NIST Cybersecurity Framework: Reducing OT Security Risk with Claroty
July 9, 2020
We often describe The Claroty Platform as a complete OT security solution. What we mean by that is our platform provides the extensive range of security controls our customers need in order to protect and reduce risk in their OT environments.
This range is so extensive, in fact, that it also helps our customers comply with regulatory requirements, industry guidelines, and other security standards—including those set forth by arguably the most comprehensive and widely adopted security framework: the National Institute of Standards and Technology Cybersecurity Framework, or NIST CSF.
Created in response to Improving Critical Infrastructure Cybersecurity, a 2013 U.S. federal executive order, the NIST CSF is a thorough set of guidelines around security controls to help critical infrastructure owners and operators manage and reduce cybersecurity risk. Although the framework is voluntary, its flexibility, common lexicon, and emphasis on business drivers have fueled its adoption and its recognition as a de facto requirement across industries worldwide.
Here’s a glimpse at how The Claroty Platform—which includes our Continuous Threat Detection (CTD) and Secure Remote Access (SRA) solutions—helps our customers protect their OT environments with the controls recommended by each of the five functions of the NIST CSF:
Function 1: Identify
The Identify function is about understanding your organization and the risks it faces so that you can prioritize cybersecurity initiatives and align them with existing risk management and business objectives. The Claroty Platform supports the following Identify controls:
Asset Management: CTD provides discovery and inventory of physical and virtual OT assets, as well as full visibility of communications flows within the OT environment.
Governance: CTD and SRA each provide key components of a broader risk monitoring process that informs cybersecurity and risk governance.
Risk Assessment: CTD continuously assesses risk in OT environments at multiple levels: device, network segments and subnets, communications, observed threats, vulnerabilities, and overall risk and security hygiene.
Risk Management Strategy: CTD and SRA provide a high-level view of risk in the OT environment, which drives the strategic discussion around risk management.
Supply Chain Risk Management: CTD identifies third-party activity, components, and processes and the risks that correspond to them. SRA provides visibility into third-party remote access as part of supply chain risk management, enables auditing of third-party activity, and supports recovery procedures for emergency situations.
Function 2: Protect
The Protect function entails implementing appropriate safeguards in your OT environment to ensure the delivery of critical services, as well as to mitigate the impact of a potential cybersecurity event. The Claroty Platform supports the following Protect controls:
Identity Management and Access Control: SRA manages and tightly controls OT remote access by enforcing granular role- and policy-based administrative controls in accordance with Least Privilege and Zero Trust security principles. CTD supports segmentation through communication audits and virtual segmentation for flat networks.
Data Security: CTD strengthens data security through segmentation and network flow mapping, as well as with change notifications for OT components and processes.
Information Protection Processes and Procedures: CTD supports this with features such as change monitoring and virtual segmentation. SRA contributes to the establishment of change control processes by managing administrative access.
Maintenance: CTD monitors and audits maintenance activity of industrial systems, while SRA provides multiple controls for system maintenance activities.
Protective Technology: CTD supports this through monitoring, risk and vulnerability management, and policy zones. Together, CTD and SRA log configuration changes made to industrial systems.
Function 3: Detect
The Detect function encompasses controls and corresponding activities that enable you to quickly and accurately discover cybersecurity events in your OT environment. The Claroty Platform supports the following Detect controls:
Anomalies and Events: CTD establishes baselines and identifies deviations for network operations, data flows, and configuration and firmware changes, among others.
Security Continuous Monitoring: CTD and SRA monitor activity and remote access to each industrial system, flagging anomalous communication and unauthorized activity. To speed response, CTD’s continuous risk scoring helps teams set priorities effectively.
Detection Processes: CTD detects events, then consolidates and contextualizes them and communicates them through the user interface, syslog, and API so that they reach the appropriate people and tools.
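As an added example, not Claroty code and not a description of how CTD is implemented, the following Python sketch shows the baseline-and-deviation approach the Detect function relies on: learn which source talks to which destination with which protocol operation during a learning window, classify later flows by how far they depart from that baseline, diff per-device state snapshots to catch configuration or firmware changes, and render alerts as syslog lines for downstream tooling. Asset names, flows, snapshots and the sensor hostname are all constructed for illustration.

```python
"""Baseline-and-deviation detection over OT traffic and device state.

Added example, not Claroty code. Flow records, device names and snapshots
below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str        # source asset (hostname or IP)
    dst: str        # destination asset
    proto: str      # industrial or IT protocol, e.g. "modbus", "s7comm"
    function: str   # protocol operation, e.g. "read_holding_registers"


def learn_baseline(flows):
    """Learning phase: record which (dst, proto, function) each source used."""
    baseline = defaultdict(set)
    for f in flows:
        baseline[f.src].add((f.dst, f.proto, f.function))
    return dict(baseline)


def detect_flow_deviations(baseline, flows):
    """Monitoring phase: classify each flow against the learned baseline.

    Returns (kind, flow) pairs. The kind tells a responder how far the flow
    departs from the norm: an unseen source is worse than a known source
    reaching a new device, which is worse than a known pair using a new
    operation (e.g. a read-only historian suddenly writing a register).
    """
    alerts = []
    for f in flows:
        allowed = baseline.get(f.src)
        if allowed is None:
            alerts.append(("new_source", f))
        elif (f.dst, f.proto, f.function) in allowed:
            continue                      # matches baseline, no alert
        elif any(dst == f.dst for dst, _, _ in allowed):
            alerts.append(("new_operation", f))
        else:
            alerts.append(("new_destination", f))
    return alerts


def detect_state_changes(before, after):
    """Compare two per-device snapshots (firmware, logic hash, ...) and
    report every attribute that changed, appeared, or disappeared."""
    changes = []
    for device in sorted(set(before) | set(after)):
        old, new = before.get(device, {}), after.get(device, {})
        for key in sorted(set(old) | set(new)):
            if old.get(key) != new.get(key):
                changes.append((device, key, old.get(key), new.get(key)))
    return changes


def to_syslog(kind, flow, hostname="ot-sensor-01"):
    """Render an alert as one RFC 5424 line (PRI 12 = facility user, severity
    warning; timestamp left as NILVALUE '-' so the output is deterministic)."""
    return (f"<12>1 - {hostname} ot-baseline - {kind} "
            f'[ot src="{flow.src}" dst="{flow.dst}" proto="{flow.proto}" '
            f'fn="{flow.function}"] baseline deviation: {kind}')


# Constructed learning window: an HMI and an engineering workstation talk
# to one PLC, and a historian only ever reads from it.
LEARNING_FLOWS = [
    Flow("hmi-01", "plc-03", "modbus", "read_holding_registers"),
    Flow("hmi-01", "plc-03", "modbus", "write_single_register"),
    Flow("eng-ws-02", "plc-03", "s7comm", "read_var"),
    Flow("historian", "plc-03", "modbus", "read_holding_registers"),
]

# Constructed monitoring window: one normal flow and three deviations.
MONITORED_FLOWS = [
    Flow("hmi-01", "plc-03", "modbus", "read_holding_registers"),        # normal
    Flow("historian", "plc-03", "modbus", "write_single_register"),      # new op
    Flow("eng-ws-02", "plc-07", "s7comm", "read_var"),                   # new dst
    Flow("vendor-laptop", "plc-03", "modbus", "write_single_register"),  # new src
]

# Constructed device snapshots: firmware on plc-03 changed between polls.
STATE_BEFORE = {"plc-03": {"firmware": "2.4.1", "logic_hash": "9f1c2a7b"}}
STATE_AFTER = {"plc-03": {"firmware": "2.5.0", "logic_hash": "9f1c2a7b"}}


def run_demo():
    """Learn from the learning window, then evaluate the monitored window."""
    baseline = learn_baseline(LEARNING_FLOWS)
    alerts = detect_flow_deviations(baseline, MONITORED_FLOWS)
    changes = detect_state_changes(STATE_BEFORE, STATE_AFTER)
    return alerts, changes


if __name__ == "__main__":
    found_alerts, found_changes = run_demo()
    for alert_kind, alert_flow in found_alerts:
        print(to_syslog(alert_kind, alert_flow))
    for device, key, old, new in found_changes:
        print(f"{device}: {key} changed {old!r} -> {new!r}")
```

The ordering of alert kinds is the point a practitioner should take from this: a baseline that only answers "seen before or not" forces every deviation to the same queue, whereas separating a new source from a new destination from a new operation lets the historian-writes-a-register case be triaged differently from a previously unknown laptop appearing on the control network. Real deployments also age the learning window and allow approved changes to re-baseline, which this sketch omits.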
Function 4: Respond
The Respond function facilitates the effective and efficient response to a cybersecurity incident in your OT environment. The Claroty Platform supports the following Respond controls:
Response Planning: CTD informs more-efficient response planning with insights such as communications monitoring and Attack Vector Mapping.
Communications: Backed by CTD’s open API and event feeds, the Claroty Cloud provides a mechanism for securely sharing OT threat intelligence.
Analysis: CTD provides full forensic information and insights related to all events and associated assets in OT environments in order to facilitate analysis.
Mitigation: SRA limits the damage a compromised third-party asset can do. CTD documents the common vulnerabilities and exposures (CVEs) affecting discovered OT assets so that risk-based decisions can be made, and CTD’s firewall integrations support the dynamic insertion of rules to contain a compromise.
Improvements: Event forensics, process values, and baseline exceptions from CTD can inform specific adjustments to response plans and strategy. In addition, The Claroty Platform’s protocol support and vulnerability coverage are continually updated as new vulnerabilities are uncovered.
Function 5: Recover
The Recover function is about having proper plans and mechanisms in place to reduce the impact of a cybersecurity incident on your OT environment and enable the timely return to normal operations. The Claroty Platform supports the following Recover controls:
Recovery Planning: CTD’s record of changes to critical systems lets teams assess whether affected systems can safely be returned to production.
Improvements: CTD supports this through its analysis of network segmentation, critical system vulnerabilities, and attack vectors.
Communications: The Claroty Cloud, fed by CTD, enables secure and efficient sharing of the information critical to recovery.