
How to Jumpstart Your NIST CSF for OT Environments: Identify Function

Brian Proctor, Principal OT Strategist – Americas | February 13, 2020

The NIST Cybersecurity Framework (CSF) provides critical infrastructure organizations with parameters for assessing and improving their ability to prevent, detect and respond to cyber incidents. According to the 2019 SANS State of OT/ICS Cybersecurity Survey, the NIST CSF is the most popular framework in use by critical infrastructure organizations today. For those of you planning to implement or expand your NIST CSF best practices, we’ve put together a five-part blog series with real use cases from industry leaders to help jumpstart your NIST CSF maturity.

The first part of this series focuses on the Identify function. To effectively manage cybersecurity risk to systems, assets, data and capabilities, organizations need to fully understand their operational environment. The Identify function is about gaining visibility into both digital and physical assets, their interconnections, and defined roles and responsibilities, so that security teams can put policies and procedures in place to manage those risks.

Here are some top use cases from industry leaders who are implementing the Identify function in their operational technology (OT) environments with the help of Forescout:

1. Triangulating physical device locations

Many organizations already know the IP and MAC addresses of the devices on their network, but industry leaders are taking it one step further and figuring out where each device is physically located in their environment. In practice this means knowing which physical switch and port number each device is connected to. This data helps them perform important tasks faster, such as upgrading firmware or physically locating a device for maintenance. To actually triangulate device locations, industry leaders are using tools that leverage their existing network infrastructure to pull data such as ARP and CAM tables, which reveal exactly where these assets are physically connected.
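The ARP/CAM correlation described above, as an added example that is not part of the original post or of Forescout's product: it joins a constructed Windows-style `arp -a` listing (IP to MAC) with constructed Cisco-style MAC address tables from two switches (MAC to port), normalizes the differing MAC notations, and picks the access port for each IP. Because a MAC is learned on every uplink between the device and the router, the port that has learned the fewest MACs is the device's physical port; a count above 1 there is the caveat a practitioner needs, since it means a hub or unmanaged switch sits behind that port.

```python
import re
from collections import Counter
# Constructed sample data (not from any real network): a Windows-style `arp -a`
# listing and Cisco-style `show mac address-table` output from two switches.
ARP_TABLE = """\
  10.10.1.20            00-11-22-33-44-55     dynamic
  10.10.1.21            00-11-22-33-44-66     dynamic
  10.10.1.30            00-aa-bb-cc-dd-01     dynamic
"""
CAM_TABLES = {  # on sw-core, Gi1/0/48 is the uplink to sw-cell3 and learns every MAC
    "sw-core": """\
  10  0011.2233.4455  DYNAMIC  Gi1/0/48
  10  0011.2233.4466  DYNAMIC  Gi1/0/48
  10  00aa.bbcc.dd01  DYNAMIC  Gi1/0/48
""",
    "sw-cell3": """\
  10  0011.2233.4455  DYNAMIC  Fa0/3
  10  0011.2233.4466  DYNAMIC  Fa0/7
  10  00aa.bbcc.dd01  DYNAMIC  Fa0/24
  10  00aa.bbcc.dd99  DYNAMIC  Fa0/24
""",
}
MAC_RE = re.compile(r"(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}|(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}", re.I)
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

def norm_mac(mac):
    """Canonical 12 hex digits, so dotted, colon and hyphen styles compare equal."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def parse_arp(text):
    """ARP table text -> {mac: ip}; lines without both fields are skipped."""
    pairs = ((IP_RE.search(l), MAC_RE.search(l)) for l in text.splitlines())
    return {norm_mac(m.group()): i.group() for i, m in pairs if i and m}

def parse_cam(text):
    """CAM table text -> [(mac, port)], taking the port from the last column."""
    rows = ((MAC_RE.search(l), l.split()) for l in text.splitlines())
    return [(norm_mac(m.group()), cols[-1]) for m, cols in rows if m]

def locate(arp_text=ARP_TABLE, cam_tables=CAM_TABLES):
    """IP -> (switch, port, macs_on_port): the port with the fewest learned MACs is
    the access port (uplinks see many); a count above 1 means a hub/unmanaged switch."""
    best = {}
    for switch, text in cam_tables.items():
        rows = parse_cam(text)
        per_port = Counter(port for _, port in rows)
        for mac, port in rows:
            if mac not in best or per_port[port] < best[mac][2]:
                best[mac] = (switch, port, per_port[port])
    return {ip: best[mac] for mac, ip in parse_arp(arp_text).items() if mac in best}
```

In the sample, 10.10.1.30 resolves to sw-cell3 Fa0/24 with two learned MACs, so that port needs a site visit or a further switch query before the device can be pinned to one jack.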

2. Crowdsourcing asset classification data for improved accuracy

By leveraging tools that collect asset data from the industry as a whole, including IoT and OT devices, industry leaders are using crowdsourced device data to improve the speed and accuracy of their own asset classification. To achieve this, many of our customers are harnessing the power of our Device Cloud, a crowdsourced repository of 11M+ device classification signatures from 500+ global deployments.

3. Expediting and automating risk assessments

Every organization has its own way of classifying and defining risk, and many asset owners are looking for ways to expedite and automate this process while tailoring it to the way they define risk. They want to understand which devices are the riskiest, from both a security and an operational standpoint. Rather than spending the money and resources to send a team out to a site for a physical risk assessment, industry leaders are implementing OT network monitoring tools with impact-based, configurable and customizable security and operational risk scoring calculations and notification workflows built in.

4. Maintaining up-to-date asset inventory and baseline for serial assets

Serial devices aren’t going away anytime soon. Although they can be difficult to identify and classify, it’s very important to keep a close eye on them. To do this, industry leaders are implementing hybrid solutions that can both passively and actively obtain data from assets that are serially connected, including vulnerability, threat and health information.

For more helpful advice on how to jumpstart your NIST CSF maturity, check out the short video below or: