Understanding OT Cyber Security Standards
In comparison to the IT sector, cybersecurity for operational technology (OT) and industrial control systems (ICS) is considerably weaker. The main reason is that OT systems were not designed for a digitalized world in which systems are connected via the internet. Yet the move towards the Industrial IoT (IIoT) demands secure OT systems and protection for manufacturing processes and critical infrastructure such as energy, health, and transportation.
As connectivity expands and individual elements connect to the web, permitting remote monitoring, software updates, better analysis of operational data, and automation of such systems, the attack surface grows immensely. Protecting these systems against cyberattacks has become the need of the hour.
For manufacturing alone, Verizon's latest Data Breach Investigations Report documented over 200 espionage-motivated security breaches and over 700 financially motivated attacks in the past year. The development and advancement of industry cybersecurity standards play a crucial part in securing such systems.
In April 2021, a ransomware attack shut down the largest pipeline network in the United States. Colonial Pipeline, which provides almost 50% of the Northeast's energy requirements, lost about 100 gigabytes of proprietary data. In the wake of the multi-day shutdown of an essential fuel distribution network, the NIST Cybersecurity Framework (NIST CSF) is attracting renewed interest among energy stakeholders.
Ransomware attacks on the energy industry continue to multiply, targeting weak IT systems in order to disrupt critical energy infrastructure.
Most companies (47.8%) in the critical infrastructure field map their control systems to the NIST CSF. Other widely used frameworks include IEC 62443 (32%), NIST 800-53 (31.5%), NIST 800-82 (29.6%), and the ISO 27000 series (29.1%). However, over the previous two years, the MITRE ATT&CK for ICS framework has emerged as a powerful force multiplier for responding to cybersecurity threats, especially in the oil & energy field.
This article discusses the updates to the cybersecurity standards and frameworks that secure the critical infrastructure industry and gives an overview of MITRE ATT&CK.
Pipeline cyber security: The new, synergistic collaboration between NISTIR 8374 and API Std 1164
On 17th June 2021, NIST released a preliminary draft of its new Cybersecurity Framework Profile for Ransomware Risk Management (NISTIR 8374). A revised draft of the profile was released in September.
NISTIR 8374 delivers an actionable strategy to help companies reduce their vulnerability to ransomware attacks and respond to them. It maps essential cybersecurity controls and defensive actions to the five functions of the NIST Cybersecurity Framework: identify, protect, detect, respond, and recover.
The Ransomware Profile is particularly suitable for companies that have already adopted the NIST Cybersecurity Framework and the NERC-CIP (Critical Infrastructure Protection) standards.
Meanwhile, to underscore the energy sector's commitment to securing the nation's critical infrastructure assets, the API issued its 3rd Edition of Standard (Std) 1164 on August 18, 2021. According to API Senior Vice President of API Global Industry Services (GIS) Debra Phillips, "The new edition API Std 1164 builds on our industry's long history of… collaborating with the federal government to protect the nation's vast network of pipelines and other critical energy infrastructure from cyber-attacks."
This third edition also aligns with the goals of the Justice Department's newly formed Ransomware and Digital Extortion Task Force.
Together, the latest NISTIR 8374 and API Std 1164 updates work to protect the nation's critical infrastructure.
How the MITRE ATT&CK ICS framework works within the energy IT/OT security industry
A practical governance blueprint can amplify a company's response to IT/OT cyber threats.
This is where the ATT&CK for ICS framework comes in. It provides the foundation for building an effective defense against adversary tactics and techniques.
Although the NIST Cybersecurity Framework delivers a broad governance structure for recognizing and responding to cyber-attacks, it does not offer a template for predicting ransomware behaviors, detecting stealthy reconnaissance activity, isolating attacks, or conducting a post-mortem analysis of cybersecurity incidents. The ATT&CK for ICS framework fills this gap.
Together, the NIST Cybersecurity Framework and ATT&CK for ICS act as a critical base for mitigating the threats of IT/OT convergence in the energy industry.
Standard cybersecurity framework
NIST Cyber Security Framework (CSF): This is a five-function strategy for mitigating a company's cybersecurity risks. It is most often used in combination with the following standards:
- NERC CIP: These standards are aimed at protecting the national power grid.
- NIS Directive: This legislation aims to strengthen cybersecurity across the EU.
- MITRE ATT&CK for ICS Framework: This is a globally available knowledge base of the tactics and techniques used by cyber threat actors against industrial control systems.
- NISTIR 8374 (Draft): This guide aims to help organizations manage the risk of ransomware attacks.
- ISA/IEC 62443: This framework addresses current and future security vulnerabilities in industrial automation and control systems.
- NIST 800-53: These security and privacy controls are intended for federal government systems and critical infrastructure.
- NIST 800-82: This guide provides guidance on securing industrial control systems.
- ISO 27000 Series: These standards focus on helping organizations strengthen their information security practices.
- CIS Critical Security Controls: These are a set of activities that help companies protect their data against common attack vectors.
Other frameworks include:
- Cybersecurity Maturity Model Certification: An assessment program that measures the maturity of cybersecurity operations for over 300,000 organizations that support the DOD's Defense Industrial Base.
- ANSI/AWWA G430-14: This standard defines the minimum requirements for a protective security program for the nation's water and wastewater utilities.
- DESC ICS Security Standard (UAE): DESC provides a framework for managing cyber threats to government entities and to the Industrial Control Systems (Operational Technology) deployed in Dubai's critical infrastructure.
- Saudi Arabia ECC Security Standard: The ECC framework was introduced in 2018 by the Saudi Arabian government. Its objective is to establish best practices in cybersecurity at a national level, covering critical infrastructure, high-priority sectors, and government services.
Domain 5 of the ECC framework focuses on Industrial Control Systems/Operational Technology and applies only to organizations that depend on manufacturing/production facilities or that operate in energy generation/distribution.
- Qatar ICS Security Standard: This standard sets out Qatar's security management requirements for industrial automation systems.
- ENISA Guide to Protecting ICS (EU): This manual serves as guidance for mitigating threats to industrial control systems across the EU.
Deploying the proper asset management, threat detection & response tool enables a more secure industrial network
Energy-related organizations must deploy the proper asset management, threat detection, and response tools in order to comply with the critical OT standards.
Today, gaining complete asset visibility for discovery and control starts with 100% packet visibility afforded by network TAPs (test access points). Relying on switch SPAN or mirror ports is no longer sufficient: they were not designed for continuous monitoring, and a mirror port can silently drop frames when the switch is busy or when both directions of a full-duplex link exceed the mirror port's capacity.
Complete visibility is the basis of a robust cybersecurity threat detection and response solution. Cyber risk detection and response are more crucial than ever due to IT/OT convergence in the energy industry. For example, the IoT sensors that let oil & gas companies monitor worker safety on offshore rigs remotely depend on internet connectivity, which introduces numerous security gaps that threaten OT infrastructure.
Industrial teams turn to network TAPs for packet visibility not only because of their clear advantages over SPAN but because they are easy to use: rugged, plug-and-play devices that are passive or failsafe and do not change existing configurations. TAPs supply full-duplex copies of network traffic around the clock, and can provide unidirectional output (so monitoring tools cannot transmit back into the production network), media conversion, and traffic aggregation. All of this is designed to make asset inventory and threat detection tool deployments seamless, so that compliance and security requirements are met.
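To make the "packet visibility to asset inventory" step concrete, here is an added example (not code from the article or from any TAP or monitoring vendor) of what a passive asset-discovery tool does with the frames a TAP copies to it: it decodes the Ethernet, IPv4 and TCP/UDP headers, folds each frame into an inventory keyed by MAC address, notes which industrial protocols each device is addressed on, and reports any device that is not on an approved baseline. The sample frames, the baseline MAC list and the port-to-protocol labels are constructed for the example and are assumptions, not values from the page.

```python
"""Passive OT asset inventory from a TAP feed (added example, constructed data)."""
import struct
from dataclasses import dataclass, field

ETHERTYPE_IPV4, ETHERTYPE_ARP = 0x0800, 0x0806
PROTO_TCP, PROTO_UDP = 6, 17
# Port labels are an assumption for illustration, not a complete OT protocol list.
OT_PORTS = {502: "modbus", 102: "s7comm", 44818: "ethernet-ip", 20000: "dnp3"}


@dataclass
class Asset:
    mac: str
    ips: set = field(default_factory=set)
    services: set = field(default_factory=set)  # OT protocols this asset was addressed on
    talks_to: set = field(default_factory=set)  # destination IPs this asset sent to


def _mac(b): return ":".join(f"{x:02x}" for x in b)
def _ip(b): return ".".join(str(x) for x in b)


def parse_frame(frame: bytes):
    """Decode Ethernet + IPv4 + TCP/UDP headers; None if the frame is truncated."""
    if len(frame) < 14:
        return None
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    rec = {"src_mac": _mac(src), "dst_mac": _mac(dst), "etype": etype}
    if etype != ETHERTYPE_IPV4:
        return rec                      # ARP etc.: still proves the source MAC exists
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4 if ip else 0
    if ihl < 20 or len(ip) < ihl:
        return None                     # truncated or malformed IPv4 header
    rec.update(src_ip=_ip(ip[12:16]), dst_ip=_ip(ip[16:20]), proto=ip[9])
    l4 = ip[ihl:]
    if ip[9] in (PROTO_TCP, PROTO_UDP) and len(l4) >= 4:
        rec["sport"], rec["dport"] = struct.unpack("!HH", l4[:4])
    return rec


def build_inventory(frames):
    """Fold a stream of TAP-copied frames into {mac: Asset}."""
    inv = {}
    for frame in frames:
        rec = parse_frame(frame)
        if rec is None:
            continue
        src = inv.setdefault(rec["src_mac"], Asset(rec["src_mac"]))
        if "src_ip" not in rec:
            continue                    # non-IP frame: MAC recorded, nothing more to learn
        src.ips.add(rec["src_ip"])
        src.talks_to.add(rec["dst_ip"])
        dst = inv.setdefault(rec["dst_mac"], Asset(rec["dst_mac"]))
        dst.ips.add(rec["dst_ip"])
        if rec.get("dport") in OT_PORTS:
            dst.services.add(OT_PORTS[rec["dport"]])
    return inv


def new_assets(inv, baseline_macs):
    """MACs seen on the wire that are absent from the approved baseline."""
    return sorted(set(inv) - set(baseline_macs))


def build_frame(src_mac, dst_mac, src_ip=None, dst_ip=None, proto=PROTO_TCP,
                sport=0, dport=0, etype=ETHERTYPE_IPV4):
    """Construct a minimal frame for the sample data below (no checksums)."""
    def h(m): return bytes.fromhex(m.replace(":", ""))
    def a(s): return bytes(int(x) for x in s.split("."))
    eth = h(dst_mac) + h(src_mac) + struct.pack("!H", etype)
    if etype != ETHERTYPE_IPV4:
        return eth + bytes(28)          # ARP body is not decoded by parse_frame
    l4 = struct.pack("!HH", sport, dport) + bytes(16)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     a(src_ip), a(dst_ip))
    return eth + ip + l4


HMI, PLC, EWS = "aa:00:00:00:00:01", "aa:00:00:00:00:02", "aa:00:00:00:00:03"
ROGUE = "de:ad:be:ef:00:01"
BASELINE_MACS = {HMI, PLC, EWS}         # constructed approved asset list
SAMPLE_FRAMES = [                       # constructed traffic as a TAP would copy it
    build_frame(HMI, PLC, "10.0.0.10", "10.0.0.20", sport=51000, dport=502),  # HMI polls PLC (Modbus)
    build_frame(PLC, HMI, "10.0.0.20", "10.0.0.10", sport=502, dport=51000),  # PLC reply
    build_frame(EWS, PLC, "10.0.0.30", "10.0.0.20", sport=51001, dport=102),  # engineering session (S7)
    build_frame(ROGUE, "ff:ff:ff:ff:ff:ff", etype=ETHERTYPE_ARP),             # unknown device ARPs
    bytes(10),                                                                 # runt frame, skipped
]

if __name__ == "__main__":
    inventory = build_inventory(SAMPLE_FRAMES)
    for asset in inventory.values():
        print(asset)
    print("not in baseline:", new_assets(inventory, BASELINE_MACS))
```

Because the inventory is built only from frames a TAP has already copied, the tool never needs an address on the control network, which is the property the unidirectional TAP output is meant to guarantee. In practice the frames would come from a capture interface rather than the constructed list, and the baseline would be the site's approved asset register.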