The Radiflow Security Blog

Radiflow CIARA: Creating Value by Linking Multiple Standards and Data Sources

By Liron Benbenishti, Cyber Security Researcher at Radiflow | ISA/IEC 62443 Certified | CRISC

February 15, 2021

Overview

Industrial cybersecurity relies on several widely-accepted standards and data sources, all of which share the same purpose: reduction of organizational risk, including prevention or mitigation of cyber-attacks. Which standards (e.g., NIST, IEC 62443, NERC, ISO 27001) to adopt depends on each organization’s sector, locale and specific needs.

In this post I will cover CIARA’s compliance with the IEC 62443 standard  (in addition to IEC 62443, CIARA has been designed with the flexibility to comply with additional standards, e.g. NIST, ISO 27001 and others.)

In addition, I will discuss CIARA’s usage of TTP (Tactics, Techniques and Procedures) data sources such as MITRE and Radiflow Labs ATTs (Adversary Tactics and Techniques), and how CIARA automatically links between data sources and standards. As an example, I’ll describe the linkage between the MITRE ATT&CK framework and the IEC 62443 standard in CIARA.

The IEC 62443 standard

The widely-used IEC 62443 security standard deals with securing industrial automation and control systems (IACS). It has been adopted by many companies in different locales and sectors, including energy, food & beverage, general industry and building management.

While large in scope, IEC 62443 is highly structured. It is divided into 13 parts by subject, each covering different aspects of industrial cybersecurity. The standard is based on a number of key principles:

  • Identifying the SuC (System under Consideration)
  • Partitioning it into different security zones with the same target security level (SL-T)
  • Evaluating the achieved security level (SL-A) of each zone based on the security controls (mitigation measures) in place
  • Adding security controls to meet each zone’s required SL-T

IEC 62443 describes 51 Security requirements (SRs) categorized under seven Fundamental Requirements (FRs).

The MITRE ATT&CK® Framework

MITRE ATT&CK is a globally-accessible open-source knowledge base of adversary Tactics, Techniques and Procedures (TTP) based on real-world observations.

The ‘CK’ in ‘ATT&CK’ stands for Common Knowledge derived from Radiflow Labs’ ATT’s, that are added to the MITRE model.

MITRE is used for analyzing attacker activity, from reconnaissance and resource development through initial access into the network, lateral movement inside the network and advanced stages of the attack.

Integrating and Linking MITRE ATT&CK and IEC 62443

CIARA incorporates an algorithm created by Radiflow’s research team for cross-referencing between the threat landscape (specific attacker groups, attack techniques and corresponding mitigations) unique to each network sector and region, with the IEC 62443 standard.

Unlike other tools on the market that make static use of MITRE, CIARA identifies the adversaries and attacker techniques (and corresponding mitigations) that are relevant to you, and then assigns a weight (calculated by Radiflow researchers) for calculating mitigation effectiveness in relation to specific risk scenarios.

On top of that, CIARA serves as a true simulation engine, not just for a single adversary attack vector, but for simulating multi-attack instances utilizing hundreds of propagations within the model.

Risk Scenario Example: “Loss of Integrity”

CIARA’s integration with MITRE takes advantage of MITRE’s dataset of mitigations as well as Radiflow’s recommendations, associated with different attack techniques. For example: MITRE mitigation M1051 (“Update Software”) is associated with many attack techniques, one of which is the T1195 technique (“Supply Chain Compromise”, which recently made headlines with the SolarWinds attack).

Using the Supply Chain Compromise technique, adversaries can manipulate products or product delivery mechanisms prior to receipt by a final consumer, for the purpose of data or system compromise. This technique can be mapped to the IEC 62443-security requirement (SR) 3.4: “Software and information integrity”, which requires that “The control system shall provide the capability to detect, record, report and protect against unauthorized changes to software and information at rest.”

Security control in IEC 62443 Mapped MITRE mitigation
SR 3.4 – Software and information integrity M1051 (“Update Software”)

Beyond mapping MITRE mitigations to IEC 62443 SRs, CIARA’s provides a number of important added values:

  • Radiflow’s cyber analysts provide the ATT (Adversary Tactics and Techniques) algorithm weights, based on relevance to the customer’s OT network
  • Enrichment of the MITRE ATT database with additional ATTs from Radiflow’s knowledge base
  • APT’s for additional attack scenarios, namely supply chain and insider threat, have been added to the simulation model Radiflow Labs has added APT for chain of supply and insider threat to

The result is a comprehensive mapping of each security requirement (SR) in IEC 62443-3-3 with its appropriate MITRE mitigation(s).

By mapping the junction points of multi-APT attack techniques (i.e. attack techniques used by multiple attackers and attack groups) CIARA’s algorithm is able to assign a weight to the mitigations that correspond to those specific junction points. Multiple adversaries are mapped to their used techniques, techniques are mapped into their mitigations which then mapped in CIARA to the relevant SRs.

Generally, we have found that linking standards to multiple reliable data sources has resulted in increased risk assessment accuracy and improved cost-effectiveness of security mitigations, as the algorithm indicates the mitigations most suitable for each specific network, based on its unique threat landscape (i.e. sector and region).

CIARA’s Risk Assessment Process – Step by Step

  1. The customer selects Sector and Region
  2. Accordingly, CIARA evaluates the network threat landscape
  3. CIARA presents a  risk prioritization and comprehensive mitigation roadmap (fully ISA/IEC 62443-compliant), prioritized by each mitigation control’s contribution to overall risk reduction, thus maximizing the impact of cybersecurity expenditure
  4. The customer chooses several mitigations to implement (SRs) using CIARA’s IEC 62443 questionnaire, Optionally, the customer can enter the cost of implementing mitigations and implementation target dates (by quarter) using CIARA’s project planning feature, to assist with budgeting and project management.
  5. The selected SRs are automatically translated to the related MITRE mitigations in CIARA’s backend.
  6. CIARA calculates the network’s “Control level”, which reflects the security effectiveness percentage, by counting the number of “completed” mitigations out of all the mitigations related to the techniques characteristic to the adversaries active in the selected sector and region.
  7. CIARA displays the updated metrics: control level and risk score.

The ultimate result is a comprehensive real-world assessment report, including network visibility, all threats, vulnerabilities, zone impact, unmitigated & target risk levels, existing countermeasures, likelihood of impact mitigations plan and recommendations (fully ISA/IEC 62443-compliant).

Conclusion

CIARA’s support of multiple data sources and security standards enables maximizing insight and mitigation effectiveness, and helps asset owners both effectively secure their networks and optimize their cyber-security expenditure ROI.