Achieving CIS Controls Maturity in OT Systems
What are the CIS Controls? Read how a major energy company improved their cyber security by achieving maturity across the CIS Top 18 Controls.
The Center for Internet Security Critical Security Controls (CIS CSC) were created in coordination with U.S. DHS, NSA, SANS and other groups to establish a set of the most critical security controls to ensure cyber security.
Now on Version 8, and known as the Top 18 CIS Controls, they contain 153 sub-controls with specific target levels for compliance. The CIS Controls Top 18 (formerly Top 20) is now one of the leading cyber security standards for IT organizations to secure their networks, assets, and data.
Aside from its comprehensive set of critical controls, the CIS Controls are distinctive in prescribing specific levels of compliance. Where many cyber security standards provide only a framework for the types of controls or procedures to implement, the CIS Controls include a set of measurable benchmarks for each control that determine whether the organization is at level 1, 2, 3, 4 or 5.
This “prescriptive” nature lets organizations accelerate the process: rather than debating what each maturity level should mean, they decide which of the pre-defined levels to aspire to. We have seen this approach deliver significant benefits compared with the more general guidance frameworks.
Control | Name | Safeguards | IG1 | IG2 | IG3 |
---|---|---|---|---|---|
1 | Inventory and Control of Enterprise Assets | 5 | 2 | 4 | 5 |
2 | Inventory and Control of Software Assets | 7 | 3 | 6 | 7 |
3 | Data Protection | 14 | 6 | 12 | 14 |
4 | Secure Configuration of Enterprise Assets and Software | 12 | 7 | 11 | 12 |
5 | Account Management | 6 | 4 | 6 | 6 |
6 | Access Control Management | 8 | 5 | 7 | 8 |
7 | Continuous Vulnerability Management | 7 | 4 | 7 | 7 |
8 | Audit Log Management | 12 | 3 | 11 | 12 |
9 | Email and Web Browser Protections | 7 | 2 | 6 | 7 |
10 | Malware Defenses | 7 | 3 | 7 | 7 |
11 | Data Recovery | 5 | 4 | 5 | 5 |
12 | Network Infrastructure Management | 8 | 1 | 7 | 8 |
13 | Network Monitoring and Defense | 11 | 0 | 6 | 11 |
14 | Security Awareness and Skills Training | 9 | 8 | 9 | 9 |
15 | Service Provider Management | 7 | 1 | 4 | 7 |
16 | Application Software Security | 14 | 0 | 11 | 14 |
17 | Incident Response Management | 9 | 3 | 8 | 9 |
18 | Penetration Testing | 5 | 0 | 3 | 5 |
As the table shows, this is a comprehensive collection of controls. Version 8 streamlined the number of controls from 20 to 18 and reduced the number of Version 7 “sub-controls” (now called safeguards in Version 8) from 172 to 153. This update comes three years after the prior update that brought us to Version 7.
Version 8 continues the practice of defining Implementation Groups (IG) 1, 2 and 3. These are intended to be approached in sequence, achieving compliance with IG 1 before moving on to IG 2. In Version 8, however, the concepts of “basic” and “foundational” controls have been eliminated; the IGs are now the prioritization framework for the safeguards, and each Implementation Group contains safeguards from across the various control areas.
As in all cyber security standards, developing a robust asset and network inventory is the base element that enables the rest of security to be effective. This is clear in the CIS Controls Top 18 (just as it is with the NIST CSF).
Controls 1 and 2 require a hardware (or OS) inventory as well as a comprehensive software inventory across all assets. Diving deeper into the safeguards of these controls makes obvious the value of a deep asset inventory that goes beyond merely seeing whether a hardware device is on the network.
To summarize IG 1 vs. IG 2 and 3, IG 1 focuses on those elements that should be the initial set of safeguards applied. CIS discusses this as something that smaller organizations might seek to achieve. However, in the world of OT security, many organizations are beginning from scratch relative to cybersecurity. IG 1 is a great initial set of controls that provide protection from untargeted attacks, and are something that forms the basis of future maturity advancement.
Many of the IG 1 tasks focus on what we’d call asset management: accurate inventory, an accurate vulnerability picture, basic network protections, knowledge of privileged access, timely backups, etc. These core elements reflect the importance of deep visibility into the environment and the ability to control access, software, recovery, etc.
Achieving maturity against CIS (or NIST, IEC 62443, ISO 27001, etc.) requires more than a passive review of assets. This is particularly challenging in OT, and those challenges are what we have addressed with the Verve Security Center.
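To make the IG sequencing concrete, here is an added example (not code from the article or from Verve) that loads the safeguard counts from the table above, checks that the IG columns are cumulative and sum to the 153 safeguards the article cites, and turns a per-control assessment into a maturity report. It assumes, as the sequencing above recommends, that an organization implements each control's IG 1 safeguards before its IG 2 ones, so an implemented-safeguard count per control maps to the highest IG fully satisfied; the `SAMPLE` assessment is constructed for illustration.

```python
# Added example, not the article's code. Each entry is (total, IG1, IG2, IG3)
# safeguard counts copied from the table above; the IG columns are cumulative.
CIS_V8 = {
    1: (5, 2, 4, 5), 2: (7, 3, 6, 7), 3: (14, 6, 12, 14), 4: (12, 7, 11, 12),
    5: (6, 4, 6, 6), 6: (8, 5, 7, 8), 7: (7, 4, 7, 7), 8: (12, 3, 11, 12),
    9: (7, 2, 6, 7), 10: (7, 3, 7, 7), 11: (5, 4, 5, 5), 12: (8, 1, 7, 8),
    13: (11, 0, 6, 11), 14: (9, 8, 9, 9), 15: (7, 1, 4, 7), 16: (14, 0, 11, 14),
    17: (9, 3, 8, 9), 18: (5, 0, 3, 5),
}


def validate_table() -> int:
    """Check IG1 <= IG2 <= IG3 == total for every control; return the grand total."""
    for num, (total, ig1, ig2, ig3) in CIS_V8.items():
        if not ig1 <= ig2 <= ig3 == total:
            raise ValueError(f"Control {num}: inconsistent IG counts")
    return sum(row[0] for row in CIS_V8.values())


def ig_totals() -> dict:
    """Safeguards an organization must have in place to fully satisfy each IG."""
    return {f"IG{i}": sum(row[i] for row in CIS_V8.values()) for i in (1, 2, 3)}


def achieved_ig(control: int, implemented: int) -> int:
    """Highest IG whose safeguards for this control are all done (0 = none).
    Assumes safeguards are implemented in IG order, as the article recommends."""
    return sum(1 for threshold in CIS_V8[control][1:] if implemented >= threshold)


def maturity_report(assessment: dict) -> dict:
    """assessment maps control number -> implemented safeguard count (missing = 0).
    Overall IG is the minimum across controls, because an IG is only met when
    every control's safeguards for that IG are in place. Also lists the gap
    per control to the next IG."""
    per_control = {n: achieved_ig(n, assessment.get(n, 0)) for n in CIS_V8}
    overall = min(per_control.values())
    nxt = overall + 1
    gaps = {n: CIS_V8[n][nxt] - assessment.get(n, 0) for n in CIS_V8
            if nxt <= 3 and CIS_V8[n][nxt] > assessment.get(n, 0)}
    return {"per_control": per_control, "overall_ig": overall, "gaps_to_next_ig": gaps}


# Constructed sample assessment: a site that has finished IG1 on every control
# and part of IG2 on controls 1 and 8, but has done nothing yet on control 13.
SAMPLE = {1: 4, 2: 3, 3: 6, 4: 7, 5: 4, 6: 5, 7: 4, 8: 10, 9: 2, 10: 3,
          11: 4, 12: 1, 14: 8, 15: 1, 17: 3}
```

Running `maturity_report(SAMPLE)` reports overall IG 1, with control 1 already at IG 2 and a gap of 11 safeguards on control 16 (Application Software Security) being the largest step toward IG 2.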
While originally designed for IT, Verve works with clients to adapt the standard into the OT/ICS environment, enabling a single standard across IT and OT. Verve works closely with industrial organizations to establish CIS 18 programs and build dynamic compliance and security management processes. With the Verve Security Center platform, visibility into measurement, alerting and discovery is enhanced by supporting services.
To bridge these controls from IT into OT, several adjustments need to be made:
Even though there are several adjustments required, there are significant benefits to using this common standard across OT and IT. This includes:
The CIS Controls Top 18 really require what we have come to call OT Systems Management. This practice is similar to ITSM, which has been practiced for many years. But in OT, assets are often not actively managed, for many of the reasons above. Implementing the CIS Controls as a standard drives greater security and more robust and reliable operations, because systems are managed, updated and controlled on a regular basis.
Over the past decade, Verve has worked with clients implementing a range of security standards: NIST CSF, NIST 800-53, NERC CIP, ISA 99, etc. We have found that the CIS Controls Top 18 (or Top 20, historically) offer a very good alternative for large organizations seeking consistency between IT and OT.