CIS Adapts Critical Security Controls to Industrial Control Systems

Ted Gary

The Center for Internet Security (CIS) recently updated its popular CIS Controls – formerly known as the SANS Top 20 – and published a companion CIS Controls Implementation Guide for Industrial Control Systems. Cody Dumont and I contributed to this Industrial Control System (ICS) guide in the hope of making it easier for organizations to employ the CIS Controls for protecting OT environments.

Moving toward a common set of IT/OT controls

As organizations address the challenge of IT/OT convergence, a common set of IT/OT controls is especially valuable.

Most security frameworks focus on either IT or OT. For example, ISO/IEC 27000 focuses on information security management, and ISA99 focuses on manufacturing and control system security. The difference in focus is understandable because IT and OT environments have important differences such as real-time requirements, network protocols and the ability to tolerate active network scanning. These differences have made OT security professionals reluctant to use IT-born security frameworks and solutions in their OT environments.

The U.S. National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity spans IT and OT to promote the protection and resilience of critical infrastructure. Virtually all industry sectors are adopting the NIST Cybersecurity Framework (CSF), first published in 2014. However, CSF Functions (Categories and Subcategories) neither suggest an implementation order nor do they provide detailed control recommendations. Therefore, many organizations adopting the CSF are also adopting the CIS Controls to help them prioritize control implementation and define more granular security controls.

CSF and CIS Control adopters applying the controls in both IT and OT were required to adapt the CIS Controls before implementing them in OT to ensure sensitive OT networks and devices were not degraded or disrupted. The CIS recognized the need to help organizations adapt the CIS Controls to OT – and, voilà, the CIS Controls Implementation Guide for Industrial Control Systems was born.

CIS Controls Implementation Guide for Industrial Control Systems: How it can help

“ICS Environments may also have many embedded, IP connected devices. These devices often lack the capability to support traditional Information Technology (IT)-grade security control technologies since many run specialized firmware and Real-time Operating Systems (RTOS), have proprietary protocols such as Profibus, COTP, TPKT Modbus and EtherNet/IP, or do not have the ability to support contemporary endpoint of supplicant software that is commonly used in IT systems.”
CIS Controls Implementation Guide for Industrial Control Systems.

The CIS Controls Implementation Guide for Industrial Control Systems is a companion document to use with the 20 prioritized CIS Controls. Each control includes an introduction, applicability description and additional considerations.

Here are excerpts from the first (and most important) control, Inventory of Authorized and Unauthorized Devices, that will give you a flavor of the guidance provided for each control:

Excerpts from CIS Controls Implementation Guide for Industrial Control Systems

  • Introduction: “Understanding and solving the asset inventory and device visibility problem is critical in managing a business’s security program. This is especially challenging in ICS where network segmentation, dual-homing, and isolation are common themes. Mixtures of old and new devices from multiple vendors, lack of up-to-date diagrams, unique industry and application-specific protocols, some of which are not IP-based, and the difficulty in conducting physical inventories in dispersed or hostile environments compound these challenges.”
  • Applicability: “The conventional approach of using ping responses, TCP SYN or ACK scans can also be problematic in ICS due to device sensitivity since even seemingly benign scanning employed in IT environments can disrupt communications, or in some cases even impact device operations. Methods that are more passive to locate connected assets are preferred, as they are less likely to impact system availability or interact with vendor systems in a manner that could cause warranty issues.”
  • Considerations: “Ensure that all equipment acquisitions and system modifications follow and approval process and the technical drawings (if applicable, automated inventory systems) are updated at the time of the change.”

Resources: Securing converged IT/OT systems

Need a prioritized, common control framework to secure converged IT/OT systems or a common language to facilitate communication? Join me on July 18 for the “Six Common Controls Unite and Strengthen OT/IT Security” webinar.

Also, in case you missed our announcement last year, we’ve partnered with Siemens and released Industrial Security, an on-premises security solution purpose-built for OT. It addresses the guide’s recommendation to passively and safely monitor OT networks to deliver asset discovery. Industrial Security also passively assesses vulnerabilities. For a demo or evaluation of Industrial Security, contact your authorized Tenable representative.

Read more >

Published on Jun 29, 2018

People also viewed

Channel Sales Engineer

Santiago Santiago Chile Santiago, Chile Sales Engineering Sales
Your Role:The Channel Sales Engineer will support and will be working with production, engineering, and research and development, as well as external sales firms to determine how Tenable products and services could be designed or modified to best ...

Engineering Manager - UI

Los Angeles California United States West Jefferson Boulevard, Playa Vista, Los Angeles, California, United States, 90066 Cloud Platforms Research & Development
Your Role:Tenable is looking for an experienced UI Engineering manager, who would be responsible for leading a team of world class engineers.  This person would be expected to help grow and mentor experience engineers. Background in working with m...

Engineering Manager - UI

San Jose California United States E Santa Clara St., San Jose, California, United States, 95113 Cloud Platforms Research & Development
Your Role:Tenable is looking for an experienced UI Engineering manager, who would be responsible for leading a team of world class engineers.  This person would be expected to help grow and mentor experience engineers. Background in working with m...

Engineering Manager - UI

Columbia Maryland United States Columbia Gateway Drive, Columbia, Maryland, United States, 20146 Cloud Platforms Research & Development
Your Role:Tenable is looking for an experienced UI Engineering manager, who would be responsible for leading a team of world class engineers.  This person would be expected to help grow and mentor experience engineers. Background in working with m...

Commercial Territory Manager

Columbia Maryland United States Columbia Gateway Drive, Columbia, Maryland, United States, 20146 Sales Sales
Your Role:The Commercial Territory Manager will meet and exceed quarterly sales quota by developing new opportunities within specific geographical territory.  Researching and identifying potential accounts; outbound cold calling to soliciting new ...

Recruiter - UK

Uxbridge United Kingdom Furzeground Way , Stockley Park, Uxbridge, United Kingdom, UB11 1EZ Human Resources Human Resources
Your Role:Tenable is seeking a talented Recruiter who will source, screen and ultimately close exceptional sales, marketing and professional services talent. You’ll partner with Tenable’s Sales leadership to create and maintain a talent pipeline, ...

We have big plans for continued global growth, and we’re looking for people who are creative, flexible and dedicated to helping us build something great – something that matters.