Introduction
The NIST CSF 2.0 is an updated version of the original framework, which was introduced to provide a standardized approach to managing cyber risk across a broad range of sectors. The framework, developed by the National Institute of Standards and Technology (NIST), has become a benchmark for cybersecurity best practices in many industries. According to NIST, version 2.0 is set to be released in early 2024, and any comments or feedback on the draft must be provided to NIST before November 2023. Organizations can set their own schedules for updating configurations or maturity assessments that were developed against previous versions of the framework.
Key Updates in NIST CSF 2.0
This section briefly outlines the latest changes in the CSF 2.0 draft, broken down into six parts: changes in the scope of application, the new emphasis on governance, integration with OT/ICS-related standards, the addition of implementation guidance, updates to cybersecurity supply chain risk management, and cybersecurity metrics and evaluation.
1. Expanding the Scope of CSF 2.0
In the new version of the Cybersecurity Framework (CSF 2.0), modifications to the title and text aim to broaden its scope and enhance the framework’s applicability. CSF 2.0 adopts the more generic and widely used name “Cybersecurity Framework”, replacing the original “Framework for Improving Critical Infrastructure Cybersecurity”. This change is not intended to diminish the framework’s relevance to critical infrastructure organizations but rather to encourage a wider range of use. Moreover, since the release of CSF 1.1, the U.S. Congress has asked NIST to consider the cybersecurity needs of small businesses and higher education institutions within the CSF, making the framework more applicable to organizations of different sizes and types. The update to CSF 2.0 also emphasizes the importance of international collaboration and participation. Since the CSF was first published in 2013, several countries and organizations have demonstrated that it improves the efficiency and effectiveness of their cybersecurity efforts; some countries even mandate its use in both the public and private sectors. NIST therefore plans to position the CSF as an international resource through in-depth exchanges with foreign governments and industries. NIST will also actively participate in the development and revision of international cybersecurity risk management standards and guidelines, further strengthening the link between the CSF and international efforts.
2. Emphasizing the Importance of Governance
In CSF 1.1, the core consisted of five functions: “Identify”, “Protect”, “Detect”, “Respond”, and “Recover”. CSF 2.0 adds a sixth, “Govern”. This new function is positioned as a central feature of the framework and differs in character from the other five. The “Govern” function covers understanding the organization’s context, establishing a cybersecurity strategy, managing supply chain risks, defining roles and responsibilities, setting up policies and procedures, and overseeing the cybersecurity strategy. In other words, it informs how an organization implements the other five functions.
3. Integrating OT/ICS Standards into the Framework
NIST plans to collaborate with the community to promote and encourage the creation of mappings that support CSF 2.0. Through these reference materials, the CSF can be matched with specific resources that provide additional guidance, such as the “Internet of Things (IoT) Cybersecurity Capabilities Baseline” and the “Guide to Operational Technology (OT) Security” (SP 800-82 Rev. 3 Draft). The mappings will also make explicit the link between CSF 2.0 and the principles of Zero Trust Architecture (NIST SP 800-207). These function- and category-level mappings will increase the compatibility of CSF 2.0 with other resources, enhancing its practicality and applicability.
4. Adding Implementation Guidance to CSF 2.0
A key focus of the CSF 2.0 update is the addition of action-oriented implementation examples that show how to achieve the outcomes described in each category and subcategory of the CSF core. The purpose of this update is to provide templates for organizational action plans, making it more feasible for organizations to adopt and apply the framework, and thereby to extend the applicability of the CSF from critical infrastructure to all types of organizations. The implementation examples included in CSF 2.0 are concise and action-oriented, and each is aimed at helping organizations achieve the outcome of a specific CSF subcategory. This approach has already been applied successfully in other NIST documents, such as the “Secure Software Development Framework” (SP 800-218) and the draft of the “Artificial Intelligence Risk Management Framework Action Manual” (AI 100-1). By adding these practical examples, the CSF’s implementation guidance is expanded and improved: it clarifies the meaning and purpose of each subcategory and also gives concrete implementation approaches to readers who are less familiar with the details of cybersecurity standards.
5. Cybersecurity Supply Chain Risk Management
Feedback received by NIST during past updates to the CSF consistently highlighted supply chain and third-party cybersecurity risks as one of the main hurdles organizations face. With the “Executive Order on Improving the Nation’s Cybersecurity” (EO 14028), CSF 1.1 added a “Supply Chain Risk Management” (ID.SC) category and new content on procurement decisions, emphasizing the use of the CSF to understand the risks associated with existing products and services and integrating the Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (SP 800-161r1) standard into the CSF. Since then, globalization has brought increased use of outsourcing and technology services such as cloud computing. CSF 2.0 therefore stresses, more explicitly, the importance of organizations identifying, assessing, and managing the risks posed by suppliers and third-party collaborators. CSF 2.0 describes several ways to accomplish this, such as: incorporating supply chain management into the Govern function as a core requirement; creating new functions focused specifically on preliminary investigation, continuous monitoring, and cybersecurity outcome assessment of suppliers; and following the Secure Software Development Framework that NIST updated in accordance with EO 14028. These changes reflect NIST’s emphasis on supplier and third-party risk within the CSF and the ongoing updating and improvement of these risk management measures.
6. Cybersecurity Metrics and Evaluation
The main goal of cybersecurity metrics and evaluation is to determine how well an organization manages cyber risk and to track its progress over time. CSF 2.0 enables organizations to adopt a unified classification and terminology for measuring and evaluating their cybersecurity maturity. It provides examples of using the CSF for measurement and evaluation while acknowledging that each organization’s risks, priorities, and systems are unique. CISA has issued voluntary cross-sector Cybersecurity Performance Goals (CPG) aligned with the Cybersecurity Framework 2.0 functions. These goals assist owners of IT and OT in critical infrastructure sectors by providing a portfolio of recommended practices, including prioritized security practices and standards for basic cybersecurity. These benchmark goals can help improve industrial cybersecurity posture while guiding decisions, expenditures, and priorities. At the same time, NIST is updating its “Guide for Performance Measurement of Information Security” (SP 800-55r2) to help organizations improve cybersecurity planning, decision-making, performance, and accountability in information systems. The guide is applicable to measuring a wide range of cybersecurity program activities, and the basic principles of cybersecurity measurement and implementation are set out in NIST SP 800-55.
How to Implement NIST CSF 2.0 in an IT/OT Converged Environment
The CISA Cybersecurity Performance Goals (CPG) offer an effective method for implementing the NIST Cybersecurity Framework (CSF). This approach enables owners of critical infrastructure and manufacturers to measure and improve their cybersecurity maturity while providing a standardized assessment of organizational activities. Each topic in the CPG addresses the risk involved, the recommended security practice, the scope and desired outcome, and how the practice reduces the likelihood and impact of known risks and adversary techniques. The CISA CPG also helps organizations assess real threats and the tactics, techniques, and procedures (TTPs) of malicious actors, and pairs them with corresponding mitigation measures. Below, we list specific actions that show how owners of critical infrastructure or manufacturers can apply NIST CSF 2.0 in an OT environment:
Table 1.
NIST CSF Function | Security Practice | Recommended Action | TXOne Networks Assistance
Govern (GV) | Third Party Validation of Cybersecurity Control Effectiveness | Cyber risk assessments for OT/ICS assets must be conducted periodically. They should include the risks tied to contracts with third-party OT/ICS organizations, and adjust for changes in regulatory requirements, as integral components of the assessment. |
Govern (GV) | Supply Chain Vulnerability Disclosure | Procurement documents and contracts, including Service Level Agreements (SLAs), mandate that vendors and service providers inform their customers of confirmed security vulnerabilities in their products within the timeframe set in the customer's risk assessment. |
Identify (ID) | Asset Inventory | Organizations need to maintain an inventory of all IP-addressable assets, including IPv6 and OT systems, covering both IT and OT, and update it at least monthly. |
Identify (ID) | Mitigating Known Vulnerabilities | In line with CISA's Known Exploited Vulnerabilities Catalog, vulnerabilities in internet-facing systems should be patched or mitigated promptly, focusing on the most critical assets first. For OT assets where traditional patching isn't viable or jeopardizes operational safety, alternatives like network segmentation and monitoring should be employed and documented. These controls aim to prevent public internet access and reduce the risk of exploitation. |
Protect (PR) | Network Segmentation | OT network access should be tightly controlled, allowing only necessary connections such as specified IP addresses and ports. Communications between IT and OT networks must pass through intermediaries like firewalls, bastion hosts, 'jump boxes,' or DMZs, which should be rigorously monitored and logged and should allow only approved assets. |
Protect (PR) | Detection of Unsuccessful (Automated) Login Attempts | Organizations should track all failed login attempts and alert their security teams when multiple unsuccessful attempts occur in quick succession, such as five within two minutes. These alerts should be logged for future analysis. |
Protect (PR) | Mitigating Known Vulnerabilities | In line with CISA's Known Exploited Vulnerabilities Catalog, vulnerabilities in internet-facing systems should be patched or mitigated promptly, focusing on the most critical assets first. For OT assets where traditional patching isn't viable or jeopardizes operational safety, alternatives like network segmentation and monitoring should be employed and documented. These controls aim to prevent public internet access and reduce the risk of exploitation. |
Protect (PR) | Strong and Agile Encryption | Organizations should employ properly configured and updated SSL/TLS protocols to safeguard data in transit wherever technically possible. They are also advised to detect and replace any outdated or weak encryption methods with stronger algorithms, while preparing for the eventual transition to post-quantum cryptography. In the OT context, to limit latency and maintain availability, encryption should be applied where feasible, particularly for OT communications that involve remote or external assets. |
Protect (PR) | Disable Macros by Default | The default system policy deactivates unnecessary features, like Microsoft Office macros or similar embedded code, across all devices. If certain services need to be enabled under specific conditions, a distinct policy should be in place that allows authorized users to request activation of those services on specified assets. |
Protect (PR) | Document Device Configurations | Organizations should maintain current and comprehensive records of the configurations of all critical IT and OT assets, aiding effective vulnerability management, response, and recovery. These documents shall be regularly reviewed, updated, and monitored. |
Protect (PR) | Document Network Topology | Organizations should keep precise, up-to-date documentation of their network topology and related information for both IT and OT networks. This documentation shall be regularly reviewed, updated, and tracked to ensure accuracy and relevance. |
Protect (PR) | Hardware and Software Approval Process | Establish an administrative policy or an automated procedure that requires approval before any new hardware, firmware, or software (or new versions) is installed or deployed. Organizations should maintain a risk-assessed allowlist of sanctioned hardware, firmware, and software, specifying approved versions where possible. For OT assets, it's crucial that these processes align with established change control and testing activities. |
Protect (PR) | Incident Response (IR) Plans | Organizations should develop and regularly update IT and OT cybersecurity incident response plans, tailored to both common and organization-specific threats and tactics. Drills, conducted at least annually and as realistically as possible, shall inform updates to these plans based on lessons learned. |
Protect (PR) | Log Collection | Access and security logs, such as those from intrusion detection/prevention systems, firewalls, data loss prevention systems, and VPNs, should be gathered and preserved for detection and incident response purposes, including forensics. If a critical log source like Windows Event Logging is disabled, security teams shall be alerted immediately. For OT assets with non-standard or unavailable logs, network traffic and communications between these assets and others shall be monitored and recorded. |
Protect (PR) | Secure Log Storage | Logs should be stored in a central system, such as a security information and event management tool or central database, and should be accessible or modifiable only by authorized and authenticated users. Logs shall be retained for the period determined by risk or by pertinent regulatory guidelines. |
Protect (PR) | Prohibit Connection of Unauthorized Devices | Organizations should implement policies and procedures to prevent the connection of unauthorized media and hardware to their IT and OT assets. This includes restricting the use of USB devices and removable media, as well as disabling features like AutoRun. For OT assets, where possible, physical ports should be removed, disabled, or secured to block unauthorized device connections; alternatively, procedures should be established to allow access through sanctioned exceptions. |
Protect (PR) | No Exploitable Services on the Internet | Assets accessible from the public internet should not expose services vulnerable to exploitation, like the remote desktop protocol. If such services need to be accessible, suitable countermeasures must be put in place to deter abuse and exploitation. Additionally, on internet-facing assets, all non-essential operating system applications and network protocols should be deactivated. |
Protect (PR) | Limit OT Connections to Public Internet | OT assets shouldn’t be connected to the public internet except when absolutely necessary for operational purposes. Any exceptions must be properly justified and documented, and these assets should have extra security measures in place to prevent and identify exploitation attempts. Such measures include logging, multi-factor authentication (MFA), and mandatory access through a proxy or another intermediary. |
Detect (DE) | Detecting Relevant Threats and TTPs | Organizations should create and maintain a documented list of threats and cyber actor tactics, techniques, and procedures (TTPs) pertinent to their specific context, such as their industry or sector. They should also ensure they have the capability, through methods like rule-setting, alert systems, or commercial prevention and detection systems, to identify occurrences of these primary threats. |
Respond (RS) | Incident Reporting | Organizations should have policies for reporting confirmed cybersecurity incidents, specifying which entities are to be notified, such as state or federal regulatory bodies and Information Sharing and Analysis Centers/Organizations (ISAC/ISAOs). Incidents must be reported within designated timeframes or as promptly as possible. This reporting protocol will be re-evaluated following the implementation of the United States' Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). |
Respond (RS) | Vulnerability Disclosure/Reporting | Organizations should maintain a public and easily discoverable channel, such as an email address or a web form, through which security researchers can report vulnerable, misconfigured, or otherwise exploitable assets to the organization’s security team. Given the sensitivity and complexity of vulnerability reports, valid submissions should receive prompt acknowledgment and response. Verified and exploitable vulnerabilities ought to be mitigated according to their severity. |
Recover (RC) | Incident Planning and Preparedness | Develop, maintain, and execute plans to recover and restore to service any business- or mission-critical assets that might be impacted by a cybersecurity incident. |
Note: This table, referencing CISA's CPGs, is not exhaustive. It lists key practices aligned with NIST CSF 2.0 that are known to reduce risk and are widely applicable across sectors, but it does not cover every cybersecurity measure relevant to national, economic, and public health security.
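The "Detection of Unsuccessful (Automated) Login Attempts" row above gives a concrete threshold (five failures within two minutes) but not how to apply it to a log stream. The following sliding-window detector is an added example written for this article; it is not code from the original post, from CISA, or from TXOne Networks. The log lines, hostnames, usernames and addresses are constructed for the example, and the syslog-like line format is an assumption about how the failed-login events are written.

```python
"""Sliding-window detector for bursts of failed logins.

Added example for the CPG practice "Detection of Unsuccessful (Automated)
Login Attempts" in Table 1; not code from the article or from TXOne Networks.
The sample lines below are constructed, and the line format is an assumption.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Threshold taken from the table: alert on five failures within two minutes.
MAX_FAILURES = 5
WINDOW = timedelta(minutes=2)

# Constructed sample log in a syslog-like shape (hosts and addresses are made up).
SAMPLE_LOG = """\
2023-09-01T10:00:01 hmi-01 sshd: Failed password for operator from 10.10.5.23
2023-09-01T10:00:20 hmi-01 sshd: Failed password for operator from 10.10.5.23
2023-09-01T10:00:41 hmi-01 sshd: Failed password for operator from 10.10.5.23
2023-09-01T10:01:02 hmi-01 sshd: Failed password for operator from 10.10.5.23
2023-09-01T10:01:30 hmi-01 sshd: Accepted password for engineer from 10.10.5.40
2023-09-01T10:01:45 hmi-01 sshd: Failed password for operator from 10.10.5.23
2023-09-01T10:05:00 plc-gw-02 sshd: Failed password for admin from 192.0.2.77
2023-09-01T10:09:00 plc-gw-02 sshd: Failed password for admin from 192.0.2.77
2023-09-01T10:13:00 plc-gw-02 sshd: Failed password for admin from 192.0.2.77
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that don't match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "host": m["host"],
        "failed": m["result"] == "Failed",
        "user": m["user"],
        "src": m["src"],
    }


def detect_bursts(log_text, max_failures=MAX_FAILURES, window=WINDOW):
    """Return one alert per (host, source) whose failed logins reach the
    threshold inside the window. Lines are assumed to be in time order,
    as they would be in a log file. Only the first burst per key alerts,
    so a sustained attempt does not flood the security team."""
    recent = defaultdict(deque)   # (host, src) -> timestamps of recent failures
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or not ev["failed"]:
            continue
        key = (ev["host"], ev["src"])
        q = recent[key]
        q.append(ev["ts"])
        # Drop failures that have aged out of the window.
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= max_failures and key not in alerted:
            alerted.add(key)
            alerts.append({"host": ev["host"], "src": ev["src"], "user": ev["user"],
                           "count": len(q), "first": q[0], "last": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for a in detect_bursts(SAMPLE_LOG):
        print(f"ALERT {a['host']}: {a['count']} failed logins for {a['user']} "
              f"from {a['src']} between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
```

On the constructed sample, `hmi-01` trips the rule (five failures in 1 minute 44 seconds) while `plc-gw-02` does not, because its failures are four minutes apart and age out of the window one at a time. Keying on both host and source address is a design choice: it keeps a single noisy client from masking a separate burst against another OT host, and the alert records the window bounds so it can be stored for later analysis as the table requires.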
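The two "Mitigating Known Vulnerabilities" rows describe a triage rule with an OT-specific branch: patch internet-facing and critical assets first, and for OT assets that cannot safely be patched, require documented compensating controls such as segmentation and monitoring. The script below is an added example that encodes that rule over a small asset inventory; it is not code from the article, from CISA, or from TXOne Networks. The inventory, the product names, the catalogue entries and the `CVE-0000-0000x` identifiers are constructed placeholders, not real Known Exploited Vulnerabilities data.

```python
"""Known-exploited-vulnerability triage for a mixed IT/OT inventory.

Added example for the "Mitigating Known Vulnerabilities" rows of Table 1;
not code from the article, CISA or TXOne Networks. All assets, products,
versions and CVE identifiers below are constructed placeholders.
"""
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    product: str
    version: str
    internet_facing: bool
    ot: bool                      # OT asset: patching may be unsafe or impossible
    criticality: int              # 1 (highest) .. 3
    patchable: bool = True
    compensating_controls: list = field(default_factory=list)


# Constructed catalogue in the shape of a KEV-style lookup: (product, version) -> placeholder CVE.
KEV_CATALOGUE = {
    ("vpn-gateway", "9.1"): "CVE-0000-00001",
    ("hmi-runtime", "4.2"): "CVE-0000-00002",
    ("engineering-ws", "2.0"): "CVE-0000-00003",
}

# Constructed inventory (names and products are made up).
INVENTORY = [
    Asset("vpn-edge-01", "vpn-gateway", "9.1", internet_facing=True, ot=False, criticality=1),
    Asset("hmi-03", "hmi-runtime", "4.2", internet_facing=False, ot=True, criticality=1,
          patchable=False, compensating_controls=["segmented to cell zone", "IDS monitoring"]),
    Asset("hmi-04", "hmi-runtime", "4.2", internet_facing=False, ot=True, criticality=2,
          patchable=False),
    Asset("ews-02", "engineering-ws", "2.0", internet_facing=False, ot=True, criticality=2),
    Asset("fileserver-01", "file-share", "7.0", internet_facing=False, ot=False, criticality=3),
]


def triage(inventory, catalogue):
    """Match assets against the catalogue and assign the action the table calls for.
    Findings are ordered internet-facing first, then by asset criticality."""
    findings = []
    for a in inventory:
        cve = catalogue.get((a.product, a.version))
        if cve is None:
            continue
        if a.patchable:
            action = "patch"
        elif a.compensating_controls:
            action = "accept with documented compensating controls"
        else:
            action = "missing compensating controls: segment and monitor, then document"
        findings.append({"asset": a.name, "cve": cve, "ot": a.ot, "action": action,
                         "internet_facing": a.internet_facing, "criticality": a.criticality,
                         "controls": list(a.compensating_controls)})
    findings.sort(key=lambda f: (not f["internet_facing"], f["criticality"]))
    return findings


if __name__ == "__main__":
    for f in triage(INVENTORY, KEV_CATALOGUE):
        scope = "internet-facing" if f["internet_facing"] else ("OT" if f["ot"] else "internal")
        print(f"{f['asset']:14} {f['cve']:15} crit={f['criticality']} {scope:15} -> {f['action']}")
```

Run on the constructed data, the internet-facing VPN gateway comes first and is marked for patching, the unpatchable HMI with documented segmentation and monitoring is accepted, the second HMI is flagged because it has no recorded compensating controls, and the engineering workstation is patched in the normal way. The point of the `ot`/`patchable` split is that an OT asset is not excused from the catalogue check; it only changes which remediation is acceptable, and the absence of a documented control is itself a finding.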
Conclusion
The NIST CSF 2.0 is an invaluable tool for OT security managers. It provides a structured and comprehensive approach to managing cyber risks, ensuring the protection and resilience of critical infrastructure. By adopting and effectively implementing the CSF 2.0, OT security managers can significantly enhance their cybersecurity posture, safeguard operations, and contribute to the overall security and reliability of critical infrastructure. TXOne Networks is always ready to provide the necessary guidance for critical infrastructure operators and manufacturers to meet the enhanced requirements of NIST CSF 2.0. TXOne Networks’ OT Zero Trust defense approach has unique advantages, offering strengthened protection across endpoints and networks, and can be scaled to any machine, personnel, data, and workflow, thereby enhancing cyber resilience.
Are you experiencing information overload? We’re here to help!
The challenges of production are constantly evolving. This is a great deal of information, and our team is ready and happy to help you and your vendors find the OT cyber defenses that are best for you. Contact us to learn how TXOne solutions can keep your system safe, compliant, and operational.