NIST SP 800-82 addresses OT systems security, including unique performance, reliability, safety requirements

The National Institute of Standards and Technology (NIST) released on Tuesday an initial public draft that provides guidance on how to improve the security of operational technology (OT) systems while addressing their performance, reliability, and safety requirements. The NIST SP 800-82 document provides an overview of OT and typical system topologies, identifies typical threats to organizational mission and business functions supported by OT, describes typical vulnerabilities in OT, and provides recommended security safeguards and countermeasures to manage the associated risks.

The NIST SP 800-82 document updates include expansion in scope from industrial control systems (ICS) to OT, updates to OT threats and vulnerabilities, and updates to OT risk management, recommended practices, and architectures. It also provides updates to current activities in OT security, along with updates to security capabilities and tools for OT. The agency has called for comments by Jul. 1 and asks that the comment template be used when preparing and submitting them.

The draft document aligns with other OT security standards and guidelines, including the cybersecurity framework and new tailoring guidance for NIST SP 800-53 Revision 5 security controls. It also delivers an OT overlay for NIST SP 800-53 Revision 5 security controls that provides tailored security control baselines for low-, moderate- and high-impact OT systems.

OT covers various programmable systems and devices that interact with the physical environment or manage devices that interact with the physical environment. These systems and devices detect or cause a direct change through monitoring and/or control of devices, processes, and events. OT systems also consist of combinations of control components, such as electrical, mechanical, hydraulic, and pneumatic, which act together to achieve an objective such as manufacturing, transportation of matter, or energy.

The NIST SP 800-82 draft document also provides an overview of several types of standard OT systems, including supervisory control and data acquisition (SCADA), distributed control systems (DCS), programmable logic controllers (PLCs), building automation systems (BAS), physical access control systems (PACS), and the industrial Internet of Things (IIoT). 

While the intended audience of the NIST draft document is varied, it includes control engineers, integrators, and architects who design or implement OT systems, vendors developing products that will be deployed as part of an OT system, engineers, system administrators, and other information technology (IT) professionals who administer, patch, or secure OT systems. It also covers security consultants who perform security assessments and penetration testing of OT systems, managers responsible for OT systems, senior management who need to better understand the risk for OT systems as they justify and apply for an OT cybersecurity program, and researchers and analysts who are trying to understand the unique security needs of OT systems.

OT has many characteristics that differ from traditional IT systems, including different risks and priorities, according to the NIST SP 800-82 document. Some of these include significant risks to the health and safety of human lives, serious damage to the environment, and financial issues such as production losses. OT has different performance and reliability requirements and uses operating systems and applications that may be unconventional in a typical IT network environment. In addition, security protections must be implemented to maintain system integrity during normal operations and during times of cyber-attack.

The NIST SP 800-82 document said that OT is critical to the operation of the sixteen U.S. critical infrastructure sectors that are often highly interconnected and mutually dependent systems. While federal agencies operate many critical infrastructures, many others are privately owned and operated. Critical infrastructures are often referred to as a ‘system of systems’ due to interdependencies between various industrial sectors and the interconnections between business partners. Critical infrastructures are highly interconnected and mutually dependent in complex ways, both physically and through a host of information and communications technologies. As a result, an incident in one infrastructure can, directly and indirectly, affect other infrastructures through cascading and escalating failures.

The document also said that initially, OT systems had little resemblance to IT systems in that they were isolated systems running proprietary control protocols using specialized hardware and software. However, it also identified that widely available, low-cost Ethernet, Internet Protocol (IP), and wireless devices are now replacing the older proprietary technologies, which increases the likelihood of cybersecurity vulnerabilities and incidents.

As OT continues to adopt IT technologies to promote corporate connectivity and remote access capabilities, such as using industry-standard computers, operating systems, and network protocols, OT systems and devices increasingly resemble IT systems, the document observed. “This integration supports new IT capabilities, but it provides significantly less isolation for OT from the outside world than predecessor systems, creating a greater need to secure them. While security solutions have been designed to deal with these issues in typical IT systems, special precautions must be taken when introducing these same solutions to OT environments. In some cases, new security solutions are needed that are tailored to the OT environment,” the NIST SP 800-82 document added.

The NIST SP 800-82 document also said that the possible incidents an OT system may face include blocked or delayed flow of information through OT networks, which could disrupt OT operation. It also listed unauthorized changes to instructions, commands, or alarm thresholds, which could damage, disable, or shut down equipment, create environmental impacts, and/or endanger human life. Finally, it included inaccurate information sent to system operators, either to disguise unauthorized changes or to cause operators to initiate inappropriate actions, which could have various negative effects.

Additionally, the draft document said that modified OT software or configuration settings, or OT software infected with malware, could have various negative effects. It also included interference with the operation of equipment protection systems, which could endanger costly and difficult-to-replace equipment, and interference with the operation of safety systems, which could endanger human life.

The NIST document said that major security objectives for an OT implementation include restricting logical access to the OT network, network activity, and systems, regulating unauthorized modification of data, and limiting physical access to the OT network and devices. They also include protecting individual OT components from exploitation, detecting security events and incidents, maintaining functionality during adverse conditions, and working out a good security program that allows quick recovery after an incident has occurred.

When considering security for OT, some special considerations include timeliness and performance requirements, availability requirements, risk management requirements, physical effects, system operation, resource constraints, communications, change management, managed support, and component lifetime and location. 

The NIST SP 800-82 document said that organizations need to develop and deploy an OT cybersecurity program to mitigate cybersecurity risk to their OT systems. It should be consistent and integrated with existing IT cybersecurity programs and practices and account for the specific requirements and characteristics of OT systems and environments. In addition, organizations should regularly review and update their OT cybersecurity plans and programs to reflect changes in technologies, operations, standards, regulations, and the security needs of specific facilities. 

Effective integration of cybersecurity into the operation of OT requires defining and executing a comprehensive program that addresses all aspects of cybersecurity, the draft document said. “This includes defining the objectives and scope of the program, establishing a cross-functional team that understands OT and cybersecurity, defining policies and procedures, identifying the cyber risk management capabilities that include people, process, and technology, as well as identifying day-to-day operations of event monitoring and auditing for compliance and improvement,” it added. 

The document further pointed organizations towards the ISA-62443-2-1, Security for Industrial Automation and Control Systems: Security Program Requirements for IACS Asset Owners, which describes another view of the elements of a cybersecurity program for use in the OT environment. In addition, it provides guidance on how to meet the cybersecurity requirements described for each element of the cybersecurity program.

Organizations that use OT systems have historically managed risk through good practices in safety and engineering, the NIST document said. Safety assessments are established in most sectors and often incorporated into regulatory requirements, while information security risk management is an added dimension that can be complementary. Privacy is also a risk consideration for some OT systems. 

The risk management process is employed throughout an organization using a three-level approach to address risk at the organization, mission/business, and system levels (IT and OT). The risk management process is carried out seamlessly across the three levels with the overall objective of continuous improvement in the organization’s risk-related activities and effective inter-tier and intra-tier communication among stakeholders having a shared interest in the mission/business success of the organization. 

Last week, NIST released a draft document that applies the NIST Cybersecurity Framework to the ground segment of space operations, emphasizing assuring satellite command and control. In addition, the Cybersecurity and Infrastructure Security Agency (CISA) expanded its Joint Cyber Defense Collaborative (JCDC) initiative to include the ICS industry consisting of security vendors, integrators, and distributors. The move will strengthen and bolster the U.S. government’s focus on building cybersecurity posture and resilience of ICS and OT environments.
