By Grant Geyer | May 2, 2022

NIST recently updated Special Publication 800-82 to Rev. 3, renaming it: “Guide to Operational Technology (OT) Security.” The name change reflects a newly expanded scope beyond industrial control systems (ICS) to also include building automation systems, transportation systems, physical access control systems, physical environment monitoring systems, and physical environment measurement systems. 

A comment period on the revision has begun and remains open until July 1. NIST SP 800-82 is the de facto cybersecurity framework for industrial environments and has been downloaded more than three million times.

“The document provides an overview of OT and typical system topologies, identifies typical threats and vulnerabilities for these systems, and recommends security countermeasures to mitigate the associated risks,” NIST wrote, adding that it took into consideration not only cybersecurity challenges, but also performance, reliability, and safety requirements unique to OT environments. 

The update is an acknowledgment of rapid movement toward integrated cyber-physical systems, and the current level of exposure faced by connected devices across industrial, healthcare, and commercial markets. While connected assets improve efficiency and produce data that can enhance innovation for businesses and critical infrastructure operators, that same connectivity means that assets once isolated from the network may be reachable by a remote attacker. 

This is a new dynamic for OT, which has been shielded by self-contained, air-gapped networks that largely protected the logic executing on field devices. The possibility of remote tampering with this type of programming may impact physical safety or interrupt the delivery of critical services. 

NIST’s new guidance echoes many OT cybersecurity best practices already shared in other NIST frameworks, and by vendors and experienced practitioners. Some of those include network segmentation that restricts logical access to the OT network and systems; prompt software and firmware patching, updates, and mitigation implementations; the use of network monitoring and detection solutions; and measures that ensure the resilience of critical components so that operations can be quickly recovered and restored in the event of an incident.

In SP 800-82r3, NIST provides updates on OT threats and vulnerabilities and explores recommended risk management practices and secure architectures, as well as security capabilities and tools. It also explores alignment with the NIST Cybersecurity Framework.

Let’s look at some of these updates in more detail: 

OT Risk Management

NIST’s updated OT guidance offers information security risk management as a complement to existing safety and engineering safeguards familiar in most OT environments, especially at the system level.

Fundamentally, OT operators and OT environments have a culture of risk management that is averse to frequent changes. Few industrial environments, for example, have a tolerance for extended downtime for software patching and firmware updates, meaning that compensating mitigations take on an elevated priority.

SP 800-82r3 outlines guidance for framing, assessing, responding to, and monitoring risk in an OT environment. System level risk management, which is most applicable to OT processes, involves much more granular assessments of threats and mitigation implementations. 

NIST’s approach with this revision reinforces the need to ensure business continuity through any risk management activities, including system-level updates and patching in order to avoid costly device and process shutdowns. 

Zero Trust 

The NIST revision acknowledges organizations are starting their journey toward Zero Trust architectures. Zero Trust assumes that by default, you shouldn’t trust devices, users, or any attempt to access a location or resource. It ensures users are who they claim to be, and limits what systems users have access to according to policy-based access controls, for employees and partners, including third-party vendors and contractors. 

Within OT, the biggest zero trust challenge is that some Level 1 or Level 2 devices, such as HMIs, controllers, or PLCs, may not support the protocols or tools required to satisfy the goals of a zero trust implementation, calling into question whether it is practical at those levels, the document notes.

“Instead, organizations should consider applying ZTA on compatible devices such as those typically found at the functionally higher levels of the OT architecture (e.g., Purdue Model Levels 3, 4, 5, and the OT DMZ),” NIST wrote. “Organizations may also want to consider the impact on operations and safety functions. For example, would any adverse impacts occur if the ZTA solution increases the latency to respond to resource requests or if one or more ZTA components become unavailable? Based on this analysis, organizations should consider adjusting the ZTA implementations to minimize latency and ensure adequate redundancy to minimize risks to OT and safety operations.”

Vulnerability Management 

Software patching and firmware updates are crucial to successful risk management efforts. Vendors and independent researchers are turning their attention to ICS and OT as they attempt to uncover exploitable vulnerabilities before attackers. Claroty’s Biannual ICS Risk & Vulnerability Report encapsulates a number of these trends around new disclosures, what types of products are most vulnerable, and how security issues are being mitigated. 

In this section of the NIST revision, patch management guidance is standard fare: test software updates in a sandbox in order to understand how a patch might impact production, update operating systems, and apply compensating controls to keep an environment safe from known vulnerabilities and exploits. Organizations are also advised to consider application allowlists (whitelists), given the overall static nature of many OT environments, to prevent unauthorized applications from executing.

The document also provides specific guidance for application hardening and overall configuration management, which includes access controls and encryption of data flows between systems and of data at rest.

Conclusion

Digital transformation creating interconnected systems is here to stay, creating new efficiencies and innovation for industrial enterprises. The NIST framework is considered the standard for risk management across industries and can be used to manage risk across sectors and technologies ranging from information technology (IT), industrial control systems (ICS), and cyber-physical systems (CPS) to the Extended Internet of Things (XIoT). It is, however, not a one-size-fits-all approach to managing cybersecurity risk, because each space has unique threats, vulnerabilities, and risk tolerances. Each will vary in how it customizes these practices, but having an overarching strategy goes a long way toward safe and efficient operations.