January 3, 2024
September 18, 2024

Building a Zero Trust OT Network using the NIST Cybersecurity Framework 2.0

The NIST Cybersecurity Framework (CSF) gives network administrators guidelines and a checklist for securing their networks against external threats as well as their resources allow. NIST has long guided risk reduction and introduced the initial Cybersecurity Framework in 2017. In 2023, NIST updated the CSF in response to years of lessons learned from the initial version. The cybersecurity market has come a long way since 2017, and the threat environment has changed significantly. The updated CSF gives organizations a model for managing risk; this post applies its principles to Operational Technology (OT) rather than Information Technology (IT) network deployments, with a specific focus on the PROTECT Function.

The NIST Cybersecurity Framework does an excellent job of outlining the desired outcome for each Function. GOVERN communicates and monitors the strategies and tactics for the remaining five Functions, each of which is a crucial component of a comprehensive cybersecurity strategy.

NIST illustrates the CSF Functions as a wheel because all of the Functions are required and work together to build a comprehensive cybersecurity strategy. For example, an organization will categorize assets under IDENTIFY and take steps to secure those assets under PROTECT. Investments in planning and testing in the GOVERN and IDENTIFY Functions will support the timely detection of unexpected events in the DETECT Function and enable incident response and recovery actions for cybersecurity incidents in the RESPOND and RECOVER Functions. GOVERN is at the center of the wheel because it informs how an organization will implement the other five functions.

Organizations must implement a cybersecurity program that covers all six CSF Functions. The CSF states that the Functions apply to both IT and OT. However, IT and OT differ in crucial ways, especially regarding protection and the desired outcomes, and those differences must be acknowledged.

For BlastWave’s purposes, we focus on protection because, if the right protection is in place, the remaining CSF Functions become easier to maintain. We analyzed the CSF’s requirements and aligned them with the MITRE ATT&CK for ICS Matrix to determine what OT protection requires.

Protection for OT Networks Using the CSF as a Guide

Using the CSF as a guide, what should a cybersecurity framework look like that establishes the desired outcomes for an OT network?

  1. The OT cybersecurity protection solution must prevent external intrusions and internal attacks from affecting OT network operations.
  2. Remote access to the OT network must be tightly controlled, because almost all OT access is remote and third-party vendor remote access is far more common in OT than in IT; what is a nice-to-have in IT is a must-have in OT.
  3. The OT domain must be separated from the IT domain to prevent spillover attacks and to drastically reduce the risk posed by highly vulnerable IT systems and remote access.
  4. The OT network must be microsegmented to reduce the risk of lateral movement by insider or physical-access threats.
  5. Deploying protection must be minimally disruptive or intrusive into data flows and operational processes to reduce
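Requirements 2, 3 and 4 above can be expressed as checks against a zone-based, default-deny allow list, which is one way to verify that a proposed OT policy actually delivers the outcomes before it is deployed. The following is an added example written for this post, not BlastWave's code and not part of the CSF; the zone names, the rule schema and the port numbers in the constructed "weak" and "hardened" policies are assumptions chosen to illustrate the checks.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Zone names below are constructed for this example; they stand in for the
# VLANs, firewall zones, or identity groups a real site uses.
ANY = "*"
IT_ZONES = {"corp-it", "internet"}
OT_ZONES = {"ot-plc", "ot-hmi", "ot-historian"}
REMOTE_ZONE = "vendor-remote"


@dataclass(frozen=True)
class Rule:
    """One allow rule in a default-deny policy (anything not listed is dropped)."""
    src: str                         # source zone, or ANY
    dst: str                         # destination zone, or ANY
    port: Optional[int]              # TCP port, or None for any port
    identity: Optional[str] = None   # named user/device bound to the rule
    ttl_hours: Optional[int] = None  # how long the grant stays valid


def check_policy(rules: Iterable[Rule]) -> List[str]:
    """Return one finding per violated OT protection requirement (empty list = clean)."""
    findings: List[str] = []
    for r in rules:
        src_is_it = r.src in IT_ZONES or r.src == ANY
        dst_is_ot = r.dst in OT_ZONES or r.dst == ANY
        broad = r.dst == ANY or r.port is None

        # Requirement 3: no path from IT (or the internet) into any OT zone.
        if src_is_it and dst_is_ot:
            findings.append(f"R3 IT/OT spillover path: {r}")

        # Requirement 2: remote access names one zone, one port, a user and an expiry.
        if r.src == REMOTE_ZONE:
            if broad:
                findings.append(f"R2 remote access not scoped to one zone/port: {r}")
            if not r.identity or not r.ttl_hours:
                findings.append(f"R2 remote access lacks identity or expiry: {r}")

        # Requirement 4: OT-to-OT flows are explicit zone pairs on explicit ports.
        if r.src in OT_ZONES and dst_is_ot and broad:
            findings.append(f"R4 lateral OT path too broad: {r}")
    return findings


# Constructed "before" policy: the flat reach typical of a converged IT/OT network.
WEAK_POLICY = [
    Rule("corp-it", "ot-hmi", 3389),   # RDP from the office LAN straight into the HMI
    Rule("vendor-remote", ANY, None),  # vendor VPN lands with reach to everything
    Rule("ot-hmi", ANY, None),         # HMI may talk to any OT device on any port
]

# Constructed "after" policy: IT and OT separated, vendor access scoped and
# time-limited, OT zones limited to the protocols the process actually needs.
HARDENED_POLICY = [
    Rule("ot-hmi", "ot-plc", 502),         # Modbus/TCP from HMI to PLC zone
    Rule("ot-hmi", "ot-historian", 4840),  # OPC UA from HMI to historian
    Rule("vendor-remote", "ot-plc", 502, identity="vendor-eng-01", ttl_hours=4),
]

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        found = check_policy(policy)
        print(f"{name}: {len(found)} finding(s)")
        for f in found:
            print("  " + f)
```

Run stand-alone, the weak policy produces four findings (one IT/OT spillover path, two remote-access findings for the unscoped and unnamed vendor rule, and one over-broad lateral OT path) while the hardened policy produces none. Requirement 1 is served indirectly: any rule whose source is the internet zone is treated as an IT source and is flagged the moment it reaches an OT zone.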

If you are interested in the details of the protection requirements, please download our whitepaper on OT Zero Trust Protection at https://www.blastwave.com/proactively-eliminate-entire-classes-of-risk
