NIST SP 1800-23 Guides Identification of Threats to OT Assets

June 8, 2020

In September 2019, the National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology (NIST) announced the release of a draft practice guide entitled “NIST Special Publication (SP) 1800-23: Energy Sector Asset Management.” The NCCoE spent the next two months collecting comments from the public and then used this feedback to improve upon their initial draft.

But the wait is finally over. On May 20, the NCCoE released the final version of NIST SP 1800-23. This post will provide an overview of the guide’s purpose and explain how organizations can use it to strengthen their digital security.

The Purpose Behind NIST SP 1800-23

NIST SP 1800-23 is a response to the growing digital security challenges confronting organizations with operational technology (OT) assets. The issue for those types of entities is that many of their industrial control systems (ICS) are becoming increasingly interconnected. This development presents an opportunity for attackers insofar as they can abuse those connections to attack an ICS. Depending on the nature of the attack, malicious actors could undermine the functionality of an organization’s assets, systems and networks. Such damage could subsequently produce broader negative effects for society, especially if that organization plays a part in managing its host country’s critical energy infrastructure.

The NCCoE asserts that organizations can minimize the risks discussed above by maintaining an updated OT asset inventory. But that’s a challenge in itself. Energy organizations might not be able to discover all their assets using manual discovery alone, which could leave them exposed to digital security risks. These entities therefore need a better way of discovering and managing their OT assets.

How to Use NIST SP 1800-23

The key to effectively using the NCCoE Special Publication is to understand that asset management consists of multiple capabilities working together. They are:

Asset Discovery: Create a baseline of assets’ physical and logical locations.

Asset Identification: Capture asset attributes such as manufacturer, model, operating system (OS) and Internet Protocol (IP) addresses.

Asset Visibility: Continuously monitor for changes in OT assets. Those alterations could include connections from new devices and disconnections of approved devices.

Asset Disposition: Identify the criticality of an asset, the relationships it holds with other OT assets and the communication channels it maintains with other devices.

Alerting Capabilities: Detect and issue alerts for deviations in asset behavior.

Using these capabilities together, organizations can build their architecture in a way that enables them to effectively manage their OT assets. The guide provides an illustration of a high-level architecture design towards that end.
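The five capabilities above fit together naturally as a baseline-and-diff check: discovery and identification produce a baseline inventory, passive sensors produce later snapshots, and visibility, disposition and alerting are the comparison of the two. The script below is an added illustration of that loop; it is not code from NIST SP 1800-23 or from Tripwire Industrial Visibility. The three-level criticality scale, the severity mapping and every asset record and communication flow in it are constructed sample data.

```python
"""Baseline-and-snapshot inventory check for OT assets.

Added illustration, not code from NIST SP 1800-23 or from Tripwire Industrial
Visibility: a baseline built during asset discovery and identification is
compared with a later passive-discovery snapshot to implement the visibility
(new/missing devices, changed attributes), disposition (criticality, approved
communication relationships) and alerting capabilities the guide lists.
The criticality scale and all asset records are constructed sample data.
"""
from dataclasses import dataclass, field

# Attributes captured during asset identification (the guide's own list).
TRACKED_ATTRIBUTES = ("manufacturer", "model", "os", "ip")

# Assumed mapping from asset criticality to alert severity.
SEVERITY_BY_CRITICALITY = {"high": "critical", "medium": "high", "low": "medium"}


@dataclass(frozen=True)
class Asset:
    asset_id: str
    manufacturer: str
    model: str
    os: str
    ip: str
    criticality: str = "low"                                 # assumed scale: low/medium/high
    talks_to: frozenset = field(default_factory=frozenset)   # approved peer asset_ids


@dataclass(frozen=True)
class Alert:
    severity: str
    asset_id: str
    message: str


def severity_for(asset):
    return SEVERITY_BY_CRITICALITY.get(asset.criticality, "medium")


def diff_inventory(baseline, observed, observed_flows):
    """Return alerts for deviations of an observed snapshot from the baseline.

    baseline / observed: dict asset_id -> Asset
    observed_flows: set of (src_asset_id, dst_asset_id) seen by passive sensors
    """
    alerts = []

    # Visibility: a device the baseline does not know about connected.
    for aid, asset in observed.items():
        if aid not in baseline:
            alerts.append(Alert("high", aid,
                f"unapproved device {asset.ip} ({asset.manufacturer} {asset.model}) appeared"))

    for aid, base in baseline.items():
        # Visibility: an approved device disconnected or was not seen.
        if aid not in observed:
            alerts.append(Alert(severity_for(base), aid, "approved device no longer observed"))
            continue
        # Identification drift: a tracked attribute changed (e.g. firmware/OS or IP).
        cur = observed[aid]
        for attr in TRACKED_ATTRIBUTES:
            old, new = getattr(base, attr), getattr(cur, attr)
            if old != new:
                alerts.append(Alert(severity_for(base), aid, f"{attr} changed: {old!r} -> {new!r}"))

    # Disposition: a known asset communicating outside its approved relationships.
    for src, dst in sorted(observed_flows):
        if src in baseline and dst not in baseline[src].talks_to:
            alerts.append(Alert(severity_for(baseline[src]), src, f"unexpected communication to {dst}"))

    return alerts


def run_example():
    """Constructed sample inventory: one PLC, one HMI and one historian."""
    baseline = {a.asset_id: a for a in (
        Asset("plc-01", "ExamplePLC", "X100", "fw 2.1", "10.10.1.10", "high", frozenset({"hmi-01"})),
        Asset("hmi-01", "ExampleHMI", "H5", "Windows 10", "10.10.1.20", "medium", frozenset({"plc-01"})),
        Asset("hist-01", "ExampleHist", "DB1", "Linux", "10.10.1.30", "low", frozenset({"hmi-01"})),
    )}
    # Later snapshot: PLC firmware changed, historian not seen, unknown laptop appeared.
    observed = {a.asset_id: a for a in (
        Asset("plc-01", "ExamplePLC", "X100", "fw 2.2", "10.10.1.10", "high", frozenset({"hmi-01"})),
        Asset("hmi-01", "ExampleHMI", "H5", "Windows 10", "10.10.1.20", "medium", frozenset({"plc-01"})),
        Asset("eng-99", "Unknown", "Laptop", "Unknown", "10.10.1.99"),
    )}
    flows = {("plc-01", "hmi-01"), ("hmi-01", "plc-01"), ("plc-01", "eng-99")}
    return diff_inventory(baseline, observed, flows)


if __name__ == "__main__":
    for alert in run_example():
        print(f"[{alert.severity:8}] {alert.asset_id}: {alert.message}")
```

Severity is driven by the baseline asset's criticality rather than by the kind of deviation, which is the point of the disposition step: the same firmware change on a high-criticality PLC and on a low-criticality historian should not land in the analyst's dashboard with the same weight.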


[Figure: Illustration of High-Level Architecture for Effective OT Asset Management (Source: NIST Special Publication (SP) 1800-23: Energy Sector Asset Management, page 24.)]

The illustration begins with the remote site control systems (R1), assets whose ICS data appear in raw form. This information, along with structured data collected by current control systems management assets (R2), makes its way to the remote site data services (R3). Comprised of passive sensors and passive ICS asset discovery tools, these solutions use a VPN tunnel to send their data in structured form to servers at the enterprise location. There, the enterprise’s asset management processes (E2) consume the data to evaluate the network’s overall health. E2 then sends this information to the events dashboard (E1), a tool that displays it in an easily digestible form to the asset management analyst. If the analyst decides that the configurations of certain remote site assets need to be adjusted, they can use the same VPN tunnel to send remote site management instructions to R3 without needing to establish a direct connection with either R1 or R2.

The guide ultimately builds upon this high-level architecture, which is deployable for organizations with multiple remote sites, by providing a reference design and detailed topologies. These items provide more granular insight into how the high-level architecture could work in different industrial environments with different types of OT assets.

On the Utility of Using NIST SP 1800-23

Energy organizations stand to benefit a great deal from using the NCCoE’s new guide. For instance, energy sector executives can leverage the document to reduce digital security risks confronting their organizations, develop a strategy for managing their OT assets, improve their response time to security alerts and implement digital security best practices. Simultaneously, IT professionals in the energy sector can use the clear instructions, guide maps and technology recommendations to take the necessary actions to strengthen their organizations’ security.

These benefits arise from the NCCoE engaging with industry partners. Jim McCarthy, NCCoE senior security engineer, couldn’t agree more. As quoted in a previous blog post on The State of Security:

“Collaborating with key stakeholders in the energy sector, technology providers, and integrators to produce viable cybersecurity solutions is key to the NCCoE’s success. The Energy Sector Asset Management Practice Guide is another example of how stakeholders engage with the NCCoE to produce solutions to real-world problems.”

As an example, NIST SP 1800-23 marks just the latest instance in which Tripwire and the NCCoE worked together to support security solutions, and this newest collaboration emphasizes how organizations can use Tripwire Industrial Visibility to manage their OT assets.

Learn how Tripwire’s solutions can provide visibility into your industrial assets.