The Center for Internet Security (CIS) recently updated its popular CIS Controls – formerly known as the SANS Top 20 – and published a companion CIS Controls Implementation Guide for Industrial Control Systems. Cody Dumont and I contributed to this Industrial Control System (ICS) guide in the hope of making it easier for organizations to employ the CIS Controls for protecting OT environments.
Moving toward a common set of IT/OT controls
As organizations address the challenge of IT/OT convergence, a common set of IT/OT controls is especially valuable.
Most security frameworks focus on either IT or OT. For example, ISO/IEC 27000 focuses on information security management, and ISA99 focuses on manufacturing and control system security. The difference in focus is understandable because IT and OT environments have important differences such as real-time requirements, network protocols and the ability to tolerate active network scanning. These differences have made OT security professionals reluctant to use IT-born security frameworks and solutions in their OT environments.
The U.S. National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity spans IT and OT to promote the protection and resilience of critical infrastructure. Virtually all industry sectors are adopting the NIST Cybersecurity Framework (CSF), first published in 2014. However, CSF Functions (Categories and Subcategories) neither suggest an implementation order nor do they provide detailed control recommendations. Therefore, many organizations adopting the CSF are also adopting the CIS Controls to help them prioritize control implementation and define more granular security controls.
CSF and CIS Control adopters applying the controls in both IT and OT were required to adapt the CIS Controls before implementing them in OT to ensure sensitive OT networks and devices were not degraded or disrupted. The CIS recognized the need to help organizations adapt the CIS Controls to OT – and, voilà, the CIS Controls Implementation Guide for Industrial Control Systems was born.
CIS Controls Implementation Guide for Industrial Control Systems: How it can help
“ICS Environments may also have many embedded, IP connected devices. These devices often lack the capability to support traditional Information Technology (IT)-grade security control technologies since many run specialized firmware and Real-time Operating Systems (RTOS), have proprietary protocols such as Profibus, COTP, TPKT Modbus and EtherNet/IP, or do not have the ability to support contemporary endpoint of supplicant software that is commonly used in IT systems.”
–CIS Controls Implementation Guide for Industrial Control Systems.
The CIS Controls Implementation Guide for Industrial Control Systems is a companion document to use with the 20 prioritized CIS Controls. Each control includes an introduction, applicability description and additional considerations.
Here are excerpts from the first (and most important) control, Inventory of Authorized and Unauthorized Devices, that will give you a flavor of the guidance provided for each control:
Excerpts from CIS Controls Implementation Guide for Industrial Control Systems
- Introduction: “Understanding and solving the asset inventory and device visibility problem is critical in managing a business’s security program. This is especially challenging in ICS where network segmentation, dual-homing, and isolation are common themes. Mixtures of old and new devices from multiple vendors, lack of up-to-date diagrams, unique industry and application-specific protocols, some of which are not IP-based, and the difficulty in conducting physical inventories in dispersed or hostile environments compound these challenges.”
- Applicability: “The conventional approach of using ping responses, TCP SYN or ACK scans can also be problematic in ICS due to device sensitivity since even seemingly benign scanning employed in IT environments can disrupt communications, or in some cases even impact device operations. Methods that are more passive to locate connected assets are preferred, as they are less likely to impact system availability or interact with vendor systems in a manner that could cause warranty issues.”
- Considerations: “Ensure that all equipment acquisitions and system modifications follow and approval process and the technical drawings (if applicable, automated inventory systems) are updated at the time of the change.”
Resources: Securing converged IT/OT systems
Need a prioritized, common control framework to secure converged IT/OT systems or a common language to facilitate communication? Join me on July 18 for the “Six Common Controls Unite and Strengthen OT/IT Security” webinar.
Also, in case you missed our announcement last year, we’ve partnered with Siemens and released Industrial Security, an on-premises security solution purpose-built for OT. It addresses the guide’s recommendation to passively and safely monitor OT networks to deliver asset discovery. Industrial Security also passively assesses vulnerabilities. For a demo or evaluation of Industrial Security, contact your authorized Tenable representative.