NIST cyber resiliency framework will cover critical infrastructure controls, maps with ATT&CK for ICS

The National Institute of Standards and Technology (NIST) has updated its guidance that analyzes the potential effects of cyber resiliency on operational technologies (OT), and in particular, on the tactics, techniques, and procedures (TTPs) identified in the ATT&CK for ICS (industrial control systems) knowledge base. It also helps organizations develop cyber-resilient systems, and applies to architectures for critical infrastructures and services, which frequently support multiple essential functions. 

The NIST guidance has included an appendix containing an analysis of the potential effects of cyber resiliency on adversary TTPs used to attack OT, including ICS. The analysis shows how cyber resiliency approaches and controls described in NIST guidance can be used to reduce the risks associated with adversary actions that threaten ICS and critical infrastructure sectors.

The latest NIST update follows its move in September, when it released Draft NISTIR 8374, which prescribes a cybersecurity framework profile covering ransomware risk management for organizations and operators of ICS or OT environments. These measures come at a time when the industrial sector has had to reckon with serious ransomware offensives and supply chain attacks. The surging cybersecurity threat landscape has demonstrated that operational and production disruption is possible.

In its Special Publication (SP) 800-160 Volume 2, Revision 1, titled ‘Developing Cyber-Resilient Systems: A Systems Security Engineering Approach,’ NIST also advises organizations on how to limit the damage that adversaries can inflict by impeding their lateral movement, increasing their work factor, and reducing their time on target. It also works towards helping organizations anticipate, withstand, recover from, and adapt to adverse conditions, stresses, and compromises on systems, including hostile and increasingly destructive cyber-attacks from nation-states, criminal gangs, and disgruntled individuals.

In particular, the NIST guidance provides organizations with updated controls that support cyber resiliency and are consistent with SP 800-53, Revision 5. It also standardizes on a single threat taxonomy and framework, and provides a detailed mapping and analysis of cyber resiliency implementation approaches and supporting controls against the framework's techniques, mitigations, and candidate mitigations.

The NIST guidance also provides an analysis of the potential effects of cyber resiliency on OT, and in particular, on the TTPs identified in the ATT&CK for ICS knowledge base. ATT&CK for ICS closely parallels ATT&CK for Enterprise but differs in several ways: it uses its own numbering scheme for tactics, techniques, and mitigations, and while about half of the mitigations in ATT&CK for ICS correspond to mitigations in ATT&CK for Enterprise, the remaining mitigations are unique to ATT&CK for ICS.

The guidance also describes the process that must be adopted to analyze the potential effects of cyber resiliency on adversary TTPs identified in ATT&CK for ICS. It proposes that organizations determine whether and how the ATT&CK for ICS technique relates to techniques in ATT&CK for Enterprise. Some of the ATT&CK for ICS techniques are executed on an organization’s IT network rather than on its OT network. If the ATT&CK for ICS technique resembles the techniques included under an ATT&CK for Enterprise tactic, the mapping of its mitigations and the identification of candidate mitigations are informed by the prior analysis of ATT&CK for Enterprise.

The next step in analyzing an ATT&CK for ICS technique involves looking at the mitigations identified in the ATT&CK for ICS entry for that technique, the NIST guidance said. Each mitigation, as used for the technique, is analyzed to determine whether it applies any cyber resiliency approaches. If so, the potential effects of the mitigation are then identified, together with the corresponding controls in SP 800-53. Otherwise, the mitigation is not considered further and is not listed in the mapping tables.

Following this, candidate mitigations must be identified. If ATT&CK for Enterprise parallels exist, they are reviewed to identify corresponding candidate mitigations. Additional candidate mitigations are identified by analysis of the technique description, its supporting literature, and a review of information related to cyber resiliency techniques, approaches, technologies, and practices in the ICS domain. 

For each identified candidate mitigation, a technique-specific description is defined. Note, however, that ATT&CK for ICS does not include a section on Detection. Therefore, relatively few Detection candidate mitigations are identified using parallels with ATT&CK for Enterprise techniques, the guidance added.
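The mapping procedure described above, as an added example that is not part of the article or of the NIST guidance: a small Python model of the steps, in which each ICS technique's mitigations are kept in the mapping table only when they apply a cyber resiliency approach, candidate mitigations are collected from the Enterprise parallel (if any) plus technique-specific analysis, and reused mitigations are checked for consistent approach annotations. Every technique, mitigation, approach and control identifier below is a constructed placeholder, not a real ATT&CK or SP 800-53 identifier.

```python
"""Model of the SP 800-160 Vol. 2 mapping procedure for ATT&CK for ICS techniques.

Added example; identifiers such as ICS-T-0001, ICS-M-0001, ENT-T-0001 and CTL-A
are constructed placeholders, not real ATT&CK or SP 800-53 identifiers.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Mitigation:
    mid: str                                            # placeholder mitigation id
    name: str
    approaches: Set[str] = field(default_factory=set)   # cyber resiliency approaches it applies
    controls: Set[str] = field(default_factory=set)     # corresponding (placeholder) SP 800-53 controls


@dataclass
class Technique:
    tid: str                                            # placeholder ICS technique id
    name: str
    mitigations: List[Mitigation]
    enterprise_parallel: Optional[str] = None           # parallel Enterprise technique, if one exists
    ics_specific_candidates: List[str] = field(default_factory=list)


# Candidate mitigations already worked out for Enterprise techniques (constructed sample).
ENTERPRISE_CANDIDATES: Dict[str, List[str]] = {
    "ENT-T-0001": [
        "Segment engineering and business networks",
        "Detection: alert on new remote sessions to engineering hosts",
    ],
}


def analyze_technique(t: Technique):
    """Return (mapping rows, candidate mitigations) for one ICS technique."""
    rows = []
    for m in t.mitigations:
        if not m.approaches:
            # Mitigation applies no cyber resiliency approach: not listed in the mapping tables.
            continue
        rows.append({
            "technique": t.tid,
            "mitigation": m.mid,
            "approaches": sorted(m.approaches),
            "controls": sorted(m.controls),
        })
    candidates: List[str] = []
    if t.enterprise_parallel:
        # Enterprise parallels inform the candidate mitigations.
        candidates.extend(ENTERPRISE_CANDIDATES.get(t.enterprise_parallel, []))
    # Technique-specific candidates from the description, literature and ICS practice.
    candidates.extend(t.ics_specific_candidates)
    return rows, candidates


def check_mitigation_consistency(techniques: List[Technique]) -> List[str]:
    """A mitigation reused across techniques should carry the same approach annotations.

    Returns the ids of mitigations whose annotations differ between techniques.
    """
    seen: Dict[str, Set[str]] = {}
    inconsistent = set()
    for t in techniques:
        for m in t.mitigations:
            previous = seen.setdefault(m.mid, m.approaches)
            if previous != m.approaches:
                inconsistent.add(m.mid)
    return sorted(inconsistent)


def build_mapping(techniques: List[Technique]) -> dict:
    """Run the full procedure over a list of ICS techniques."""
    rows, candidates, detection_candidates = [], {}, 0
    for t in techniques:
        t_rows, t_candidates = analyze_technique(t)
        rows.extend(t_rows)
        candidates[t.tid] = t_candidates
        # ATT&CK for ICS has no Detection section, so these come mostly from Enterprise parallels.
        detection_candidates += sum(c.startswith("Detection:") for c in t_candidates)
    return {
        "rows": rows,
        "candidates": candidates,
        "detection_candidates": detection_candidates,
        "inconsistent": check_mitigation_consistency(techniques),
    }


# Constructed sample input: two placeholder ICS techniques.
SAMPLE_TECHNIQUES = [
    Technique("ICS-T-0001", "Remote access to engineering workstation",
              [Mitigation("ICS-M-0001", "Network segmentation", {"Segmentation"}, {"CTL-A"}),
               Mitigation("ICS-M-0002", "Account use policies")],          # no approach: dropped
              enterprise_parallel="ENT-T-0001",
              ics_specific_candidates=["Route engineering access through a monitored jump host"]),
    Technique("ICS-T-0002", "Loss of control channel",
              [Mitigation("ICS-M-0001", "Network segmentation",
                          {"Segmentation", "Predefined Segmentation"}, {"CTL-A"}),  # differs from above
               Mitigation("ICS-M-0003", "Redundant control channels", {"Replication"}, {"CTL-B"})]),
]

if __name__ == "__main__":
    print(build_mapping(SAMPLE_TECHNIQUES))
```

Run over the constructed sample, the first technique contributes one mapping row (its second mitigation applies no approach and is dropped) and three candidate mitigations, one of them a Detection candidate inherited from the Enterprise parallel; the second contributes two rows and no candidates; and the consistency check flags the reused segmentation mitigation because its approach annotations differ between the two techniques.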

The analysis of mapping consistency for mitigations is captured in an annotation of the listing of ATT&CK for ICS mitigations, while the consistency of mappings for candidate mitigations was addressed through a review of the technique-specific descriptions. Uses of mitigations and candidate mitigations for ATT&CK for ICS that have corresponding ATT&CK for Enterprise mitigations and candidate mitigations were analyzed for consistency.

Last month, the NIST released the second public draft of its Cybersecurity Supply Chain Risk Management (C-SCRM) Practices for Systems and Organizations for public comment. The document lays down guidelines for enterprises on how to identify, assess, select, and implement risk management processes, in addition to mitigating controls across the enterprise to help manage cybersecurity risk in the supply chain.
