NCCoE document advances work on responding to and recovering from cybersecurity incidents within manufacturing sector

The National Cybersecurity Center of Excellence (NCCoE), a part of the National Institute of Standards and Technology (NIST), published a document that focuses on a manufacturing sector problem of responding to and recovering from a data integrity incident. The issue is also relevant and significant to the other industry sectors. 

The NCCoE document addresses the challenge through collaboration with members of the manufacturing sector and vendors of cybersecurity solutions. The resulting reference design will detail an approach that can be incorporated by manufacturing sector organizations. It builds on the March 2022 NCCoE ‘project description’ document to assist manufacturers in responding to and recovering from a cyber attack within the sector. In the coming months, the NCCoE manufacturing team will be publishing a Federal Register Notice based on the final project description. 

Titled “Responding to and Recovering from a cyber attack – cybersecurity for the manufacturing sector,” the project document identifies that the operational technology (OT) systems that run manufacturing environments play a critical role in the supply chain. Industrial control systems (ICS) and devices that run manufacturing environments play a critical role in the nation’s economy. 

Manufacturers rely on ICS to monitor and control physical processes that produce goods for public consumption. These same systems face an increasing number of cyber attacks, presenting a real threat to manufacturing safety and production. Though defense-in-depth security architecture helps to mitigate cyber risks, it cannot guarantee the elimination of all cyber risks. Thus, manufacturing organizations should put in place a plan that works towards recovering and restoring operations should a cyber incident impact operations. 

The goal of the NCCoE project is to demonstrate means to recover equipment from a cyber incident and restore operations. The NCCoE, part of NIST’s Information Technology Laboratory, in conjunction with the NIST Communications Technology Laboratory (CTL) and industry collaborators, will demonstrate an approach for responding to and recovering from an OT attack within the manufacturing sector by leveraging event reporting, log review, event analysis, and incident handling and response. 

The NCCoE document said that once an event is detected, it should be reported to the appropriate predetermined stakeholders for initial triage. The triage process will assign an appropriate priority for handling the incident. Based on the priority, predetermined administrative processes will be activated to distribute information about the risk to the appropriate personnel for timely follow-up actions. 

Events should be written to one or more protected event/audit logs and retained for an adequate time. Logging events is a primary activity for reviewing and analyzing events. Retaining event/audit logs provides support for forensics, which allows the identification of root causes, technical vulnerabilities, behavioral vulnerabilities, and improvement opportunities.

The document said that events should be reviewed to detect and identify suspicious activities and security violations and to prioritize them. With an appropriate history of events, an event analysis can be conducted to correlate events and to better understand the circumstances surrounding their occurrence. All of these activities support an event response, including determining root causes and taking actions to minimize impacts and better protect the system from suspicious activities and security violations in the future.

Security-related events should be analyzed to identify and characterize attacks, security compromises, and security incidents. Events are analyzed for two primary reasons. The first is to identify compromises and suspicious conditions, which is often achieved by correlating related events to establish the conditions surrounding their occurrence, discover root causes, decide how to handle them, and protect against recurrence. The second is to prioritize and categorize the incident based on the risk it poses.
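The report-triage-correlate-prioritize flow described above, as an added illustration that is not part of the NCCoE document or the article: a small Python triage routine that parses constructed OT event log lines, groups events by actor inside a time window, maps them to the attack stages the document names (initial access, discovery, lateral movement) and assigns a handling priority. The log format, host names, event types and the stage mapping are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample OT event log (not from the NCCoE document): a contractor account
# logs in to an engineering workstation, scans the control network, moves to a PLC and
# pushes new logic; an unrelated failed HMI login follows later.
SAMPLE_LOG = """\
2022-11-14T08:00:02 host=eng-ws-01 event=login_success user=contractor src=10.10.5.23
2022-11-14T08:03:10 host=eng-ws-01 event=network_scan user=contractor dst_range=10.20.0.0/24
2022-11-14T08:05:44 host=plc-cell-03 event=login_success user=contractor src=10.10.5.23
2022-11-14T08:06:01 host=plc-cell-03 event=logic_download user=contractor
2022-11-14T09:30:00 host=hmi-02 event=login_failed user=operator src=10.10.5.40
"""
LINE_RE = re.compile(r"^(\S+) host=(\S+) event=(\S+)(.*)$")
# Hypothetical mapping from event types to the stages the document names (initial
# access, discovery), plus an "impact" stage for logic changes pushed to a PLC.
STAGE = {"login_success": "initial_access", "network_scan": "discovery",
         "logic_download": "impact"}

def parse(log):
    """Parse key=value log lines into event dicts; malformed lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, host, ev, rest = m.groups()
        fields = dict(kv.split("=", 1) for kv in rest.split())
        events.append({"ts": datetime.fromisoformat(ts), "host": host, "event": ev, **fields})
    return events

def triage(log, window=timedelta(minutes=15)):
    """Correlate events per actor inside a time window and assign a triage priority."""
    by_actor = defaultdict(list)
    for e in parse(log):
        by_actor[e.get("user") or e.get("src") or e["host"]].append(e)
    incidents = {}
    for actor, evs in by_actor.items():
        evs.sort(key=lambda e: e["ts"])
        related = [e for e in evs if e["ts"] - evs[0]["ts"] <= window]
        stages = {STAGE[e["event"]] for e in related if e["event"] in STAGE}
        hosts = {e["host"] for e in related}
        if "impact" in stages:
            priority = "high"    # process logic touched: activate the response process now
        elif len(hosts) > 1:
            priority = "medium"  # same actor on a second host: lateral movement
        else:
            priority = "low" if stages else "info"  # single stage, or nothing attack-related
        incidents[actor] = {"hosts": sorted(hosts), "stages": sorted(stages), "priority": priority}
    return incidents
```

Run `triage(SAMPLE_LOG)` to see the contractor chain surface as a single high-priority incident spanning both hosts, while the lone failed HMI login stays informational; shrinking the window drops the PLC events out of the chain and lowers the priority.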

The NCCoE document also lays down that an incident response process should be employed and kept current for evaluating and responding to OT cyber incidents. A process for evaluating cyber incidents should be used that identifies the potential impacts, threats, and vulnerabilities that allowed the incident to occur. Evaluation of OT security incidents allows manufacturers to determine their impact so that an appropriate response can be developed and implemented. An appropriate response should include containment, reducing the impact, applying countermeasures to mitigate root causes, and protecting the OT against future threats.

The objective of the eradication and recovery phase is to allow the return of normal operations by eliminating artifacts of the incident and mitigating the vulnerabilities or other conditions that were exploited. Once the incident is contained, all means of persistent access into the network should be eradicated so that any malicious actor activity is sufficiently limited, and that all evidence has been collected. It may also involve hardening or modifying the environment to protect targeted systems and remediating the infected systems. This is often an iterative process. The impacted systems should be restored to operation with verification that they are operating as expected.

The NCCoE will map the security characteristics to the NIST Cybersecurity Framework and NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations and will provide commercial off-the-shelf (COTS) based modular security controls for manufacturers. NCCoE will implement each of the listed capabilities in a discrete-based manufacturing work cell that emulates a typical manufacturing process. The project will result in a freely available NIST Cybersecurity Practice Guide.

The NCCoE document assumes that the cyber incident is discovered either after some impact has occurred or before the impact occurs. A cyber incident can be caused by a variety of factors including but not limited to a well-intentioned insider making a change without proper testing, a malicious insider, or an outside adversary. 

It also identifies that a comprehensive security architecture should be designed to detect cyber incidents before impact including detection of initial access, discovery, and lateral movement. However, a comprehensive defense should also be prepared to restore and recover if a cyber incident is not detected until it is too late. The guide focuses on the hopefully rare event of a cyber incident causing an impact. 

The project also assumes that the lab infrastructure has a relatively small number of robotic and manufacturing process nodes which are representative of a larger manufacturing facility. The effectiveness of the example solutions is independent of the scale of the manufacturing environment. Additionally, the project focuses on the ‘respond’ and ‘recover’ portions of the NIST Cybersecurity Framework. It is assumed that the ‘identify,’ ‘detect,’ and ‘protect’ functions have been implemented to some maturity level and operationalized.

The NCCoE document also describes the challenges that implementations of recovery solutions and procedures need to acknowledge: restoration procedures that rely on backups are designed to return the system to some previous state, but the ‘last known good state’ may not necessarily be free of vulnerabilities. Some of the challenges associated with backups include that vulnerabilities may exist in backup data, backup data may be compromised while in storage, or dormant or inactive malware may exist in backup data.

In March, the NCCoE introduced a document in collaboration with NIST’s Engineering Laboratory (EL) and cybersecurity technology providers that addresses cybersecurity challenges facing the manufacturing sector. The document offers data-driven insights and is based on lab-tested analysis of several essential manufacturing system testbeds.

Earlier this week, the NCCoE published a draft project description seeking feedback from all stakeholders in the water and wastewater utilities sector. The NCCoE project is working to ensure that its guidance can benefit the broadest audience and is especially interested in hearing from water utilities of all sizes. The public comment period is open until Dec. 19, 2022.
