We all know that compliance does not equal security. This is especially true in the world of industrial control systems, where owners and operators are often up against the most sophisticated of threat actors. That being said, compliance with tailored security controls can be an effective way of building a strong foundation and maturing your operational technology (OT) security program.
We've witnessed the constructive role that compliance can play in security in North America's electric utility market, for example. The North American Electric Reliability Corporation's (NERC) Critical Infrastructure Protection (CIP) standards have been mandatory for bulk electric system owners and operators for more than a decade. These requirements not only compel best practices, but also incentivize voluntary measures to harden an increasingly vulnerable industry.
Later this year, NERC will put into effect its updated CIP standards, which add cybersecurity controls for perimeter security (CIP-005-6), configuration change management and vulnerability assessments (CIP-010-3), and supply-chain risk management (CIP-013-1). Let's explore these new rules in more detail:
When it comes to perimeter security, remote access is front and center these days. The coronavirus pandemic has brought new meaning to this risk, but it is hardly new to the regulated utilities sector. NERC CIP-005-6 adds requirements for owners and operators to determine which active remote access sessions into the Electronic Security Perimeter belong to vendors rather than employees, covering both Interactive Remote Access and system-to-system connections, and to have a method for disabling those vendor sessions. Given recent vulnerabilities in VPN appliances, it's crucial that critical infrastructure owners and operators have a dedicated system for managing remote connections, one that can control and monitor sessions in real time and also retain session records so they can be audited after the fact for compliance or forensic purposes.
NERC will also be doubling down on configuration change management, because with OT systems even the slightest unauthorized change can result in downtime or disruption. Last July, Claroty released a whitepaper highlighting some of the most important CIP rules and mapping their requirements to Claroty's Continuous Threat Detection (CTD) features. Among them was NERC CIP-010-3, which requires entities to document a baseline configuration for each in-scope asset: the operating system or firmware, installed commercial, open-source and custom software, applied security patches, and logically accessible network ports. Any deviation from that baseline has to be authorized through change management and the baseline updated, which in practice means continuously identifying what is actually running on each asset and verifying it against the documented baseline. The -3 revision additionally requires entities to verify the identity of the software source and the integrity of the software obtained from it before a baseline change is made.
CIP-010-3 also requires entities to perform periodic vulnerability assessments of those assets. There are a variety of safe and efficient techniques for doing so, including passive monitoring of network traffic and active querying of devices; active scanning of fragile controllers belongs in a test environment or a maintenance window, since a malformed probe can take a PLC offline. Regardless of the technique, it's important to proactively identify and fix configuration and hygiene issues that leave ICS assets susceptible to attack. Pairing an up-to-date, data-enriched asset inventory with a curated Common Vulnerabilities and Exposures (CVE) feed gives owners and operators a comprehensive view of their exposure, and from there they can prioritize remediation by risk and asset criticality.
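The two CIP-010-3 activities just described, documenting a per-asset baseline and flagging drift from it, and pairing the inventory with a vulnerability feed to get a prioritized list, are easy to see in code. The following is an added example written for this page; it is not Claroty's CTD code nor anything published by NERC. The assets, versions, ports and advisories are constructed sample data, the advisory IDs are placeholders rather than real CVE numbers, and the risk score (CVSS base score weighted by a 1 to 5 asset criticality) is an assumed prioritization formula.

```python
"""Added example (not Claroty or NERC code): baseline drift detection and
vulnerability matching over a small OT asset inventory.

All assets, versions, ports and advisories are constructed sample data; the
advisory IDs (SAMPLE-000x) are placeholders, not real CVE numbers.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int      # 1 (low) .. 5 (high); an assumed ranking scale
    firmware: tuple       # (product, version) of the OS/firmware
    software: frozenset   # {(product, version), ...} installed software
    patches: frozenset    # identifiers of security patches applied
    open_ports: frozenset # logical network-accessible ports expected to listen


def detect_drift(baseline, observed):
    """Compare an observed snapshot of an asset against its documented baseline.

    Returns (field, detail) pairs. Any non-empty result is an undocumented
    change that must either be authorized through change management (and the
    baseline updated) or reverted.
    """
    findings = []
    if observed.firmware != baseline.firmware:
        findings.append(("firmware", f"{baseline.firmware} -> {observed.firmware}"))
    for attr in ("software", "patches", "open_ports"):
        before, after = getattr(baseline, attr), getattr(observed, attr)
        for item in sorted(after - before, key=str):
            findings.append((attr, f"added {item}"))
        for item in sorted(before - after, key=str):
            findings.append((attr, f"removed {item}"))
    return findings


def version_tuple(version):
    """Turn '2.4.1' into (2, 4, 1) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def match_vulnerabilities(inventory, advisories):
    """Pair the inventory with an advisory feed.

    An asset is exposed when it runs a listed product at a version below the
    advisory's fixed version. Hits are sorted by risk, here CVSS base score
    weighted by asset criticality (an assumed prioritization formula).
    """
    hits = []
    for asset in inventory:
        components = set(asset.software) | {asset.firmware}
        for product, version in components:
            for adv in advisories:
                if adv["product"] == product and version_tuple(version) < version_tuple(adv["fixed_in"]):
                    risk = round(adv["cvss"] * asset.criticality, 1)
                    hits.append((asset.name, adv["id"], risk))
    return sorted(hits, key=lambda h: (-h[2], h[0]))


# Constructed advisory feed (placeholder IDs, not real CVEs).
ADVISORIES = [
    {"id": "SAMPLE-0001", "product": "plc-firmware", "fixed_in": "2.4.1", "cvss": 9.8},
    {"id": "SAMPLE-0002", "product": "hmi-runtime", "fixed_in": "7.2.0", "cvss": 7.5},
    {"id": "SAMPLE-0003", "product": "historian", "fixed_in": "3.0.0", "cvss": 5.3},
]

# Constructed baselines for two assets.
PLC_BASELINE = Asset("PLC-01", 5, ("plc-firmware", "2.3.0"), frozenset(), frozenset(), frozenset({502}))
HMI_BASELINE = Asset(
    "HMI-01", 4, ("bios", "1.0"),
    frozenset({("hmi-runtime", "7.1.3"), ("historian", "3.1.0")}),
    frozenset({"KB-A"}), frozenset({3389, 4840}),
)
# A later snapshot of HMI-01: a remote tool was installed and telnet is now listening.
HMI_OBSERVED = Asset(
    "HMI-01", 4, ("bios", "1.0"),
    frozenset({("hmi-runtime", "7.1.3"), ("historian", "3.1.0"), ("remote-tool", "1.0")}),
    frozenset({"KB-A"}), frozenset({23, 3389, 4840}),
)
INVENTORY = [PLC_BASELINE, HMI_BASELINE]

if __name__ == "__main__":
    for field, detail in detect_drift(HMI_BASELINE, HMI_OBSERVED):
        print(f"drift on HMI-01 [{field}]: {detail}")
    for name, adv_id, risk in match_vulnerabilities(INVENTORY, ADVISORIES):
        print(f"{name}: {adv_id} risk={risk}")
```

Running the script reports the two undocumented changes on HMI-01 (the new software and the newly open port 23) and ranks the PLC's out-of-date firmware above the HMI's runtime because the PLC is both more severely affected and more critical; the historian is not listed because its version is at or above the fixed version. In a real deployment the observed snapshot would come from passive monitoring or a device query, and the advisory feed from a curated CVE source keyed on the same product names the inventory uses, which is precisely why the inventory has to be data-enriched before CVE matching is worth anything.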
Last but not least is supply-chain risk management. NERC CIP-013-1 is a new standard that is getting a lot of attention from industry and government alike. Indeed, the supply chain is a growing threat vector for OT networks. The standard rightly focuses on putting policies and processes in place to manage the risks posed by third parties: requiring notification from vendors of vendor-identified incidents and of known vulnerabilities in their products, verification of software integrity and authenticity, coordination of controls for vendor-initiated remote access, and notification when a vendor's remote or on-site access should no longer be granted. Those last items once again bring into focus the critical importance of security controls for remote access.
These new standards were officially scheduled to take effect in July, but NERC filed a motion last week to defer their implementation until October because of the COVID-19 crisis. If the deferral is approved, which is likely, owners and operators will get some much-needed relief during these stressful circumstances, with extra time to implement these important standards.