NIST recommendations for IoT & ICS security

The US government formed the National Institute of Standards and Technology, or NIST Cybersecurity Framework to protect the nation’s most critical assets, defined by NIST SP 800-30, Rev. 1 “system and assets, whether physical or virtual, are so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”

Information about systems and components is not only vital to improving efficiency, uptime, and competitiveness, it is also vital to ensuring the overall safety of our industrial control systems, which means safety to our operators, machinists, and society in general.

As industrial control systems (ICS) become interconnected throughout our enterprises, as IT is, we are faced with more and more vectors of potential intrusion affecting these critical systems and assets. Traditional ICS environments, by nature, were left to their own devices as the main culprit to system downtime and intrusion was that of a physical breach and/or human error and sabotage.

Today’s systems are vast networks of interconnected devices surrounded by a circling adversary called the Internet. No longer do we need to encircle our ICS with physical security such as fencing and deadbolts. We are now tasked with ICS threat vectors akin to what our IT counterparts have faced for decades. And with the onslaught of ransomware and nation-state attacks on our critical infrastructure, think electrical grid, oil and gas pipelines, water treatment plants, a revisit of NIST for both IT and ICS systems is warranted.

It is important to note that the NIST Framework is not simply a checklist of ciphers to implement. As every organization’s deployment of systems and components varies, NIST offers a framework to follow, a guide or sherpa, so to speak, on how to assess risk, stressing the importance of cross-functional buy-in across the entire organization to understand its risk posture better and to form an operational culture that addresses the overall cyber risk of the organization’s most critical assets.

The foundation or framework of NIST is centered around three principles:

1. Guidance – How an organization should tackle cyber risks and best practices to do so. Again, not a list of ciphers but a guide to what ‘good’ looks like.

2. Assessment – Where are we today, and what should tomorrow look like. A proper assessment creates a baseline of today’s current state and the gaps between today’s state and tomorrow’s cyber goals.

3. An Improved Posture – Lastly, based on tomorrow’s organizational cyber goals, and the gaps that exist, NIST puts forth a blueprint on actions and activities that will ultimately lead to an improved security posture.

Will a NIST Framework ensure your organization is in the clear? Most assuredly not. But it certainly provides a framework to minimize intrusion, shorten detection and response times, and improve overall recovery if and when bad things happen.