NIST SP 800-82 guidance recognizes the importance of bringing cybersecurity to OT systems


With the release of NIST SP 800-82 Revision 3, the document's scope expands beyond industrial control systems (ICS) to operational technology (OT) systems more broadly. The shift reflects the needs of the critical infrastructure sector, which must manage risk across technologies ranging from information technology (IT) and ICS to cyber-physical systems (CPS) and the extended Internet of Things (XIoT).

The NIST SP 800-82 document is not a ‘one-size-fits-all’ approach to managing cybersecurity risk, because each sector faces unique threats, vulnerabilities, and risk tolerances. Organizations will vary in how they tailor the practices, but an overarching strategy supports safe and efficient operations. The document also recognizes a new dynamic for OT: these systems were once shielded by self-contained, air-gapped networks that largely protected the logic executing on field devices, but those traditional measures are no longer realistic as systems become more interconnected for productivity and efficiency reasons.

Overall, the NIST SP 800-82 document is a step in the right direction. However, some have expressed the opinion that the document’s authors come primarily from computer science and information system backgrounds, without enough consultation with the engineers who know how the critical infrastructure sector runs.

Industrial Cyber reached out to experts to analyze the role that the NIST SP 800-82 document would play in improving the cybersecurity of OT systems while accounting for their unique performance, reliability, and safety requirements.

“NIST SP 800-82 has always played an important role in helping OT security professionals understand unique requirements for control systems,” Jason Christopher, director of cyber risk at industrial cybersecurity firm Dragos, told Industrial Cyber. “The document does a great job of highlighting how traditional IT-centric security controls simply won’t work in OT environments,” he said. 

Jason Christopher, director of cyber risk at Dragos

As an ‘overlay’ for NIST SP 800-53 (Security and Privacy Controls for Information Systems and Organizations), NIST SP 800-82 provides context for IT security professionals that are new to OT devices, while also helping operators and engineers understand how security requirements can be applied to OT, according to Christopher. “Moreover, due to the nature of NIST here in the United States, the resource is not locked behind some paywall—it’s freely available for everyone, which makes it especially helpful for resource-constrained organizations that may not leverage other security standards,” he added.

“The document may play a potentially disappointing role if we are seeking to protect the technologies used to monitor and control a physical process governed by the laws of physics and chemistry,” Vytautas Butrimas, an industrial cybersecurity subject matter expert, told Industrial Cyber. 

Vytautas Butrimas, an industrial cybersecurity subject matter expert

“A potential danger arises from setting up a binary system (IT and OT) to describe something that really has three parts. It is not just about IT and OT,” according to Butrimas. “There is also the engineering part which addresses the physical process of generating and distributing electricity, refining fuel at a petrochemical plant, pumping fuel or compressing gas down a pipeline, or treating and supplying clean water. Many engineering activities go into the design, hazard analysis, and protection measures that are fundamentally vital to monitoring and controlling a physical process,” he added.

“It seems that a lot of intelligent, professional but mostly computer science/IT-oriented people have tried to extend their IT knowledge to encompass the technologies used to monitor and control a physical process governed by the laws of physics and chemistry,” Butrimas pointed out. “IT bias at the expense of engineering is evident in several places. For example, early on in the executive summary when discussing OT, it is actually the IT security priorities of confidentiality, integrity, and availability that are listed. That is a list that prioritizes the protection of ‘information’ or ‘data,’” he added.


He also spoke of roles, including who should take the lead in implementing the recommendations in this document. “Many enterprise officials are mentioned but no one is singled out to be the lead. The lead role may likely be given to the computer science-trained CISO of the company. If that is the case then the document may fail to painlessly achieve the results hoped for by the authors,” Butrimas added.

“The NIST SP 800-82 document is a step forward in the right direction, providing a comprehensive framework for thinking and designing an OT cybersecurity program, which needs to put availability, safety, and environmental considerations first,” Julia O’Toole, founder and CEO of cybersecurity company MyCena, told Industrial Cyber. 

Julia O’Toole, founder and CEO of MyCena

“It also accurately points out the differences in architecture, security categorization, and risk tolerance between IT and OT systems,” according to O’Toole. “As an example, where OT cybersecurity needs to maintain system integrity in normal operations and during cyberattacks, IT cybersecurity programs are not concerned with that level of resilience,” she added.

Examining how privately owned and operated critical infrastructure operators, with a minimal budget, time, and human capital to spend, derive value that can be subsequently adapted into their environments from the NIST SP 800-82 document, Dragos’ Christopher said that one of the easy wins for using NIST SP 800-82 is that it is a free, yet comprehensive resource. 

“While portions of the document may be mandatory for federal entities, there is a lot of value to using this standard as an informative reference for building, scaling, or sustaining any OT security program, including in the private sector,” according to Christopher. “For example, if you’re new to OT from an IT security background—focus on Chapter 2, which outlines what OT is and how it works. If you’re a manager, either in OT or enterprise IT security, Chapter 3 may have some useful information for building an OT security team and program. Will everything apply? Likely not, but there’s a good set of guiding principles, even if you’re resource-constrained,” he added. 

“Nothing says you need to do everything in the guidance,” Christopher said. “Assess where you are in your OT journey, figure out how mature you want to be, then use something like NIST SP 800-82 to help you get there,” he added.

“It will be a challenge to apply and adapt the recommendations in this document,” Butrimas said. “First, there is the awesome task of digesting a document that is over 300 pages long. One wonders how much time the senior plant engineer will spend reading and applying the recommendations when he or she is fully engaged every day, monitoring and making sure the physical processes of the enterprises’ operations are running smoothly and without something going ‘boom in the night,’” he added.

Butrimas also raised the issue of whether the plant engineer will have the support of an industrial cybersecurity operations center staffed with people who share his or her understanding of what is going on in the physical process. “Will he or she have the support to implement a patching policy? Not just applying the patch immediately but with the decision that must be made about applying and actually implementing a patch: never, next or now,” he added.  

“I am afraid that the leadership for adapting may be given to the IT department or CISO.  If this happens I hope the senior plant engineer will still have the final say on whether to implement a recommendation or not,” according to Butrimas. “We should take a lesson of caution from the emergency (SCRAM) shutdown of the Hatch reactor when someone tried to perform a software update on one computer in the control room,” he added.

“Working with a small budget, time, and human capital, privately owned and operated critical infrastructure operators can leverage the document frameworks as a security checklist and prioritize their investment to maximize risk reduction in accordance with their physical, economic and social impact,” O’Toole said. 

“As cyberattacks mostly involve a malicious actor remotely accessing an IT system, escalating privileges, scanning the network, extracting files, and encrypting data, priority should be to segment and secure remote access to each system, keeping systems isolated and air-gapped so that in case one got breached, the other systems remain functional,” she added.

Moving over to whether the steps provided in the NIST SP 800-82 document are sufficient for an organization to build their OT cybersecurity architecture, Christopher said that the previous revision of NIST SP 800-82 has a very tactical interpretation of ICS security architecture focusing on network segmentation, incident detection, and system recovery. 

“This new revision takes a broad look at ‘security architecture’ to include strategy and governance, as well as the usual technology-based considerations,” Christopher highlighted. “I don’t think anyone will argue that we need better management and strategy considerations in OT security, so this is absolutely the right change to see in this update.” 

“That said, the technical discussions in Chapter 5 likely need some prioritization associated with the concepts—a few of which may not be ideal starting points for resource-constrained asset owners/operators,” according to Christopher. “A clearer link between Chapter 5 and Chapter 6 (Applying the Cybersecurity Framework to OT) may help organizations establish the right current and target profiles for continual improvement in their OT security program. These projects may take years to implement, and being realistic about what can be accomplished—and what should be prioritized— is an important attribute for any security strategy,” he added.

Butrimas said that three important questions must be answered first when developing a security policy. The first question is “What to protect? Then we need to think about the threats to those assets. Is the threat just from ransomware which has become very dominant in the news (Colonial pipeline incident of 2021) or do we have to account for the actions of advanced persistent threat actors who may try to take the view and control of a physical process away from operators in the control room (Stuxnet, cyberattacks on Ukraine’s power grid in 2015 and 2016 and Saudi petrochemical plant in 2017)?”

After these two questions are answered, there is a rational basis to answer the third question – how will identified assets be protected from identified threats in the most cost-efficient way, according to Butrimas. “The work to answer the first two questions (what to protect? and from what?) should be within the powers of any enterprise, large or smaller.  When that is done an informed choice for answering the how questions can begin,” he added.  

“The Chapter 5 recommendations can be looked at as well as other offerings,” Butrimas said. “The final decision on which path to take (implementing the how) can be made easier by answering the first two questions (what to protect and from what threats). Getting the ‘how’ right is most important for that is the end result of all the hard work recommended in this document,” he added.

O’Toole said that Chapter 5 gives a good overview of critical infrastructure standards and regulatory requirements to build an OT cybersecurity architecture but fails to mention the biggest threat to that architecture: the loss of access control. “This happens with people mixing identity and access when moving from a physical to a digital world. In the physical world, the difference is clear. But in the digital world, identity and access got mixed up. Employees use their identity and make their own access keys or passwords to open the company’s doors and access networks, systems, and data,” she added. 

Since organizations no longer have access control, they are exposed to new risks, such as password phishing, unauthorized sharing, loss, and fraud, according to O’Toole. “Having lost access control means their passwords are deemed compromised by default and, with the convergence of OT and IT, they are unable to guarantee legitimate access to either IT or OT systems.”

“As passwords remain encrypted from creation, distribution, storage, use, to expiry, organizations can eliminate the risks of human error, password fraud, and man-in-the-middle attacks,” O’Toole said. For critical infrastructure, this prevents malicious access to controllers whose alteration could endanger people, production, or the environment. And if one system is breached, for example in a supply-chain attack, that infection is contained while the rest of the network stays safe. This is the first step to building a strong OT cybersecurity architecture, she added.

“Using Table 4 of the document to assess the likelihood and impact of threat events, organizations also can, for devices and communication protocols at the Field I/O level (e.g., sensors, actuators) that do not yet have the ability to be authenticated, assess the need to add an authentication layer using existing technology,” she added.

Surveying the biggest takeaways from the NIST SP 800-82 draft document, Christopher said that the “biggest takeaway for asset owners: ‘you don’t need to figure this all out in a vacuum.’ Standards have a place in the security ecosystem—they help us identify best practices, we can measure our overall progress based on the requirements, and we can have fruitful discussions around resources based on the security controls within their pages,” he added. 

While NIST SP 800-82 may not be the right fit for everyone, it represents hundreds of pages of specific recommendations for OT security that can help asset owners understand what capabilities they need to better protect critical infrastructure, according to Christopher.

Butrimas said that, setting aside for a moment his initial criticism of the document’s binary IT-OT approach to industrial cybersecurity at the expense of attention to the physical process (engineering), “the biggest takeaway is that operators can no longer accept believing that their operations are not potential targets by threat actors seeking to degrade or deny the safety, reliability, performance, and resilience of their operations. The alarm clocks and phones ringing with the ‘wake-up calls’ need to be promptly answered,” he added.

The latest NIST document is a step in the right direction, according to Butrimas. “But it is not the only step and not the only step that requires a lot of preparation, awareness-raising, and willingness to do something about improving the safety, reliability, performance, and resilience of those processes critical to modern economic activity, national security, and well-being of society,” he added.

“One of the biggest takeaways of the document is actually in the first two chapters, where we are reminded of the deep and comprehensive knowledge of security that exists in the field and which is currently under-utilized,” O’Toole said. “IT and OT may have converged, but the principles of segmentation, isolation, air gapping, setting redundancy and safety mode, and avoiding single access control, should still apply to OT and IT cybersecurity as well. In any circumstance, the priorities of availability, safety, and environmental considerations of OT systems should prevail,” she added.

That means that rather than applying IT cybersecurity principles to OT systems, a much safer approach would be integrating OT security standards into IT and OT cybersecurity, O’Toole pointed out. “That means rigorously applying the principles of segmentation, isolation, air gapping, setting redundancy and safety mode for overall risk reduction, and using a multi-layered security approach.” 

“Because of the significant differences in the cultures of control engineering and IT, the OT security team should be leading the overall security program, as they understand that any tampering with OT settings, however insignificant, can have disastrous consequences, especially in chemical, refinery or nuclear processes,” O’Toole concluded.
