NIST SP 1800-23, Energy Sector Asset Management: Securing Industrial Control Systems

Image

Industrial organizations face a growing list of digital threats these days. Back in April 2019, for instance, FireEye revealed that it had observed an additional intrusion by the threat group behind the destructive TRITON malware at another critical infrastructure. This discovery came less than two years after the security firm discovered an attack in which the threat actor leveraged their TRITON attack framework to manipulate safety systems and cause a shutdown at a critical infrastructure organization. TRITON isn’t the only threat that’s recently preyed on organizations, either. In June 2019, for example, researchers at Dragos uncovered new threat activity from the XENOTIME group where attackers expanded their targeting beyond oil and gas companies to electric utilities. It was a short time thereafter that the industrial security company spotted another actor called “HEXANE” going after oil and gas companies in the Middle East as well as telcom providers in the Middle East, Central Asia and Africa. Fortunately, these and other incidents failed to go unnoticed by the broader industrial security community. Many in the industrial security space carefully tracked these stories and shared IoCs/other threat intel with industrial organizations to help them stay safe. Some decided to do even more. Among them was the National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology (NIST),  a collaborative hub where industry organizations, government agencies and academic institutions work together to address businesses’ most pressing cybersecurity challenges. NCCoE began working on developing a cybersecurity project involving asset management a short time ago. The purpose of the project was to help energy utilities and the oil the gas industry develop an automated solution to better manage their industrial control system (ICS) assets. Towards that end, the NCCoE released a draft practice guide NIST Special Publication 1800-23, Energy Sector Asset Management. This practice guide explores methods for managing, monitoring and baselining assets and includes information to help identify threats to these OT assets. In these efforts, researchers drew upon both standards and best practices to develop reference designs leveraging commercially available technologies. They also mapped capabilities to NIST guidance and control families, including the NIST Cybersecurity Framework. “Collaborating with key stakeholders in the energy sector, technology providers, and integrators to produce viable cybersecurity solutions is key to the NCCoE’s success. The Energy Sector Asset Management Practice Guide is another example of how stakeholders engage with the NCCoE to produce solutions to real-world problems.” said Jim McCarthy, NCCoE senior security engineer. For its guide, how commercially available solutions can be integrated with existing tools to monitor activity in industrial control environments and detect anomalies. This effort thereby marked the second instance where the NCCoE and Tripwire came together to support security measures. The first partnership took shape back in 2017; for that project, the NCCoE and Tripwire together drafted a cybersecurity practice guide on data integrity. Tim Erlin, vice president of product management and strategy, notes that the strength of its industrial solutions put Tripwire in an excellent position to contribute to the NCCoE’s guide:

Tripwire provides industrial organizations visibility into cyber events that could affect the safety, productivity and quality of their operations. Our anomaly detection capabilities deliver deep, granular visibility into industrial devices and network activity to provide a baseline of normal operations and alert to any changes, without disrupting operational processes.

The NCCoE believes that its recently released guide helps meet a critical cybersecurity and economic need. But we want to make sure it covers everything of concern for industrial organizations, so we want to hear from you. Please share your thoughts on this step-by-step guide to enhance it. Download the draft guide and provide your feedback on the NCCoE comment page. The public comment period closes on November 25, 2019.

*While the example implementation uses certain products, NIST and the NCCoE do not endorse these products. The guide presents the characteristics and capabilities of those products, which an organization’s security experts can use to identify similar standards-based products that will fit within with their organization’s existing tools and infrastructure.