Unpacking the Impact of NIST 1.1 Updates on ICS

The National Institute of Standards and Technology (NIST) has updated its Cybersecurity Framework (CSF) to version 1.1, with changes touching all five Functions: Identify, Protect, Detect, Respond, and Recover. These changes present some challenges for industrial organizations that want or need to align with the CSF.


Here is a quick overview of the changes introduced with CSF 1.1, by Function and Category, and what each requires of an ICS environment.

Identify 

Asset Management. Data, personnel, devices, systems, and facilities must be identified and managed consistent with business objectives and an organization’s risk strategy. This requires the ability to automatically discover and map all ICS devices and keep an up-to-date inventory of those assets.

Governance. The policies, procedures, and processes for managing and monitoring an organization’s regulatory, legal, risk, environmental, and operational requirements must be understood and must inform the management of cybersecurity risk. A policy management and security alerting infrastructure is needed to meet this requirement.

Risk Assessment. An organization must understand the cybersecurity risks to operations, assets, and individuals. Detailed risk assessment reporting must be implemented that spans network behavior, asset inventory, and risk posture. It should include details for each vulnerability, including affected assets, severity, and mitigation steps.

Protect

Access Control. Access to assets and associated facilities must be limited to authorized users, processes, and devices, and to authorized activities and transactions. Because many industrial controllers and the protocols they speak support little or no authentication, organizations need to monitor and audit successful and unsuccessful attempts to access the network and its assets. This includes monitoring physical access to controllers.


Data Security. Information and records must be managed consistent with an organization’s risk strategy. Because controllers typically protect neither data at rest nor data in transit, organizations need a way to monitor access to and changes in that data, with real-time alerts for unauthorized access, suspicious activity, and any change made to the data.

Information Protection Processes and Procedures. Security policies, processes, and procedures must be maintained and used to manage protection of information systems and assets. This requires establishing a baseline configuration for the ICS, monitoring all changes to that configuration, and implementing a vulnerability management plan.

Maintenance. Remote maintenance and repair of ICS components must be performed consistent with policies and procedures. Here organizations need to be able to identify, flag, and log each remote access event, whether authorized or not.

Protective Technology. Technical security solutions must be managed to ensure the security and resilience of systems and assets, consistent with policies and procedures. This requires auditing both successful and unsuccessful access attempts and real-time alerting on suspicious or unauthorized access.

Detect

Anomalies and Events. Anomalous activity must be detected in a timely manner, and the potential impact of events must be understood. This involves establishing a baseline of network operations activity using network traffic, and the ability to generate alerts when deviations occur.

Security Continuous Monitoring. The information system and its assets must be monitored to identify cybersecurity events and to verify the effectiveness of protective measures (CSF 1.1 dropped the 1.0 wording "at discrete intervals"). For an ICS this means continuously monitoring all activity, including activity over proprietary control-plane protocols, identifying anomalies in real time, and issuing alerts automatically.

Detection Processes. Processes and procedures must be maintained and tested to ensure timely and adequate awareness of anomalous events. This requires a way to deliver and process event information, for example through a console, SIEM alerts, and email.

Respond

Communications. Response activities must be coordinated with internal and external stakeholders, including, where appropriate, support from law enforcement. An alerting infrastructure with customizable policies for specific events, keyed on predefined criteria such as source device, destination device, user, protocol, and time of the event, supports this.
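As an added example (not code from the article or from any vendor product), the following Python script implements the baseline-and-deviation approach described under Anomalies and Events and Security Continuous Monitoring, together with the policy criteria listed under Communications. It learns a baseline of (source, destination, protocol, function code) conversations from constructed flow records, then flags unknown hosts, conversations never seen before, write commands from hosts not on an assumed engineering-workstation list, and writes outside an assumed maintenance window. The IP addresses, Modbus function codes in the records, the maintenance window and the engineering host list are all constructed assumptions; a real deployment would feed the same logic from a passive network sensor.

```python
"""Baseline-and-deviation alerting over ICS flow records.

Constructed example (not from the article or any vendor product). The
flow records, addresses and policy values below are invented for
illustration; real data would come from a passive network sensor.
"""
from datetime import datetime, time

# Constructed flow records: one dict per observed request.
# fc = Modbus function code (3 = read holding registers, 6/16 = register
# writes); a real sensor would decode this from captured packets.
BASELINE_FLOWS = [
    {"ts": "2023-05-01T09:00:00", "src": "10.0.1.10", "dst": "10.0.2.20",
     "proto": "modbus", "fc": 3},   # HMI polls PLC-A
    {"ts": "2023-05-01T09:00:05", "src": "10.0.1.10", "dst": "10.0.2.21",
     "proto": "modbus", "fc": 3},   # HMI polls PLC-B
    {"ts": "2023-05-01T14:30:00", "src": "10.0.1.50", "dst": "10.0.2.20",
     "proto": "modbus", "fc": 16},  # engineering workstation writes PLC-A
]

# Alerting policy (assumed values): criteria are source, destination,
# protocol, function code and time of day.
WRITE_FUNCTIONS = {5, 6, 15, 16}                 # Modbus coil/register writes
MAINTENANCE_WINDOW = (time(8, 0), time(18, 0))   # assumed approved window
ENGINEERING_HOSTS = {"10.0.1.50"}                # assumed authorized writers


def learn_baseline(flows):
    """Return the set of (src, dst, proto, fc) tuples seen during learning."""
    return {(f["src"], f["dst"], f["proto"], f["fc"]) for f in flows}


def in_window(ts, window=MAINTENANCE_WINDOW):
    """True if the ISO-8601 timestamp falls inside the maintenance window."""
    t = datetime.fromisoformat(ts).time()
    return window[0] <= t <= window[1]


def evaluate(flow, baseline):
    """Return a list of alert strings for one flow (empty if it is normal)."""
    alerts = []
    key = (flow["src"], flow["dst"], flow["proto"], flow["fc"])
    known_sources = {k[0] for k in baseline}
    known_targets = {k[1] for k in baseline}
    if flow["src"] not in known_sources:
        alerts.append(f"unknown source {flow['src']} talking to {flow['dst']}")
    if flow["dst"] not in known_targets:
        alerts.append(f"traffic to unknown asset {flow['dst']}")
    if key not in baseline:
        alerts.append(f"new conversation {key}")
    if flow["proto"] == "modbus" and flow["fc"] in WRITE_FUNCTIONS:
        if flow["src"] not in ENGINEERING_HOSTS:
            alerts.append(f"write (fc {flow['fc']}) from non-engineering host {flow['src']}")
        if not in_window(flow["ts"]):
            alerts.append(f"write (fc {flow['fc']}) outside maintenance window at {flow['ts']}")
    return alerts


def detect(flows, baseline):
    """Run every flow through the policy; return [(ts, alerts)] for flows that tripped."""
    findings = []
    for f in flows:
        alerts = evaluate(f, baseline)
        if alerts:
            findings.append((f["ts"], alerts))
    return findings


# Constructed detection-phase traffic containing one normal poll and two
# flows that should trip the policy.
LIVE_FLOWS = [
    {"ts": "2023-05-02T09:00:00", "src": "10.0.1.10", "dst": "10.0.2.20",
     "proto": "modbus", "fc": 3},   # normal poll
    {"ts": "2023-05-02T02:15:00", "src": "10.0.1.50", "dst": "10.0.2.20",
     "proto": "modbus", "fc": 16},  # authorized host, but a 02:15 write
    {"ts": "2023-05-02T10:00:00", "src": "10.0.1.99", "dst": "10.0.2.21",
     "proto": "modbus", "fc": 6},   # unknown host writing a register
]

if __name__ == "__main__":
    base = learn_baseline(BASELINE_FLOWS)
    for ts, alerts in detect(LIVE_FLOWS, base):
        for a in alerts:
            print(f"{ts}  ALERT  {a}")
```

The baseline is deliberately a set of exact conversation tuples rather than per-host statistics: in a control network the set of legitimate conversations is small and stable, so any new tuple is worth an analyst's attention, and the separate time-of-day rule catches an authorized workstation being used at an unusual hour, which a pure whitelist would miss.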

Analysis. Analysis must be conducted to ensure effective response and to support recovery activities. This requires the ability to capture forensic information: raw network traffic, an audit trail of configuration and code changes, and full details and context about the affected assets.

Recover 

Recovery Planning. Recovery processes and procedures must ensure the timely restoration of systems and assets affected by cybersecurity events. An accurate and up-to-date inventory of controller configurations and settings is needed to accelerate recovery processes.
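The baseline-configuration requirement under Information Protection Processes and Procedures and the controller-configuration inventory called for under Recovery Planning can be served by one record. The Python below is an added illustration, not code from the article or from any product: it fingerprints each controller's exported configuration with a SHA-256 over a canonical JSON form, stores the full configuration beside the hash so it can be restored, and reports field-level drift, controllers that have disappeared, and controllers that were never baselined. The controller names, tag names and values are constructed; what a real controller exports (tag tables, network settings, firmware version) would be mapped into the same dict shape.

```python
"""Controller configuration baseline: detect drift and keep a restore inventory.

Constructed example, not from the article or any product. The config dicts
stand in for whatever a controller exports; PLC names and values are invented.
"""
import hashlib
import json
from copy import deepcopy


def canonical(config):
    """Serialise a config deterministically so equal configs hash equal."""
    return json.dumps(config, sort_keys=True, separators=(",", ":"))


def fingerprint(config):
    """SHA-256 of the canonical form; key order in the source does not matter."""
    return hashlib.sha256(canonical(config).encode()).hexdigest()


def snapshot(configs):
    """Build the baseline: per-controller fingerprint plus a full copy of the
    config, so one record serves both drift detection and restoration."""
    return {
        name: {"sha256": fingerprint(cfg), "config": deepcopy(cfg)}
        for name, cfg in configs.items()
    }


def diff_config(old, new, path=""):
    """Recursively list (path, old_value, new_value) tuples where two configs differ."""
    changes = []
    for key in sorted(set(old) | set(new)):
        p = f"{path}/{key}"
        if key not in old:
            changes.append((p, None, new[key]))
        elif key not in new:
            changes.append((p, old[key], None))
        elif isinstance(old[key], dict) and isinstance(new[key], dict):
            changes.extend(diff_config(old[key], new[key], p))
        elif old[key] != new[key]:
            changes.append((p, old[key], new[key]))
    return changes


def check_drift(baseline, current):
    """Compare live configs against the baseline.

    Returns {controller: [changes]}. A controller missing from `current`
    appears as a single ('/', baseline_config, None) entry; one missing
    from the baseline as ('/', None, live_config). Unchanged controllers
    (matching hash) are omitted.
    """
    report = {}
    for name in sorted(set(baseline) | set(current)):
        if name not in current:
            report[name] = [("/", baseline[name]["config"], None)]
        elif name not in baseline:
            report[name] = [("/", None, current[name])]
        elif fingerprint(current[name]) != baseline[name]["sha256"]:
            report[name] = diff_config(baseline[name]["config"], current[name])
    return report


# Constructed known-good configurations captured at commissioning time.
GOLDEN = {
    "PLC-A": {"firmware": "4.2.1", "ip": "10.0.2.20",
              "tags": {"PUMP1_SETPOINT": 55, "PUMP1_MAX": 80}},
    "PLC-B": {"firmware": "4.2.1", "ip": "10.0.2.21",
              "tags": {"VALVE3_MODE": "auto"}},
}

# Constructed live configs: PLC-A's setpoint changed and a tag was added,
# PLC-B is untouched, and an unexpected third controller has appeared.
LIVE = {
    "PLC-A": {"firmware": "4.2.1", "ip": "10.0.2.20",
              "tags": {"PUMP1_SETPOINT": 95, "PUMP1_MAX": 80, "DEBUG": True}},
    "PLC-B": {"firmware": "4.2.1", "ip": "10.0.2.21",
              "tags": {"VALVE3_MODE": "auto"}},
    "PLC-C": {"firmware": "1.0.0", "ip": "10.0.2.99", "tags": {}},
}

if __name__ == "__main__":
    baseline = snapshot(GOLDEN)
    for ctrl, changes in check_drift(baseline, LIVE).items():
        for path, old, new in changes:
            print(f"{ctrl}{path}: {old!r} -> {new!r}")
```

Keeping the full configuration next to the hash is what makes the same artifact useful for recovery: the hash answers "has anything changed?" cheaply on every poll, and the stored copy is what gets pushed back to the controller once the change is confirmed to be unauthorized.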

Many of the requirements in CSF 1.1 overlap with one another. For industrial organizations, establishing an infrastructure that provides visibility, security, and control, and that is purpose-built for operational technology (OT), is the clearest path to compliance.
