As manufacturers increasingly turn to industrial control systems (ICS) and digital ecosystems to reap the benefits of Manufacturing 4.0, the role of cybersecurity in factory resilience has moved to the forefront. Most manufacturing stakeholders, whether executives, program managers, or facility engineers, understand this implicitly. At this point, we’ve heard from the President on down (industry associations, security communities, and so on) about the importance of securing critical infrastructure.
The problem is understanding what that explicitly looks like at a facility level—particularly for smaller and midsize manufacturing firms that may have minimal budget, time, and human capital to spend.
Figuring out how to get the best possible results from incremental cyber investments can be highly tricky without impartial third-party guidance. This is the need that the government and a consortium of manufacturing and security community partners seek to fill with a new piece of guidance from the National Cybersecurity Center of Excellence (NCCoE), a part of the National Institute of Standards and Technology (NIST).
Dragos was among nine vendors who collaborated with NCCoE and MITRE to pull together this guide, NIST Special Publication (SP) 1800-10, Protecting Information and System Integrity in Industrial Control System Environments. The document offers vetted information and guidance on ways manufacturers can strengthen operational technology (OT) systems to mitigate ICS integrity risks and protect the data these systems process.
The Process Behind the NIST Guide to Manufacturing
Improving cybersecurity at manufacturing firms is kind of like healthy eating. Most people understand they should live a healthy lifestyle, eat right, and incorporate some level of exercise. But it can be hard to transform that awareness into a workable daily plan for what to eat, how much to exercise, and how to take small steps to improve every day.
And just like with health and fitness, there are lots of unscrupulous vendors out there ready to sell someone on a magic pill that will solve all their industrial cyber security challenges. However, history has shown that there is no magic pill—just a series of steps and measures manufacturers can take to gradually move the needle on the cyber resilience of their systems.
The collaborative team led by NCCoE developed data-driven insights into some of the best steps to take and distilled them into this guide. The guidance is based on lab-tested analysis of several essential manufacturing system testbeds. The testing examined how certain categories of security controls could be used to protect them against cyber threats most relevant to manufacturers.
The team built the test benches to mimic real-world manufacturing environments. The scenarios focused on known cyber challenges drawn from the MITRE ATT&CK® for ICS database. All parties involved helped contribute to the design and possible testing of two distinct lab settings: a discrete manufacturing work cell, which represented assembly line production, and a continuous process control system, which represented chemical manufacturing industries.
The systematic approach gives the manufacturing community some crucial validation of industrial cybersecurity tooling without every business conducting research and testing independently. Organizations that don’t have the time or wherewithal to verify and validate industrial cybersecurity technology categories for their use cases will find the output invaluable. At the same time, the fact that a government agency led the effort impartially means that the documents will not have any extreme vendor slant. The goal was not to pick product winners and losers but instead to help organizations simply understand the types of technology available and how to deploy/integrate them for an improved return on investment.
How to use the NIST Guide
The beauty of this guide is how it is written: it addresses a broad range of manufacturing stakeholders, but is broken into digestible chunks, each relevant to a core constituency.
The first section, Volume A, is the Executive Summary, which provides an overview of the major pain points and business justifications for why an organization needs to take the next steps in maturing manufacturing cybersecurity. This is ideal for those at the highest levels who need a broader look at the challenges. The following sections get progressively more technical in nature.
Volume B is the Approach, Architecture, and Security Characteristics section. It’s primarily written for program managers and middle management decision-makers considering which technologies to use to solve which problems their OT-driven manufacturing facilities will face. This part of the guide discusses categories, the trade-offs of different approaches, and various risk considerations.
Meanwhile, Volume C presents the How-To Guides. This is where the true nuts-and-bolts are provided to the technical staff deploying security tooling in the field, with lots of information on how to navigate systems or platforms and where those different pieces of technology fit together. This last section is crucially important to those involved with the solution deployment process. It provides a comprehensive understanding of how they can obtain maximum value from the investments by providing specific technical implementation details.
The Dragos team was proud to contribute to another successful NCCoE project. We believe it offers easily digestible guidance to the manufacturing community to improve cybersecurity posture, no matter where they are in the journey. Just like there will never be a magic pill or a singular approach to achieving the appropriate BMI for your body type, manufacturing companies have many ways to accomplish the cyber risk posture they think is suitable for their business. This guide seeks to cover many of those approaches and present some food for thought to develop a tailor-made cybersecurity program that works for each organization.
We look forward to participating in future collaboration opportunities with the NCCoE team to offer guidance on mitigating risks within industrial control system environments, such as the upcoming Responding to and Recovering from a Cyber Attack: Cybersecurity for the Manufacturing Sector project.