It’s every system administrator’s nightmare:
You pick up the phone and your COO is on the line. “In two weeks we want you to come up with a plan to completely secure OT operations across our 17 facilities nationwide. Oh, and we want this to be your own original work. No using anyone else’s designs or ideas.”
[Insert panic reaction.]
Designing OT cybersecurity plans is never a piece of cake. Fortunately, in the real world, you don’t need to construct OT security plans from scratch.
OT cyber security frameworks & standards enable you to do a much better job in much less time (although a two-week deadline might still qualify as a nightmare). They also tend to reduce costs (by up to 30%, according to the ISA!).
OT cyber security frameworks come in different flavors: some are general, others are industry-specific; some are put forward by public-sector agencies, others by private sector organizations; some are government- or industry-mandated, others are purely suggestions.
So which framework is best for securing your organization’s OT? Let’s take a look at seven of the most popular OT cyber security frameworks, who should use them and what they contain.
CISA Cybersecurity Best Practices for Industrial Control Systems
Overview: The Cybersecurity Best Practices for ICS, a two-page document covering 8 areas, is an easy read. It covers:
Highlighted suggestions on their guidance list include:
NCSC Cyber Security Design Principles
Overview: NCSC sets out five primary cybersecurity design principles that build on each other in an arc that moves from prevention to remediation:
ISA/IEC 62443 Standards for Security of Industrial Automation and Control Systems
Overview: The ISA/IEC 62443 series of standards takes into account the multiple roles involved in the design and operation of industrial automation and control systems. While asset owners have overall responsibility for the security of their OT system, they need the cooperation of their product suppliers, their system integrators and their maintenance providers.
The core ISA/IEC 62443 Standard is Part 2-1, which sets the requirements for security plans. The other standards derive their definitions and directions from Part 2-1, including:
Other standards in the series define security program ratings and technical security requirements for IACS components.
ISA/IEC 62443 is one of the most comprehensive OT cyber security frameworks out there, and it’s no surprise it has been integrated into the UN Economic and Social Council’s draft proposal for a common regulatory framework on cyber security in Europe.
Note: while the ISA/IEC offer the complete ISA/IEC 62443 documentation as a paid product, they also offer a quick start guide for free.
ENISA Good Practices for Security of Internet of Things in the Context of Smart Manufacturing
Overview: ENISA’s “Good Practices for Security of IoT in the Context of Smart Manufacturing” covers best practices in 20 domains within the Industry 4.0 landscape, divided into three main groups: policies, organizational practices and technical practices.
Policies: These are policies and procedures that should be adopted by all organizations that use IIoT, covering the areas of:
Organizational practices: These are recommended organizational rules, responsibilities and approaches toward employees and third-party contractors regarding:
Technical practices: These are recommended technical security measures covering:
The ENISA framework is divided into a high-level overview of best practices for each of the above domains (approx. 8 pages) and a very detailed list of best practices (approx. 55 pages).
NIST Guide to Industrial Control System (ICS) Security
Overview: At 247 pages long, the NIST guide is a very comprehensive framework that provides guidance on how to secure Industrial Control Systems (ICSs) while taking into account the unique functionality and requirements of industrial OT.
The guide covers Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), and other control system configurations such as Programmable Logic Controllers (PLC).
The main body of the NIST guide includes:
The appendices are an inseparable part of the guide’s value, providing lists of:
Industrial Internet Security Framework
Overview: This guide addresses IIoT security from both the business perspective (discussing risk management and the permeation of trust across the IIoT system life cycle) and the functional and implementation perspective. The latter makes up the bulk of the framework and covers:
CIS Critical Security Controls ICS Companion Guide
Overview: The CIS Critical Security Controls® (CIS Controls®) are a prioritized set of actions that collectively form a set of defense-in-depth best practices that mitigate the most common attacks against systems and networks.
Because some industries have unique requirements that limit their ability to apply the CIS Controls as-is, CIS will sometimes issue a companion guide for their Controls explaining how to apply and implement the Controls for a particular industry.
The CIS Critical Security Controls ICS Companion Guide explains how to implement the security best practices in CIS Controls Version 7 in ICS environments.
Version 7 of the framework includes the following 20 CIS Controls (note: the latest version of the CIS Controls is Version 8):
The ICS Companion Guide addresses, adds to or modifies all of these 20 controls, taking into account the unique mission/business requirements found in ICS environments (with a focus on performance and real-time requirements).
The companion guide also accounts for each ICS environment’s unique risks (vulnerabilities, threats and consequences), which in turn drive the priority of the corresponding security requirements (e.g. availability, integrity and confidentiality of process data).
We all need a framework to lean on
While you may have been given the (daunting!) task of conducting an OT security assessment or (even more daunting!) actually securing an OT system, there’s no reason to reinvent the wheel. With such a wide variety of OT cyber security frameworks, you should be able to find the framework that best fits your organization.
Once you’ve decided upon a framework, Radiflow can support you in implementation with its complete suite of OT security solutions. Radiflow has been recognized by Gartner as a representative vendor in both the “OT network monitoring and visibility” and the “Cyber-physical systems (CPS) risk management” categories.
Radiflow’s CIARA automated risk analysis platform uses a Radiflow-generated virtual network model (digital image) of the entire IT/OT network, including all assets, protocols, connections and IT systems, for its non-invasive breach and attack simulations (BAS), giving a clear understanding of the network’s security status. The results of the simulation enable drafting prioritized guidelines for any changes or updates to the organization’s OT security system.
To find out more about Radiflow’s OT cyber security solutions, contact us today.
Standards/frameworks for securing OT systems help expedite security plan implementation and ensure the effectiveness of the system.