National security for any nation depends on the reliability and continuous operation of that nation’s critical infrastructure. The increasing complexity and connectivity of critical infrastructure systems expose them to cybersecurity threats that put their safety and reliability at risk.
Why was the NIST Cybersecurity Framework Created?
The NIST Framework was created through collaboration between government and the private sector, in response to the Executive Order (EO) 13636: Improving Critical Infrastructure Cybersecurity. This voluntary framework consists of standards, guidelines, and best practices to manage cybersecurity-related risk. The Cybersecurity Framework’s prioritized, flexible, and cost-effective approach helps to promote the protection and resilience of critical infrastructure and other sectors important to the economy and national security.
In its most recent NCCoE report on Behavioral Anomaly Detection (BAD) capabilities in industrial control systems (ICS), NIST is a strong proponent of anomaly detection for finding behaviors and potential attacks that do not yet have a signature associated with them. Typically, these are targeted attacks that are not seen widely enough for a signature to be developed, or attacks involving zero-day exploits.
NIST endeavors to provide guidance based on the threat landscape at a given point in time, while also trying not to make the guidelines overly complicated or cumbersome for operators to follow. To that end, this paper does an important service, namely promoting anomaly detection as an essential tool in cybersecurity. At the same time, given the shifting landscape in ICS security, many organizations are looking to go beyond what NIST suggests, stressing that anomaly detection alone is clearly not enough. As a result, organizations are proactively deploying additional ICS security controls to stay current and better protected against the next threat coming their way.
Beyond NIST: Protecting Critical Infrastructure from Cyber Threats
In looking beyond NIST, there are some significant steps you can consider that will (a) increase your visibility across the entire organization, (b) improve your security posture both now and into the future, and (c) put you in control by identifying and mitigating threats and unacceptable risk:
- Deep Threat Detection - Deep threat detection uniquely combines network anomaly detection with policy-based detection. By leveraging both statistical network behavior analysis and policy rules, deep threat detection technology finds more threats and risks, faster, and with fewer false positives. Anomaly detection identifies stealthy deviations in network behavior from the statistical baseline. This capability should be complemented by a policy detection engine, which strictly enforces deterministic rules derived from the security policy. This holistic approach safeguards networks from known ICS threats, while also protecting against the next malware incident that has yet to be released in the wild.
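As an added illustration (not code from the original post or from any vendor product), the following sketch shows why the two engines complement each other: a single forbidden operation from a host whose overall command rate looks normal is caught only by the policy rules, while a flood of permitted operations is caught only by the statistical baseline. The hosts, operations, policy and baseline counts are all constructed for the example.

```python
import statistics
from collections import Counter

# Constructed site policy: which source may issue which operation to the PLC.
POLICY = {
    "hmi-01": {"read_tag", "write_tag"},
    "ews-01": {"read_tag", "write_tag", "firmware_download", "config_upload"},
}

# Constructed baseline: commands per source per one-minute window, ten learned windows.
BASELINE_WINDOWS = {
    "hmi-01": [118, 122, 120, 119, 121, 123, 117, 120, 122, 118],
    "ews-01": [3, 0, 5, 2, 0, 4, 1, 0, 2, 3],
}

def policy_violations(events):
    """Deterministic engine: flag any operation the source is not permitted to perform."""
    hits = []
    for src, dst, op in events:
        if op not in POLICY.get(src, set()):
            hits.append(f"policy: {src} -> {dst} {op} not permitted")
    return hits

def rate_anomalies(events, threshold=4.0):
    """Statistical engine: z-score of this window's per-source command count vs. the baseline."""
    hits = []
    for src, n in Counter(src for src, _, _ in events).items():
        hist = BASELINE_WINDOWS.get(src)
        if hist is None:  # a source with no learned baseline is itself an anomaly
            hits.append(f"anomaly: {src} never seen in baseline ({n} cmds)")
            continue
        mean, stdev = statistics.mean(hist), statistics.pstdev(hist) or 1.0
        z = (n - mean) / stdev
        if abs(z) > threshold:
            hits.append(f"anomaly: {src} sent {n} cmds, z={z:.1f}")
    return hits

def detect(events):
    """Hybrid result: union of both engines' findings for one window."""
    return policy_violations(events) + rate_anomalies(events)

# Window A (constructed): normal volume from the HMI, but one firmware download hidden in it.
WINDOW_A = ([("hmi-01", "plc-07", "read_tag")] * 100
            + [("hmi-01", "plc-07", "write_tag")] * 19
            + [("hmi-01", "plc-07", "firmware_download")])
# Window B (constructed): only permitted writes from the HMI, but at more than three times the usual rate.
WINDOW_B = [("hmi-01", "plc-07", "write_tag")] * 400
```

Running `detect(WINDOW_A)` yields only the policy hit and `detect(WINDOW_B)` only the rate anomaly; either engine alone would miss one of the two windows.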
- Network & Devices - Network traffic monitoring provides only half of what is needed to secure ICS environments; the other half must come from additional asset-related data. Indeed, the NCCoE report advocates considering an agent-based approach for securing workstations, but that approach obviously cannot be used for industrial controllers, simply because agents cannot be installed on them.
Furthermore, while some attacks traverse networks, many more can occur on the devices themselves. For example, PLC operators may physically connect to (and infect) an OT environment when performing maintenance. Other devices may remain dormant and never send traffic over the network. In both instances, network-only monitoring will not detect the threat.
Active threat hunting is an integral part of a comprehensive hybrid threat detection engine and should work in conjunction with passive network monitoring. Using the devices’ native communication protocols, Indegy Device Integrity discovers, classifies and queries all ICS assets for their configuration - even those that are not communicating in the network.
Central to a hybrid threat detection model, Indegy Device Integrity actively collects information that cannot be found using network sniffing but is crucial for protecting the OT environment. By providing complete asset inventory details and enriched context for alerts, it helps eliminate false positives. Having zero impact on network operations, it provides critical information about your ICS environment (specifically your industrial controllers) that cannot be gathered solely by listening to network traffic.
- Automated Vulnerability & Inventory Management - With new ICS vulnerabilities regularly being published, it is essential to identify devices at risk and quickly address each vulnerability before it is exploited. Industrial organizations require detailed and up-to-date asset inventories to determine which devices are affected by known vulnerabilities. By automating inventory management, you gain an understanding of each device's function and its exact classification within the ICS network. Device analysis should consider firmware and OS versions, the list of open ports, default passwords, and the device's role. This produces an actionable, prioritized risk analysis that allows you to quickly address new vulnerabilities when they are announced.
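The matching and prioritization step described above, as an added example that is not part of the original post or of any product: a constructed asset inventory is compared against a constructed advisory feed on vendor, model and firmware version, and each affected device is scored by advisory severity, device role, and the exposure factors the text lists (default password, risky open ports). Advisory identifiers are placeholders, not real CVE numbers.

```python
# Constructed asset inventory, as automated discovery would populate it.
INVENTORY = [
    {"id": "plc-07", "vendor": "ExampleVendor", "model": "PLC-X", "firmware": "2.4.1",
     "open_ports": {502, 80}, "default_password": True, "role": "safety"},
    {"id": "plc-12", "vendor": "ExampleVendor", "model": "PLC-X", "firmware": "2.6.0",
     "open_ports": {502}, "default_password": False, "role": "process"},
    {"id": "rtu-03", "vendor": "ExampleVendor", "model": "RTU-Y", "firmware": "1.0.3",
     "open_ports": {20000, 23}, "default_password": False, "role": "monitoring"},
]

# Constructed advisory feed; the identifiers are placeholders, not real CVEs.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "vendor": "ExampleVendor", "model": "PLC-X",
     "fixed_in": "2.5.0", "cvss": 9.8},
    {"id": "ADV-PLACEHOLDER-2", "vendor": "ExampleVendor", "model": "RTU-Y",
     "fixed_in": "1.1.0", "cvss": 6.5},
]

# Weights and port list are example choices a site would tune to its own risk appetite.
ROLE_WEIGHT = {"safety": 3.0, "process": 2.0, "monitoring": 1.0}
RISKY_PORTS = {23: "telnet", 80: "http-admin"}

def parse_version(v):
    """Turn a dotted firmware string into a comparable tuple of integers."""
    return tuple(int(x) for x in v.split("."))

def affected(device, adv):
    """A device is affected when vendor/model match and its firmware predates the fix."""
    return ((device["vendor"], device["model"]) == (adv["vendor"], adv["model"])
            and parse_version(device["firmware"]) < parse_version(adv["fixed_in"]))

def risk_report(inventory=INVENTORY, advisories=ADVISORIES):
    """Return affected devices, highest risk first, with the factors behind each score."""
    rows = []
    for dev in inventory:
        hits = [a for a in advisories if affected(dev, a)]
        if not hits:
            continue
        score = max(a["cvss"] for a in hits) * ROLE_WEIGHT[dev["role"]]
        factors = [a["id"] for a in hits]
        if dev["default_password"]:
            score *= 1.5
            factors.append("default-password")
        for port in sorted(dev["open_ports"] & set(RISKY_PORTS)):
            score *= 1.2
            factors.append(RISKY_PORTS[port])
        rows.append({"device": dev["id"], "score": round(score, 1), "factors": factors})
    return sorted(rows, key=lambda r: r["score"], reverse=True)
```

With the constructed data, plc-12 drops out because its firmware already carries the fix, and the safety PLC with a default password and an exposed web interface ranks far above the monitoring RTU.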
The old adage that “the only constant is change” has never held truer. With the quantum shifts occurring in critical infrastructure and other industrial environments, NCCoE’s papers, as well as the NIST guidelines, are essential to the ICS security ecosystem and continue to evolve.
Looking beyond NIST to secure your industrial environment not only helps ensure that you are employing security best practices, but also helps ensure that your organization is prepared for the future threats that are just on the horizon.