NCCoE project on manufacturing focuses on Respond and Recover elements, guides mitigation of cyber incidents

The National Institute of Standards and Technology (NIST) released Thursday a bulletin inviting industry participants and other interested collaborators to participate in the National Cybersecurity Center of Excellence (NCCoE) project, which focuses on responding to and recovering from a cyber incident within an operational technology (OT) environment. The NCCoE project focuses on the Respond and Recover portions of the NIST Cybersecurity Framework (NIST CSF) while guiding manufacturing organizations in designing mitigations into an OT environment to address cyber incidents.

“Manufacturing organizations rely on OT to monitor and control physical processes that produce goods for public consumption,” the NCCoE document identified. “These same systems are facing an increasing number of cyber incidents resulting in a loss of production from destructive malware, malicious insider activity, or honest mistakes. This creates the imperative for organizations to be able to quickly, safely, and accurately recover from an event that corrupts or destroys data (e.g., database records, system files, configurations, user files, application code),” it added. 

The bulletin added that the industrial control systems (ICS) and devices that run manufacturing environments play a critical role in the supply chain. These same systems face an increasing number of cyber attacks that present a threat to safety, production, and economic impact on manufacturing organizations. 

With the proliferation of Industry 4.0, enterprises are connecting business systems and IT networks to OT networks to improve business agility and operational efficiency. However, recent attacks on OT have shown that malicious actors are pivoting into the OT environment from business systems and IT networks. Most OT systems have been historically isolated from business systems and IT networks, and therefore, were not designed to withstand cyberattacks. 

The cyber risk mitigation technologies used in IT networks are often not suitable for OT networks because of the real-time and deterministic nature of the OT. These lead to the increasing likelihood that organizations may have to respond or recover from an OT cyber incident. 

The NCCoE, in collaboration with members of the business community and vendors of cybersecurity solutions, will identify standards-based, commercially available, and open-source hardware and software components to design a manufacturing lab environment to address the challenge of responding to and recovering from a cyber incident in an OT environment.

The NCCoE project assumes that the cyber incident is discovered after some impact has occurred or before the impact occurs. It also supposes that the lab infrastructure for the project has a relatively small number of robotic and manufacturing process nodes, which are representative of a larger manufacturing facility, and the effectiveness of the example solutions is independent of the scale of the manufacturing environment.

It is assumed that the Identify, Detect, and Protect functions have been implemented to some maturity level. Certain capabilities are operationalized including necessary technologies such as managed and protected physical access to the site, segmentation of OT assets from IT assets, authentication and authorization mechanisms for accessing OT assets and fully managed remote access to the OT environment and OT assets.

Once a cybersecurity event is detected, event reporting, log review, event analysis, incident handling and response, and eradication and recovery take place before the event is satisfactorily resolved. The project also builds upon NIST Special Publication 1800-10: Protecting Information and System Integrity in Industrial Control System Environments by identifying and demonstrating capabilities to improve response to and recovery from cyber incidents in the OT environments. 

The NIST CSF Respond and Recover functions and categories have been used to guide this project. The objective of the ‘Respond function’ is to develop and implement the appropriate activities to take action regarding a detected cybersecurity event, while that of the ‘Recover function’ is to develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event. 

Some of the challenges that the NCCoE project cover implementations that provide recovery solutions and procedures need to acknowledge that restoration procedures that involve the use of backups are designed to restore the system to some previous state, but the ‘last known good state’ may not necessarily be free of vulnerabilities. When it comes to backup, some of the challenges acknowledged include vulnerabilities that may exist in backup data, backup data may be compromised while in storage, and dormant or inactive malware may exist in backup data.

The NCCoE project will demonstrate an approach for responding to and recovering from an OT cyber incident within the manufacturing sector. The cybersecurity capabilities of event reporting, log review, event analysis, incident handling, and eradication and recovery are the typical sequential tasks that take place as part of an Incident Response and Recovery process once a cybersecurity event is detected.

These capabilities are also described in detail in ISA/IEC 62443-2-1, Security Program Requirements for IACS Asset Owners. ISA/IEC 62443 is a collection of international standards for industrial automation and control system (IACS) cybersecurity published by the International Society of Automation. The NCCoE project assesses that systematically executing these capabilities requires appropriate Respond and Recover roles and personnel assigned to these roles. 

The NCCoE project also demonstrated using a couple of scenarios the NIST CSF Respond and Recover functions, which could subsequently impact plant operations. “We expect different incidents to require different response and recovery steps and these scenarios provide an opportunity to demonstrate varied capabilities that will address response and recovery,” it added.

In its ‘Architecture and Capabilities of Lab Environment,’ the NCCoE project describes the OT testbed systems in the lab, which will be used to demonstrate the cybersecurity capabilities for Respond and Recover functions. 

It identified that in the manufacturing process, the system is a model manufacturing line consisting of a sorting conveyor system, a robotic arm for parts handling and assembly, and a storage area for finished parts. “Three types of parts (top, bottom, and reject) are inserted into an infeed magazine which dispenses them one at a time to the conveyor. Sensors on the conveyor classify the parts by type. Top and bottom pieces are transported to the end station for pickup by the robot. Reject pieces and out-of-order top and bottom pieces are rejected down a chute,” it added. 

The NCCoE project also said that a robotic arm retrieves the bottom and top halves from the end of the conveyor and places them in an assembly station. “Once both halves arrive, the robot assembles the two parts before placing them into storage racks. Sensors on the assembly station and in the storage racks verify the presence of parts. The Supervisor PLC controls coordinate the two lower-level systems,” it added.

The project also includes characteristics of the commercial products that the NCCoE will apply to the cybersecurity challenge to the applicable standards and best practices described in the NIST CSF. The exercise is meant to demonstrate the real-world applicability of standards and best practices but does not imply that products with these characteristics will meet an industry’s requirements for regulatory approval or accreditation.

In November, the NCCoE published a document that focuses on a manufacturing sector problem of responding to and recovering from a data integrity incident. The issue is also relevant and significant to the other industry sectors. The NCCoE document addresses the challenge through collaboration with members of the manufacturing sector and vendors of cybersecurity solutions.

Anna Ribeiro

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.