Beyond the NIST Cybersecurity Framework
With new NIST guidance on industrial control system security now published, this is the time for critical infrastructure organizations to upgrade their industrial security posture.
National security for any nation depends on the reliability and continuous operation of its critical infrastructure. The increasing complexity and connectivity of critical infrastructure systems expose them to cybersecurity threats that put their safety and reliability at risk.
Why was the NIST cybersecurity framework created?
The National Institute of Standards and Technology (NIST) Cybersecurity Framework was created through a collaboration between the U.S. federal government and the private sector, in response to presidential executive order 13636, “Improving Critical Infrastructure Cybersecurity.” This voluntary framework consists of standards, guidelines and best practices for managing cybersecurity-related risk. Its prioritized, flexible and cost-effective approach helps promote the protection and resilience of critical infrastructure and other sectors important to the economy and national security.
In a recent report from NIST’s National Cybersecurity Center of Excellence (NCCoE), researchers investigated the use of behavioral anomaly detection (BAD) capabilities in industrial control systems (ICS). NIST is a strong proponent of anomaly detection for finding behaviors and potential attacks that do not yet have a signature associated with them. Typically, these are targeted attacks not seen widely enough for a signature to be developed, or attacks involving zero-day exploits.
NIST endeavors to provide guidance based on the threat landscape at a given point in time, while trying not to make the guidelines overly complicated or cumbersome for operators to follow. To that end, the report performs an important service: it promotes anomaly detection as an essential tool in cybersecurity. At the same time, because the ICS security landscape keeps shifting, many organizations are looking to go beyond what NIST suggests, stressing that anomaly detection alone is not enough. These organizations are proactively deploying additional ICS security controls to keep their systems current and better protected against the next threat coming their way.
Beyond NIST: Protecting critical infrastructure from cyber threats
In looking beyond NIST, there are some significant steps you can consider that will: (a) increase your visibility across the entire organization; (b) improve your security stance both now and into the future; and (c) put you in control by identifying and mitigating threats and unacceptable risk. These include:
Deep threat detection
Deep threat detection combines network anomaly detection with policy-based detection. By applying both statistical network behavior analysis and deterministic policy rules, it finds more threats and risks, faster, and with fewer false positives than either technique alone. Anomaly detection identifies stealthy deviations in network behavior from a statistical baseline, which is how it catches activity that has no signature yet. What it cannot do is judge whether behavior that looks statistically normal is actually permitted; a single write to a controller from an HMI that normally only reads is just one packet among thousands. That gap is closed by a policy detection engine, which strictly enforces deterministic rules derived from the security policy (who may talk to which controller, using which protocol functions) regardless of traffic volume. Together, the two engines protect networks against known ICS threats as well as malware that has yet to appear in the wild.
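The following Python is an added illustration of the hybrid approach described above; it is not Tenable’s code and not part of the NCCoE report. It builds a per-conversation statistical baseline from a training window of constructed Modbus flow summaries, then runs a live window through both an anomaly engine (z-score against the baseline, plus “never seen before” conversations) and a deterministic policy engine (only the engineering station may write to the PLC). The addresses, the policy table and the flow records are all constructed for the example.

```python
"""Hybrid ICS detection: a statistical baseline plus deterministic policy rules.

Added example; not Tenable's code or the NCCoE report's. All addresses, the
policy table and the flow records below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    """Per-minute summary of one (client, controller, Modbus function) conversation."""
    ts: int      # minute index within the capture (constructed)
    src: str     # client address
    dst: str     # controller address
    func: int    # Modbus function code: 3 = Read Holding Registers, 6 = Write Single Register, ...
    count: int   # requests seen in that minute


# Deterministic policy (hypothetical site rule): only the engineering
# station may issue write functions to the PLC at 10.0.1.10.
ENGINEERING_STATION = "10.0.0.5"
PLC = "10.0.1.10"
WRITE_FUNCS = {5, 6, 15, 16}
POLICY = {(PLC, fc): {ENGINEERING_STATION} for fc in WRITE_FUNCS}


def policy_alerts(flows):
    """Enforce the write policy regardless of how 'normal' the volume looks."""
    alerts = []
    for f in flows:
        if f.func in WRITE_FUNCS and f.src not in POLICY.get((f.dst, f.func), set()):
            alerts.append(("policy", f.ts, f"{f.src} sent write function {f.func} to {f.dst}"))
    return alerts


def build_baseline(training):
    """Mean and population stdev of per-minute request counts for each conversation."""
    series = defaultdict(list)
    for f in training:
        series[(f.src, f.dst, f.func)].append(f.count)
    return {key: (mean(v), pstdev(v)) for key, v in series.items()}


def anomaly_alerts(flows, base, z=3.0, sd_floor=1.0):
    """Flag conversations never seen in training, or volumes far above baseline.

    sd_floor stops a perfectly regular polling loop (stdev 0) from turning a
    one-request difference into an alert.
    """
    alerts = []
    for f in flows:
        key = (f.src, f.dst, f.func)
        if key not in base:
            alerts.append(("anomaly", f.ts, f"new conversation {key}"))
            continue
        mu, sd = base[key]
        if (f.count - mu) / max(sd, sd_floor) > z:
            alerts.append(("anomaly", f.ts, f"{key}: {f.count} requests vs baseline {mu:.1f}"))
    return alerts


def detect(training, live):
    """Run both engines over the live window; alerts are (kind, ts, message) tuples."""
    base = build_baseline(training)
    return sorted(policy_alerts(live) + anomaly_alerts(live, base), key=lambda a: a[1])


# Constructed training window: an HMI polls the PLC about 60 times a minute and
# the engineering station writes a register now and then.
HMI = "10.0.0.20"
TRAINING = [Flow(t, HMI, PLC, 3, c) for t, c in enumerate([58, 60, 62, 61, 59] * 6)]
TRAINING += [Flow(t, ENGINEERING_STATION, PLC, 6, c) for t, c in enumerate([1, 1, 2, 1, 1])]

# Constructed live window.
LIVE = [
    Flow(100, HMI, PLC, 3, 62),                  # normal polling: no alert
    Flow(101, ENGINEERING_STATION, PLC, 6, 1),   # permitted write, within baseline: no alert
    Flow(102, HMI, PLC, 6, 1),                   # HMI writing: policy violation AND unseen conversation
    Flow(103, HMI, PLC, 3, 600),                 # ten-fold read burst: anomaly only
    Flow(104, "10.0.0.77", PLC, 3, 1),           # unknown host reading: anomaly only (reads have no policy rule)
]


def run_example():
    return detect(TRAINING, LIVE)


if __name__ == "__main__":
    for kind, ts, msg in run_example():
        print(f"t={ts} [{kind}] {msg}")
```

The write from the HMI at minute 102 is a single request, so statistically it is nothing; the policy engine fires on it anyway. The read burst at 103 violates no rule, so only the anomaly engine catches it. Neither engine alone would have produced both alerts.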
Active device mapping
Network traffic monitoring provides only half of what is needed to secure ICS environments; the other half is asset-level data that the network does not carry. The NCCoE report suggests considering an agent-based approach for securing workstations, but agents cannot be installed on industrial controllers, so that approach leaves the PLCs themselves uncovered.
Furthermore, while some attacks traverse the network, many more occur on the devices themselves. For example, an engineer may plug a laptop or portable media directly into a controller during maintenance and infect the operational technology (OT) environment without a single packet crossing the monitored network. Other devices may sit dormant and never send traffic at all. In both cases, network-only monitoring will not detect the threat.
Active device querying is therefore an integral part of a comprehensive hybrid threat detection engine and should work in conjunction with passive network monitoring. Using the devices’ native communication protocols, OT-specific security solutions can discover, classify and query ICS assets for their configuration, including assets that never communicate on the network. Because these queries are read-only requests in the controller’s own protocol, they carry far less risk than a generic port or vulnerability scan, which can disrupt a PLC.
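As an added example of querying a controller in its native protocol (not Tenable’s code, and not taken from the NCCoE report), the Python below builds a Modbus/TCP Read Device Identification request (function 0x2B, MEI type 0x0E) and parses the reply into vendor, product and firmware revision. No device is contacted: the reply bytes are constructed to look like a controller answering a “basic” identification query, and the vendor and product strings are invented. To use it against real equipment you would send build_request() over TCP port 502 and pass the response to parse_response().

```python
"""Build and parse a Modbus/TCP Read Device Identification exchange (0x2B / MEI 0x0E).

Added example, not Tenable's code. The sample reply is constructed; the
vendor, product and revision strings are placeholders.
"""
import struct

FUNC_ENCAPSULATED_INTERFACE = 0x2B
MEI_READ_DEVICE_ID = 0x0E
# "Basic" identification objects every conforming device must provide.
BASIC_OBJECTS = {0x00: "VendorName", 0x01: "ProductCode", 0x02: "MajorMinorRevision"}


def build_request(transaction_id, unit_id=1, read_id_code=0x01, object_id=0x00):
    """MBAP header (transaction, protocol=0, length, unit) followed by the PDU."""
    pdu = bytes([FUNC_ENCAPSULATED_INTERFACE, MEI_READ_DEVICE_ID, read_id_code, object_id])
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_response(frame, expected_transaction_id):
    """Decode a device reply; raises ValueError on malformed frames or Modbus exceptions."""
    if len(frame) < 7:
        raise ValueError("frame shorter than MBAP header")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if tid != expected_transaction_id or proto != 0:
        raise ValueError("transaction/protocol id mismatch")
    pdu = frame[7:]
    if len(pdu) != length - 1:
        raise ValueError("MBAP length does not match PDU size")
    func = pdu[0]
    if func == FUNC_ENCAPSULATED_INTERFACE | 0x80:           # exception response
        raise ValueError(f"device returned exception code 0x{pdu[1]:02x}")
    if func != FUNC_ENCAPSULATED_INTERFACE or pdu[1] != MEI_READ_DEVICE_ID or len(pdu) < 7:
        raise ValueError("unexpected function/MEI type")
    read_id_code, conformity, more, next_obj, n_objects = pdu[2:7]
    objects, pos = {}, 7
    for _ in range(n_objects):                                # each object: id, length, value
        if pos + 2 > len(pdu):
            raise ValueError("truncated object header")
        obj_id, obj_len = pdu[pos], pdu[pos + 1]
        value = pdu[pos + 2 : pos + 2 + obj_len]
        if len(value) != obj_len:
            raise ValueError("truncated object value")
        name = BASIC_OBJECTS.get(obj_id, f"object_0x{obj_id:02x}")
        objects[name] = value.decode("ascii", "replace")
        pos += 2 + obj_len
    return {"unit": unit, "read_id_code": read_id_code, "conformity": conformity,
            "more_follows": more == 0xFF, "next_object": next_obj, "objects": objects}


def build_response(transaction_id, unit_id, objects, conformity=0x01):
    """Encode a device reply; used here only to construct the sample answer."""
    body = b"".join(bytes([oid, len(v)]) + v for oid, v in objects)
    pdu = bytes([FUNC_ENCAPSULATED_INTERFACE, MEI_READ_DEVICE_ID, 0x01,
                 conformity, 0x00, 0x00, len(objects)]) + body
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


# Constructed reply from a hypothetical controller (strings are placeholders).
SAMPLE_REPLY = build_response(7, 1, [(0x00, b"ExampleVendor"),
                                     (0x01, b"PLC-1000"),
                                     (0x02, b"v2.3.1")])


def query_example():
    """Return the request bytes we would send and the parsed constructed reply."""
    request = build_request(7, unit_id=1)
    return request, parse_response(SAMPLE_REPLY, expected_transaction_id=7)


if __name__ == "__main__":
    req, info = query_example()
    print(req.hex(), info["objects"])
```

The parsed VendorName, ProductCode and MajorMinorRevision are exactly the fields an inventory needs to match a device against published advisories, and they are obtained with a read-only request in the protocol the controller already speaks.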
Automated vulnerability and inventory management
With new ICS vulnerabilities being published regularly, it is essential to identify the devices at risk and address each vulnerability before it is exploited. Industrial organizations need detailed, up-to-date asset inventories to determine which devices are affected by a given advisory. Automating inventory management gives you each device’s function and its exact classification within the ICS network. Device analysis should take into account firmware and OS versions, open ports, default passwords and the device’s role in the process. Combining those attributes with the advisory’s severity yields an actionable, prioritized risk list, so a safety controller running affected firmware is patched before a development PLC on an isolated bench.
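The Python below is an added illustration of that matching and prioritization step; it is not Tenable’s code. It compares an inventory’s firmware versions against advisories that name an affected version range, then ranks each finding by advisory severity adjusted for the device’s role, whether the vulnerable service is actually listening, and whether default credentials are still in place. The inventory, the advisories, their identifiers (placeholders, not real CVEs) and the weighting factors are all constructed for the example.

```python
"""Match an ICS asset inventory against vulnerability advisories and rank the results.

Added example, not Tenable's code. Inventory, advisories, identifiers and
scoring weights are constructed placeholders.
"""
import re
from dataclasses import dataclass, field
from typing import Optional


def parse_version(text):
    """'v2.3.1' -> (2, 3, 1): keep the numeric components so versions compare as tuples."""
    nums = re.findall(r"\d+", text)
    if not nums:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(n) for n in nums)


@dataclass
class Asset:
    name: str
    vendor: str
    product: str
    firmware: str
    role: str                              # "safety", "process" or "hmi" (constructed roles)
    open_ports: set = field(default_factory=set)
    default_password: bool = False


@dataclass
class Advisory:
    ident: str                             # placeholder id, not a real CVE
    vendor: str
    product: str
    affected_from: str                     # first affected version, inclusive
    fixed_in: Optional[str]                # first fixed version, exclusive; None = no fix yet
    severity: float                        # base score on a 0-10 scale
    network_port: Optional[int] = None     # port the flaw is reached over, if network-exploitable


def is_affected(asset, adv):
    """Vendor/product must match and the firmware must sit inside the affected range."""
    if (asset.vendor, asset.product) != (adv.vendor, adv.product):
        return False
    v = parse_version(asset.firmware)
    if v < parse_version(adv.affected_from):
        return False
    return adv.fixed_in is None or v < parse_version(adv.fixed_in)


ROLE_WEIGHT = {"safety": 3.0, "process": 2.0, "hmi": 1.0}   # constructed consequence weights


def risk_score(asset, adv):
    """Severity adjusted for how reachable and how consequential the asset is."""
    score = adv.severity * ROLE_WEIGHT.get(asset.role, 1.0)
    if adv.network_port is not None and adv.network_port in asset.open_ports:
        score *= 1.5          # the vulnerable service is actually listening
    if asset.default_password:
        score *= 1.2          # trivial to authenticate if the flaw needs credentials
    return round(score, 2)


def prioritize(inventory, advisories):
    """Return (score, asset name, advisory id) for every match, highest risk first."""
    findings = [(risk_score(a, adv), a.name, adv.ident)
                for a in inventory for adv in advisories if is_affected(a, adv)]
    return sorted(findings, reverse=True)


# Constructed inventory and advisories.
INVENTORY = [
    Asset("SIS-01", "ExampleVendor", "PLC-1000", "v2.3.1", "safety", {502}),
    Asset("PLC-12", "ExampleVendor", "PLC-1000", "v2.5.0", "process", {502, 80}, default_password=True),
    Asset("HMI-03", "ExampleVendor", "HMI-Panel", "1.0.7", "hmi", {80, 443}),
    Asset("PLC-20", "ExampleVendor", "PLC-1000", "v3.0.0", "process", {502}),
]
ADVISORIES = [
    Advisory("ADV-A", "ExampleVendor", "PLC-1000", "2.0.0", "2.6.0", 9.8, network_port=502),
    Advisory("ADV-B", "ExampleVendor", "PLC-1000", "2.4.0", None, 6.5, network_port=80),
    Advisory("ADV-C", "ExampleVendor", "HMI-Panel", "1.0.0", "1.1.0", 7.5, network_port=443),
]


def run_example():
    return prioritize(INVENTORY, ADVISORIES)


if __name__ == "__main__":
    for score, asset, adv in run_example():
        print(f"{score:6.2f}  {asset:8s}  {adv}")
```

Note how PLC-20 escapes ADV-A because its firmware is at or past the fixed version, yet still matches ADV-B, which has no fix; and how PLC-12 outranks every other process controller because its vulnerable web port is open and its default password is unchanged. An inventory that recorded only “PLC-1000” without firmware, ports and credentials could not make either distinction.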
Staying ahead of the curve
The old adage has never held truer: “the only thing that is constant is change.” With the rapid shifts occurring in critical infrastructure and other industrial environments, NCCoE’s papers and the NIST guidelines are essential to the ICS security ecosystem, and their recommendations continue to evolve.
Looking beyond NIST to secure your industrial environment not only ensures that you are following current best practices, but also positions your organization to handle the threats that are just over the horizon.
For more information on upgrading your ICS security, check out the Tenable.ot guide to “Adhering to the NIST Framework,” which details ways to improve visibility and reduce risk across your critical infrastructure.