Empowering OT security to navigate infrastructure cyber threats using NIST SP 800-82r3 recommendations

With repercussions from cybersecurity threats and attacks on infrastructure control system owners/operators becoming increasingly significant and apparent, the National Institute of Standards and Technology (NIST) responded last month by introducing the NIST SP 800-82r3 document. The guidance centers on safeguarding operational technology (OT), pivotal for overseeing crucial infrastructure across sectors such as energy, water, transportation, and manufacturing. Dealing with the complex landscape of cybersecurity threats, vulnerabilities, and risks poses a significant challenge for infrastructure control system owners and operators, particularly in light of resource constraints.

The NIST SP 800-82r3 document serves as a crucial resource, offering comprehensive guidance on fortifying the security of OT systems. It addresses the specific challenges faced by OT environments in various sectors, emphasizing implementation of robust security measures to mitigate risks and ensure the resilience of critical infrastructure. By delineating best practices and risk management strategies tailored to the intricacies of OT, the NIST SP 800-82r3 document facilitates a proactive approach to cybersecurity, enabling organizations to safeguard their operations against emerging threats.

In the first part of this series, Industrial Cyber reached out to industrial cybersecurity experts, who delved into the progression of the NIST SP 800-82r3 release and evaluated its effectiveness in bolstering OT security.

Overcoming integration challenges of NIST SP 800-82r3 in OT infrastructure

The executives shared insights on the potential challenges organizations might confront while incorporating the guidelines from NIST SP 800-82r3 into their OT infrastructure. They also provided an analysis of how the document addresses these issues.

Michael Gilsinger, OT chief architect at ARAUCO, outlined that the typical challenges an organization might encounter when implementing the guidelines from NIST SP 800-82r3 in their OT infrastructure include a lack of resources, complexity of the OT system, lack of expertise, and existing integrations with other systems. 

He told Industrial Cyber that he expects r3 to help address some of these challenges by providing guidance on how to implement security controls with limited resources, recommending a risk-based approach to security, providing a comprehensive set of security controls that can be tailored to the organization’s specific needs, and providing guidance on how to integrate security controls with existing systems.

“The biggest challenges are resources, specifically finding qualified personnel with experience to handle 16 different types of OT organizations and the financial means to support these efforts,” Chris Warner, senior security consultant for OT governance and risk at GuidePoint Security, told Industrial Cyber. “Most importantly, the time it will take to perform these activities will assist organizations to employ consultants or advisors to assist in what has needed to be done over a decade when attacks first started happening.” 

Warner added that “we’ve seen drastic increases in attacks in the last 5-8 years yet organizations have not had the resources or focus due to compliance demands which is not security and finding qualified, experienced OT/IT security personnel that understand both to ensure we move into Industry 4.0 with business resilience as these organizations are on the front lines protecting countries’ critical infrastructure.”

Mike Hamilton, CISO of Critical Insight, told Industrial Cyber that one of the keys to managing risk is addressing impact, and that to ‘buy down’ risk by addressing the impact term, operators must monitor their environments to detect when preventive controls have failed. “This is paramount in today’s threat environment, where cyber tools in use by nation-states and criminals have evolved to be extremely stealthy.”

“Monitoring the protocols specific to SCADA and other OT environments is a challenge, and 800-82r3 somewhat addresses this; active, and not passive monitoring is becoming more prevalent to detect not only aberrational events, but to identify vulnerabilities that must be addressed,” Hamilton added. “Active monitoring in a control room setting can be tricky, and very specific products that are engineered for the purpose are now more available.”

“The R3 is very comprehensive and while it doesn’t specifically engineer cyber threats ‘out’ as INL’s Consequence-Driven Cyber Engineering is intended to do, it does engineer security in,” E. Christian Hager, vice president of business development at Fend Incorporated, told Industrial Cyber. “The problem we have seen with OT cyber operations especially smaller operators of water/wastewater facilities, electric co-ops and smaller manufacturing operations, is that there is a significant lack of resources to address day-to-day issues in IT, let alone what is needed for a ‘heavy lift,’ such as a cybersecurity program development or a re-engineering effort.” 

He added that “we need to remember a large portion of the 153,000 water/wastewater operators and 900 electric co-ops in the US are small or very small and do not have budgets for cyber.”

“In many cases, an OT program is a ‘nice-to-have,’ if they even have an in-house IT program,” according to Hager.

“The R3 lays out numerous components that can be implemented as a service subscription through an integrator/service provider, for example network monitoring, asset assessments, threat detection and response, and SCADA-as-a-service tools such as one-way gateways (data diodes) that will lend themselves to a Defense-in-Depth strategy,” Hager added. “The thought here is to prevent the less sophisticated attacks and ransomware lockouts to keep the operations running.”

Jason Rivera, director at Security Risk Advisors, cautioned that he doesn’t “think r3 itself is going to change the landscape of adoption or implementation of any guidelines. While r3 clearly moves the guidance closer to today’s reality of OT cybersecurity possibilities, the same challenge affecting adoption of these standards is the same challenge impacting the adoption of any security measures for OT today: budget and organizational or executive buy-in.” 

“But I think NIST may have a leg up in helping to build and improve OT security maturity because r3 is generally achievable, and both IT and OT leadership can understand it which should ultimately mean more support,” he told Industrial Cyber. 

Alignment of NIST SP 800-82r3 with existing OT cybersecurity standards 

The experts examine the alignment of the third revision of NIST SP 800-82 with other pertinent standards and frameworks in the realm of OT cybersecurity, including but not limited to ISA/IEC 62443 and ISO 27001.

Gilsinger said that NIST SP 800-82 aligns with other relevant standards and frameworks in the field of cybersecurity for OT, such as ISA/IEC 62443 and ISO 27001, as all three standards and frameworks are formed on a risk-based approach to security and cover a wide range of security topics. “Specifically, NIST SP 800-82r3 references ISA/IEC 62443 throughout the document and uses the ISA/IEC 62443 terminology for security controls and covers all of the controls required for ISO 27001 compliance,” he added.

“For the first time NIST has worked to align with global standards such as ISA/IEC 62443 by creating cross-walks and mapping spreadsheets,” Warner said. “NIST has also worked hard in cross-walking to several other OT/ICS specific frameworks, helping the 16 critical organizations align to frameworks that best fit their organization.”

While IEC 62443 is a framework of standards, R3 provides solid recommendations including specific tool types to improve the security of OT systems, Hager said. “It is designed to assist in improving the defensive posture of existing OT & SCADA systems and should fit nicely into consequence-driven cyber-informed engineering.”

“From one important perspective, the R3 was released at almost the same time as the DoD’s Unified Facilities Criteria (UFC 4-010-06) for Cybersecurity of Facility-Related Control Systems (FRCS) which sets the guidelines for mission critical control systems on military installations,” Hager identified. “While not specifically aligned with R3, it does call for alignment with 800-82 and addresses some of the same criticalities in securing Level 0 & level 1 non-networked field control systems, especially calling out the need for (micro) segmentation. The UFC also mentions the use of data diodes (unidirectional gateways) as a secure network monitoring tool that are now available in a much more affordable price class.”

Rivera noted that, to an extent, NIST and ISA/IEC 62443 are competing for adoption. But while they share some common objectives, they have two entirely different intents. “NIST is wide ranging and dials into unique sectors (like OT) with Special Publications whereas ISA/IEC 62443 is dead specific for OT. 62443 is also generally more adopted in regulated industries. ISO 27001 is so heavily focused on confidentiality, integrity and availability over safety, reliability, and availability, that I don’t think it warrants a standalone role in OT even with the IT/OT convergence we’re seeing.”

He suggests that the best approach is to integrate only the standards and frameworks which are applicable to an organization’s risk.

Enhancing OT security through NIST SP 800-82r3 implementation

The executives offer actionable advice and guidance to organizations aiming to efficiently implement the principles and recommendations delineated in NIST SP 800-82r3, thereby fortifying the security of their OT systems.

“Start with a risk assessment. Then develop a security plan. Implement this plan and security controls in a phased approach and monitor your security posture looking for opportunities for improvement on an ongoing basis,” Gilsinger put forward. 

Focusing on the critical items to remember when implementing NIST SP 800-82r3, he pointed out that to “get buy-in from management, this is imperative for obvious reasons. Remember this is not a destination, it is a journey. Educate your employees; the majority of incursions can be avoided through human behavior. Use a risk-based approach; not everything needs to be locked up in Fort Knox.”

And last but not least, BE PATIENT, Gilsinger said. “It took years to get here, it will take time to resolve the collection of vulnerabilities that have existed in our OT environments from day 1.”

First and foremost, conducting a comprehensive security program review is essential, Warner said. “This includes a meticulous enumeration of the environment, encompassing all Operational Technology (OT) and associated IT systems. Following this, perform a Risk Assessment that identifies critical assets and vulnerabilities within these systems. A vital step involves developing a precise Risk Management Plan and implementing micro-segmentation, enclaves, and safe restart zones to effectively segment the network.” 

Warner also raised the need for continuous vigilance to be maintained through monitoring network traffic and implementing stringent access controls. “Establish a detailed Incident Response Plan and provide ongoing training to personnel. It is imperative to revisit and refine these strategies annually, acknowledging that cybersecurity is an ever-evolving landscape that demands proactive measures and continuous improvement through program reviews and assessments.”

Hager said that while it is impossible to generalize what each OT operator needs, especially not knowing what their budget is, there are some tools available that certainly can benefit OT/ICS/SCADA networks. “CISA offers a free tool for critical infrastructure that will run network assessments and analyses, giving the client the chance to see their network through the eyes of a threat actor. These analyses will show vulnerabilities and provide suggested mitigations,” he added. 

The R3 provides a solid base for a defense-in-depth strategy that can augment an existing OT system, help patch remote access vulnerabilities, or assist with a fortification of the network segmentation, Hager noted. 

“I suggest every organization understand the principles outlined in NIST SP 800-82r3 and create their own unique, fit for purpose and right-sized plan based on some of its aspects,” Rivera said. “Gaining executive and organizational level buy-in to resource and support these initiatives is probably a bigger challenge than simply learning and implementing r3. Starting or maturing an OT cybersecurity program in alignment with NIST is likely to gain favor in lesser regulated industries due to being competent enough for OT and already widely adopted for IT (which every organization also has),” he concluded.