CIS Critical Security Controls v8.1 Industrial Control Systems (ICS) Guide
The CIS Critical Security Controls® (CIS Controls®) are a prioritized set of actions that collectively form a defense-in-depth set of best practices that mitigate the most common attacks against systems and networks. They are developed by a community of Information Technology (IT) experts who apply their first-hand experience as cyber defenders to create these globally accepted security best practices. The experts who develop the CIS Controls come from a wide range of sectors including retail, manufacturing, healthcare, education, government, defense, and others. While the CIS Controls address the general practices that most enterprises should take to secure their systems, some operational environments may present unique requirements not addressed by the CIS Controls. CIS has expanded its efforts to include experts from the Industrial Control Systems (ICS) engineering and Operational Technology (OT) fields to provide the CIS Controls ICS Guide.
Cybersecurity in ICS Environments
ICS help run much of the world’s critical infrastructure. ICS, or some type of industrial automation, is used and implemented in ways suited to the processes it runs or monitors. Operational technology primarily interacts with the physical world, using hardware and software to control industrial equipment. OT teams maintain critical infrastructure and industrial environments, and they often rely heavily on vendor technologies, products, systems, and services. Many vendor-supplied industrial control systems are designed and deployed using combinations of open and proprietary technologies, and it is not uncommon for an ICS, once installed, to be accompanied by warranties and guarantees of that system’s reliability and performance. These types of agreements are sometimes deemed critical by ICS asset owners since they provide added assurance of the system’s operational integrity and can also aid in cost recovery associated with system downtime. ICS vendors often provide such agreements as a way to assume or offset aspects of the risk they carry as an automation and control system supplier to an asset owner. Such agreements are offered because the vendors conduct extensive engineering, testing, and validation of the software and hardware combinations in these systems to rule out compatibility and interoperability issues that may impact ICS operation. However, such agreements often restrict what adjustments ICS asset owners can make to an ICS without voiding the warranty. In some cases, even the addition of a simple security control to an ICS, or a minor configuration change, can void a warranty. Therefore, these agreements must be considered when determining how best to implement critical security controls in an ICS.
ICS environments may also have many embedded Internet Protocol (IP) connected devices. These devices often lack the capability to support traditional IT-grade security control technologies since many run specialized firmware and Real-Time Operating Systems (RTOS); utilize proprietary protocols such as Profibus, Connection Oriented Transport Protocol (COTP), ThroughPacket (TPKT), Modbus, and EtherNet/IP; or cannot support the contemporary endpoint or supplicant software commonly used in IT systems. Additionally, for ICS, the primary security focus tends toward ensuring operational integrity of the systems rather than data protection and privacy. Therefore, availability is a primary concern when developing a security program to address an enterprise’s risk associated with its OT systems.
ICS network architectures, which combine routable and non-routable communication paths, often differ from traditional IT environments. The overriding themes for applying security to ICS are segmentation and boundary control between the IT and OT domains, with segmentation between levels within the ICS network as a further best practice, and careful controls around local and remote connectivity to reduce the attack vectors that threat actors can use to gain access to ICS networks.
Enterprises may look at each control as needing its own solution. However, one well-resourced solution may be able to account for multiple controls; Next Gen Firewalls are an example. In some cases, adding a software module license may be cheaper or more effective than implementing a separate solution to meet the same goal. It should be understood that traditional firewalls, Next Gen included, can be less effective if not ruggedized for some hostile ICS environments, and they must be ICS protocol aware. That is, they must have the intelligence to fully dissect the ICS-specific protocols in use.
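As an added illustration (not from the CIS guide) of what "ICS protocol aware" means in practice: a port-based rule sees every Modbus/TCP frame as the same traffic on TCP 502, whereas a dissector can validate the MBAP header and tell a register read from a write before applying policy. The frames, addresses, and write-allow list below are constructed for this example.

```python
import struct
from dataclasses import dataclass

# Modbus function codes that change process state (coil/register writes).
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}


@dataclass
class ModbusTcpPdu:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_mbap(frame: bytes) -> ModbusTcpPdu:
    """Dissect the 7-byte MBAP header plus function code; raise on malformed frames."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header + function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus/TCP")
    # The length field counts unit id + function code + data (everything after byte 6).
    if length != len(frame) - 6:
        raise ValueError(f"length field {length} disagrees with frame size {len(frame) - 6}")
    return ModbusTcpPdu(tid, unit, frame[7], frame[8:])


def policy_verdict(src_ip: str, frame: bytes, write_allowed: set) -> str:
    """Return 'allow', 'deny-write' or 'deny-malformed' for one frame from src_ip."""
    try:
        pdu = parse_mbap(frame)
    except ValueError:
        return "deny-malformed"          # protocol-level check a port rule cannot make
    if pdu.function_code in WRITE_FUNCTIONS and src_ip not in write_allowed:
        return "deny-write"              # writes only from the engineering workstation
    return "allow"


# Constructed sample frames (not captured traffic): tid, proto=0, length, unit, FC, data.
READ_HOLDING = bytes.fromhex("0001 0000 0006 01 03 0000 000a")  # FC3: read 10 registers
WRITE_SINGLE = bytes.fromhex("0002 0000 0006 01 06 0010 00ff")  # FC6: write register 0x10
BAD_LENGTH = bytes.fromhex("0003 0000 0009 01 06 0010 00ff")    # length field lies

ENGINEERING_WS = {"10.1.1.10"}  # hypothetical address allowed to issue writes

if __name__ == "__main__":
    for src, frame in [("10.1.1.50", READ_HOLDING), ("10.1.1.50", WRITE_SINGLE),
                       ("10.1.1.10", WRITE_SINGLE), ("10.1.1.10", BAD_LENGTH)]:
        print(src, policy_verdict(src, frame, ENGINEERING_WS))
```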
This Version of the Controls
CIS Controls version 8.1 (v8.1) is an iterative update to version 8.0. As part of our process to evolve the CIS Controls, we establish “design principles” that guide us through any minor or major updates to the document. Our design principles for this revision are context, clarity, and consistency. Context enhances the scope and practical applicability of Safeguards by incorporating specific examples and additional explanations. Clarity aligns with other major security frameworks to the extent practical, while preserving the unique features of the CIS Controls. Consistency maintains continuity for existing CIS Controls users, ensuring little to no change due to this update.
Download our guide for guidance on how to apply the security best practices found in CIS Controls v8.1 to ICS environments.