Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” directed the development of the voluntary Cybersecurity Framework that provides a prioritized, flexible, repeatable, performance-based and cost-effective approach to manage cybersecurity risk for those processes, information and systems directly involved in the delivery of critical infrastructure services. To address the sector-specific cybersecurity challenges of the manufacturing industry, NIST has developed the NISTIR 8183 “Cybersecurity Framework Manufacturing Profile,” which defines specific cybersecurity activities and outcomes for the protection of the manufacturing system, its components, facility and environment.
Building the Case for the Manufacturing Profile
Manufacturing is a large and diverse industrial sector. Manufacturing industries can be categorized as either process-based, discrete-based or a combination of both. Process-based manufacturing industries typically utilize two main process types:
- Continuous Manufacturing Processes. These processes run continuously, often with phases to make different grades of a product. Typical continuous manufacturing processes include fuel or steam flow in a power plant, petroleum in a refinery and distillation in a chemical plant.
- Batch Manufacturing Processes. These processes have distinct processing steps conducted on a quantity of material. There is a distinct start and end to a batch process. Typical batch manufacturing processes include food, beverage and biotech manufacturing.
Discrete-based manufacturing industries typically conduct a series of operations on a product to create the distinct end-product. Electronic and mechanical parts assembly are typical examples of this type of industry. Both process-based and discrete-based industries utilize similar types of control systems, sensors and networks. Some facilities are a hybrid of discrete and process-based manufacturing. The manufacturing sector of the critical infrastructure community includes public and private owners and operators that are supported by industrial control systems (ICS) and by IT.
This reliance on technology, as well as the interconnectivity of ICS and IT, has changed and expanded the potential vulnerabilities and increased potential risk to manufacturing system operations. Unlike the healthcare and financial sectors, the manufacturing industry is still adapting to cybersecurity and has only a few regulated compliance standards, such as the ISA/IEC 62443 Standards. The manufacturing industry is one of the most targeted industries when it comes to cyberattacks. In 2016, an independent study recognized the manufacturing industry as the second most attacked industry.
While the healthcare sector is still the most frequently attacked, attacks on manufacturing come as no surprise since it's an expansive industry that includes the automotive, textile, electronic and other subgroups that manufacture a multitude of different products. Threat actors are seeking to steal intelligence on any new product, process or technology that a manufacturer creates, which can be anything from blueprints of confidential designs to secret formulas or unique assembly processes. This information can then be used by adversaries to sell products at a lower price and cut both competitive advantages and margins.
Intellectual property theft is not the only motivation of malicious actors. In August 2019, IBM's X-Force IRIS incident response team published new research based on recent cyberattacks, and the main trend witnessed was the rise of destructive malware in the manufacturing sector. These forms of malicious code, such as Industroyer, NotPetya or Stuxnet, are designed to cause damage rather than covert surveillance or data theft. “Historically, destructive malware such as Stuxnet, Shamoon, and Dark Seoul was primarily used by nation-state actors,” says the IBM report.
“However, especially since late 2018, cybercriminals have been incorporating wiper elements into their attacks, such as with new strains of ransomware like LockerGoga and MegaCortex.” The most common initial infection vectors are phishing emails, theft of credentials required to enter an internal network, watering hole attacks, and the successful compromise of third parties with a connection to the true target. Some hackers will lurk in corporate systems for months before launching a malicious attack, whilst others will wreak havoc upon their entry. It is estimated that when an enterprise company is hit by a successful, destructive cyberattack, on average, over 12,000 workstations will be damaged in some way and it can take more than 512 hours to restore the status of critical systems.
For example, Pilz, one of the world's largest producers of automation tools, had been down for more than 10 days after suffering a ransomware infection. “Since Sunday, October 13, 2019, all servers and PC workstations, including the company's communication, have been affected worldwide,” the Germany-based company wrote on its website.
It took Pilz staff three days to regain access to its email service and another three days to restore email service for its international locations. Access to the product orders and delivery system was restored only on 21 October. With so much at stake, it is no wonder the cost of a security incident can be high for the largest companies, with the average estimated cost reaching $239 million.
It is evident that cybersecurity is not only a challenge for a manufacturer’s IT department but for the operations and leadership teams, too.
The NIST “Cybersecurity Framework Manufacturing Profile”
The NISTIR 8183 publication provides the Cybersecurity Framework implementation details developed for the manufacturing environment. The “Manufacturing Profile” of the Cybersecurity Framework can be used as a roadmap, aligned with manufacturing sector goals and industry best practices, for reducing cybersecurity risk for manufacturers. The Profile provides a voluntary, risk-based approach for managing cybersecurity activities and reducing cyber risk to manufacturing systems. The Profile gives manufacturers:
- A method to identify opportunities for improving the current cybersecurity posture of the manufacturing system
- An evaluation of their ability to operate the control environment at their acceptable risk level
- A standardized approach to preparing the cybersecurity plan for ongoing assurance of the manufacturing system’s security
The document represents a “Target” Profile that focuses on the desired cybersecurity outcomes and provides an approach to the desired state of cybersecurity posture of the manufacturing system. A comparison of the current and target profiles may reveal gaps to be addressed to meet cybersecurity risk management objectives. Prioritization of gap mitigation is driven by the organization’s business needs and risk management processes. This risk-based approach enables an organization to gauge resource estimates to achieve cybersecurity goals in a cost-effective, prioritized manner.
Therefore, the Manufacturing Profile provides a prioritization of security activities to meet specific business/mission goals. To meet its purpose, the Profile defines specific practices to address the Framework Core. The Framework Core is a set of cybersecurity activities and desired outcomes determined to be essential across critical infrastructure sectors.
The Core presents industry standards, guidelines and practices in a manner that allows for communication of cybersecurity activities and outcomes across the organization from the executive to the operations level. The Framework Core consists of five concurrent and continuous Functions—Identify, Protect, Detect, Respond and Recover.
When considered together, these Functions provide a high-level, strategic view of the organization’s management of cybersecurity risk. The five Framework Functions can be performed concurrently and continuously to form an operational culture that addresses the dynamic cybersecurity risk. The Framework Core then identifies underlying key Categories and Subcategories for each Function and matches them with existing standards and guidelines such as NIST SP 800-82 “Guide to Industrial Control Systems Security” and ISA/IEC 62443 Standards.
The Manufacturing Profile is meant to enhance but not replace current cybersecurity standards and industry guidelines that the manufacturer is embracing.
How Tripwire Helps
Applying the controls suggested by NIST’s “Cybersecurity Framework Manufacturing Profile” can be an overwhelming task. Tripwire’s ICS Security Suite can help you meet the foundational requirements defined in the standard. Our cyber resiliency suite integrates with the plant network equipment and factory automation systems you already own to help you find, fix and monitor security to prevent and detect cyber incidents.