures must ensure the timely restoration of systems and assets affected by cybersecurity events. An accurate and up-to-date inventory of controller configurations and settings is needed to accelerate recovery processes.

Many of the new requirements in NIST 1.1 overlap with each other. For industrial organizations, establishing an infrastructure that provides visibility, security, and control, and that is purpose-built for operational technologies (OT), is the clearest path to compliance.


Barak Perelman is CEO of Indegy, an industrial cyber-security firm that improves operational safety and reliability for industrial control networks by providing situational awareness and real-time security.