Following a cybersecurity framework can provide critical infrastructure organizations with a comprehensive approach to managing their cybersecurity risks. A cybersecurity framework is typically centered on industry best practices, standards, and guidelines, and provides organizations with a set of proven methods for securing their cyber-physical systems (CPS), including operational technology (OT) assets, building management systems (BMS), connected medical devices, and other critical assets. The common language and proven measures established by a cybersecurity framework are key to promoting consistency and interoperability among stakeholders. By facilitating collaboration and communication, a framework lets organizations benefit from sharing cybersecurity-related information both internally and with external partners.
Cybersecurity frameworks help organizations foster trust, align with best practices, meet regulatory requirements, and ensure both cyber and operational resilience, all essential steps in building a strong and effective security program. In this blog, we will discuss the most widely recognized and adopted cybersecurity framework in the United States, and how aligning with it can help your organization stay protected in an evolving digital landscape.
The Cybersecurity Framework (CSF), developed by the National Institute of Standards and Technology (NIST), provides organizations with guidelines, best practices, and standards for a flexible, risk-based approach to managing and improving their cybersecurity posture. NIST CSF was created in response to a U.S. government Executive Order titled "Improving Critical Infrastructure Cybersecurity", and provides a starting point for any private-sector organization in the U.S. to implement information security and cybersecurity risk management. While the adoption of NIST CSF is only mandatory for U.S. government agencies and any organization doing business with the U.S. government, it is one of the most widely adopted security frameworks across all U.S. industries, and serves as a structured approach to cybersecurity that can enhance any organization’s ability to protect its critical infrastructure across the extended internet of things (XIoT) and respond effectively to rapidly evolving cybersecurity threats.
NIST CSF guidelines are mandatory for U.S. government agencies and any organization doing business with the U.S. government. They are also often referenced by regulators and compliance bodies in their own cybersecurity requirements and frameworks; examples include the Health Insurance Portability and Accountability Act (HIPAA) and the Federal Information Security Modernization Act (FISMA). Supply chain partners may also require their suppliers, vendors, and business partners to adopt and comply with NIST CSF to ensure a consistent level of cybersecurity across the supply chain. Given its broad impact and its benefits to such a wide range of stakeholders, NIST CSF should ultimately be adopted by all organizations, both public and private, that are concerned about their cybersecurity posture.
The core structure of the NIST Framework is broken down into five functions, which give a general overview of security protocols and best practices. According to the NIST Framework, the functions are intended to be performed “concurrently and continuously to form an operational culture that addresses the dynamic cybersecurity risk”, and are not intended to be procedural steps. The framework also includes categories and subcategories, which provide a more concrete action plan for specific departments or processes within an organization. The five NIST functions and their categories are the following:
Identify: This function entails gaining comprehensive visibility into all critical assets across the XIoT. You can’t protect what you can’t see — that’s why cybersecurity teams need a complete understanding of what their most important assets are and how they communicate. The identify function includes categories such as asset management, business environment, governance, risk assessment, risk management strategy, and supply chain risk management.
Protect: The second function, protect, focuses on safeguards that ensure the delivery of critical services and the protection of sensitive information. Once critical assets and functions are identified, organizations can prioritize their cybersecurity efforts accordingly. The categories included in the protect function are identity management and access control, awareness and training, data security, information protection processes and procedures, maintenance, and protective technology.
Detect: The detect function outlines the relevant measures organizations need in place to continuously monitor and identify cyber events when they arise. Categories in this function include anomaly detection, security monitoring, and incident response planning.
Respond: The respond function ensures that organizations are taking proper action in response to a detected cybersecurity incident. Specific categories in this function include incident response planning, communications, analysis, mitigation, and improvements.
Recover: The final function includes the recovery activities which are implemented to ensure cyber resilience and business continuity in the event of a cyber incident. Recovery function categories include recovery planning, improvements, and lessons learned.
The five functions of the NIST CSF provide a common language and structured methodology for organizations to assess and manage their cybersecurity risk. However, getting started on your own may seem overwhelming. To help align with this framework, organizations should evaluate a CPS security vendor with an extensive range of security controls that can assist in protecting their OT environment and reducing its risk. The Claroty Platform includes Continuous Threat Detection (CTD), an on-premise solution; xDome, a SaaS solution; and xDome Secure Access, a solution which helps protect OT environments with the controls recommended by each of the five functions of the NIST CSF. Claroty solutions align with the NIST CSF functions in the following ways:
The Claroty Platform supports the following Identify controls:
Asset Management: CTD or xDome provides discovery and inventory of CPS assets, and integrates with common asset databases to help enrich existing asset inventories. In addition, xDome provides device auto-actions, enabling users to automatically design workflows around specific asset attributes or changes.
Governance: CTD, xDome, and SRA each provide key components of a broader risk monitoring process that informs cybersecurity and risk governance.
Risk Assessment: CTD or xDome continuously assesses risk in OT environments at multiple levels: device, network segments and subnets, communications, observed threats, vulnerabilities, and overall risk and security hygiene.
Risk Management Strategy: CTD or xDome provides a high-level understanding of risk in the OT environment, which drives the strategic discussion around risk management.
Supply Chain Risk Management: CTD or xDome identifies all third-party activity, components, processes, and corresponding risks. SRA provides visibility into third-party remote access as part of supply chain risk management, enables auditing of third-party activity, and supports recovery procedures for emergency situations.
The Claroty Platform supports the following Protect controls:
Identity Management and Access Control: SRA manages and tightly controls OT remote access by enforcing granular role- and policy-based administrative controls in accordance with Least Privilege and Zero Trust security principles. CTD or xDome support segmentation through communication audits and virtual segmentation for flat networks.
Data Security: CTD or xDome strengthens data security through segmentation and network flow mapping, as well as with change notifications for asset configurations and other OT processes.
Information Protection Processes and Procedures: CTD or xDome support this with features such as change monitoring and virtual segmentation. SRA contributes to the establishment of change control processes by managing administrative access.
Maintenance: CTD or xDome monitor and audit maintenance activity of industrial systems, while SRA provides multiple controls for system maintenance activities.
Protective Technology: CTD or xDome support this through monitoring, risk and vulnerability management, and policy zones. CTD also combines with SRA to create logging of configuration alterations on industrial systems.
The Claroty Platform supports the following Detect controls:
Anomalies and Events: CTD or xDome establish baselines and identify deviations for network operations, data flows, and configuration and firmware changes, among others.
Security Continuous Monitoring: CTD, xDome, and SRA monitor activity and remote access to each industrial system, flagging anomalous communication and unauthorized activity. To speed response, CTD or xDome’s continuous risk scoring helps teams to set priorities effectively.
Detection Processes: CTD or xDome support this by detecting events, which they then consolidate, contextualize, and communicate via the user interface, syslog, and API for ease of maintenance.
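As an added illustration of the baseline-and-deviation approach that the Detect function calls for (this is example code written for this article, not Claroty's or NIST's own code), the Python script below learns which asset-to-asset conversations and firmware versions are normal from a constructed learning-period sample, then flags new assets, new conversations, and firmware changes in later traffic and renders each alert as a syslog-style line. The asset names, protocols, and firmware versions are invented for the demo.

```python
"""Added example: a minimal behavioural baseline for OT network traffic.

Learn the normal communication pattern of a network segment, then flag
deviations. Not vendor code; all records below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str       # source asset (hypothetical name)
    dst: str       # destination asset (hypothetical name)
    proto: str     # industrial protocol observed on the flow
    firmware: str  # firmware version reported by src, or "n/a" if unknown


# Constructed learning-period traffic: what "normal" looks like on this segment.
BASELINE_FLOWS = [
    Flow("hmi-01", "plc-01", "modbus", "2.1.0"),
    Flow("hmi-01", "plc-02", "modbus", "2.1.0"),
    Flow("eng-ws", "plc-01", "s7comm", "n/a"),
    Flow("historian", "plc-01", "opcua", "n/a"),
]

# Severity labels mapped to numeric syslog severity levels (RFC 5424 values).
SYSLOG_SEVERITY = {"high": 2, "medium": 4, "low": 6}


def build_baseline(flows):
    """Learn the allowed (src, dst, proto) conversations and firmware per asset."""
    conversations = set()
    firmware = {}
    for f in flows:
        conversations.add((f.src, f.dst, f.proto))
        if f.firmware != "n/a":
            firmware[f.src] = f.firmware
    return {"conversations": conversations, "firmware": firmware}


def detect_deviations(baseline, flows):
    """Return (severity, description) tuples for flows the baseline does not explain.

    A previously unseen asset takes precedence over a merely new conversation,
    so each flow yields at most one network alert plus at most one firmware alert.
    """
    alerts = []
    known_assets = {asset for conv in baseline["conversations"] for asset in conv[:2]}
    for f in flows:
        if f.src not in known_assets or f.dst not in known_assets:
            alerts.append(("high", f"new asset in conversation {f.src}->{f.dst}"))
        elif (f.src, f.dst, f.proto) not in baseline["conversations"]:
            alerts.append(("medium", f"new conversation {f.src}->{f.dst} via {f.proto}"))
        expected = baseline["firmware"].get(f.src)
        if expected is not None and f.firmware != "n/a" and f.firmware != expected:
            alerts.append(("high", f"firmware change on {f.src}: {expected} -> {f.firmware}"))
    return alerts


def to_syslog_line(alert, facility=16):
    """Render an alert as a simple syslog-style line; PRI = facility*8 + severity."""
    severity, description = alert
    pri = facility * 8 + SYSLOG_SEVERITY[severity]
    return f"<{pri}> ot-baseline severity={severity} msg=\"{description}\""


if __name__ == "__main__":
    # Constructed traffic observed after the learning period.
    observed = [
        Flow("hmi-01", "plc-01", "modbus", "2.1.0"),   # normal
        Flow("laptop-x", "plc-01", "modbus", "n/a"),   # unknown asset talking to a PLC
        Flow("historian", "plc-02", "opcua", "n/a"),   # known assets, new conversation
        Flow("hmi-01", "plc-01", "modbus", "2.2.0"),   # firmware version changed
    ]
    for alert in detect_deviations(build_baseline(BASELINE_FLOWS), observed):
        print(to_syslog_line(alert))
```

In a real deployment the learning period would run long enough to capture infrequent but legitimate traffic (maintenance windows, backups), and every alert would be reviewed and either accepted into the baseline or escalated through the incident process, which is the feedback loop that keeps the deviation list short enough to act on.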
The Claroty Platform supports the following Respond controls:
Response Planning: CTD or xDome inform more efficient response planning with detailed alert insights that map to the MITRE ATT&CK for ICS framework, helping investigators understand mitigations for common tactics and techniques.
Communications: Backed by CTD or xDome’s open API and event feeds, the Claroty Cloud provides a mechanism for securely sharing OT threat intelligence.
Analysis: CTD or xDome provide full forensic information and insights related to all events and associated assets in OT environments in order to facilitate analysis.
Mitigation: SRA limits potential damage from compromised third-party assets. CTD or xDome provide complete documentation of OT common vulnerabilities and exposures (CVEs) from which risk-based decisions can be made, and their firewall integrations support the dynamic insertion of rules to limit compromise.
Improvements: Event forensics, process values, and baseline exceptions from CTD, or event forensics and baseline exceptions from xDome, can inform specific adjustments to recovery and strategy planning. In addition, the Claroty Platform's threat signature library, external data sets, and proprietary research are continually updated as new vulnerabilities are uncovered.
The Claroty Platform supports the following Recover controls:
Recovery Planning: CTD or xDome’s change information on critical systems provides the ability to assess whether affected systems can be put back into production.
Improvements: CTD or xDome support this through their analysis of network segmentation, critical system vulnerabilities, and attack vectors.
Communications: The Claroty Cloud enables information sharing via CTD or xDome for secure and efficient distribution of information critical to recovery.
Claroty solutions are purpose-built to help organizations in all critical infrastructure sectors not only comply with the NIST Cybersecurity Framework, but also adhere to regulatory requirements, industry guidelines, and other security standards. By seeking out a CPS solution provider to help your organization align with NIST CSF, you will reap the benefits of a strengthened cybersecurity posture, improved risk management strategies, and proper guidance on industry best practices. Ultimately, NIST CSF will ensure the protection of your critical assets and your ability to respond to cyber threats in a rapidly evolving threat landscape.