Adapting NIST SP 800-82r3 to tackle complexity of cyber threats across OT environments

Amidst a backdrop of intensifying threats and perilously close near-miss attacks directly targeting operational technology (OT), the National Institute of Standards and Technology (NIST) recently unveiled the third iteration of the NIST SP 800-82 document. The new release underscores an expanded focus on OT, distinct from its prior emphasis on industrial control systems (ICS). Significantly, the NIST SP 800-82r3 publication incorporates critical updates covering the gamut of OT threats and vulnerabilities, while also advancing the field of OT risk management, recommended practices, and architectural considerations.

The document also serves as a beacon for OT asset owners and operators, delivering the most current advancements in OT security protocols. It not only imparts the latest developments in security practices tailored for OT environments but also provides them with critical security capabilities and tools, thus fortifying their defense against potential cyber threats.

Furthermore, NIST SP 800-82r3 introduces an all-encompassing overhaul of OT risk management, emphasizing the necessity for a proactive stance in cybersecurity. The recommended practices put a premium on bolstering the security stance of OT networks, featuring upgraded authentication protocols and the implementation of network segmentation. The updated architectures prioritize resilience, advocating the incorporation of layered defenses and continuous monitoring mechanisms, thereby aligning with prevalent industry standards and best practices.

Exploring evolution of NIST SP 800-82r3

In a two-part feature article series, Industrial Cyber contacted cybersecurity experts in the industrial sector for an insightful comparison of the primary disparities between the earlier version of NIST SP 800-82 and the latest iteration, NIST SP 800-82r3, focusing on their respective scopes and objectives. They also delve into the long-term ambitions and anticipations for NIST SP 800-82 concerning its role in bolstering the security of OT and predict its likely trajectory in the years ahead.

Michael Gilsinger, OT chief architect at ARAUCO

Michael Gilsinger, OT chief architect at ARAUCO, a Chilean paper and forest product manufacturer, identified that “in short, NIST SP 800-82r2 focused on security requirements for information systems; r3 expands this scope to include operational technology (OT) by identifying typical threats and vulnerabilities to OT systems and making recommendations for security safeguards and countermeasures to manage these risks.”

He told Industrial Cyber that the long-term goals and expectations for the third version of NIST SP 800-82 are to help organizations improve the cybersecurity of their OT systems, reduce the risk of cyberattacks and create a more secure OT ecosystem.

“It is difficult to say how effective these measures will be in defending OT environments from the escalating number and sophistication of cyber threats and attacks,” according to Gilsinger. “However, NIST SP 800-82r3 provides a comprehensive set of security best practices that can help organizations to improve the security of their OT systems.”

Chris Warner, senior security consultant for OT governance and risk at GuidePoint Security

The NIST Special Publication 800-82 Revision 3 introduces seven essential enhancements to strengthen the OT systems framework, Chris Warner, senior security consultant for OT governance and risk at GuidePoint Security, told Industrial Cyber. “One critical addition is the Risk Management Framework for OT Systems, offering a comprehensive approach to identify, evaluate, and mitigate risks associated with OT systems.” 

“Additionally, the publication outlines Security Controls Based on Best Practices, encompassing access control, incident response, and network security. It emphasizes Security Assessments, advocating for structured methodologies to pinpoint vulnerabilities and enhance security posture,” Warner noted. 

He also highlighted that the document provides an incident response framework, guiding organizations in incident reporting, investigation, and recovery from cybersecurity events. “Supply Chain Security is emphasized, covering vendor selection, procurement, and continuous monitoring processes. Cybersecurity training for OT personnel, including security awareness and incident response, is highlighted.”

“Integration with IT Security is encouraged, fostering unified risk management, especially considering OT’s crucial financial role in businesses,” according to Warner. “The guidelines promote seamless collaboration between OT and IT security teams, ensuring a comprehensive view of cybersecurity risks and aligning with OT’s significance as the business’s ‘cash register.’”

Mike Hamilton, CISO of Critical Insight

Significant changes from the previous revision of NIST 800-82 include a scope expansion to now include generalized operational technologies, and not just SCADA (supervisory control and data acquisition) systems in control room operations, Mike Hamilton, CISO of Critical Insight, told Industrial Cyber. “This brings in things like HVAC systems and to a lesser extent, medical and industrial IoT. Another is an update to threats and vulnerabilities in those environments. This is important because previous versions did not address the recent efforts by nation-states to specifically target critical infrastructure and the control systems extant therein, including firmware, protocol, and failure-to-patch vulnerabilities,” he added. 

“An additional update is the alignment of OT security with the NIST Cybersecurity Framework,” Hamilton pointed out. “This brings the operational technology environments into conformance with critical infrastructure sectors regarding the use of the framework but is focused on OT regardless of sector. This allows for objective comparison of these environments with others against a standard of practice that helps to guide all operators to appropriate security and risk management practices, regardless of the disparate architectures involved in control systems.”

E. Christian Hager, Vice President of Business Development at Fend Incorporated

E. Christian Hager, vice president of business development at Fend Incorporated, pointed out that the most obvious difference between the newly released 800-82r3 (R3) and 800-82r2 (R2) is that R2 was ‘released eight(!) years ago’, at a time when control systems and SCADA were not as vulnerable as they are today.

“R3 makes a major case for network (micro) segmentation and asset hardening as being the easiest mitigation strategies to protect what is in operation today,” Hager told Industrial Cyber. “R3 looks at defense-in-depth architecture capabilities utilizing five architecture layers. It explicitly identifies useful components (data diodes and other tools) focusing on framing a risk strategy to guide the cybersecurity program development/enhancement for OT systems. This includes detection, response and recovery.”

Hager also added that a significant enhancement over R2 is that R3 has been expanded to encompass all elements of the broader OT, specifically including non-network-controlled field systems (levels 0, 1 and 2) and other references to the Purdue Model.

Jason Rivera, director at Security Risk Advisors

“A lot has changed since 2015 and what NIST did to bring SP 800-82 up to speed included an array of changes,” Jason Rivera, director at Security Risk Advisors, told Industrial Cyber. “With moving from ‘ICS’ to ‘OT’ centric being one of them, NIST broadened the appeal to meet the widest target audiences where they are. They also clearly tried to make r3 more holistic, not just covering NIST specifications but also making room for the Purdue Enterprise Reference Architecture, bringing more awareness to (vendor agnostic) events like S4 and generally embedding more situational context throughout vs. expecting everyone to already understand the why behind these guidelines,” he added.

Assessing efficacy of NIST SP 800-82r3 in fortifying OT security

The executives offer insights into the adaptation of NIST SP 800-82r3, outlining its tailored approach to tackle the prevalent threats and vulnerabilities within OT environments. Furthermore, they delve into the efficacy of these measures in safeguarding OT systems against the mounting scale and complexity of cyber threats and attacks.

Warner said that the additions in Revision 3 are crucial. “Revision 3 introduces specific controls tailored for OT environments. However, their effectiveness depends on the organization’s resources: financial, skilled personnel, and time to prevent disruptions like power plant shutdowns. Implementing these controls enhances security, strengthening your business’s resilience against attacks,” he added.

“With the push toward digital convergence, which expanded significantly during the COVID-19 pandemic, many systems that were air-gapped were connected in the name of convenient remote access,” Hager mentioned. “We have discovered that much of that remote access in place today is a high-risk factor and threatens the security of operations in many organizations, especially in critical infrastructure sectors.”

Hager anticipates that “R3 should help to phase out convenient linkages, especially to enforce a one-way data flow for monitoring of field systems, transporting historian data from SCADA systems and hardening OT networks with very limited options for remote control.”
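Hager's points above (network segmentation along Purdue levels, data diodes, and phasing out convenient remote-access links in favour of one-way monitoring flows) can be expressed as a zone-and-conduit audit that a defender runs over observed traffic. The following is an added example, not code from NIST SP 800-82r3, from Fend, or from any other organisation quoted in this article; the zone names, level numbers, the allow-list of conduits and the sample flow records are all constructed assumptions.

```python
"""Purdue-zone conduit audit for observed OT network flows.

Added example; not code from NIST SP 800-82r3 or any quoted organisation.
Zone names, level numbers, the allow-list and the flow records are all
constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# Simplified Purdue levels (assumption: one zone per level, DMZ at 3.5).
LEVELS = {
    "field": 0.0,        # sensors and actuators
    "control": 1.0,      # PLCs, RTUs, safety controllers
    "supervisory": 2.0,  # HMI and SCADA servers
    "operations": 3.0,   # site operations, historian
    "dmz": 3.5,          # industrial DMZ
    "enterprise": 4.0,   # business network
    "external": 5.0,     # internet, vendors and remote users
}

# Conduits expected to be strictly one-way towards the business side,
# i.e. where a data diode or equivalent enforcement is assumed.
ONE_WAY = {("operations", "dmz"), ("dmz", "enterprise")}

# Constructed allow-list of conduits: (source zone, destination zone, protocol).
ALLOWED = {
    ("field", "control", "io"),
    ("control", "supervisory", "modbus"),
    ("supervisory", "operations", "historian"),
    ("operations", "dmz", "historian"),
    ("dmz", "enterprise", "https"),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str


def classify(flow: Flow) -> str:
    """Label one flow relative to the allow-list and the Purdue ordering."""
    if (flow.src, flow.dst, flow.proto) in ALLOWED:
        return "allowed"
    src_lvl, dst_lvl = LEVELS[flow.src], LEVELS[flow.dst]
    if (flow.dst, flow.src) in ONE_WAY:
        # Traffic travelling back down a conduit that is meant to be one-way.
        return "reverse-of-one-way"
    if src_lvl >= LEVELS["dmz"] and dst_lvl <= LEVELS["supervisory"]:
        # Business or external side reaching into the process network:
        # the "convenient remote access" linkage.
        return "remote-access-into-ot"
    if src_lvl > dst_lvl:
        return "inbound-unapproved"
    return "outbound-unapproved"


def audit(flows):
    """Group flows by label; every bucket other than 'allowed' needs review."""
    report = defaultdict(list)
    for f in flows:
        report[classify(f)].append(f)
    return dict(report)


# Constructed sample flows, as a firewall log or NetFlow export mapped to
# zones might yield.
SAMPLE_FLOWS = [
    Flow("control", "supervisory", "modbus"),
    Flow("operations", "dmz", "historian"),
    Flow("dmz", "enterprise", "https"),
    Flow("enterprise", "dmz", "https"),       # response path on a one-way conduit
    Flow("external", "supervisory", "rdp"),   # vendor remote desktop into SCADA
    Flow("enterprise", "operations", "smb"),  # unapproved inbound file share
    Flow("control", "enterprise", "https"),   # controller talking to business LAN
]

if __name__ == "__main__":
    for label, flows in sorted(audit(SAMPLE_FLOWS).items()):
        print(f"{label}: {len(flows)}")
        for f in flows:
            print(f"  {f.src} -> {f.dst} ({f.proto})")
```

Run against real records, the "remote-access-into-ot" and "reverse-of-one-way" buckets are the linkages the segmentation guidance targets: the first is a candidate for removal or for a brokered, monitored access path, the second is evidence that a conduit assumed to be one-way is not actually enforced as such.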

NIST 800-82r3 acknowledges that the risk environment around control systems and operational technologies is dynamic, and provides generalized guidance around managing risk in deployed architectures, software development, physical security risk, et al., according to Hamilton.

“If operators adopt these practices and processes they should be able to minimize the likelihood of an event, but be ready to detect and respond when they occur,” Hamilton added. “Risk management is not perfect, but by bringing OT operators (for example in manufacturing) into the same mindset as critical infrastructure sectors (banks, hospitals, etc.) regarding comprehensive risk management, it is possible to also effectively minimize the impact these threats can produce.”

Rivera highlighted that NIST made some strategic adjustments for r3 which seem to raise the guidance up a level. “For example, adding and pinning organizational risk assessment ownership to the top of the policy and procedure section says a lot. Another introduction was to incorporate hazard analysis in the risk assessment process, as this is critical when determining risk rating of threats and vulnerabilities.”

He added that “they also moved up a level by nesting configuration vulnerabilities to the asset vs. as standalone configuration vulnerability in r2. Again, nuanced changes but the intent is clear – widen the purview of even the technical guidance and appeal to OT security more holistically. Changes like these should enable r3 to be more effectively adopted.” 

In the upcoming segment of this series, slated for release on Monday, the executives will address the potential challenges that organizations might encounter when integrating the guidelines presented in NIST SP 800-82r3 into their OT infrastructure. Furthermore, they will delve into the interplay between NIST SP 800-82r3 and other relevant standards and frameworks in the field of cybersecurity for OT, such as ISA/IEC 62443 and ISO 27001. Additionally, they will provide actionable insights to assist organizations in effectively implementing the principles and recommendations outlined in NIST SP 800-82r3, with the aim of reinforcing the security of their OT systems.
