The Dragos Blog

11.22.22 | 3 min read

Mapping Cross-Sector Cybersecurity Performance Goals (CPGs) to 5 Critical Controls for ICS/OT Cybersecurity

CISA and NIST recently partnered to create the Cross-Sector Cybersecurity Performance Goals (CPGs) as part of the National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems initiatives released in July 2021. The CPGs are voluntary baseline cybersecurity practices intended to help small to medium-sized organizations begin their cybersecurity journey.

The CPGs combine fundamental IT and OT cybersecurity practices and are prioritized to provide meaningful guidance to critical infrastructure owners and operators. This subset of practices is intended to aid in highlighting the essential areas on which owners and operators should focus.

The CPGs emphasize desired, measurable outcomes rather than prescriptive processes, techniques, or procedures. This approach leads to defined results without specific directions regarding how those results will be obtained. It empowers asset owners and operators with the flexibility to implement the technologies and practices that work best with their company or facility.

Existing cybersecurity frameworks and guidance informed the goals of the CPGs. Each practice in the CPGs aligns with and is mapped to the NIST Cybersecurity Framework (CSF). However, the CPGs do not fully address each NIST CSF subcategory. The CPGs are a great resource and can be used as a first step towards implementing the complete NIST CSF, especially for organizations that have struggled to implement the CSF because of its complexity or because of resource or budget constraints.

The CPGs were informed by real-world threats and adversary tactics, techniques, and procedures (TTPs) observed by CISA, the government, and industry partners. The 5 Critical Controls for ICS/OT Cybersecurity identified by the SANS Institute use scenarios based on real-world TTPs to design and improve cybersecurity defense and response. The five critical controls put a strong emphasis on practices that facilitate an active defense, as opposed to the traditional prevention-focused approach seen in many current regulations and control frameworks.

The CPGs and five critical controls provide small and medium asset owners a path into a world-class OT cybersecurity program while being meaningful for larger or more mature asset owners. Dragos has been on a global mission to safeguard civilization from day one. Per this mission, Dragos offers free resources to small and medium businesses through the Dragos Operational Technology – Cyber Emergency Readiness Team (OT-CERT) to help them create or enhance their OT cybersecurity program.

The Dragos OT-CERT can offer practical cybersecurity guidance to the greater community by cooperating with small and medium businesses and various partners to provide workshops and tabletop exercises. This enables participants to learn from each other and allows OT-CERT to maintain a growing list of recommended practices for OT security that address common security challenges.

The following table maps the CPGs to the five critical controls for ICS/OT cybersecurity.

| CPG Family | CPG | CPG Title | Critical Control |
|---|---|---|---|
| Account Security | 1.1 | Detection of Unsuccessful (Automated) Login Attempts | #3 ICS Network Visibility & Monitoring |
| Account Security | 1.2 | Changing Default Passwords | #2 Defensible Architecture |
| Account Security | 1.3 | Multi-Factor Authentication (MFA) | #4 Secure Remote Access |
| Account Security | 1.4 | Minimum Password Strength | #2 Defensible Architecture |
| Account Security | 1.5 | Separating User and Privileged Accounts | #2 Defensible Architecture |
| Account Security | 1.6 | Unique Credentials | #2 Defensible Architecture |
| Account Security | 1.7 | Revoking Credentials for Departing Employees | #2 Defensible Architecture |
| Device Security | 2.1 | Hardware and Software Approval Process | #2 Defensible Architecture |
| Device Security | 2.2 | Disable Macros by Default | #2 Defensible Architecture |
| Device Security | 2.3 | Asset Inventory | #2 Defensible Architecture |
| Device Security | 2.4 | Prohibit Connection of Unauthorized Devices | #2 Defensible Architecture |
| Device Security | 2.5 | Document Device Configurations | #2 Defensible Architecture |
| Data Security | 3.1 | Log Collection | #3 ICS Network Visibility & Monitoring |
| Data Security | 3.2 | Secure Log Storage | #3 ICS Network Visibility & Monitoring |
| Data Security | 3.3 | Strong and Agile Encryption | #2 Defensible Architecture |
| Data Security | 3.4 | Secure Sensitive Data | #2 Defensible Architecture |
| Governance and Training | 4.1 | Organizational Cybersecurity Leadership | #1 ICS Incident Response |
| Governance and Training | 4.2 | OT Cybersecurity Leadership | #1 ICS Incident Response |
| Governance and Training | 4.3 | Basic Cybersecurity Training | #1 ICS Incident Response |
| Governance and Training | 4.4 | OT Cybersecurity Training | #1 ICS Incident Response |
| Governance and Training | 4.5 | Improving IT and OT Cybersecurity Relationships | #1 ICS Incident Response |
| Vulnerability Management | 5.1 | Mitigating Known Vulnerabilities | #5 Risk-Based Vulnerability Management |
| Vulnerability Management | 5.2 | Vulnerability Disclosure / Reporting | #5 Risk-Based Vulnerability Management |
| Vulnerability Management | 5.3 | Deploy Security.txt Files | #5 Risk-Based Vulnerability Management |
| Vulnerability Management | 5.4 | No Exploitable Services on the Internet | #2 Defensible Architecture |
| Vulnerability Management | 5.5 | Limit OT Connections to Public Internet | #2 Defensible Architecture |
| Vulnerability Management | 5.6 | Third-Party Validation of Cybersecurity Control Effectiveness | #1 ICS Incident Response; #2 Defensible Architecture |
| Supply Chain Third Party | 6.1 | Vendor/Supplier Cybersecurity Requirements | #2 Defensible Architecture |
| Supply Chain Third Party | 6.2 | Supply Chain Incident Reporting | #1 ICS Incident Response |
| Supply Chain Third Party | 6.3 | Supply Chain Vulnerability Disclosure | #1 ICS Incident Response |
| Response and Recovery | 7.1 | Incident Reporting | #1 ICS Incident Response |
| Response and Recovery | 7.2 | Incident Response (IR) Plans | #1 ICS Incident Response |
| Response and Recovery | 7.3 | System Back Ups | #2 Defensible Architecture |
| Response and Recovery | 7.4 | Document Network Topology | #2 Defensible Architecture; #3 ICS Network Visibility & Monitoring |
| Other | 8.1 | Network Segmentation | #2 Defensible Architecture |
| Other | 8.2 | Detection Relevant Threats and TTPs | #3 ICS Network Visibility & Monitoring |
| Other | 8.3 | Email Security | #2 Defensible Architecture |

Both the CPGs and the five critical controls offer a path for small and medium businesses to reduce the complexity often encountered in a comprehensive cybersecurity program. The two complement each other and can help reduce the resources required to implement sound security practices against the most pressing cybersecurity threats. At the same time, indirect collaboration amongst small and medium businesses through lessons learned, tabletop exercises, and knowledge sharing strengthens the entire community and provides a framework to improve and bolster cybersecurity defenses continuously.

Join Dragos OT-CERT Today

Dragos provides additional resources to resource-challenged organizations with OT environments that lack in-house security expertise through the Dragos OT-CERT membership. This membership is free and open to all OT asset owners and operators. Members can access a growing library of resources such as reports, webinars, training, recommended practice blogs, assessment toolkits, tabletop exercises, and more.

Build a world-class OT cybersecurity program
Register for the SANS webinar on December 19 to learn how to apply the 5 critical controls with CISA’s performance goals to improve your ICS/OT cyber defense.