
Tenable Blog


CIS Adapts Critical Security Controls to Industrial Control Systems

The Center for Internet Security (CIS) recently updated its popular CIS Controls – formerly known as the SANS Top 20 – and published a companion CIS Controls Implementation Guide for Industrial Control Systems. Cody Dumont and I contributed to this Industrial Control System (ICS) guide in the hope of making it easier for organizations to employ the CIS Controls for protecting OT environments.

Moving toward a common set of IT/OT controls

As organizations address the challenge of IT/OT convergence, a common set of IT/OT controls is especially valuable.

Most security frameworks focus on either IT or OT. For example, ISO/IEC 27000 focuses on information security management, and ISA99 focuses on manufacturing and control system security. The difference in focus is understandable because IT and OT environments have important differences such as real-time requirements, network protocols and the ability to tolerate active network scanning. These differences have made OT security professionals reluctant to use IT-born security frameworks and solutions in their OT environments.

The U.S. National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity spans IT and OT to promote the protection and resilience of critical infrastructure. Virtually all industry sectors are adopting the NIST Cybersecurity Framework (CSF), first published in 2014. However, CSF Functions (Categories and Subcategories) neither suggest an implementation order nor do they provide detailed control recommendations. Therefore, many organizations adopting the CSF are also adopting the CIS Controls to help them prioritize control implementation and define more granular security controls.

CSF and CIS Control adopters applying the controls in both IT and OT were required to adapt the CIS Controls before implementing them in OT to ensure sensitive OT networks and devices were not degraded or disrupted. The CIS recognized the need to help organizations adapt the CIS Controls to OT – and, voilà, the CIS Controls Implementation Guide for Industrial Control Systems was born.

CIS Controls Implementation Guide for Industrial Control Systems: How it can help

“ICS Environments may also have many embedded, IP connected devices. These devices often lack the capability to support traditional Information Technology (IT)-grade security control technologies since many run specialized firmware and Real-time Operating Systems (RTOS), have proprietary protocols such as Profibus, COTP, TPKT, Modbus and EtherNet/IP, or do not have the ability to support contemporary endpoint or supplicant software that is commonly used in IT systems.”
CIS Controls Implementation Guide for Industrial Control Systems.

The CIS Controls Implementation Guide for Industrial Control Systems is a companion document to use with the 20 prioritized CIS Controls. Each control includes an introduction, applicability description and additional considerations.

Here are excerpts from the first (and most important) control, Inventory of Authorized and Unauthorized Devices, that will give you a flavor of the guidance provided for each control:

Excerpts from CIS Controls Implementation Guide for Industrial Control Systems

  • Introduction: “Understanding and solving the asset inventory and device visibility problem is critical in managing a business’s security program. This is especially challenging in ICS where network segmentation, dual-homing, and isolation are common themes. Mixtures of old and new devices from multiple vendors, lack of up-to-date diagrams, unique industry and application-specific protocols, some of which are not IP-based, and the difficulty in conducting physical inventories in dispersed or hostile environments compound these challenges.”
  • Applicability: “The conventional approach of using ping responses, TCP SYN or ACK scans can also be problematic in ICS due to device sensitivity since even seemingly benign scanning employed in IT environments can disrupt communications, or in some cases even impact device operations. Methods that are more passive to locate connected assets are preferred, as they are less likely to impact system availability or interact with vendor systems in a manner that could cause warranty issues.”
  • Considerations: “Ensure that all equipment acquisitions and system modifications follow an approval process and the technical drawings (if applicable, automated inventory systems) are updated at the time of the change.”
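The Applicability excerpt above prefers passive asset location over ping sweeps and SYN/ACK scans. The following is an added example, not code from the CIS guide or from Tenable, of what a minimal passive inventory looks like: it consumes only flow summaries that a SPAN port or tap already sees, sends nothing to any controller, classifies devices by the ICS protocols they answer or initiate, flags devices missing from the approved list, and flags dual-homed hosts (one of the complications the Introduction names). The flow records, MAC addresses, asset tags and the port-to-protocol table are all constructed assumptions for the example.

```python
"""Passive asset inventory for an ICS segment from traffic metadata alone.

Added example, not code from the CIS guide or from Tenable: every input is a
flow summary as a tap or SPAN port would already see it, so nothing is ever
sent to a device. The flows, MACs and authorized list are constructed data.
"""
from dataclasses import dataclass, field

# Well-known ICS service ports -> protocol name (standard registrations; a
# production tool would confirm by dissecting the payload, not by port alone).
ICS_PORTS = {
    502: "Modbus/TCP",
    102: "TPKT/COTP (ISO-TSAP, e.g. S7comm)",
    44818: "EtherNet/IP",
    20000: "DNP3",
}


@dataclass
class Asset:
    mac: str
    ips: set = field(default_factory=set)
    serves: set = field(default_factory=set)   # protocols this device answers on
    uses: set = field(default_factory=set)     # protocols this device initiates

    @property
    def role(self) -> str:
        """Rough classification: controllers answer ICS protocols, HMIs and
        engineering stations initiate them, anything else is unclassified."""
        if self.serves & set(ICS_PORTS.values()):
            return "controller"
        if self.uses & set(ICS_PORTS.values()):
            return "client"
        return "unclassified"


# Constructed flow summaries: (client_mac, client_ip, server_mac, server_ip, server_port)
SAMPLE_FLOWS = [
    ("00:1d:9c:aa:00:01", "10.20.1.10", "00:80:f4:bb:00:02", "10.20.1.50", 502),
    ("00:1d:9c:aa:00:01", "10.20.1.10", "00:80:f4:bb:00:02", "10.20.1.50", 502),
    ("00:1d:9c:aa:00:01", "10.20.1.10", "00:1b:1b:cc:00:03", "10.20.1.51", 102),
    ("00:1d:9c:aa:00:01", "10.20.1.10", "00:0c:29:dd:00:04", "10.20.1.52", 44818),
    # the same HMI on a second interface pushing data to a historian: dual-homed
    ("00:1d:9c:aa:00:01", "192.168.5.10", "00:50:56:ff:00:06", "192.168.5.20", 1433),
    # a device nobody registered, polling the line-1 PLC
    ("3c:97:0e:ee:00:05", "10.20.1.99", "00:80:f4:bb:00:02", "10.20.1.50", 502),
]

# Constructed authorized inventory (MAC -> asset tag from the technical drawings)
AUTHORIZED = {
    "00:1d:9c:aa:00:01": "HMI-01",
    "00:80:f4:bb:00:02": "PLC-LINE1",
    "00:1b:1b:cc:00:03": "PLC-LINE2",
    "00:0c:29:dd:00:04": "PLC-LINE3",
    "00:50:56:ff:00:06": "HISTORIAN-01",
}


def build_inventory(flows) -> dict:
    """Fold flow summaries into one Asset per MAC. A MAC identifies a host only
    on the tapped L2 segment (routed traffic carries the router's MAC), so a
    real deployment keys by MAC per segment and correlates by IP across them."""
    inv: dict = {}
    for cmac, cip, smac, sip, port in flows:
        proto = ICS_PORTS.get(port, f"tcp/{port}")
        client = inv.setdefault(cmac, Asset(cmac))
        server = inv.setdefault(smac, Asset(smac))
        client.ips.add(cip)
        client.uses.add(proto)
        server.ips.add(sip)
        server.serves.add(proto)
    return inv


def unauthorized(inv: dict, authorized: dict) -> set:
    """Devices seen on the wire that are absent from the approved inventory."""
    return set(inv) - set(authorized)


def dual_homed(inv: dict) -> set:
    """Devices observed with more than one IP address (bridging segments)."""
    return {mac for mac, a in inv.items() if len(a.ips) > 1}


def report(flows=SAMPLE_FLOWS, authorized=AUTHORIZED) -> list:
    """One line per asset plus one line per dual-homed host."""
    inv = build_inventory(flows)
    lines = []
    for mac, a in sorted(inv.items()):
        tag = authorized.get(mac, "UNAUTHORIZED")
        lines.append(f"{mac} {tag:<13} role={a.role:<12} ips={sorted(a.ips)} "
                     f"serves={sorted(a.serves)} uses={sorted(a.uses)}")
    for mac in sorted(dual_homed(inv)):
        lines.append(f"dual-homed: {mac} ({authorized.get(mac, 'UNAUTHORIZED')})")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

Run as-is to see the six observed assets, the unregistered client polling PLC-LINE1 marked UNAUTHORIZED, and HMI-01 reported as dual-homed. The example deliberately keys on MAC addresses and port numbers only; non-IP fieldbus protocols such as Profibus, which the guide also names, never appear on an Ethernet tap and still need a physical inventory or a gateway that exposes them.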

Resources: Securing converged IT/OT systems

Need a prioritized, common control framework to secure converged IT/OT systems or a common language to facilitate communication? Join me on July 18 for the “Six Common Controls Unite and Strengthen OT/IT Security” webinar.

Also, in case you missed our announcement last year, we’ve partnered with Siemens and released Industrial Security, an on-premises security solution purpose-built for OT. It addresses the guide’s recommendation to passively and safely monitor OT networks to deliver asset discovery. Industrial Security also passively assesses vulnerabilities. For a demo or evaluation of Industrial Security, contact your authorized Tenable representative.
