OT Cybersecurity Framework/Standards: a Comprehensive Guide

It’s every system administrator’s nightmare:

You pick up the phone and your COO is on the line. “In two weeks we want you to come up with a plan to completely secure OT operations across our 17 facilities nationwide. Oh, and we want this to be your own original work. No using anyone else’s designs or ideas.”

[Insert panic reaction.]

Designing OT cybersecurity plans is never a piece of cake. Fortunately, in the real world, you don’t need to construct OT security plans from scratch.

OT cyber security frameworks & standards enable you to do a much better job in much less time (although a two-week deadline might still qualifies as a nightmare). It also tends to reduce costs (up to 30%, according to the ISA!)

OT cyber security frameworks come in different flavors: some are general, others are industry-specific; some are put forward by public-sector agencies, others by private sector organizations; some are government- or industry-mandated, others are purely suggestions.

So which framework is best for securing your organization’s OT? Let’s take a look at seven of the most popular OT cyber security frameworks, who should use them and what they contain.

CISA Cybersecurity Best Practices for Industrial Control Systems

• Created by: US Government’s Cybersecurity and Infrastructure Security Agency (CISA)
• Last updated: 2020
• Intended for: ICS owners and operators, especially those that support US critical infrastructure

Overview: The Cybersecurity Best Practices for ICS, a two-page document covering 8 areas, is an easy read. It covers:

• Risk Management and Cybersecurity Governance
• Physical Security
• ICS Network Architecture
• ICS Network Perimeter Security
• Host Security
• Security Monitoring
• Supply Chain Management
• Human Element

Highlighted suggestions on their guidance list include:

• Check, prioritize, test, and implement ICS security patches
• Backup system data and configurations
• Identify, minimize and secure all network connections to ICS
• Continually monitor and assess the security of ICS, networks, and interconnections
• Disable unnecessary services, ports and protocols
• Enable available security features and implement robust configuration management practices
• Leverage both application whitelisting and antivirus software
• Provide ICS cybersecurity training for all operators and administrators
• Maintain and test an incident response plan
• Implement a risk-based defense-in-depth approach to securing ICS hosts and networks

NCSC Cyber Security Design Principles

• Created by: UK Government’s National Cyber Security Centre (NCSC)
• Last updated: May 2019
• Intended for: Digital and cyber-physical system designers

Overview: NCSC sets out five primary cybersecurity design principles that build on each other in an arc that moves from prevention to remediation:

• Establish context before designing a system
• Make compromises difficult
• Make disruptions difficult
• Make compromise detection easier
• Reduce the impact of a compromise

ISA/IEC 62443 Standards for Security of Industrial Automation and Control Systems

• Created by: The International Society of Automation (ISA) and the International Electro-technical Commission (IEC)
• Last updated: 2020
• Intended for: IACS asset owners, automation product suppliers, system integrators and maintenance providers

Overview: The ISA/IEC 62443 series of standards that takes into account the multiple roles involved in the design and operation of industrial automation and control systems. While the asset owners have overall responsibility for the security of their OT system, they need the cooperation of their product suppliers, their system integrators and their maintenance providers.

The core ISA/IEC 62443 Standard is Part 2-1, which sets the requirements for security plans. The other standards derive their definitions and directions from Part 2-1, including:

• Part 3-2: how to divide an IACS into zones and conduits (to reduce cross-contamination), how to assess the risk of each zone and how to define its target security level. It also discusses how to create cyber security specifications for the automation solution. The results of this part informs the application of:
  • Part 3-3: automation system security requirements. This is most relevant to automation system integrators.
  • Part 4-1: product development and life-cycle security requirements. This is most relevant to product suppliers.
  • Part 2-4: security requirements for service providers that support the IACS through integration or maintenance services.
• Part 2-3: requirements for the patch management process. Inevitably there will be a need for fixing security issues in the IACS, and you need to establish in advance how you are going to deal with those fixes without causing an unacceptable system disruption.

Other standards in the series include defining security program ratings and technical security requirements for IACS components.

ISA/IEC 62443 is one of the most comprehensive OT cyber security frameworks out there, and there’s no surprise it’s been integrated into the UN’s Economic and Social Council’s draft proposal for a common regulatory framework on cyber security in Europe.

Note: while the ISA/IEC offer the complete ISA/IEC 62443 documentation as a paid product, they do offer a quick start guide for free.

ENISA Good Practices for Security of Internet of Things in the Context of Smart Manufacturing

• Created by: the European Union Agency for Cybersecurity (ENISA)
• Last updated: November 2018
• Intended for: IIoT operators, manufacturers and users

Overview: ENISA’s “Good Practices for Security of IoT in the Context of Smart Manufacturing” covers best practices in 20 domains within the Industry 4.0 landscape, divided into three main groups: policies, organizational practices and technical practices.

Policies: These are policies and procedures that should be adopted in all organizations that use IIoT, covering the areas of:

• • • Designing systems for security
    • Designing systems for privacy
    • Security measures regarding asset discovery, administration, monitoring and maintenance
    • Intelligent risk and threat management in Industry 4.0 environments

Organizational practices

These are recommended organizational rules, responsibilities and approaches toward employees and third-party contractors regarding:

• Ensuring security of IIoT solutions throughout their lifecycle
• Establishment of security architecture
• Managing vulnerabilities
• Handling cybersecurity incidents
• Security training and raising employee awareness
• Third-party management and access control

Technical practices

These are recommended technical security measures covering:

• Ensuring integrity and reliability of data and devices
• Security aspects of cloud computing
• Effective business continuity and disaster recovery
• Machine-to-machine communications security
• Protection of confidential data and management of access to data
• Software/firmware updates and patch management
• Control of remote access, authentication, privileges, accounts and physical access
• Securing communications through proper protocol implementation, encryption and network segmentation
• Monitoring and auditing of network traffic
• Configuration management

The ENISA framework is divided into a high-level overview of best practices for each of the above domains (approx. 8 pages) and a very detailed list of best practices (approx 55 pages).

NIST Guide to Industrial Control System (ICS) Security

• Created by: the US Government’s National Institute of Standards and Technology (NIST)
• Last updated: May 2015
• Intended for: almost anyone responsible for any aspect of industrial control systems, including:
  • Control engineers, integrators, and architects who design or implement secure ICSs
  • System administrators, engineers, and other IT professionals who administer, patch or secure ICSs
  • Facility management directly responsible for ICSs
  • Senior management seeking to understand the business implications and consequences of ICS security
  • Vendors developing products that will be deployed as part of an ICS
  • Security consultants

Overview: At 247 pages long, the NIST guide is a very comprehensive framework that provides guidance on how to secure Industrial Control Systems (ICSs) while taking into account the unique functionality and requirements of industrial OT.

The guide covers Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), and other control system configurations such as Programmable Logic Controllers (PLC).

The main body of the NIST guide includes:

• How to effectively conduct a ICS risk assessment
• Developing and deploying an ICS security program to mitigate risk
• Recommendations for integrating security into network architectures typical to ICSs, with an emphasis on network segregation practices

The appendices are an inseparable part of the guide’s value, providing lists of:

• ICS threats, vulnerabilities and incidents
• ICS security activities
• ICS security capabilities and tools

Industrial Internet Security Framework

• Created by: the Industrial IoT Consortium
• Last updated: 2016
• Intended for: owners, operators, integrators and architects of IIoT systems, as well as business decision-makers and other stakeholders for whom security and trustworthiness of IIoT systems is crucial.

Overview: This guide relates to IIoT security from both the business perspective – discussing risk management and the permeation of trust in the IIoT system life cycle – as well as from a functional and implementation perspective. The latter makes up the bulk of the framework and covers:

• Endpoint protection, including the physical, identity, access, data and integrity aspects of endpoints
• Communications and connectivity protection, touching on both cryptographic and information flow protection
• Security monitoring and analysis, including incident prevention and response
• Security configuration and management, including policy establishment, identity management and secure updates and patching

CIS Critical Security Controls ICS Companion Guide

• Created by: the Center for Internet Security (CIS)
• Last updated: March 2018
• Intended for: anyone responsible for securing ICS environments

Overview: The CIS Critical Security Controls® (CIS Controls®) are a prioritized set of actions that collectively form a set of defense-in-depth best practices that mitigate the most common attacks against systems and networks.

Because some industries have unique requirements that limit their ability to apply the CIS Controls as-is, CIS will sometimes issue a companion guide for their Controls explaining how to apply and implement the Controls for a particular industry.

The CIS Critical Security Controls ICS Companion Guide explains how to implement the security best practices in CIS Controls Version 7 in ICS environments.

Version 7 of the framework includes the following 20 CIS Controls (note: the latest version of the CIS Controls is Version 8):

• Inventory and control of hardware assets
• Inventory and control of software assets
• Continuous vulnerability management
• Controlled use of administrative privileges
• Secure configuration for hardware and software on mobile devices, laptops, workstations and servers
• Maintenance, monitoring and analysis of audit logs
• Email and web browser protection
• Malware defenses
• Limitation and control of network ports, protocols and services
• Data recovery capabilities
• Secure configuration for network devices, such as firewalls, routers and switches
• Boundary defense
• Data protection
• Controlled access based on the need to know
• Wireless access control
• Account monitoring and control
• Implement a security awareness and training program
• Application software security
• Incident response and management
• Penetration tests and red team exercises

The ICS Companion Guide addresses, adds to or modifies all of these 20 controls, taking into account the unique mission/business requirements found in ICS environments (with a focus on performance and real-time requirements).

The companion also accounts for each ICS environment’s unique risks (vulnerabilities, threats and consequences), which in turn drive the priority of corresponding security requirements (e.g. availability, integrity, and confidentiality of process data).

We all need a framework to lean on

While you may have been given the (daunting!) task of conducting an OT security assessment or (even more daunting!) actually securing an OT system, there’s no reason to reinvent the wheel. With such a wide variety of OT cyber security frameworks, you should be able to find the framework that best fits your organization.

Once you’ve decided upon a framework, Radiflow can support you in implementation with its complete suite of OT security solutions. Radiflow has been recognized by Gartner as representative vendor in both the “OT network monitoring and visibility”, and the “Cyber-physical systems (CPS) risk management” categories.

Radiflow’s CIARA automated risk analysis platform uses a Radiflow-generated virtual network model (digital image) of the entire IT/OT network, including all assets, protocols, connections and IT systems for its non-invasive breach attack simulations (BAS) to gain a clear understanding of networks’ security status. The results of the simulation enable drafting prioritized guidelines for any changes or updates to the organization’s OT security system.

To find out more about Radiflow’s OT cyber security solutions, contact us today.