When managing cybersecurity, it is best practice to work from a cybersecurity framework. OT security teams have several options available: some are tailored to specific industry needs, others are designed around different approaches, and they are often used in combination. Some frameworks are closely tied to compliance requirements, such as NERC CIP, while others, such as the CIS Controls, have no direct regulatory component.
The CIS Controls provide a prioritized foundation of defensive actions that, when implemented together, create a comprehensive security approach to protect systems and networks from the most prevalent cyber attacks. According to the Center for Internet Security, the CIS Controls are a 'concise, prioritized set of cyber practices created to stop today’s most pervasive and dangerous cyber attacks.'
The Critical Security Controls align with evolving industry standards and frameworks, effectively acting as a guide both for strengthening cybersecurity posture and for meeting a number of compliance requirements and regulations. Because most modern systems are dynamic in nature, the CIS Controls are an effective way to support your assets' ever-developing needs.
Successful cyber attacks generally rely on the exploitation of vulnerabilities and weaknesses such as unpatched software, poor configuration management, and outdated solutions. The CIS Security Controls consist of 18 controls, each of which asks the user to address a single area, giving a simplified approach to maintaining cybersecurity hygiene (see Figure 1).
Any business can use the CIS Critical Security Controls (CIS Controls) as a prescriptive, prioritized, and simplified set of best practices to strengthen their cybersecurity posture. Simply put, the CIS Controls are about getting cybersecurity done.
“What I really appreciate about the CIS Controls is that they are a standard and a best practice that helps us with our roadmap. Adopting the CIS Controls also assists us in budget planning and decision making about where we should allocate time and effort towards our security posture,” said the VP/CIO of a midwestern electric utility.
How to Use the CIS Controls in ICS/OT Environments
Although CIS Controls were originally developed by the Center for Internet Security (CIS) to guide enterprise IT cybersecurity and data protection, adoption among critical infrastructure companies is rapidly increasing because of increased cyber threats to industrial control systems (ICS). Considering the unique requirements of OT environments, CIS offers an ICS Companion Guide for implementing security best practices with Industrial Control Systems.
Industrial Control Systems (ICS) are essential to global critical infrastructure. While the core security concerns of enterprise IT systems overlap with those of the OT security team, implementing security controls in OT systems presents unique challenges. These systems control physical equipment or processes directly through specialized software and hardware. Additionally, ICS/OT systems have stringent availability requirements since they are integral to delivering critical services such as electricity, water, fuel, etc.
OT teams often depend on vendor technologies, systems, and services, which are frequently built from various combinations of open and proprietary technologies. It is not uncommon for these vendor agreements to be considered vital by ICS asset owners because of the additional assurance they provide of the system's operational integrity, and because they help recover the cost of system downtime. It is important to note that many of these agreements ultimately restrict which adjustments ICS asset owners can make before voiding their warranty.
The CIS Security Controls are widely implemented across a variety of organizations, from small businesses to major government entities, including many within the executive branch. These controls are recognized for providing a 'reasonable' level of security, adaptable to different sizes and types of organizations.
The CIS18 can be described as “prioritized, easy to understand, and extremely cost-effective for small to mid-size organizations looking to prove they are secure enough to do business in today’s marketplace,” said Jim Long, Managing Partner at The Long Law Firm, PLLC.
Having the right partner makes all the difference when navigating, implementing, and managing a complex framework such as the CIS Security Controls. Industrial Defender's robust OT asset data collection capabilities not only provide deep visibility into which OT assets you have but also detail their system states, configurations, and vulnerabilities. This comprehensive insight allows our solution to report on alignment with the CIS Controls, so the information you need is available out of the box in our compliance library. With baselining and change detection, Industrial Defender can alert you when assets drift away from secure, compliant states.
To learn more about how Industrial Defender can help support your journey to utilizing CIS Security Controls, explore our guide below.
(Figure 1: Summary of CIS Controls)
Control 1: Inventory and Control of Enterprise Assets
Control 2: Inventory and Control of Software Assets
Control 3: Data Protection
Control 4: Secure Configuration of Enterprise Assets and Software
Control 5: Account Management
Control 6: Access Control Management
Control 7: Continuous Vulnerability Management
Control 8: Audit Log Management
Control 9: Email and Web Browser Protections
Control 10: Malware Defenses
Control 11: Data Recovery
Control 12: Network Infrastructure Management
Control 13: Network Monitoring and Defense
Control 14: Security Awareness and Skills Training
Control 15: Service Provider Management
Control 16: Application Software Security
Control 17: Incident Response Management
Control 18: Penetration Testing