Posts in this series
- Part 1: IEC62443 overview
- Part 2: IEC62443 system
- Part 3: NIST CSF
- Part 4: NIST SP800
- Part 6: MITRE ATT&CK
The purpose of this series is to explain typical examples of general-purpose guidelines for ICS and OT security and to understand the concepts required for security in smart factories. Part 5 explains the CIS Controls, which can be regarded as a practical-guide subset of NIST SP800-53, introduced in Part 4.
What are CIS Controls?
CIS Controls are a framework focusing on the fundamental measures that an organization should take first for cyber security. They are considered a subset of NIST SP800-53, which was described previously. Originally, they were prepared by the SANS Institute (a non-profit organization established for IT security education) in 2008 and called the SANS Top 20 Critical Security Controls. In 2013 they were transferred to the Center for Internet Security (CIS), a community for providing best practices in cyber security.
The purpose of CIS Controls is to resolve the "Fog of More" (chaos due to the tremendous number of choices) among security measures, and the controls aim to be a practical guide for achieving maximum effect with minimum measures, regardless of whether an organization is large or small.
Six Basic Controls
The framework consists of 20 Controls (management measures) and 171 Sub-Controls in total. Controls 1 to 6 are the Basic Controls, and it is recommended to start with the following six categories.
- Inventory and Control of Hardware Assets
- Inventory and Control of Software Assets
- Continuous Vulnerability Management
- Controlled Use of Administrative Privileges
- Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
- Maintenance, Monitoring, and Analysis of Audit Logs
Table 1: List of Management Measures in CIS Controls (CIS Controls v7.1)
Concepts
In addition, CIS Controls have been developed on the basis of five concepts.
- Offense informs defense
- Prioritization
- Measurements and Metrics
- Continuous diagnostics and mitigation
- Automation
The characteristics here are "Prioritizing" and "Automating."
For prioritizing, "Implementation Groups" are defined for the organizations that use the controls, and the document describes which Sub-Control measures are recommended according to the size (large, medium, and small) of an organization's resources.
For automating, specific measures are described, for example:
- 3.1 Run automated vulnerability scanning tools
- 5.5 Implement automated configuration monitoring systems
These are considered measures that support reliability, scalability, and continuous measurement in an organization.
Application to ICS
Furthermore, a guide for applying the controls to ICS environments (Implementation Guide for Industrial Control Systems) is provided. For each Control, it describes its applicability to ICS environments and the considerations involved.
For example, Control 3 (Continuous Vulnerability Management) notes that the automated vulnerability scanning and patch application recommended in the Sub-Controls may not be suitable for ICS environments. Rather than automating them, such processes should be executed only during periodic maintenance and scheduled shutdowns, so that availability is not affected.
The key to CIS Controls is the six Basic Controls, and this holds for ICS environments as well. People without much technical knowledge, less-experienced people, or people working on security for the first time are recommended to start by checking these six items.
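The two points above, automated configuration monitoring (Sub-Control 5.5) and the ICS Companion Guide's advice to run active checks only during scheduled maintenance, can be combined in a small drift monitor. The following Python is an added illustration, not code from the article, from CIS, or from Trend Micro; the device baseline, the observed snapshot and the maintenance window are all constructed sample data.

```python
"""Configuration-drift check gated by a maintenance window (added example).

A golden baseline of security-relevant settings per device is compared with an
observed snapshot; deviations are reported only when the check runs inside the
plant's scheduled maintenance window, so it never touches production hours.
"""
from datetime import datetime, time
import hashlib

# Constructed baseline: device -> expected settings (not a real plant).
BASELINE = {
    "plc-01": {"remote_programming": "disabled", "firmware": "2.4.1"},
    "hmi-02": {"autologin": "disabled", "usb_storage": "blocked"},
}

# Constructed snapshot as an inventory tool might report it: plc-01 has had
# remote programming switched on, and hmi-02 no longer reports usb_storage.
OBSERVED = {
    "plc-01": {"remote_programming": "enabled", "firmware": "2.4.1"},
    "hmi-02": {"autologin": "disabled"},
}

# Constructed window: Saturdays (weekday 5), 02:00 to 06:00 local time.
MAINTENANCE_WINDOW = {"weekday": 5, "start": time(2, 0), "end": time(6, 0)}


def in_maintenance_window(now, window=MAINTENANCE_WINDOW):
    """True only during the scheduled shutdown when active checks are allowed."""
    return now.weekday() == window["weekday"] and window["start"] <= now.time() < window["end"]


def fingerprint(config):
    """Order-independent SHA-256 of a device's settings for quick change detection."""
    canonical = "\n".join(f"{k}={config[k]}" for k in sorted(config))
    return hashlib.sha256(canonical.encode()).hexdigest()


def check_drift(baseline, observed):
    """Return (device, setting, expected, actual) for every deviation.

    A setting missing from the snapshot is reported with actual=None, because
    'cannot confirm' must not be read as 'compliant'.
    """
    findings = []
    for device, expected in baseline.items():
        current = observed.get(device, {})
        for setting, want in expected.items():
            got = current.get(setting)
            if got != want:
                findings.append((device, setting, want, got))
    return findings


def run_check(now, observed, baseline=BASELINE):
    """Scheduled entry point: skip entirely outside the window to protect availability."""
    if not in_maintenance_window(now):
        return {"ran": False, "findings": []}
    return {"ran": True, "findings": check_drift(baseline, observed)}
```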
*Reference:
- CIS Controls
- CIS Controls ICS Companion Guide
Summary of this series
If the guidelines described from Part 1 to Part 5 in this series are classified, IEC62443 can be said to be a comprehensive guideline for the whole industry, covering everything from the establishment of policies and organizations to the supply chains of systems and devices; at the same time, it is a systematized guideline that takes the prevention of incidents as its starting point. The NIST CSF, on the other hand, has been developed and revised by separating concepts from practices, on the premise that incidents will occur.
Fig. 1: Position of Each Guideline (Trend Micro)
Guidelines have only been developed as criteria and/or standards. The important thing is to understand the essence of these guidelines and to grasp the reality of your organization precisely; only then will you be able to face your real problems.
Trend Micro not only provides solutions for smart factories, but also conducts advanced, realistic threat research focused specifically on smart factories and releases the results to the public. We hope that this series, together with such information, will help both security planning and practice in your organization.
*Related articles:
- Forward-looking security analysis of smart factories <Part 1> Overlooked attack vectors
- Factory Security Problems from an IT Perspective (Part 1): Gap between the objectives of IT and OT
- Fake Company, Real Threats <Part 1> - Building a fake manufacturing system for a sting
- Trend Micro: Smart Factory Security