
Beyond the NIST Cybersecurity Framework

In the wake of new compliance guidelines, now is the time for critical infrastructure organizations to upgrade their industrial security posture.

National security for any nation depends on the reliability and continuous operations of its critical infrastructure. Increased complexity and connectivity of critical infrastructure systems are exposing them to cybersecurity threats which put their safety and reliability at risk.

Why was the NIST cybersecurity framework created?

The National Institute of Standards and Technology (NIST) Framework was created through a collaboration between the U.S. federal government and the private sector, in response to presidential executive order 13636, “Improving Critical Infrastructure Cybersecurity.” This voluntary framework consists of standards, guidelines and best practices to manage cybersecurity-related risk. The cybersecurity framework’s prioritized, flexible, and cost-effective approach helps to promote the protection and resilience of critical infrastructure and other sectors important to the economy and national security.

In the most recent NIST report from the National Cybersecurity Center of Excellence (NCCoE), researchers investigated the use of behavioral anomaly detection (BAD) capabilities in industrial control systems (ICS). NIST is a strong proponent of anomaly detection for finding behaviors and potential attacks that do not yet have a signature associated with them. Typically, these are targeted attacks not seen widely enough for a signature to be developed, or attacks involving zero-day exploits.

NIST endeavors to provide guidance based on the threat landscape at that point in time, while also trying to not make it overly complicated or cumbersome for operators to follow the guidelines. To that end, this paper does an important service, namely to promote anomaly detection as an essential tool in cybersecurity. At the same time, and due to the shifting landscape in ICS security, many organizations are looking to go beyond what NIST suggests, stressing that anomaly detection is clearly not enough. As a result, organizations are proactively deploying additional ICS security to keep their systems current and more secure from the next threat that is coming their way.

Beyond NIST: Protecting critical infrastructure from cyber threats

In looking beyond NIST, there are some significant steps you can consider that will: (a) increase your visibility across the entire organization; (b) improve your security stance both now and into the future; and (c) put you in control by identifying and mitigating threats and unacceptable risk. These include:

Deep threat detection
Deep threat detection combines network anomaly detection with policy-based detection. By pairing statistical network behavior analysis with deterministic policy rules, it finds more threats and risks, faster, and with fewer false positives than either approach alone. Anomaly detection identifies stealthy deviations from the statistical baseline of network behavior: a conversation between two hosts that has never been seen before, a protocol function a host has never used, a polling rate far outside its norm. A policy detection engine complements it by strictly enforcing deterministic rules derived from the security policy, for example that only engineering workstations may write to controllers, or that no configuration change may occur outside a maintenance window. Policy rules catch known and explicitly forbidden behavior whether or not it looks statistically unusual; anomaly detection catches the next malware incident that has yet to be released in the wild and for which no rule or signature exists yet.
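The two engines described above, side by side over the same flow records, as an added example (this is illustrative code written for this page, not Tenable's product code). The hosts, roles, Modbus function names and packet counts are constructed; a real deployment would learn the baseline from captured traffic and take roles from the asset inventory.

```python
"""Hybrid ICS detection: a statistical anomaly detector and a deterministic policy
engine run side by side over the same Modbus/TCP flow records.
Added example, not Tenable's code; hosts, roles and flow counts are constructed."""
from collections import defaultdict
from statistics import mean, pstdev

# Hypothetical asset roles; in practice these come from the asset inventory.
ROLES = {
    "10.0.1.10": "hmi",
    "10.0.1.11": "engineering_workstation",
    "10.0.2.20": "plc",
    "10.0.2.21": "plc",
}
WRITE_FUNCTIONS = {"WRITE_SINGLE_COIL", "WRITE_SINGLE_REGISTER", "WRITE_MULTIPLE_REGISTERS"}

# Constructed one-week baseline, one sample per day:
# (src, dst, Modbus function, packets per 5-minute window)
BASELINE = (
    [("10.0.1.10", "10.0.2.20", "READ_HOLDING_REGISTERS", n) for n in (118, 121, 119, 122, 120, 117, 123)]
    + [("10.0.1.10", "10.0.2.21", "READ_HOLDING_REGISTERS", n) for n in (60, 62, 59, 61, 60, 63, 58)]
    + [("10.0.1.11", "10.0.2.20", "WRITE_MULTIPLE_REGISTERS", n) for n in (2, 1, 3, 2, 2, 1, 2)]
)


def build_baseline(records):
    """Mean and standard deviation of the packet rate per (src, dst, function) conversation."""
    samples = defaultdict(list)
    for src, dst, fn, count in records:
        samples[(src, dst, fn)].append(count)
    return {key: (mean(v), pstdev(v)) for key, v in samples.items()}


def anomaly_findings(baseline, record, z_threshold=3.0):
    """Statistical engine: unseen conversations and rate deviations beyond z_threshold sigma."""
    src, dst, fn, count = record
    key = (src, dst, fn)
    if key not in baseline:
        return [f"new conversation {src}->{dst} {fn}, never seen during baselining"]
    mu, sigma = baseline[key]
    sigma = max(sigma, 1.0)  # floor: a perfectly flat baseline must not alert on a one-packet change
    z = (count - mu) / sigma
    if abs(z) > z_threshold:
        return [f"rate deviation {src}->{dst} {fn}: {count}/window vs baseline {mu:.0f} (z={z:.1f})"]
    return []


def policy_findings(record, maintenance_window=False):
    """Policy engine: deterministic rules derived from the security policy, independent of any baseline."""
    src, dst, fn, _ = record
    src_role, dst_role = ROLES.get(src, "unknown"), ROLES.get(dst, "unknown")
    findings = []
    if dst_role == "plc" and src_role == "unknown":
        findings.append(f"unknown host {src} communicating with PLC {dst}")
    if fn in WRITE_FUNCTIONS and src_role != "engineering_workstation":
        findings.append(f"{fn} from {src} ({src_role}) to {dst}; writes are allowed only from engineering workstations")
    if fn in WRITE_FUNCTIONS and not maintenance_window:
        findings.append(f"{fn} to {dst} outside the maintenance window")
    return findings


def detect(baseline, records, maintenance_window=False):
    """One alert per record that trips either engine, carrying the reasons from both."""
    alerts = []
    for rec in records:
        findings = anomaly_findings(baseline, rec) + policy_findings(rec, maintenance_window)
        if findings:
            alerts.append({"src": rec[0], "dst": rec[1], "function": rec[2], "findings": findings})
    return alerts


# Constructed observation window to run both engines over.
OBSERVED = [
    ("10.0.1.10", "10.0.2.20", "READ_HOLDING_REGISTERS", 121),  # normal polling: no alert
    ("10.0.1.10", "10.0.2.20", "READ_HOLDING_REGISTERS", 900),  # polling rate 7x normal: anomaly engine only
    ("10.0.1.10", "10.0.2.21", "WRITE_SINGLE_REGISTER", 1),     # HMI writing: policy violation even though rare
    ("10.0.3.99", "10.0.2.20", "READ_HOLDING_REGISTERS", 5),    # unknown host: both engines fire
]

if __name__ == "__main__":
    for alert in detect(build_baseline(BASELINE), OBSERVED):
        print(f"{alert['src']} -> {alert['dst']} {alert['function']}")
        for reason in alert["findings"]:
            print("   ", reason)
```

Note what each engine misses on its own: the single HMI write is one packet and would never stand out statistically, so only the policy rule catches it, while the 900-packet polling burst violates no written rule and is caught only by the baseline.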

Active device mapping
Network traffic monitoring provides only half of what's needed to secure ICS environments; the other half is asset-level data that the wire does not carry. The NCCoE report advocates considering an agent-based approach for securing workstations, but agents cannot be installed on PLCs and other embedded industrial controllers, so that approach leaves the controllers themselves uncovered.

Furthermore, while some attacks traverse networks, many more occur on the devices themselves. For example, an engineer's laptop connected directly to a controller during maintenance can infect it without any traffic crossing a monitored network segment. Other devices may remain dormant and never send traffic over the network. In both instances, network-only monitoring will not detect the threat.

Active device querying is an integral part of a comprehensive hybrid threat detection engine and should work in conjunction with passive network monitoring. Using the devices' native communication protocols (a read-only identification request, rather than a generic port scan), OT-specific security solutions can discover, classify and query all ICS assets for their configuration, even those that never communicate on the network. Because some controllers tolerate unexpected traffic poorly, such queries should be limited to read-only requests, rate-limited, and validated against a spare device before they are run against a production line.

Automated vulnerability and inventory management
With new ICS vulnerabilities regularly being published, it is essential to identify devices at risk and quickly address the vulnerability before it is exploited. Industrial organizations require detailed and up-to-date asset inventories to determine which devices are affected by known vulnerabilities. By automating inventory management, you’ll gain an understanding of each device's function and its exact classification within the ICS network. Device analysis should consider firmware and OS versions, open port list, default passwords and the device's role. This creates an actionable and prioritized risk analysis that allows you to quickly address new vulnerabilities when they are announced.
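The active query and the inventory-to-advisory matching described in the two sections above, as one added example (illustrative code written for this page, not Tenable's product code). It builds a Modbus/TCP Read Device Identification request (function code 43, MEI type 14, a read-only query defined by the Modbus Application Protocol specification), parses a constructed response from a controller that never speaks on the wire, merges the result with passively observed assets, and ranks every asset against constructed advisories using firmware revision, role, open ports and default credentials. The addresses, product names and advisory identifiers are assumptions, not real devices or CVEs.

```python
"""Active device query (Modbus Read Device Identification) feeding an asset inventory
that is then matched against vulnerability advisories.
Added example, not Tenable's code; frames, assets and advisories are constructed."""
import struct

FUNC_READ_DEVICE_ID = 0x2B  # Modbus function 43 (Encapsulated Interface Transport)
MEI_READ_DEVICE_ID = 0x0E   # MEI type 14: Read Device Identification


def build_read_device_id_request(transaction_id=1, unit_id=1):
    """Read-only identification query: vendor name, product code, revision (basic stream)."""
    pdu = bytes([FUNC_READ_DEVICE_ID, MEI_READ_DEVICE_ID, 0x01, 0x00])  # basic stream, start at object 0
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)  # length counts unit id + PDU
    return mbap + pdu


def parse_read_device_id_response(frame):
    """Returns {'unit_id', 'vendor', 'product_code', 'revision'}; raises on malformed or exception frames."""
    if len(frame) < 7:
        raise ValueError("frame shorter than MBAP header")
    _txid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("not Modbus/TCP")
    pdu = frame[7:7 + length - 1]
    if len(pdu) != length - 1 or len(pdu) < 2:
        raise ValueError("truncated frame")
    if pdu[0] == FUNC_READ_DEVICE_ID | 0x80:  # exception response: function code with high bit set
        raise ValueError(f"device returned exception code {pdu[1]:#04x}")
    if pdu[0] != FUNC_READ_DEVICE_ID or pdu[1] != MEI_READ_DEVICE_ID:
        raise ValueError("unexpected function or MEI type")
    if len(pdu) < 7:
        raise ValueError("truncated response header")
    # pdu[2]=ReadDevId code, pdu[3]=conformity level, pdu[4]=more follows, pdu[5]=next object id
    objects, pos = {}, 7
    for _ in range(pdu[6]):  # number of objects
        obj_id, obj_len = pdu[pos], pdu[pos + 1]
        value = pdu[pos + 2:pos + 2 + obj_len]
        if len(value) != obj_len:
            raise ValueError("truncated object")
        objects[obj_id] = value.decode("ascii", errors="replace")
        pos += 2 + obj_len
    return {"unit_id": unit, "vendor": objects.get(0x00),
            "product_code": objects.get(0x01), "revision": objects.get(0x02)}


def _frame(pdu, unit_id=1, txid=1):
    """Wrap a PDU in an MBAP header (used only to construct the sample response)."""
    return struct.pack(">HHHB", txid, 0, len(pdu) + 1, unit_id) + pdu


def _obj(obj_id, text):
    data = text.encode()
    return bytes([obj_id, len(data)]) + data


# Constructed response from a controller that is silent on the wire: 3 basic objects, no more follows.
SAMPLE_RESPONSE = _frame(bytes([0x2B, 0x0E, 0x01, 0x01, 0x00, 0x00, 0x03])
                         + _obj(0x00, "ExampleVendor") + _obj(0x01, "PLC-2000") + _obj(0x02, "2.4.1"))


def parse_version(v):
    return tuple(int(p) for p in v.split("."))


# Hypothetical advisories (not real CVEs): an asset is affected if its revision is below fixed_in.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "vendor": "ExampleVendor", "product_code": "PLC-2000", "fixed_in": "2.5.0", "cvss": 9.8},
    {"id": "ADV-EXAMPLE-2", "vendor": "ExampleVendor", "product_code": "PLC-2000", "fixed_in": "2.0.0", "cvss": 7.5},
    {"id": "ADV-EXAMPLE-3", "vendor": "ExampleVendor", "product_code": "RTU-10", "fixed_in": "1.2.0", "cvss": 8.1},
]


def is_affected(asset, adv):
    return (asset["vendor"] == adv["vendor"] and asset["product_code"] == adv["product_code"]
            and parse_version(asset["revision"]) < parse_version(adv["fixed_in"]))


def risk_score(asset, adv):
    """CVSS plus the context the text asks for: device role, default password, exposed management port."""
    score = adv["cvss"]
    if asset.get("default_password"):
        score += 1.0
    if asset.get("role") == "safety":
        score += 1.0
    if {23, 80} & set(asset.get("open_ports", ())):  # telnet or plain HTTP management reachable
        score += 0.5
    return round(score, 1)


def prioritized_findings(assets, advisories=ADVISORIES):
    """(score, asset ip, advisory id), highest risk first."""
    found = [(risk_score(a, adv), a["ip"], adv["id"]) for a in assets for adv in advisories if is_affected(a, adv)]
    return sorted(found, reverse=True)


def build_inventory():
    """Merge passively observed assets with the actively queried, otherwise silent controller."""
    passive = [
        {"ip": "10.0.2.20", "vendor": "ExampleVendor", "product_code": "PLC-2000", "revision": "2.5.1",
         "role": "process", "open_ports": [502], "default_password": False},
        {"ip": "10.0.2.30", "vendor": "ExampleVendor", "product_code": "RTU-10", "revision": "1.1.0",
         "role": "process", "open_ports": [502, 23], "default_password": False},
    ]
    queried = parse_read_device_id_response(SAMPLE_RESPONSE)
    silent_plc = {"ip": "10.0.2.22", "role": "safety", "open_ports": [502, 80], "default_password": True, **queried}
    return passive + [silent_plc]


if __name__ == "__main__":
    print("request bytes:", build_read_device_id_request().hex())
    for score, ip, adv_id in prioritized_findings(build_inventory()):
        print(f"{score:5.1f}  {ip:<12} {adv_id}")
```

The controller at 10.0.2.22 never appears in passive traffic, so without the active query it would be absent from the inventory and the highest-ranked finding would be missed entirely. In a real run the request goes to TCP port 502 with a short timeout, one device at a time; the parser's exception-frame and truncation checks matter because controllers that do not implement function 43 answer with an exception or sometimes with nothing at all.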

Staying ahead of the curve

The old adage has never held truer: “the only thing that is constant is change.” With the quantum shifts occurring in critical infrastructure and other industrial environments, NCCoE’s papers as well as NIST guidelines are essential to the ICS security ecosystem, and their recommendations continue to evolve.

Looking beyond NIST to secure your industrial environment not only ensures that you are employing best security practices but also positioning your organization to be forward-compatible to future threats that are just on the horizon.

For more information on upgrading your ICS security, check out the Tenable.ot guide to “Adhering to the NIST Framework,” which details ways to improve visibility and reduce risk across your critical infrastructure.
