
EBOOK

The CIS Controls for Industrial Control Systems (ICS) Cybersecurity Implementation Guide

1 | IMPLEMENTATION GUIDE EBOOK IndustrialDefender ©2021


IT'S ABOUT "WHAT WORKS"

Although the CIS Controls were originally developed by the Center for Internet Security (CIS) to guide enterprise IT cybersecurity and data protection, escalating cyber threats to critical infrastructure operations are driving adoption by industrial control system (ICS) operators. These controls focus on prioritizing "What Works", with a strong emphasis on security functions that have demonstrated real-world effectiveness against the latest advanced targeted threats. Standardization and automation is another top priority, to gain operational efficiencies while also improving effectiveness.

This CIS Controls implementation guide is a combination of security best practices adapted for the unique needs of industrial control systems, along with tips from ICS experts who have real-world experience using these controls in OT systems.

USING THIS GUIDE

Assess which best practices are not fully implemented in your environment.
Prioritize implementation based on your organization's business drivers.
Evaluate solutions against the controls you will implement when vetting vendor(s).

Some of the business benefits that implementing the CIS Controls can provide include:

• Operational uptime and efficiency
• Improved situational awareness
• Cyber risk mitigation
• Resource relief and scalability of tools
• Audit success



You can’t secure what you don’t know you have.
Asset management is the foundation of a sound ICS security program. Threat intelligence and AI are
no replacement for asset management controls. If you can’t act on threat intel due to a lack of timely
data reporting, then you won’t get the full value of your investment. If your environment is already out
of compliance or bases its assumptions on partial views, AI benchmarking will only learn and continue
to allow bad habits or provide partial coverage. No one method is the key. Any asset management
software needs to be able to support multiple methods and be part of the ecosystem. The goal is to
establish a consistent, accurate and timely view of the data so you can direct actions when needed.
Otherwise, it’s just noise.

Control 1: Inventory and Control of Hardware Assets

Goal: Reduce the ability of attackers to find and exploit unauthorized, unprotected systems.

How to Apply It in ICS:
• A secure database of all devices in your environment
• Automated asset detection
• Approval process for new configuration versions
• The ability to capture and store secure configuration data
• The ability to report against a standard
• Ability to onboard assets to include useful metadata such as location, owner and their contact information

Expert Tip: Traditional IT active scanners should never be used in ICS, as some systems cannot deal with unexpected traffic and may cause denial of service. Instead, use a mixture of agent, agentless, native ICS protocol polling and passive monitoring to create a real-time inventory safely.

Control 2: Inventory and Control of Software Assets

Goal: Mitigate or root out attacks by identifying vulnerable or malicious software - protect the good stuff.

How to Apply It in ICS:
• Collection of asset software information, including operating system, software and patch application, and versions from the associated hardware assets in the inventory database
• Enforcement of an approval process to control changes to the configuration of the assets
• Ability to create policies to alert on changes to a system's reference baseline

Expert Tip: Any patches on ICS systems should be approved by the ICS providers and tested in a QA environment before going live. Make sure your inventory captures aren't just standard Microsoft and Linux managed packages, but also the actual functional code repositories for the control system itself. File Integrity Monitoring is a useful tool here.
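The passive approach the Control 1 tip recommends can be illustrated with a small inventory builder. This is an added example and not code from the guide or from any Industrial Defender product: it assumes a sensor on a SPAN port or TAP has already reduced captured frames to observation tuples (timestamp, source MAC/IP, destination MAC/IP, transport, destination port), and it only reads those records. Nothing here ever sends a packet to the control network. The ICS port table, MAC addresses, owners and locations are constructed for illustration; both ends of every flow are recorded so a PLC that only ever answers polls still shows up, and anything not in the onboarding list is reported as unapproved.

```python
"""Passive asset inventory built from traffic observations (added example)."""
from dataclasses import dataclass, field

# Assumed well-known ICS service ports, used only to label what was observed.
ICS_PORTS = {502: "modbus-tcp", 20000: "dnp3", 44818: "ethernet-ip", 102: "s7comm"}


@dataclass
class Asset:
    mac: str
    ips: set = field(default_factory=set)
    roles: set = field(default_factory=set)   # e.g. "modbus-tcp-server"
    first_seen: float = 0.0
    last_seen: float = 0.0
    approved: bool = False
    owner: str = ""
    location: str = ""


def build_inventory(observations, approved):
    """observations: iterable of (ts, src_mac, src_ip, dst_mac, dst_ip, proto, dst_port).
    approved: {mac: {"owner": ..., "location": ...}} from the onboarding process.
    Returns {mac: Asset}; both endpoints of each observed flow are recorded."""
    inv = {}

    def touch(ts, mac, ip):
        a = inv.get(mac)
        if a is None:
            meta = approved.get(mac, {})
            a = Asset(mac=mac, first_seen=ts, last_seen=ts, approved=mac in approved,
                      owner=meta.get("owner", ""), location=meta.get("location", ""))
            inv[mac] = a
        a.ips.add(ip)
        a.last_seen = max(a.last_seen, ts)
        return a

    for ts, smac, sip, dmac, dip, proto, dport in observations:
        src = touch(ts, smac, sip)
        dst = touch(ts, dmac, dip)
        if proto == "tcp" and dport in ICS_PORTS:
            src.roles.add(ICS_PORTS[dport] + "-client")
            dst.roles.add(ICS_PORTS[dport] + "-server")
    return inv


def unapproved(inv):
    """MACs seen on the wire that nobody has onboarded: chase these first."""
    return sorted(m for m, a in inv.items() if not a.approved)


def stale(inv, now, max_age_s):
    """Approved assets not seen recently: decommissioned, or a sensor gap."""
    return sorted(m for m, a in inv.items() if a.approved and now - a.last_seen > max_age_s)


# Constructed sample data, not a real capture: an HMI polling two PLCs, plus a
# laptop that was never onboarded talking Modbus to one of them.
APPROVED = {
    "00:1d:9c:aa:00:01": {"owner": "Ops - J. Smith", "location": "Control room"},
    "00:1d:9c:aa:00:02": {"owner": "Ops - J. Smith", "location": "Pump house"},
    "00:1d:9c:aa:00:03": {"owner": "Ops - J. Smith", "location": "Pump house"},
}
OBSERVATIONS = [
    (1000.0, "00:1d:9c:aa:00:01", "10.10.1.10", "00:1d:9c:aa:00:02", "10.10.1.21", "tcp", 502),
    (1001.0, "00:1d:9c:aa:00:01", "10.10.1.10", "00:1d:9c:aa:00:03", "10.10.1.22", "tcp", 20000),
    (1500.0, "3c:52:82:ff:12:34", "10.10.1.99", "00:1d:9c:aa:00:02", "10.10.1.21", "tcp", 502),
]
INVENTORY = build_inventory(OBSERVATIONS, APPROVED)

if __name__ == "__main__":
    for mac in unapproved(INVENTORY):
        a = INVENTORY[mac]
        print(f"UNAPPROVED {mac} ips={sorted(a.ips)} roles={sorted(a.roles)}")
```

The `stale` check is the other half of the picture: an approved device that stops appearing is either gone (and should leave the inventory through the approval process) or sits behind a sensor that has lost visibility, and both are worth a ticket.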



Configuration changes are risky.
Unknown configuration changes to industrial systems and endpoints create vulnerabilities
that open the door for exploits and increase risk. Using a rigorous configuration and change
management process can reduce the risk of misconfigured devices being exploited.

Control 3: Data Protection

Goal: Stop unauthorized transfer of sensitive data through network attacks and physical theft.

How to Apply It in ICS:
• Confidentiality is less important for most ICS data than it is for IT data
• Define your "crown jewels" and protect them at the local level and the network level
• Watch for file transfers with removable media and network shares around your engineering servers and workstations, as they often contain the most sensitive data

Expert Tip: Use File Integrity Monitoring for the controller programming files, i.e., "the crown jewels" of the system. Also, watching for removable media events is critical in an OT environment. There just isn't much of a need for removable media outside of maintenance activities.

Control 4: Secure Configuration of Enterprise Assets and Software

Goal: Prevent routine misconfigurations from providing an attack surface that can be exploited or otherwise cause operational downtime.

How to Apply It in ICS:
• Comprehensive data collection capabilities to monitor configuration settings
• Ability to set policy (corporate standards) and baselines (actual approved device configurations)
• Alerts, dashboards and workflow tools to manage all the pieces
• Flexible permission model to allow for alignment with your business processes
• Pre-built policies aligned with the CIS Controls

Expert Tip: Identifying and following a set of standards is one way to mature a security program. However, ICS systems need a lot of flexibility, as the devices can have many technical exceptions. Finding a solution that can be firm enough to matter, but flexible enough to live with, is a key requirement for long-term success.
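The distinction Control 4 draws between a policy (the corporate standard), a baseline (the approved configuration of one device) and a documented exception is easy to get wrong in tooling, so here is an added example that evaluates one device against all three. It is not code from the guide or from any product; the setting names, change ticket and dates are assumptions. Drift from the baseline is always reported, even when the new value happens to be policy-compliant, because an unapproved change is the event of interest; a policy violation that a current exception covers is reported as an exception, and escalates on its own once the exception expires.

```python
"""Policy-versus-baseline configuration check with documented exceptions (added example)."""
from datetime import date

# Corporate standard: setting -> value every control-network device should have (assumed).
POLICY = {
    "telnet_enabled": False,
    "snmp_v1_enabled": False,
    "web_ui_enabled": False,
    "ntp_authenticated": True,
}


def check_device(name, observed, baseline, policy, exceptions, today):
    """Return a list of finding dicts for one device.

    observed:   settings collected from the device today
    baseline:   last approved configuration for this device
    exceptions: {setting: {"ticket": str, "expires": date}} for this device
    """
    findings = []
    # 1. Drift: anything that differs from the approved baseline, in either direction.
    for key in sorted(set(observed) | set(baseline)):
        if observed.get(key) != baseline.get(key):
            findings.append({"device": name, "setting": key, "kind": "drift",
                             "baseline": baseline.get(key), "observed": observed.get(key)})
    # 2. Policy: compare against the corporate standard, honouring unexpired exceptions.
    for key, expected in policy.items():
        if key not in observed:
            findings.append({"device": name, "setting": key, "kind": "not-collected"})
            continue
        if observed[key] == expected:
            continue
        exc = exceptions.get(key)
        if exc and exc["expires"] >= today:
            findings.append({"device": name, "setting": key, "kind": "exception",
                             "ticket": exc["ticket"], "expires": exc["expires"]})
        elif exc:
            findings.append({"device": name, "setting": key, "kind": "expired-exception",
                             "ticket": exc["ticket"], "expires": exc["expires"]})
        else:
            findings.append({"device": name, "setting": key, "kind": "policy-violation",
                             "expected": expected, "observed": observed[key]})
    return findings


def kinds(findings):
    """Summary helper: sorted (setting, kind) pairs for dashboards and assertions."""
    return sorted((f["setting"], f["kind"]) for f in findings)


# Constructed sample: an RTU whose vendor tooling needs the web UI (documented
# exception) and on which someone has just turned Telnet back on.
BASELINE_RTU07 = {"telnet_enabled": False, "snmp_v1_enabled": False,
                  "web_ui_enabled": True, "ntp_authenticated": True, "firmware": "4.2.1"}
OBSERVED_RTU07 = {"telnet_enabled": True, "snmp_v1_enabled": False,
                  "web_ui_enabled": True, "ntp_authenticated": True, "firmware": "4.2.1"}
EXCEPTIONS_RTU07 = {"web_ui_enabled": {"ticket": "CHG-1184", "expires": date(2022, 6, 30)}}

FINDINGS_TODAY = check_device("rtu-07", OBSERVED_RTU07, BASELINE_RTU07, POLICY,
                              EXCEPTIONS_RTU07, date(2021, 9, 1))
FINDINGS_LATER = check_device("rtu-07", OBSERVED_RTU07, BASELINE_RTU07, POLICY,
                              EXCEPTIONS_RTU07, date(2022, 7, 1))

if __name__ == "__main__":
    for f in FINDINGS_TODAY:
        print(f)
```

A collector that fails to return a setting is reported as "not-collected" rather than silently passing: a policy check that can only see half the configuration is one of the partial views the asset management section warns about.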



Your industry is unique.
Control room users need specialized policies and access management.

Control 5: Account Management

Goal: Use processes and tools to assign and manage authorization to credentials for user accounts, including administrator accounts, as well as service accounts, to enterprise assets and software.

How to Apply It in ICS:
• Account management with centralized viewing and reporting of user accounts and associated user activities
• Customizable dashboards to provide account information, including new or modified user accounts, and user metrics such as failed login attempts

Expert Tip: Access in control systems is a touchy subject for any long-term veteran. The use of shared accounts, processes running as domain users, protocols sharing passwords in clear text, etc. has been a problem for decades. Having a system that monitors account changes and access events, and then shares that with real IAM systems and SIEMs, is critical to getting a handle on this topic.

Control 6: Access Control Management

Goal: Prevent attackers from gaining access to highly sensitive data.

How to Apply It in ICS:
• Centralized logging of access events
• The ability to generate alerts based on consolidation and aggregation of access events
• The ability to generate reports on access events

Expert Tip: Running processes as user accounts with Domain Administrator privileges is bad enough. Make sure your engineers and operators aren't doing this.



Don’t overlook vulnerabilities.
They create easy weaknesses for hackers to exploit. A vulnerability-first approach
and centralized account management for OT systems reduce the risk of a hacker
successfully gaining access to the network.

Control 7: Continuous Vulnerability Management

Goal: Continuously assess and track vulnerabilities on all enterprise assets in order to remediate them and minimize the window of opportunity for attackers.

How to Apply It in ICS:
• A vulnerability-first approach is required. Not all vulnerabilities have a patch, especially in ICS environments, and it can often be impractical to patch these systems on demand.
• This information is only as good as your first two layers, the hardware and software inventories from Controls 1 and 2.
• Ability to passively find vulnerabilities, and in ways that follow sound architecture principles, such as high security zone to low security zone, and not cloud to ICS.

Expert Tip: Active vulnerability scans should never be run against an ICS system in production. Even in replica systems, caution must be used with such techniques, as they may permanently corrupt a device and void a manufacturer's warranty. Finding a tool that does controls 1-3 in a single view is a bonus to your operators and firewall administrators.

Control 8: Audit Log Management

Goal: Log events that can help you detect, understand and recover from an attack.

How to Apply It in ICS:
• Ability to absorb different event formats from different IT and ICS devices and normalize to a common specification
• Ability to filter and highlight the most important events
• Ability to forward to different channels, e.g., the IT SIEM in the SOC, the HMI event list for ICS operators, and an email-to-SMS relay for the most critical of events

Expert Tip: Using a system that can aggregate logs from all ICS devices to filter and create a common format before forwarding to your SIEM will save you time and money. Bonus points if it can connect asset data with event data in a single system.
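What "normalize to a common specification, filter, and forward to different channels" looks like in practice is shown by the added example below. It is not code from the guide or from any log management product. The three input formats (a syslog line from a zone firewall, a key=value audit line from a workstation agent, and a pipe-delimited HMI event list export), the hosts, users and the severity floors for removable media and controller mode changes are all constructed assumptions; a real collector adds one parser per device family it actually ingests. Lines no parser understands are returned separately rather than dropped, so the SIEM still receives them raw.

```python
"""Normalizing mixed IT and ICS event formats and routing them by severity (added example)."""
import re
from datetime import datetime, timezone

FIELDS = ("ts", "host", "source", "category", "severity", "user", "msg")  # common schema
SEV_RANK = {"info": 0, "high": 1, "critical": 2}
# Event categories the guide singles out in OT, with an assumed minimum severity.
FLOORS = {"removable_media": "high", "mode_change": "critical"}
ROUTES = {"critical": ("siem", "hmi", "sms"), "high": ("siem", "hmi"), "info": ("siem",)}

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<app>[^:]+): (?P<msg>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _iso(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_syslog(line, year=2021):
    """RFC 3164-style line; syslog severity 0-2 -> critical, 3-4 -> high, else info."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"]) % 8
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    return {"ts": ts, "host": m["host"], "source": m["app"], "category": "firewall",
            "severity": "critical" if pri <= 2 else "high" if pri <= 4 else "info",
            "user": "", "msg": m["msg"]}


def parse_kv(line):
    """key=value audit line from an engineering-workstation agent (constructed format)."""
    kv = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    if "ts" not in kv or "event" not in kv:
        return None
    rest = " ".join(f"{k}={v}" for k, v in kv.items() if k not in ("ts", "host", "user", "event", "sev"))
    return {"ts": _iso(kv["ts"]), "host": kv.get("host", ""), "source": "ws-agent",
            "category": kv["event"], "severity": kv.get("sev", "info"),
            "user": kv.get("user", ""), "msg": rest}


def parse_plc(line):
    """ts|host|LEVEL|CODE|message, as an HMI event list might export it (constructed format)."""
    parts = line.split("|")
    if len(parts) != 5:
        return None
    ts, host, level, code, msg = parts
    return {"ts": _iso(ts), "host": host, "source": "hmi-eventlist", "category": code.lower(),
            "severity": {"ALARM": "critical", "WARN": "high"}.get(level, "info"),
            "user": "", "msg": msg}


def normalize(line):
    """Try each parser in turn; apply the OT severity floor; None if nothing matched."""
    for parser in (parse_syslog, parse_kv, parse_plc):
        ev = parser(line)
        if ev:
            floor = FLOORS.get(ev["category"])
            if floor and SEV_RANK[floor] > SEV_RANK[ev["severity"]]:
                ev["severity"] = floor
            return ev
    return None


def process(lines):
    """Returns (events, unparsed); each event carries the channels it should go to."""
    events, unparsed = [], []
    for line in lines:
        ev = normalize(line)
        if ev is None:
            unparsed.append(line)          # forward raw rather than silently drop
        else:
            ev["routes"] = ROUTES[ev["severity"]]
            events.append(ev)
    return events, unparsed


# Constructed sample lines, not real logs.
LINES = [
    "<132>Sep 01 10:14:59 fw-zone3 pf: block out tcp 10.10.1.99:50221 -> 203.0.113.7:20000",
    "ts=2021-09-01T10:15:01Z host=eng-ws-01 user=jsmith event=removable_media action=mount device=E: sev=info",
    "2021-09-01T10:15:03Z|plc-07|WARN|MODE_CHANGE|RUN->PROGRAM by station ENG01",
    "this is not a format we know",
]
EVENTS, UNPARSED = process(LINES)
```

Note that the workstation agent rated the USB mount as "info"; the floor table raises it to "high" so it reaches the HMI event list, which is exactly the "filter and highlight the most important events" requirement.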



Perimeter security must complement other controls.
Unique protocols and low-bandwidth networks mean ICS perimeter security cannot stand alone; it
must complement the other controls.

Control 9: Email and Web Browser Protections

Goal: Protect the control system from an important attack vector.

How to Apply It in ICS:
• Completely separate web and email traffic from the ICS network
• Operators should not use the same workstation for control and assigned work duties
• Use intermediaries between the control system and any web-related services
• Use internal DNS resolvers with tight restrictions on forward resolution

Expert Tip: Do not let older ICS devices dictate staying with older browsers, Java versions and encryption schemes for your operators and engineers. Give your users the latest versions and leverage virtualization to access devices requiring older versions.

Control 10: Malware Defenses

Goal: Block malicious code from adversely affecting reliability and performance standards, tampering with system settings or capturing sensitive data.

How to Apply It in ICS:
• Protect your borders with the latest in antimalware technologies
• Leverage a scanning station with access to multiple scanning engines to scan removable media
• Leverage industrial-protocol-aware network-based solutions inside the ICS network

Expert Tip: ICS vendors are very wary of active blocking of malware in their systems. Any misidentification could lead to major consequences. Use more detective methods such as file integrity monitoring and change detection engines to provide indicators of compromise instead of more active measures.
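File integrity monitoring comes up three times: as the tool for the control system's code repositories (Control 2), for the controller programming files that are the "crown jewels" (Control 3), and as the detective alternative to active malware blocking (Control 10). The added example below covers all three passages and is not code from the guide or from any product. It hashes the watched project files under a directory, stores a baseline manifest, and later reports added, removed and modified files. The manifest is sealed with an HMAC under a key that is kept away from the engineering workstation, because an attacker who can alter project files can usually also rewrite an unprotected baseline. The file extensions, paths and contents are constructed assumptions.

```python
"""File integrity monitoring for controller project files, with a sealed baseline (added example)."""
import hashlib
import hmac
import json
import os
import tempfile

# Assumed controller programming file types worth watching.
WATCHED = {".acd", ".l5x", ".pro", ".s7p", ".scl", ".st"}


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """{relative path: sha256} for every watched file under root."""
    base = {}
    for d, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in WATCHED:
                p = os.path.join(d, name)
                base[os.path.relpath(p, root).replace(os.sep, "/")] = _sha256(p)
    return base


def seal(baseline, key):
    """Attach an HMAC so the manifest itself cannot be edited undetected."""
    body = json.dumps(baseline, sort_keys=True).encode()
    return {"manifest": baseline, "mac": hmac.new(key, body, "sha256").hexdigest()}


def unseal(sealed, key):
    body = json.dumps(sealed["manifest"], sort_keys=True).encode()
    if not hmac.compare_digest(hmac.new(key, body, "sha256").hexdigest(), sealed["mac"]):
        raise ValueError("baseline manifest has been tampered with")
    return sealed["manifest"]


def is_sealed_intact(sealed, key):
    try:
        unseal(sealed, key)
        return True
    except ValueError:
        return False


def compare(baseline, current):
    """Added, removed and modified paths between two manifests."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p]),
    }


def _write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def run_demo(key=b"demo-key-keep-this-in-a-vault"):
    """Constructed walk-through in a temp dir: baseline, then tamper, then detect."""
    with tempfile.TemporaryDirectory() as root:
        _write(os.path.join(root, "line1", "pump.acd"), b"project v1")
        _write(os.path.join(root, "line1", "notes.txt"), b"not watched")
        _write(os.path.join(root, "old.s7p"), b"legacy program")
        sealed = seal(build_baseline(root), key)
        # Simulated unauthorized changes: modify, add, remove.
        _write(os.path.join(root, "line1", "pump.acd"), b"project v2")
        _write(os.path.join(root, "line1", "rogue.l5x"), b"unexpected")
        os.remove(os.path.join(root, "old.s7p"))
        return compare(unseal(sealed, key), build_baseline(root))


if __name__ == "__main__":
    print(run_demo())
```

The sealing step matters: a change to `pump.acd` is only interesting if the attacker cannot also regenerate the manifest, so the key lives with the monitoring system, not on the host being monitored, and the `unseal` failure is itself an alert.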



ICS incidents are often the result of innocent mistakes.
Human error accounts for more incidents than malicious attacks. It’s imperative that
you’re prepared to quickly recover from a misstep with a stored backup to recover a
known, secure configuration.

Control 11: Data Recovery

Goal: Minimize the damage from an attack. Backup and recovery processes are essential to the prevention of unscheduled downtime.

How to Apply It in ICS:
• Archive and back up devices with text-based configuration files that can be used for restoration purposes
• Automatic backup for assets, including OS, applications and data
• Ensure backups are verified and tested, and that the data files are encrypted at rest and in transit

Expert Tip: Redundancy has mistakenly replaced backup and recovery in many ICS operations. Many facility operators have learned this the hard way over the last few years. Redundancy is for resiliency in operations for a short period of time. Recovery is for restoration from catastrophic events like ransomware or physical damage.

Control 12: Network Infrastructure Management

Goal: Prevent attackers from exploiting vulnerable network services and access points.

How to Apply It in ICS:
• Management of change information for software, patches, user accounts, firewall rules and configurations of network devices, including routers, switches, firewalls, IDS and IPS systems
• The ability to archive and back up most devices with text-based configuration files that can be used for restoration
• Automated collection of information on ports, protocols and services for assets in the control network

Expert Tip: Control system devices are normally preconfigured by vendors. The preconfigured state may lack robust security configurations and settings. Relying only on NetFlow to tell you about open ports and services can leave you with blind spots. A combination of NetFlow mixed with device inspection will give a much more complete picture.



Network segmentation is a must-have for ICS security.
To ensure the integrity of your segmentation strategy, ensure you have a rigorous
configuration and change management process in place.

Control 13: Network Monitoring and Defense

Goal: Control the flow of traffic through network borders and monitor for attacks and evidence of compromised machines.

How to Apply It in ICS:
• Layers of defense for the flow of traffic between networks
• The ability to monitor devices and detect anomalous activity, perform log management for events that are collected from network monitoring devices, and analyze network traffic
• A NIDS and UTM will provide ingress and egress filtering, secure network virtual connections, and network traffic analysis to identify unauthorized access and signs of malicious activity

Expert Tip: Constant monitoring is needed here. Firewall rule changes or commissioning-friendly rule sets are one of the biggest attack vectors. Also, outgoing rules for protocols like DNP are just as important as incoming rules. Do not allow machines to connect to just any DNS server.

Control 14: Security Awareness and Skills Training

Goal: Identify skill gaps and design exercises and training to remediate them.

How to Apply It in ICS:
• Have an information repository containing information on target assets that can be used for training purposes
• Asset management to automatically keep the database updated
• A unified view of device security for better understanding and communication of security information

Expert Tip: Industrial organizations with the strongest safety cultures spend a lot of time training employees on not only what to do, but why they should. The same rigor should apply to your cybersecurity as well, since cybersecurity can bleed over into physical events.
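The Control 13 tip names three concrete rule-set mistakes: commissioning-friendly rules left in place, outbound rules for ICS protocols such as DNP3 that are as loose as the inbound ones, and machines allowed to reach any DNS server. The added example below audits a rule set for all three and also diffs two versions of the rule set, which is the change-monitoring half of the tip (and of Control 12's management of change for firewall rules). It is not code from the guide or from any firewall product: rules are modelled as plain dicts, and the control zone, approved DNP3 peer range, approved resolver and rule comments are constructed assumptions.

```python
"""Auditing a control-network firewall rule set for loose egress and leftover rules (added example)."""
import ipaddress

DNP3, DNS = 20000, 53
ANY = ipaddress.ip_network("0.0.0.0/0")
ICS_ZONE = ipaddress.ip_network("10.10.1.0/24")                     # assumed control zone
APPROVED_RESOLVERS = (ipaddress.ip_network("10.10.0.53/32"),)       # assumed internal resolver
DNP3_PEERS = (ipaddress.ip_network("203.0.113.0/24"),)              # assumed utility control centre
TEMP_WORDS = ("temp", "commission", "test")


def _net(s):
    return ipaddress.ip_network(s, strict=False)


def _covered(dst, allowed):
    """True when dst lies entirely inside one of the allowed networks."""
    return any(dst.subnet_of(n) for n in allowed)


def audit_rules(rules, ics_zone=ICS_ZONE, dnp3_peers=DNP3_PEERS, resolvers=APPROVED_RESOLVERS):
    """Return (rule id, problem) pairs. A rule is a dict with id, action ('allow'/'deny'),
    src, dst (CIDR strings), proto, dport (int or None for any) and an optional comment."""
    findings = []
    for r in rules:
        if r["action"] != "allow":
            continue
        src, dst, port = _net(r["src"]), _net(r["dst"]), r.get("dport")
        if src == ANY and dst == ANY and port is None:
            findings.append((r["id"], "any-any allow"))
        egress = src.subnet_of(ics_zone) and not dst.subnet_of(ics_zone)
        if egress and port in (DNP3, None) and not _covered(dst, dnp3_peers):
            findings.append((r["id"], "DNP3 egress to unapproved peer"))
        if port == DNS and not _covered(dst, resolvers):
            findings.append((r["id"], "DNS allowed to unapproved resolver"))
        if any(w in r.get("comment", "").lower() for w in TEMP_WORDS):
            findings.append((r["id"], "commissioning/temporary rule still present"))
    return findings


def diff_rules(before, after):
    """Which rule ids were added, removed or changed between two exports."""
    b = {r["id"]: r for r in before}
    a = {r["id"]: r for r in after}
    return {"added": sorted(set(a) - set(b)), "removed": sorted(set(b) - set(a)),
            "changed": sorted(i for i in set(a) & set(b) if a[i] != b[i])}


# Constructed rule sets, not a real export: the approved set, and the same set after
# an integrator visit left two "temporary" rules behind.
RULES_BEFORE = [
    {"id": "r1", "action": "allow", "src": "10.10.1.0/24", "dst": "203.0.113.7/32",
     "proto": "tcp", "dport": DNP3, "comment": "DNP3 to utility control centre"},
    {"id": "r2", "action": "allow", "src": "10.10.1.0/24", "dst": "10.10.0.53/32",
     "proto": "udp", "dport": DNS, "comment": "internal resolver"},
    {"id": "r9", "action": "deny", "src": "0.0.0.0/0", "dst": "0.0.0.0/0",
     "proto": "any", "dport": None, "comment": "default deny"},
]
RULES_AFTER = RULES_BEFORE[:2] + [
    {"id": "r3", "action": "allow", "src": "10.10.1.0/24", "dst": "0.0.0.0/0",
     "proto": "udp", "dport": DNS, "comment": "DNS"},
    {"id": "r4", "action": "allow", "src": "10.10.1.0/24", "dst": "0.0.0.0/0",
     "proto": "tcp", "dport": DNP3, "comment": "temp: commissioning with integrator"},
    RULES_BEFORE[2],
]
FINDINGS_BEFORE = audit_rules(RULES_BEFORE)
FINDINGS_AFTER = audit_rules(RULES_AFTER)
CHANGES = diff_rules(RULES_BEFORE, RULES_AFTER)

if __name__ == "__main__":
    print(CHANGES)
    for rule_id, problem in FINDINGS_AFTER:
        print(rule_id, problem)
```

Run against every rule export, the diff answers "what changed since the approved set" and the audit answers "does what changed break our egress policy"; either alone leaves a gap, because a rule can be wrong from day one or can be changed to something that still passes the audit.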



Define cybersecurity requirements for suppliers.
You should include these in your contracts and also conduct regular assessments to
verify that third parties are meeting the requirements.

Control 15: Service Provider Management

Goal: Evaluate service providers who hold sensitive data, or are responsible for an enterprise's critical IT platforms or processes, to ensure these providers are protecting those platforms and data appropriately.

How to Apply It in ICS:
• Create a centralized asset inventory to understand and manage potential risks from the supply chain
• Put a risk assessment system in place for evaluating vendors and other third parties
• Have a backup plan so that you can remove a vendor from your system in the event they are breached

Expert Tip: Make sure you define cybersecurity requirements for suppliers and include them in your contracts. You should also conduct regular assessments to verify that third parties are meeting the requirements.

Control 16: Application Software Security

Goal: Manage the security of in-house and third-party software to prevent, detect and correct security weaknesses.

How to Apply It in ICS:
• An automated asset inventory designed to track at the individual software library level for better vulnerability management
• Ability to identify custom executables, scripts and portable executables, and track their file integrity

Expert Tip: You know it as HMI appliance version 1.4, and it's never been updated in 5 years. It is really an integration of a database, a web server, a protocol server, a Linux core and many other software components, all with their own configurations. Know what you really have and map those to a policy for the CIS Controls, with real-time reporting of exceptions.



One piece of advice - plan for the worst.
Sage counsel from critical infrastructure providers that have suffered a significant
incident. Be sure you have a robust backup plan and a tested recovery procedure.

Control 17: Incident Response Management

Goal: Protect the organization's reputation, as well as its information.

How to Apply It in ICS:
• An asset inventory report can be used for defining and describing protected assets
• Capture and back up known secure configurations for rapid recovery from an incident

Expert Tip: Document, practice, repeat. Waiting for real life to catch up is a career-limiting move. Your IR plan is only as good as the last time it was tested and updated.

Control 18: Penetration Tests

Goal: Use of simulated attacks will improve organizational readiness, identify vulnerabilities within an organization, improve training for defensive practitioners and inspect current performance levels.

How to Apply It in ICS:
• Continuously update dashboards and reports of assets and asset configurations to be used in penetration testing
• Reference baselines that can be generated from the asset inventory
• Produce reports on differences in assets after the penetration testing
• Use log management to consolidate and aggregate events during the pen test in order to simplify subsequent analysis

Expert Tip: Strong rules of engagement are a must. Replicas are a good alternative to work in, but are only good if they in fact replicate real life. Restoring from backups into a virtual environment can be a low-cost alternative to being as close to real life as possible.



So how do you make these controls work for you?

Tackling these controls must be an ongoing program, not a one-time project. Assess what you already have in place, prioritize controls you'd like to implement and evaluate solutions against the business needs of your organization. Many cybersecurity controls can be automated to reduce cost and improve operational efficiency. These recommendations for implementing the CIS Controls outlined in this guide will help your organization better manage cyber risk for all the technologies in your ICS environment.

Industrial Defender has deep OT domain experience and a long history of supporting the unique needs of industrial companies from the control room to the boardroom, ensuring KPIs are being met every step of the way.

Schedule a demo with us below to see how we can help you build a solid foundation to apply these controls effectively.

NEXT STEPS

Assess what you already have in place.
Prioritize controls you'd like to improve and/or implement based on your organization's business drivers.
Evaluate solutions that can help you manage it.

THE INDUSTRIAL DEFENDER DIFFERENCE

Since 2006, Industrial Defender has been solving the challenge of safely collecting, monitoring, and managing OT asset
data at scale, while providing cross-functional teams with a unified view of security. Their specialized solution is tailored to
complex industrial control system environments by engineers with decades of hands-on OT experience. Easy integrations
into the broader security and enterprise ecosystem empower IT teams with the same visibility, access, and situational
awareness that they’re accustomed to on corporate networks. They secure some of the largest critical control system
deployments with vendors such as GE, Honeywell, ABB, Siemens, Schneider Electric, Yokogawa and others to protect the
availability and safety of these systems, simplify standards and regulatory requirements, and unite OT and IT teams.

Planning an OT Security Project?


SCHEDULE A DEMO

FOR MORE INFORMATION


1 (877) 943-3363 • (617) 675-4206 • info@industrialdefender.com
225 Foxborough Blvd, Foxborough, MA 02035
industrialdefender.com

© Industrial Defender 2021. All Rights Reserved.

