CIS Adapts Critical Security Controls to Industrial Control Systems

Ted Gary

The Center for Internet Security (CIS) recently updated its popular CIS Controls – formerly known as the SANS Top 20 – and published a companion CIS Controls Implementation Guide for Industrial Control Systems. Cody Dumont and I contributed to this Industrial Control System (ICS) guide in the hope of making it easier for organizations to employ the CIS Controls for protecting OT environments.

Moving toward a common set of IT/OT controls

As organizations address the challenge of IT/OT convergence, a common set of IT/OT controls is especially valuable.

Most security frameworks focus on either IT or OT. For example, ISO/IEC 27000 focuses on information security management, and ISA99 focuses on manufacturing and control system security. The difference in focus is understandable because IT and OT environments have important differences such as real-time requirements, network protocols and the ability to tolerate active network scanning. These differences have made OT security professionals reluctant to use IT-born security frameworks and solutions in their OT environments.

The U.S. National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity spans IT and OT to promote the protection and resilience of critical infrastructure. Virtually all industry sectors are adopting the NIST Cybersecurity Framework (CSF), first published in 2014. However, the CSF's Functions, Categories and Subcategories neither suggest an implementation order nor provide detailed control recommendations. Therefore, many organizations adopting the CSF are also adopting the CIS Controls to help them prioritize control implementation and define more granular security controls.

CSF and CIS Control adopters applying the controls in both IT and OT were required to adapt the CIS Controls before implementing them in OT to ensure sensitive OT networks and devices were not degraded or disrupted. The CIS recognized the need to help organizations adapt the CIS Controls to OT – and, voilà, the CIS Controls Implementation Guide for Industrial Control Systems was born.

CIS Controls Implementation Guide for Industrial Control Systems: How it can help

“ICS Environments may also have many embedded, IP connected devices. These devices often lack the capability to support traditional Information Technology (IT)-grade security control technologies since many run specialized firmware and Real-time Operating Systems (RTOS), have proprietary protocols such as Profibus, COTP, TPKT, Modbus and EtherNet/IP, or do not have the ability to support contemporary endpoint or supplicant software that is commonly used in IT systems.”
CIS Controls Implementation Guide for Industrial Control Systems.

The CIS Controls Implementation Guide for Industrial Control Systems is a companion document to use with the 20 prioritized CIS Controls. Each control includes an introduction, applicability description and additional considerations.

Here are excerpts from the first (and most important) control, Inventory of Authorized and Unauthorized Devices, that will give you a flavor of the guidance provided for each control:

Excerpts from CIS Controls Implementation Guide for Industrial Control Systems

  • Introduction: “Understanding and solving the asset inventory and device visibility problem is critical in managing a business’s security program. This is especially challenging in ICS where network segmentation, dual-homing, and isolation are common themes. Mixtures of old and new devices from multiple vendors, lack of up-to-date diagrams, unique industry and application-specific protocols, some of which are not IP-based, and the difficulty in conducting physical inventories in dispersed or hostile environments compound these challenges.”
  • Applicability: “The conventional approach of using ping responses, TCP SYN or ACK scans can also be problematic in ICS due to device sensitivity since even seemingly benign scanning employed in IT environments can disrupt communications, or in some cases even impact device operations. Methods that are more passive to locate connected assets are preferred, as they are less likely to impact system availability or interact with vendor systems in a manner that could cause warranty issues.”
  • Considerations: “Ensure that all equipment acquisitions and system modifications follow an approval process and the technical drawings (if applicable, automated inventory systems) are updated at the time of the change.”
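
The guide's preference for passive discovery over ping sweeps and SYN/ACK scans can be made concrete. The following Python script is an added example, not code from the CIS guide, from Tenable or from the original post: it builds a device inventory from Ethernet frames that are already on the wire (as a SPAN port or network tap would deliver them), classifies each device by the well-known Modbus/TCP, COTP/TPKT and EtherNet/IP server ports, records which Modbus function codes each server is asked to perform, and never transmits a packet toward a controller. The port-to-protocol table is an assumed set of defaults, and the MAC addresses, IP addresses and frames are constructed for the example.

```python
"""Passive ICS asset inventory built from captured Ethernet frames.

Added example (not from the CIS guide or the original post): every step works
on frames already on the wire, so nothing is ever sent toward a PLC. The
sample frames at the bottom are constructed for this example.
"""
import struct
from dataclasses import dataclass, field

# Default TCP server ports for ICS protocols named in the guide. These are
# assumed defaults; a site may relocate them, which port matching will miss.
ICS_PORTS = {502: "Modbus/TCP", 102: "COTP/TPKT (ISO-TSAP)", 44818: "EtherNet/IP"}

# Subset of public Modbus function codes; unknown codes are reported numerically.
MODBUS_FUNCTIONS = {1: "Read Coils", 3: "Read Holding Registers",
                    5: "Write Single Coil", 6: "Write Single Register",
                    16: "Write Multiple Registers"}


@dataclass
class Asset:
    mac: str
    ips: set = field(default_factory=set)
    protocols: set = field(default_factory=set)
    roles: set = field(default_factory=set)             # "server" and/or "client"
    modbus_functions: set = field(default_factory=set)  # functions this asset serves


def parse_tcp_frame(frame):
    """Decode Ethernet/IPv4/TCP headers into a dict; None for anything else (ARP, IPv6, runts)."""
    if len(frame) < 54 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    tcp = ip[ihl:]
    if ip[9] != 6 or len(tcp) < 20:          # only TCP carries the protocols classified here
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4
    return {"src_mac": frame[6:12].hex(":"), "dst_mac": frame[:6].hex(":"),
            "src_ip": ".".join(map(str, ip[12:16])), "dst_ip": ".".join(map(str, ip[16:20])),
            "sport": sport, "dport": dport, "payload": tcp[doff:]}


def modbus_function(payload):
    """Name the function code if the payload starts with an MBAP header (protocol id 0)."""
    if len(payload) < 8:
        return None
    _txid, proto_id, _length, _unit, fc = struct.unpack("!HHHBB", payload[:8])
    return MODBUS_FUNCTIONS.get(fc, f"function {fc}") if proto_id == 0 else None


def build_inventory(frames):
    """Fold captured frames into {mac: Asset}; the side on a well-known port is the server."""
    inventory = {}

    def asset(mac, ip):
        a = inventory.setdefault(mac, Asset(mac))
        a.ips.add(ip)
        return a

    for frame in frames:
        seg = parse_tcp_frame(frame)
        if seg is None:
            continue
        src, dst = asset(seg["src_mac"], seg["src_ip"]), asset(seg["dst_mac"], seg["dst_ip"])
        if seg["dport"] in ICS_PORTS:
            server, client, proto = dst, src, ICS_PORTS[seg["dport"]]
        elif seg["sport"] in ICS_PORTS:
            server, client, proto = src, dst, ICS_PORTS[seg["sport"]]
        else:
            continue                          # seen, but not classified as an ICS protocol
        server.roles.add("server"); server.protocols.add(proto)
        client.roles.add("client"); client.protocols.add(proto)
        if seg["dport"] == 502:               # requests flow toward the Modbus server
            fn = modbus_function(seg["payload"])
            if fn:
                server.modbus_functions.add(fn)
    return inventory


def _frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload=b""):
    """Assemble a constructed Ethernet/IPv4/TCP frame (checksums left zero)."""
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return eth + ip + tcp


# Constructed sample capture: HMI, Modbus PLC, engineering workstation, S7-style PLC.
HMI, PLC, EWS, S7 = "00:1a:00:00:00:20", "00:80:f4:00:00:05", "00:1a:00:00:00:30", "00:1b:1b:00:00:06"
SAMPLE_FRAMES = [
    _frame(HMI, PLC, "192.168.10.20", "192.168.10.5", 51000, 502,        # read 10 holding registers
           struct.pack("!HHHBBHH", 1, 0, 6, 1, 3, 0, 10)),
    _frame(PLC, HMI, "192.168.10.5", "192.168.10.20", 502, 51000,        # response from port 502
           struct.pack("!HHHBBB", 1, 0, 23, 1, 3, 20) + bytes(20)),
    _frame(HMI, PLC, "192.168.10.20", "192.168.10.5", 51001, 502,        # write single register
           struct.pack("!HHHBBHH", 2, 0, 6, 1, 6, 40, 1)),
    _frame(EWS, S7, "192.168.10.30", "192.168.10.6", 52000, 102,         # COTP connection request
           bytes.fromhex("0300001611e00000000100c0010ac1020100c2020102")),
    bytes.fromhex("ffffffffffff001a000000300806") + bytes(28),           # ARP request, skipped
]

if __name__ == "__main__":
    for a in build_inventory(SAMPLE_FRAMES).values():
        print(a.mac, sorted(a.ips), sorted(a.protocols), sorted(a.roles), sorted(a.modbus_functions))
```

In practice the frames would come from a pcap or a live tap rather than the constructed list, and the inventory would be diffed against the approved drawings the Considerations excerpt refers to: a new MAC on the control network, or a write function code from a host that only ever read, is exactly what a passive baseline surfaces. Port-based classification has the limits the guide's own quote implies: it misses servers on non-default ports and says nothing about non-IP fieldbuses such as Profibus, which need a different collection point.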

Resources: Securing converged IT/OT systems

Need a prioritized, common control framework to secure converged IT/OT systems or a common language to facilitate communication? Join me on July 18 for the “Six Common Controls Unite and Strengthen OT/IT Security” webinar.

Also, in case you missed our announcement last year, we’ve partnered with Siemens and released Industrial Security, an on-premises security solution purpose-built for OT. It addresses the guide’s recommendation to passively and safely monitor OT networks to deliver asset discovery. Industrial Security also passively assesses vulnerabilities. For a demo or evaluation of Industrial Security, contact your authorized Tenable representative.


Published on Jun 29, 2018
