New NIST SP 800-82r3 document published focusing on expansion in scope from ICS to OT

The National Institute of Standards and Technology (NIST) published Thursday the third revision of NIST SP 800-82, with updates focusing on the expansion in scope from industrial control systems (ICS) to operational technology (OT); updates to OT threats and vulnerabilities; and updates to OT risk management, recommended practices, and architectures. The NIST SP 800-82r3 document provides OT asset owners and operators with updates to current activities in OT security; and updates to security capabilities and tools for OT.

The document also delivers additional alignment with other OT security standards and guidelines, including the Cybersecurity Framework. It adds new tailoring guidance for NIST SP 800-53, Rev. 5 security controls, including an OT overlay for those controls that provides tailored security control baselines for low-, moderate-, and high-impact OT systems.

The NIST document provides guidance on how to secure OT while addressing its unique performance, reliability, and safety requirements. OT encompasses a broad range of programmable systems and devices that interact with the physical environment (or manage devices that interact with the physical environment). These systems and devices detect or cause a direct change through the monitoring and/or control of devices, processes, and events.

The intended audience is varied and includes control engineers, integrators, and architects who design or implement OT systems; system administrators, engineers, and other information technology (IT) professionals who administer, patch, or secure OT systems; and security consultants who perform security assessments and penetration testing of OT systems. 

It is also aimed at managers who are responsible for OT systems; senior management who need to better understand the risks to OT systems as they justify and apply for an OT cybersecurity program; researchers and analysts who are trying to understand the unique security needs of OT systems; and vendors who are developing products that will be deployed as part of an OT system.

NIST SP 800-82r3 offers an overview of OT, including a comparison between OT and IT systems. It also discusses the development and deployment of an OT cybersecurity program to mitigate the risk posed by vulnerabilities. It proceeds to examine OT security risk management and the application of the Risk Management Framework to OT systems. It also provides recommendations for integrating security into network architectures typically found in OT systems, with an emphasis on network segmentation and separation practices, and lastly offers guidance on applying the Cybersecurity Framework to OT systems.

OT is vital to the operation of U.S. critical infrastructures, which are often highly interconnected and mutually dependent systems, both physically and through a host of information and communications technologies. These systems encompass a range of programmable systems and devices that interact with the physical environment (or manage devices that interact with the physical environment). These systems and devices detect or cause a direct change through the monitoring and/or control of devices, processes, and events.

The NIST SP 800-82r3 document recognizes that “much of today’s OT evolved from the insertion of IT capabilities into existing physical systems, often replacing or supplementing physical control mechanisms. Improvements in cost and performance have encouraged this evolution and resulted in many of today’s ‘smart’ technologies, such as the smart electric grid, smart transportation, smart buildings, smart manufacturing, and the Internet of Things.” 

“While this increases the connectivity and criticality of these systems, it also creates a greater need for their adaptability, resilience, safety, and security,” the document notes. “Engineering OT continues to provide new capabilities while maintaining the typical long life cycles of these systems. The introduction of IT capabilities into physical systems presents emergent behavior with security implications. Engineering models and analysis are evolving to address these emergent properties, including safety, security, privacy, and environmental impact interdependencies.”

The document addresses OT system operation, architectures, and components covering OT system design considerations; SCADA (supervisory control and data acquisition) systems; distributed control systems; Programmable Logic Controller (PLC)-based topologies; building automation systems; physical access control systems; safety systems; and industrial Internet of Things (IIoT). 

The NIST SP 800-82r3 document said that to mitigate cybersecurity risks to their OT systems, organizations need to develop and deploy an OT cybersecurity program. It should be consistent and integrated with existing IT cybersecurity programs and practices but also account for the specific requirements and characteristics of OT systems and environments. Organizations should regularly review and update their OT cybersecurity plans and programs to reflect changes in technologies, operations, standards, regulations, and the security needs of specific facilities. 

“Effective integration of cybersecurity into the operation of OT requires defining and executing a comprehensive program that addresses all aspects of cybersecurity,” according to the NIST document. “This includes defining the objectives and scope of the program; establishing a cross-functional team that understands OT and cybersecurity; establishing policies and procedures; identifying cyber risk management capabilities that include people, processes, and technologies; and identifying day-to-day operations of event monitoring and auditing for compliance and improvement. When a new system is being designed and installed, it is imperative to take the time to address security throughout the life cycle, including architecture, procurement, installation, maintenance, and decommissioning.” 

It added that deploying systems to the field based on the assumption that these systems will be secured later introduces significant risks to the systems and the organization. “If there is not enough time and resources to properly secure the system before deployment, it is unlikely that security will be addressed at a later time. Since new OT systems are designed and deployed less frequently than IT systems, it is much more common to improve, expand, or update an existing OT system than to design a new one.”

The NIST SP 800-82r3 document moves on to establish a cybersecurity program charter for the OT cybersecurity program that should include program objectives, scope, and responsibilities. Senior management establishes the OT cybersecurity program charter and identifies an OT cybersecurity manager with the appropriate authority to lead the OT cybersecurity program. 

The document also addresses OT cybersecurity that supports the mission and business functions of the organization and provides additional benefits, including improving OT system safety, reliability, and availability; improving OT system efficiency; reducing community concerns; reducing legal liabilities; meeting regulatory requirements; and helping with insurance coverage and costs. 

Additionally, the NIST SP 800-82r3 document said that a well-defined business case for an OT cybersecurity program is essential for management buy-in to ensure the long-term commitment of the organization and the allocation of resources needed for the development, implementation, and maintenance of the program. It also covered resources for building a business case and presenting the OT cybersecurity business case to leadership. 

The NIST document provides recommendations for establishing, implementing, maintaining, and continually improving an OT cybersecurity program. These recommendations are independent, which allows the organization to select the approaches and technologies that are most suitable to its needs. 

Moreover, an OT cybersecurity program is typically tailored to a specific OT environment. “An organization may have multiple sites, each with multiple specific OT environments. In such situations, an organizational-level OT security program should be defined with recommendations that cascade down and adapt to the needs of individual sites and OT environments,” it added.

The OT cybersecurity program should establish OT cybersecurity governance, build and train a cross-functional team to implement the OT cybersecurity program, define the OT cybersecurity strategy, define OT-specific policies and procedures, establish a cybersecurity awareness training program for the OT environment, implement a risk management framework for OT, develop a maintenance tracking capability, develop an incident response capability, develop a recovery and restoration capability, and provide a summary of OT cybersecurity program content. 

The NIST SP 800-82r3 document moves on to focus primarily on OT system considerations at the system level, though the risk management activities, information, and artifacts at each level impact and inform the other levels. 

A risk management process is deployed throughout an organization using a three-level approach to address risk at the organization level, the mission and business process level, and the system level, covering both IT and OT, NIST states. “The risk management process is carried out seamlessly across the three levels with the overall objective of continuous improvement in the organization’s risk-related activities and effective inter-tier and intra-tier communication among all stakeholders with a shared interest in the success of the organization,” it added.

The NIST SP 800-82r3 document detailed that when designing a security architecture for an OT environment, it is generally recommended to separate the OT network(s) from the corporate network. The nature of network traffic on these two network types is different. “Practical considerations – such as digital transformation, the cost of OT installation, or maintaining a homogenous network infrastructure – often mean that a connection is required between OT and corporate or other IT networks. This connection represents additional risk, and organizations may want to minimize these connections and consider additional security controls for them,” it added.
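One check a practitioner can run against the separation guidance above, as an added example that is not from the NIST document: audit a firewall rule set for accept rules that join the corporate and OT control zones directly (instead of brokering through an OT DMZ), admit traffic into the control zone without a fixed protocol and port, or lack a closing default-deny rule. The zone CIDRs, the rule format and the sample rules are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Optional

# Constructed zone map (assumption): corporate IT, an OT DMZ, and the OT control network.
ZONES = {
    "corporate": ip_network("10.10.0.0/16"),
    "ot_dmz": ip_network("10.20.0.0/24"),
    "ot_control": ip_network("10.30.0.0/16"),
}


@dataclass(frozen=True)
class Rule:
    src: str            # CIDR; "0.0.0.0/0" means any source
    dst: str            # CIDR; "0.0.0.0/0" means any destination
    proto: str          # "tcp", "udp" or "any"
    dport: Optional[int]
    action: str         # "accept" or "drop"


def zones_touched(cidr: str) -> set:
    """Names of every zone the CIDR overlaps (0.0.0.0/0 overlaps all of them)."""
    net = ip_network(cidr)
    return {name for name, zone in ZONES.items() if net.overlaps(zone)}


def audit(rules: list) -> list:
    """Return (finding, rule) pairs for rules that weaken OT/corporate separation."""
    findings = []
    for r in rules:
        if r.action != "accept":
            continue
        src, dst = zones_touched(r.src), zones_touched(r.dst)
        # Corporate and control zones must not talk directly in either direction.
        if ("corporate" in src and "ot_control" in dst) or ("ot_control" in src and "corporate" in dst):
            findings.append(("direct-corporate-ot", r))
        # Anything admitted into the control zone must be pinned to a protocol and port.
        elif "ot_control" in dst and (r.proto == "any" or r.dport is None):
            findings.append(("unrestricted-into-ot", r))
    last = rules[-1] if rules else None
    if not (last and last.action == "drop" and last.src == "0.0.0.0/0" and last.dst == "0.0.0.0/0"):
        findings.append(("missing-default-deny", None))
    return findings


# Constructed sample rule set: two brokered flows, one direct RDP hole, one catch-all, then default deny.
SAMPLE_RULES = [
    Rule("10.10.0.0/16", "10.20.0.10/32", "tcp", 443, "accept"),    # corporate -> DMZ historian
    Rule("10.20.0.10/32", "10.30.1.0/24", "tcp", 502, "accept"),    # DMZ historian -> control subnet
    Rule("10.10.5.0/24", "10.30.0.0/16", "tcp", 3389, "accept"),    # corporate VLAN straight into control
    Rule("0.0.0.0/0", "10.30.0.0/16", "any", None, "accept"),       # any source into control, any port
    Rule("0.0.0.0/0", "0.0.0.0/0", "any", None, "drop"),            # default deny
]
```

Running `audit(SAMPLE_RULES)` flags the third and fourth rules as direct corporate-to-control paths; dropping the final rule adds a missing-default-deny finding.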

When it came to applying the Cybersecurity Framework to OT, the NIST document said that many public and private-sector organizations have adopted the NIST Cybersecurity Framework (CSF) to guide cybersecurity activities and consider cybersecurity risks. The Framework consists of five concurrent and continuous Functions – Identify, Protect, Detect, Respond, and Recover – for presenting industry standards, guidelines, and practices in a manner that allows for the communication of cybersecurity activities and outcomes across the organization. 

When considered together, these Functions provide a high-level, strategic view for cybersecurity risk management.

Earlier this week, the National Cybersecurity Center of Excellence (NCCoE), part of NIST, published the final NIST IR 8441, a Cybersecurity Framework (CSF) profile for hybrid satellite networks (HSN). The HSN CSF Profile (HSN Profile) serves as a guiding resource for space stakeholders and is ideal for applications that entail multiple stakeholders participating in activities related to imagery, sensing, broadcasting, communication, or other space-based architectures.
