The attack surface for organizations with industrial control systems (ICS) is a far cry from the past. Once limited to ICS devices running on an isolated OT network, the attack surface now includes IT devices in OT environments and OT networks interconnected with IT networks. The result: separate and independent IT and OT security controls and processes are unable to protect organizations because they leave gaps and blind spots that adversaries can exploit.
Keeping IT and OT specific constraints and requirements in mind, organizations should adapt and extend common security controls across both IT and OT.
The session will discuss the six information security controls designated by the Center for Internet Security as Basic Controls — the things that you must do to create a strong foundation for your success. The controls are foundational to all leading security frameworks, including the NIST Cybersecurity Framework and NERC CIP. The six basic controls are:
- Inventory of authorized and unauthorized devices
- Inventory of authorized and unauthorized software
- Continuous vulnerability management
- Controlled use of administrative privileges.
- Secure configurations for hardware and software
- Maintenance, monitoring and analysis of audit logs
Each control’s related sub-controls will be discussed, along with the benefits of adoption. Additionally, considerations for applying the controls to ICS will be highlighted. These considerations will be taken from CIS’ recent publication, “CIS Controls: Implementation Guide for Industrial Control Systems,” to which the presenter was a contributor.
In this session you will gain an understanding of the:
- Need for common controls objectives across IT and OT
- Most important controls to implement first and why
- Considerations for applying foundational controls in OT environments