Jan 26, 2022

Chapter 9 – Cybersecurity Frameworks to Protect your OT Environment


Cybersecurity frameworks are industry guidelines, best practices and standards that organizations can adopt to improve their security posture. They give an organization a structured way to reduce both the likelihood and the impact of cyberattacks and to build operational resilience, instead of reinventing a control set from scratch.

With IT/OT convergence and the rise of the Industrial Internet of Things (IIoT), manufacturers face threats that are growing in both number and sophistication. The attack surface has expanded, and industrial control systems (ICS) and operational technology (OT) devices pose their own challenge: most cannot run an endpoint agent or tolerate active scanning, so the traditional IT security tools that depend on those mechanisms do not protect them.

By mapping their existing controls to an established standard, organizations can see which outcomes are already covered, which are not, and where to invest next. In this article, we focus on the following security frameworks that Armis can help you implement in your organization:

  • NIST Cybersecurity Framework (CSF)
  • Center for Internet Security (CIS) Controls
  • MITRE ATT&CK for ICS
  • Zero Trust Security Model

NIST Cybersecurity Framework

Created by the National Institute of Standards and Technology (NIST), this framework provides a set of voluntary guidelines and best practices to manage cybersecurity risk. The CSF does not prescribe specific controls; it describes security outcomes and maps each of them to informative references such as NIST SP 800-53 and ISA/IEC 62443, which is what makes it usable across IT and OT. The outcomes are organized into five core functions: Identify, Protect, Detect, Respond and Recover. Each function is divided into categories, which are groups of related outcomes such as Asset Management, Identity Management and Access Control, and Anomalies and Events, and each category into subcategories that an organization can mark as met, partially met or not met.

NIST Cybersecurity Framework diagram

The CSF helps organizations align and prioritize security measures against their resources, risk tolerance and business goals. Findings from the SANS 2021 Survey: OT/ICS Cybersecurity indicate that the NIST CSF is the most followed cybersecurity standard in the OT world, used by 47.8% of the respondents.

Chart: cybersecurity standards that OT/ICS respondents map their security measures to (source: SANS 2021 Survey: OT/ICS Cybersecurity)

Check out our solution brief to discover how Armis maps to NIST CSF outcomes across the Identify, Protect, Detect and Respond functions.

CIS Critical Security Controls

Managed by the Center for Internet Security (CIS), these controls are a prioritized set of safeguards to defend your operations against the most common attacks and breaches. According to the SANS 2021 Survey, 26.1% of the respondents indicate that they map their ICS/OT security measures to this framework.

The CIS Controls are updated periodically by an international community of experts. The current version, v8, has 18 controls, each broken down into specific, actionable safeguards (153 in total). For example, CIS Control 1, Inventory and Control of Enterprise Assets, covers knowing every device that connects to the network, including IoT and OT devices, and removing or isolating the ones that should not be there. Every safeguard is assigned to one of three implementation groups (IGs), and the groups are cumulative: IG2 includes all of IG1, and IG3 includes all of IG2. The IGs tell an organization which safeguards to implement first:

  • IG1 (56 safeguards) is essential cyber hygiene, the minimum set of safeguards that CIS considers appropriate for every enterprise.
  • IG2 (74 additional safeguards) is for enterprises with more resources and multiple departments with differing risk profiles.
  • IG3 (23 additional safeguards) is for enterprises with dedicated security staff that hold sensitive data or face sophisticated, targeted attacks.

Armis maps to 12 of the 18 CIS Controls. Download our white paper to see which safeguards those are and how to implement them with Armis.


MITRE ATT&CK Framework for ICS

MITRE ATT&CK® for ICS is a knowledge base of the tactics, techniques and procedures (TTPs) adversaries use against OT and ICS, organized as a matrix of tactics (the adversary's goal) and techniques (how that goal is reached). It helps organizations understand how adversaries gain initial access, evade defenses, discover and move laterally between systems, and ultimately inhibit response functions or impair process control, and it gives defenders a common vocabulary for mapping detections to those techniques and finding the ones they do not cover. Data from the 2021 SANS survey reveals that 47% of respondents use ATT&CK in some way to protect their industrial operations.

MITRE had previously published ATT&CK matrices for enterprise and mobile. The ICS matrix, released in January 2020, addresses the needs and constraints of industrial and critical infrastructure organizations. Devices in ICS environments, including PLCs, SCADA systems and robotic arms, are typically unmanaged and cannot run traditional security agents, so detecting these techniques has to come from network traffic and device behavior rather than from host telemetry.

Armis provides coverage for the techniques in the MITRE ATT&CK for ICS matrix, helping companies identify, mitigate and prevent threats. That is possible because our agentless platform discovers every device on your network, as well as devices transmitting wirelessly in your airspace. Once a device has been identified, Armis analyzes its behavior to identify risks and detect attack techniques.
Read our white paper for an in-depth view of how Armis supports the MITRE ATT&CK framework for ICS.

Zero Trust Architecture

The Zero Trust model, coined at Forrester Research, rests on the principle "never trust, always verify": no user, device or system is trusted because of where it sits on the network, and every access request is authenticated, authorized and continuously re-evaluated. The approach has gained prominence with the U.S. federal initiatives to improve the nation's security posture, beginning with Executive Order 14028 in May 2021.

For example, under the Federal Zero Trust Strategy (OMB memorandum M-22-09), government agencies have to achieve specific zero trust goals by the end of fiscal year 2024. Typical zero trust measures include a complete asset inventory, strong user identity and authentication policies, continuous monitoring, network segmentation and more.

When organizations adopt a Zero Trust architecture, they typically focus on users and managed endpoints, leaving gaps for unmanaged IoT devices (such as printers and webcams), OT (manufacturing sensors and machinery, for example) and off-network devices (such as wireless keyboards and headsets), none of which can run an agent or enroll in an identity provider. Armis helps organizations apply the same paradigm to the unmanaged world of OT, ICS and IIoT devices, too.

Watch our webinar to learn how to support Zero Trust principles in industrial environments.

Benefits of Cybersecurity Standards and Best Practices

Implementing security frameworks can help industrial organizations better meet business outcomes, minimizing the risk of operational downtime. Benefits include:

  • Reduced risk exposure. These frameworks have industry-wide recognition as effective ways to mitigate risk and improve cybersecurity resilience.
  • More efficiency. Established standards eliminate guesswork because they provide structure on which measures to prioritize.
  • Strategic alignment. A shared set of guidelines gives clarity and accountability, as it makes the different stakeholders aware of the company's direction and what is expected of them.
  • Legal protection. Being able to demonstrate that the company takes security seriously can help to minimize liability. Gartner has predicted that, by 2024, 75% of CEOs will be personally liable for cyber-physical security incidents.

How to Implement Cybersecurity Frameworks: A Roadmap

We’ve listed four steps for a successful cybersecurity framework implementation:

1. Choose an OT Security Framework that Suits Your Needs

The first step is to review the options and choose a framework that suits your organization's unique challenges. In this article, we have discussed some of the best-known standards in cybersecurity circles that can help you secure ICS and OT systems.

2. Get a Complete Picture of Your Network With OT/IT Asset Discovery and Inventory

To implement a security framework, you need a full picture of your environment, so that you can assess your cybersecurity gaps and strengths. IT/OT convergence requires comprehensive visibility into both managed and unmanaged devices. It is critical to know what each device is, how it normally behaves and which vulnerabilities it carries; an inventory built only from agents or active scans will miss the devices that cannot support either.

3. Map Your Cybersecurity Best Practices and Measures

Your initial assessment is critical to determine which areas you should prioritize. Map your existing security controls to the framework to identify any gaps. Invest in a security solution that can articulate how it helps you comply with well-known cybersecurity models.

4. Take Actions to Close the Security Gaps in Your IT and OT Networks With Armis

OT/ICS security requires an agentless solution like Armis, which can discover all devices on the network, including those that cannot accommodate security agents. Armis analyzes and classifies every device to produce a risk assessment, then passively monitors network traffic to detect abnormal asset behavior and external threats, without sending traffic to the devices themselves.
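Steps 2 and 4 above, and the CIS Control 1 and MITRE ATT&CK for ICS sections before them, all come down to the same mechanism: build an inventory from what is seen on the wire, learn what normal conversations look like, then flag deviations and name the tactic each one corresponds to. The example below is an added illustration and is not Armis code; it runs over a handful of constructed flow records rather than live traffic, and the port-to-protocol table, the two-entry OUI table, the scan threshold and the tactic assignments are assumptions chosen for the example.

```python
"""Passive OT asset inventory plus a behavioural baseline, run over constructed
flow records. Added example, not Armis code; ports, OUIs, threshold and sample
flows are assumptions documented inline."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

# TCP server ports for common industrial and IT protocols (standard defaults).
PROTOCOL_BY_PORT = {
    502: "Modbus/TCP", 102: "S7comm", 44818: "EtherNet/IP", 20000: "DNP3",
    22: "SSH", 3389: "RDP", 445: "SMB",
}
INDUSTRIAL = {"Modbus/TCP", "S7comm", "EtherNet/IP", "DNP3"}
# Modbus function codes that write coils or registers (Modbus application spec).
MODBUS_WRITE_FC = {5, 6, 15, 16, 23}
# Tiny OUI table for vendor attribution; illustrative, not the full IEEE registry.
OUI_VENDOR = {"00:1b:1b": "Siemens", "00:00:bc": "Rockwell Automation"}
SCAN_THRESHOLD = 4  # distinct controllers one source must touch before we call it a scan


@dataclass
class Flow:
    src_mac: str
    src_ip: str
    dst_ip: str
    dst_port: int
    modbus_fc: Optional[int] = None  # only meaningful for Modbus/TCP flows

    @property
    def protocol(self) -> str:
        return PROTOCOL_BY_PORT.get(self.dst_port, f"tcp/{self.dst_port}")


@dataclass
class Asset:
    ip: str
    mac: str = "?"
    vendor: str = "unknown"
    serves: set = field(default_factory=set)  # protocols this host answers
    speaks: set = field(default_factory=set)  # protocols this host initiates

    @property
    def role(self) -> str:
        if self.serves & INDUSTRIAL:
            return "controller"          # PLC/RTU: answers an industrial protocol
        if self.speaks & INDUSTRIAL:
            return "hmi-or-engineering"  # initiates industrial traffic
        return "it-host"


def build_inventory(flows):
    """CIS Control 1 / NIST Identify: enumerate every IP seen on the wire, agentlessly."""
    assets = {}
    for f in flows:
        src = assets.setdefault(f.src_ip, Asset(f.src_ip))
        src.mac = f.src_mac
        src.vendor = OUI_VENDOR.get(f.src_mac[:8].lower(), "unknown")
        src.speaks.add(f.protocol)
        assets.setdefault(f.dst_ip, Asset(f.dst_ip)).serves.add(f.protocol)
    return assets


def learn_baseline(flows):
    """Record every (client, server, port) conversation seen in a known-good window."""
    return {(f.src_ip, f.dst_ip, f.dst_port) for f in flows}


def detect(flows, baseline, assets):
    """Flag conversations absent from the baseline; tag each with an ATT&CK for ICS tactic."""
    findings = []
    probed = defaultdict(set)  # src_ip -> controllers it touched outside the baseline
    for f in flows:
        if (f.src_ip, f.dst_ip, f.dst_port) in baseline:
            continue
        target = assets.get(f.dst_ip)
        if target is None or target.role != "controller":
            continue  # this example only alerts on unexpected traffic to controllers
        probed[f.src_ip].add(f.dst_ip)
        if f.protocol == "Modbus/TCP" and f.modbus_fc in MODBUS_WRITE_FC:
            findings.append({"tactic": "Impair Process Control", "src": f.src_ip, "dst": f.dst_ip,
                             "detail": f"Modbus write (fc {f.modbus_fc}) from a source not in baseline"})
        else:
            findings.append({"tactic": "Lateral Movement", "src": f.src_ip, "dst": f.dst_ip,
                             "detail": f"new {f.protocol} session to a controller"})
    for src, targets in probed.items():
        if len(targets) >= SCAN_THRESHOLD:
            findings.append({"tactic": "Discovery", "src": src, "dst": "*",
                             "detail": f"{len(targets)} controllers probed"})
    return findings


def run(baseline_flows, live_flows):
    """Inventory is built from everything seen; the baseline only from the known-good window."""
    assets = build_inventory(baseline_flows + live_flows)
    return assets, detect(live_flows, learn_baseline(baseline_flows), assets)


# Constructed sample traffic. Baseline: an HMI reading and writing one PLC, an
# engineering station talking S7 to another, and an IT file share.
BASELINE = [
    Flow("00:00:bc:11:22:33", "10.0.1.10", "10.0.2.20", 502, 3),
    Flow("00:00:bc:11:22:33", "10.0.1.10", "10.0.2.20", 502, 16),
    Flow("00:1b:1b:aa:bb:cc", "10.0.1.11", "10.0.2.21", 102),
    Flow("00:50:56:01:02:03", "10.0.1.30", "10.0.1.31", 445),
]
# Live window: baseline traffic plus an unknown host that writes to the PLC and
# then sweeps Modbus across five controllers.
LIVE = BASELINE + [
    Flow("00:50:56:de:ad:01", "10.0.1.50", "10.0.2.20", 502, 16),
    Flow("00:50:56:de:ad:01", "10.0.1.50", "10.0.2.21", 502, 3),
    Flow("00:50:56:de:ad:01", "10.0.1.50", "10.0.2.22", 502, 3),
    Flow("00:50:56:de:ad:01", "10.0.1.50", "10.0.2.23", 502, 3),
    Flow("00:50:56:de:ad:01", "10.0.1.50", "10.0.2.24", 502, 3),
]

if __name__ == "__main__":
    assets, findings = run(BASELINE, LIVE)
    for a in assets.values():
        print(f"{a.ip:<11} {a.role:<19} {a.vendor:<19} serves={sorted(a.serves)}")
    for hit in findings:
        print(f"[{hit['tactic']}] {hit['src']} -> {hit['dst']}: {hit['detail']}")
```

The inventory is built from every flow, including the live window, so the controllers the unknown host discovers are classified as controllers even though nobody legitimate had talked to them yet; the baseline, by contrast, is learned only from the known-good window, which is the distinction that lets the same write the HMI performs every day pass while the identical write from 10.0.1.50 is flagged. A real deployment would key assets on MAC rather than IP, learn the baseline over days rather than a list, and map findings to specific technique IDs, but the shape of the logic is the same.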

The Armis Platform shields your operations from cyberattacks – helping you meet security standards and best practices along the way. Book a demo now, and we will walk you through our award-winning solution.

Read All of the IT OT Convergence Playbook Chapters :

  1. Chapter 1 – Industry 4.0 Challenges on IT/OT Convergence
  2. Chapter 2 – Air Gap and Purdue Model
  3. Chapter 3 – Ramping Up Infrastructure Protection
  4. Chapter 4 – Defending Industrial Environments
  5. Chapter 5 – See All Assets on Networks
  6. Chapter 6 – The Influence of Passive Security Monitoring in Productivity
  7. Chapter 7 – Best Practices to Protect Industrial Assets
  8. Chapter 8 – ICS Cybersecurity Risk Assessment
  9. Chapter 9 – Cybersecurity Frameworks to Secure OT Assets (this chapter)
  10. Chapter 10 – ICS Zero Trust Framework (next chapter)
  11. Chapter 11 – Armis CIS Controls
  12. Chapter 12 – Comprehensive Coverage for MITRE ATT&CK for ICS
  13. Chapter 13 – Was 2021 the Year of Ransomware Attacks?
  14. Chapter 14 – Cybersecurity Best Practices for IT/OT Convergence