What is the NIST Cybersecurity Framework?
The NIST Cybersecurity Framework is a US standard for managing & improving cybersecurity, enhancing risk management & resilience. Learn more.
Any cyber security program, whether enterprise (IT), operational (OT), or a converged version of the pair (IT/OT), is driven by the governance the organization lays out to manage cyber-related risks.
A successful governance model communicates how an organization identifies threats, prioritizes and manages risks, determines how risks are transferred or budgeted, and lays out the procedures to respond. One such framework to guide this area of management is the National Institute of Standards & Technology (NIST) Cybersecurity Framework (CSF).
Verve uses NIST CSF as a common model when discussing cyber security because it is easily relatable for decision makers and IT security teams.
There is no shortage of competing cyber security frameworks, but the NIST CSF is easily mappable to other standards, and when combined with NIST SP-800-82r2, the industrial cyber security companion, the NIST CSF is perfectly suited for Operational Technology (OT) environments and critical infrastructure.
So, without further ado, let us introduce our two contestants in this framework discussion:
Whether NIST CSF or a different standard is the best is beside the point; an organization must start somewhere. When the MITRE ATT&CK framework was released, the cyber security industry was ablaze with articles touting its usage, so we waited to see how it would take effect.
In the creators' own words, the MITRE ATT&CK framework is an expansive system that provides a common taxonomy of tactics, techniques, and procedures that is applicable to real-world environments, is more useful than the cyber kill chain model, and represents how adversaries interact with systems.
It is a matrix whose columns, read left to right, are the phases of an attack; listed vertically under each column header are the tactics and techniques that belong to that phase. Each element can be picked and chosen as befits the technology, process, or expert, and each can be drilled into for additional information on its own reference page.
In this way, the tactics represent “why” an attacker may use those techniques, and the techniques represent “how” they do so, which is very different in nature from the core concept of governance.
While governance is composed of structures, systems and practices that encompass decision making, strategic direction guidelines, implementations of policy, and reports on performance for improvement and corrective action, ATT&CK groups various techniques into piles for cyber security professionals and tools to communicate defensive coverage, cyber threat intelligence, detection capabilities and incident/red team results.
Most organizations have a governance structure and process that includes how the organization protects itself from cyber threats and utilizes technology.
The NIST CSF is made up of five governance areas that comprehensively describe: protect, identify, detect, respond, and recover. These five areas consist of different properties and capabilities, but they do not, for example, directly outline how to dissect a cyber security incident or provide analytical markers to test detection technologies.
The framework does, however, give an organization the scaffolding to govern itself and, at a minimum, to determine which security capabilities and processes are necessary for a certain level of cyber security maturity.
Therefore, the MITRE ATT&CK matrices (Enterprise and ICS) are still relevant, but have far less value when appropriate cyber security governance is lacking. To bridge those gaps, the NIST CSF describes various components you should have in place, and the ATT&CK framework puts forward the necessary information or use cases that should be captured.
One without the other is not very effective, but when used together, they drive effective cyber security governance for both IT and OT environments.
Imagine the following scenario:
“It is a typical day at X organization, and a variety of alerts are generated from anti-virus and affected system’s logs. A cybersecurity incident is clearly under way.”
Using the above scenario, an analyst would be assigned to investigate the alerts or anomalous conditions, but how would they do so, and in what manner? Surely governance is required!
If the investigation were ad hoc and without a repeatable structure, it would be less than ideal: without appropriate frameworks and technology, many events may not be properly evaluated, or even managed at all.
This is clearly not in the best interests of teams securing the organization, so a good approach in this scenario would be to:
This is a high-level overview that requires customization for your organization, but it is important to note that you can use the frameworks together in ICS and OT.
On its own, the ATT&CK framework may not be particularly useful for a holistic OT cyber security program, but when combined with the NIST CSF wheel and technology, it becomes a force multiplier and makes your current ICS cyber security investments truly comprehensive when used correctly.
Neither framework fulfills its absolute potential without being executed alongside adequate technology and resources. But when operationalized as part of an organization focused on structured action, Verve becomes an invaluable OT cyber security solution to secure critical infrastructure.
The Verve Security Center goes beyond asset inventory management and vulnerability management to apply a robust OT Systems Management (OTSM) approach.
ATT&CK works best when using a SIEM, which is significant because SIEM functionality for logging and alerts (Signals) is a new feature of the Verve Security Platform. Even more, we support a variety of ATT&CK detection use cases and provide additional resources to enable the use of both frameworks to enhance your organization’s security posture. This includes:
Given Verve's unique ability to install on commodity systems, communicate natively with a wide catalog of devices, patch, and ingest logs from applicable OT systems, you get a powerful cyber security tool that aids security teams.