Adapting NIST SP 1800-10 to provide information, system integrity in ICS environments at manufacturing sites

The National Institute of Standards and Technology’s (NIST’s) National Cybersecurity Center of Excellence (NCCoE) recently worked with nine vendors to provide the manufacturing sector with data-driven insights. The approaches in the NCCoE’s NIST SP 1800-10 document describe a range of ways in which manufacturers can strengthen operational technology (OT) systems to mitigate ICS (industrial control systems) integrity risks while also safeguarding the data that these systems process.

As manufacturing environments modernize systems, boost productivity, and raise overall operational efficiency, their infrastructures are becoming more interconnected and integrated with other IT systems, and they are introducing automated methods to strengthen OT asset management. These enhancements, however, come at the price of having to bolster cyber defenses to protect people, data, and operations.

The NIST SP 1800-10 guide analyzes common attack scenarios and provides examples of practical solutions that the manufacturing sector can deploy to safeguard ICS from destructive malware, loss of historical data, unauthorized software, unauthorized remote access, insider threats, anomalous network traffic, and unauthorized system modifications. The document also offers an approach that delivers crucial validation of industrial cybersecurity tooling without every business having to conduct its own research and testing.

Industrial Cyber reached out to experts in the field to analyze how the NIST SP 1800-10 document helps protect information and system integrity in ICS environments, and how it contributes to stronger cybersecurity for the manufacturing sector.

Asked how the manufacturing industry could best integrate key aspects of the NIST SP 1800-10 guide to strengthen its cybersecurity posture, John Livingston, CEO of Verve Industrial, told Industrial Cyber that the document “highlights the capabilities of example tools on the markets and shows that the challenge is not a lack of available technology, but a lack of management of that technology and accelerated deployment of protection mechanisms.”

John Livingston, CEO of Verve Industrial

“The project assumed that the tools were deployed, maintained, configured appropriately, and integrated in some fashion,” according to Livingston. “If these assumptions are true, then these attacks are prevented. The challenge, however, is that in many cases tools are not well deployed, not hardened, and not maintained. For instance, how many people know if they have Carbon Black on all of their endpoints, what the approved files in the whitelist are, and whether the tool is in ‘lockdown’ or ‘prevent’ mode?” he added.

“All of these tools…and others such as patching, configuration hardening, network segmentation, user and access control, etc. are incredibly valuable…but only if the organization has a way to centrally manage them, tune them to prioritize alerts, and conduct what we would call ‘OT Systems Management’ to ensure the tools are working as intended,” Livingston added.

“There are several, starting first with network segmentation. Probably one of the largest mistakes made by manufacturers is the lack of segmentation between their enterprise (or business) networks and their operational networks,” Bob Radvanovsky, a critical infrastructure and cybersecurity researcher, told Industrial Cyber. “There have been too many incidents, both attack as well as non-attack related, that have allowed severe disruptions to plant operations,” he added.

Bob Radvanovsky, critical infrastructure and cybersecurity researcher

“Secondly, is allowing remote OT or ICS manufacturers to have full and complete access – unadulterated access – to their ‘crown jewels’ without any dispositioned security controls applied,” according to Radvanovsky. “Third (and this is a big one), is safeguarding configurations to critical plant equipment. If this means storing a USB drive in a safe – so be it. But, manufacturers are, just now, beginning to save off and check regularly (checksums) if configuration files have been tampered with. Without those files, production could be impacted,” he added.

“I can’t judge the robotics part, not my area of expertise,” Sinclair Koelemij, an ICS security professional, told Industrial Cyber. “But for the PCS part I think the document doesn’t contribute that much for several reasons – there was no input from the OT vendors, and this is very much shown in some of the conclusions. The document primarily promotes application white listing and anomaly detection, as if those two controls are a silver bullet to stop every attack. This is not true,” he added. 

Sinclair Koelemij, ICS security professional

“The document bypasses several issues in practical life. Like the many directory excludes vendors enforce, EDDL manipulation is not covered by AAL, AAL monitors the FDT program, but several solutions miss the DTM running within the FDT. Besides, the Logiic research of several years ago showed other gaps in AAL,” according to Koelemij.

An FDT (Field Device Tool) is an open framework for field device tools that defines the data exchange interface between field devices and the control systems, engineering tools, and asset management tools that use them. A DTM (Device Type Manager) is a software component that runs within that framework and exposes device operation through a graphical interface. AAL (application allow listing) is a list of applications and application components authorized for use in an organization; it controls which applications are permitted to execute on a host and blocks the execution of malware, unlicensed software, and other unauthorized software.
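Radvanovsky’s point above about saving off configuration files and regularly checking their checksums, and the AAL idea of approving components by known-good hashes, can be illustrated with a small baseline-and-verify routine. This is an added example, not code from NIST SP 1800-10 or from any vendor quoted here; the directory layout, file names and contents are constructed, and in practice the stored baseline would live offline, as he suggests.

```python
import hashlib
import json
import os
import tempfile

def sha256_file(path):
    """Stream a file through SHA-256 so large project files never sit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_baseline(root):
    """Hash every file under root, keyed by its forward-slash relative path."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline

def verify(root, baseline):
    """Compare the live directory with the stored baseline and classify each difference."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "unexpected": sorted(p for p in current if p not in baseline),
    }

def write_file(root, rel, data):
    """Helper for the constructed scenario: create rel under root with the given bytes."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)

def demo():
    """Constructed scenario: baseline a fake PLC project folder, then change it."""
    root = tempfile.mkdtemp()
    write_file(root, "plc1/logic.acd", b"rung 1: start pump\n")  # hypothetical file names
    write_file(root, "plc1/tags.csv", b"PUMP_RUN,BOOL\n")
    stored = json.dumps(build_baseline(root), sort_keys=True)  # keep this copy offline
    write_file(root, "plc1/logic.acd", b"rung 1: start pump\nrung 2: altered\n")
    write_file(root, "plc1/extra.acd", b"not in baseline\n")
    os.remove(os.path.join(root, "plc1", "tags.csv"))
    return verify(root, json.loads(stored))
```

`demo()` returns one modified, one missing and one unexpected path; each category is a different kind of integrity finding and would normally raise a different alert.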

Given the disparate approaches to IT and OT environments, and asked whether the NIST SP 1800-10 guide could provide a platform that seamlessly delivers and secures IT-OT convergence for manufacturing companies, Livingston said that he does not think “the intent was as much about seamless platforms. Most of these are OT-specific platforms… Dragos, Dispel, etc.”

“One major thing that is missing from this analysis is any of the key protection elements (other than whitelisting) on an endpoint…patching, configuration hardening, user and account control, software control, etc.,” according to Livingston. “These elements are core to IT security. So to have true IT security in OT, these will also be required,” he added.

“Seamless? No – there is no such thing,” Radvanovsky said. “But, to begin with, an initiative that may provide key-specific points for protecting a manufacturing plant, I think that NIST has gotten off to a good start. I would expect more documents to come out later, particularly related to specific functions within a plant,” he added.

Koelemij also said that he did not think so. “Reasons are – apart from the network segmentation – I don’t see so much OT-specific information, the focus is primarily servers, stations, network equipment … that part is very similar to IT.”

“The OT parts are not addressed, OT vendors often have very specific network architectures, protocols within their network for redundancy and prioritizing traffic,” according to Koelemij. “Important issues around interfacing systems are not addressed. It is for 80% an IT document with small parts of OT,” he added.

To secure an OT system, knowledge is required from process and safety engineers, process automation engineers, risk analysts, network engineers, computer platform engineers, and security engineers, Koelemij said. “This IT / OT convergence only plays a small role in technical risk but is not a problem for teams that specialize in OT security and have a solid process automation background. Securing OT is a team effort, convergence is an illusion. There will not be an engineer that covers all disciplines,” he added.

Turning to the guiding role that the NIST SP 1800-10 document plays, and to the elements that the manufacturing sector could potentially overlook and that adversaries could subsequently exploit, Livingston said that “this effort was primarily about stopping a threat with detection elements…whitelisting, BAD, etc. But as mentioned, the thing that is overlooked is that for many of these, such as the BAD, you have to actually see the alert in a sea of alerts to act.”

BAD (behavior anomaly detection) is the continuous monitoring of systems for unusual events or trends. These capabilities let manufacturers detect anomalous conditions in their operating environments and respond to malware attacks and other threats to the integrity of critical operational data.

“The biggest thing that’s missing would be the actual protections on the assets that do not require a great analyst to detect…but instead focus on ensuring ‘protection’ …patching, hardening, etc.,” according to Livingston. “Whitelisting can be a great protection element…but it must be managed tightly and placed in lockdown mode to be effective,” he added.

“Personally I find the content of the document disappointing, so I don’t see how it contributes,” Koelemij said. “The content is not addressing the complexities that the industry faces. It focuses very much on small environments and forgets the many interdependencies that exist in systems because it addresses the OT system as a bunch of components, not from the functional side,” he added. 

“The document seems to promote some of the controls of the participators not addressing the weaknesses of these controls, they are almost treated as a silver bullet,” Koelemij added.

“The document doesn’t represent today’s solutions offered by multiple OT vendors,” Koelemij said. “If I just take three large OT vendors, Yokogawa, Emerson, Siemens, and Honeywell, their architectures are not correctly covered by the ‘builds.’ Though these OT vendors dominate a large part of the petro-chemical/refining/and oil & gas systems. The builds might represent one vendor, but the differences between vendor architectures and configuration rules they support are significant. The absence of OT vendor representation in the creation of this document is very noticeable,” he highlighted.

Radvanovsky pointed toward “unsegmented networking, remote access, ‘lightly configured’ devices (a term I’ve developed for ‘default settings’), unnecessary administrative privileges, and same passwords for same or similar accounts,” as those elements that the manufacturing sector could potentially overlook, which could subsequently be exploited by adversaries.

“From the results discovered from ‘Project SHINE’, the amount of ‘lightly configured’ devices was scary – to the point of tens of thousands – not just in the U.S., but worldwide,” according to Radvanovsky. “The U.S. has a much better grasp on securing control systems than other countries. Also, having a bit of a paranoid attitude doesn’t hurt, either,” he added.

Assessing whether smaller and midsize manufacturing firms, with minimal budget, time, and human capital to spend, can derive value from the NIST SP 1800-10 document and adapt it to their environments, Livingston said that “I think some of this may be overkill for a smaller firm. In many cases, these firms haven’t even instituted firewalls or any form of access controls. The notion of secure remote access hasn’t reached them.”

“So deploying advanced anomaly detection is likely not in the first set of initiatives they should deploy,” according to Livingston. “Basics: ensure network protection, ensure whitelisting is deployed and in lockdown, ensure that core systems are patched and critical vulnerabilities are removed. These are things that a small business could accomplish that would make a dramatic improvement in their security before some of these other more advanced practices are introduced,” he added.

“AAL is relatively low cost, but an implementation without the support of the OT vendor can be difficult and costly,” according to Koelemij. “Anomaly detection is more costly, but wouldn’t be very effective for smaller installations. Anomaly detection is a good solution, but the flaws are incident response and the increasing support for micro-segmentation using encryption. Additionally, threat actors increasingly hide their traffic within ‘approved/normal’ traffic,” he added.

“Overall, I am sorry but don’t think this document is very good, the 800-82 was a far better product. Incomplete, but useful,” Koelemij said. “The idea is good to have some reference architectures with attack and security scenarios. But the implementation is far too simple, not addressing the actual architectural issues the industry faces with interfacing different functions,” he added. 

“The approach is a technical security approach, however technical security covers only a small part of the OT security challenge,” Koelemij added.

“Many of the topics of discussion within this document are plausible for small-to-medium-sized manufacturers,” Radvanovsky said. “The key is to set aside some funds for safeguarding their plants regularly. This would be no different than setting aside funds for servicing or maintenance of plant equipment – how difficult would it be to do something similar? Critical maintenance of plant equipment is on par with cybersecurity efforts, especially if devices are network-capable,” he added.

“It doesn’t have to be costly if security efforts were split into smaller tasks,” according to Radvanovsky. “The sting of expending huge amounts of money would disappear based on a company’s prioritization matched against the condition of each of their operations within a plant,” he concluded.
