Suggested Citation: "3 Standards, Policy, and Guidance." National Research Council. 2024. The Gates Are Open: Operational Technology and Control System Security for Federal Facilities: Proceedings of a Federal Facilities Council Workshop. Washington, DC: The National Academies Press.

3 Standards, Policy, and Guidance

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY INDUSTRIAL CONTROL SYSTEM STANDARDS

Michael Powell, cybersecurity engineer at the National Cybersecurity Center of Excellence (NCCoE) at NIST, said NIST established NCCoE in 2012 as an applied cybersecurity laboratory. He reminded everyone that NIST is a non-regulatory agency whose guidance is voluntary. That said, NCCoE developed security guidance for both IT and OT and approximately 300 commercially available technologies for a variety of industry sectors, including public safety, financial services, health care, and manufacturing. NCCoE also partners with the Manufacturing Extension Partnership to help small manufacturers without the resources or money to fund high-end cybersecurity technologies. In that role, NCCoE produces white papers providing information on inexpensive and effective ways to improve small manufacturers’ cybersecurity posture.

NCCoE, said Powell, uses commercially available technologies to build modular demonstrations that businesses can apply to the real-world challenges they may face every day. This is a three-step process that starts with defining the scope of work with industry to solve a pressing cybersecurity challenge. NCCoE first attends meetings and talks to as many vendors and academics as possible to identify the big challenges that industry faces. Next, NCCoE assembles teams from industry, government, and academic institutions to address all aspects of the cybersecurity challenge. Powell said that one challenge he is considering tackling for his next project is zero trust, a problem for industry with its legacy equipment. The final step is to build a practical, usable, and repeatable demonstration that addresses the challenge. These demonstrations are available to the public. In fact, NCCoE submits a Federal Register Notice for anyone to participate in these projects on a first-come, first-served basis, which he said gives small manufacturers a chance to be part of a demonstration and get their product tested and known.

NIST’s Cybersecurity Framework (CSF) 2.0, said Powell, helps organizations of all sizes and from all sectors reduce their cybersecurity risks and is recognized widely as foundational to securing organizations and technology. NIST CSF 2.0 is a comprehensive list of cybersecurity outcomes to reduce cybersecurity risks to an organization—the “what,” not the “how” or “who,” said Powell. It is useful regardless of the maturity level and technical sophistication of an organization’s cybersecurity programs, and it is based on and maps to international standards and resources. An organization can use CSF resources to understand, assess, and prioritize action that aligns with the organization’s mission, communicates cybersecurity risk, and assesses progress toward addressing any identified cybersecurity gaps. It provides a common language for communicating inside and outside of the organization about cybersecurity risks, capabilities, needs, and expectations (NIST 2024).

An important core function of CSF 2.0 addresses governing, which focuses on an organization’s cybersecurity risk management strategy and establishes, communicates, and monitors policy expectations (Table 3-1). Other core functions include identifying and understanding an organization’s cybersecurity risks; protecting and managing an organization’s cybersecurity risks; detecting possible cybersecurity attacks and compromises and analyzing who is on a network; responding to a cybersecurity incident; and recovering assets and operations affected by a cybersecurity incident. Powell said keeping track of all actions is key to learning from an incident and preventing it from reoccurring.

TABLE 3-1 Cybersecurity Framework 2.0 Core Function and Category Names and Identifiers

Function        Category                                                      Category Identifier
Govern (GV)     Organizational Context                                        GV.OC
                Risk Management Strategy                                      GV.RM
                Roles, Responsibilities, and Authorities                      GV.RR
                Policy                                                        GV.PO
                Oversight                                                     GV.OV
                Cybersecurity Supply Chain Risk Management                    GV.SC
Identify (ID)   Asset Management                                              ID.AM
                Risk Assessment                                               ID.RA
                Improvement                                                   ID.IM
Protect (PR)    Identity Management, Authentication, and Access Control       PR.AA
                Awareness and Training                                        PR.AT
                Data Security                                                 PR.DS
                Platform Security                                             PR.PS
                Technology Infrastructure Resilience                          PR.IR
Detect (DE)     Continuous Monitoring                                         DE.CM
                Adverse Event Analysis                                        DE.AE
Respond (RS)    Incident Management                                           RS.MA
                Incident Analysis                                             RS.AN
                Incident Response Reporting and Communication                 RS.CO
                Incident Mitigation                                           RS.MI
Recover (RC)    Incident Recovery Plan Execution                              RC.RP
                Incident Recovery Communication                               RC.CO

SOURCE: Michael Powell, National Institute of Standards and Technology, presentation to the workshop on July 9, 2024.

Powell explained that NIST SP 800-82 provides a comprehensive cybersecurity approach for securing industrial OT and CS while addressing unique performance, reliability, and safety requirements (Stouffer et al. 2023). NIST updated SP 800-82 in September 2023 to incorporate lessons learned over the past several years, align with other relevant NIST guidance, align with other relevant CS cybersecurity standards and recommended practices, and address changes in the threat landscape. The updates, said Powell, include an expanded scope from industrial control systems to CS and OT; application of new cybersecurity capabilities in CS and OT environments; updates to CS and OT threats, vulnerabilities, standards, and recommended practices; and new guidance tailored to NIST SP 800-53, which provides standards for security and privacy controls for information systems and organizations (Joint Task Force 2020).

FIGURE 3-1 National Cybersecurity Center of Excellence manufacturing testbed.
SOURCE: Michael Powell, National Institute of Standards and Technology, presentation to the workshop on July 9, 2024.

The final document Powell discussed was NIST IR 8183, which provides cybersecurity framework implementation details for the manufacturing environment (Stouffer et al. 2017). He explained that it can be a roadmap aligned with manufacturing sector goals and industry best practices for reducing cybersecurity risks for manufacturers. NIST IR 8183 provides a voluntary, risk-based approach for managing cybersecurity activities and reducing cyber risk to manufacturing systems. It is meant to enhance but not replace current cybersecurity standards and industry guidelines that the manufacturer is embracing. He noted that many small and medium-sized manufacturers have encountered challenges in implementing a cybersecurity program. The document’s goal is to be an implementation guide that enables manufacturers to select and deploy cybersecurity tools and techniques that best fit their needs while addressing demanding system operational performance, reliability, and safety requirements (NIST 2017).

NIST IR 8183 includes two use cases, one for process-based manufacturing and the other for discrete-based manufacturing. The results of the two proof-of-concept implementations include 44 cybersecurity tool and technique implementations; more than 80 network, device, and operational performance impact measurements per implementation, with a potential to affect the manufacturing system; more than 125 gigabytes of measurement data available to the public; and 12 examples of cybersecurity policy and procedure documents (NIST 2017).

After showing a picture of NCCoE’s manufacturing testbed (Figure 3-1), Powell listed three projects the laboratory has completed or is completing. The Behavioral Anomaly Detection project, which recruited four vendors, involved going through different use cases to show manufacturers how they can help detect any anomaly. The System and Data Integrity project demonstrated different ways for manufacturers to detect if someone is on their network and what to do if there are intruders. The ongoing project Respond and Recovery has vendors in the NCCoE laboratory running through use cases using cloud-based storage.


RISK MANAGEMENT FRAMEWORK FOR CONTROL SYSTEM DESIGN AND CONSTRUCTION

Joe Bush, control team lead for the Building Energy Systems Team in the Engineer Research Development Center’s Construction Engineering Research Laboratory at the U.S. Army Corps of Engineers, said that DoD has a standards and criteria program established and dictated by a military standard. The process starts with industry standards and then builds a bridge to military-specific functions and military-specific procedures (Figure 3-2). For example, while many organizations have heating, ventilation, and air conditioning (HVAC) controls, the military wants open-source code to enable interoperability between systems from different vendors. The end products of this process are the UFC, which Bush said is DoD’s building code of mandatory, enforceable standards for DoD construction, and Unified Facility Guide Specifications (UFGSs), which are examples or template implementations of the UFC. “This is our way of expressing the code as a specification or standard, and they are almost always optional,” said Bush. An exception would be certain control specifications noted as mandatory in the UFC. “For the most part, they are examples or templates that will be revised, updated, and then issued for a specific project.” Bush estimated there are approximately 160 UFCs and 800 UFGSs.

Bush said there is a tri-Service standards and criteria program in which the Army, Navy, and Air Force participate, and he is a member of the control system discipline working group. That group develops specifications relevant to CS and CS cybersecurity. Other working groups focus on mechanical, electrical, fire protection, and other systems.

FIGURE 3-2 U.S. Army Corps of Engineers process for developing standards and criteria.
NOTE: ATFP, antiterrorism and force protection; ASHRAE, American Society of Heating, Refrigerating and Air-Conditioning Engineers; IBC, International Building Code; IMC, International Mechanical Code; IPC, International Plumbing Code; NFPA, National Fire Protection Association.
SOURCE: Joe Bush, U.S. Army Corps of Engineers, presentation to the workshop on July 9, 2024.

Years ago, said Bush, DoD developed a risk management framework, based on the NIST risk management framework, that would inform cybersecurity systems in every DoD building. That approach did not work, however, because the design and construction people in the field had no idea how to take these IT cybersecurity processes and turn them into anything meaningful in building CS. There were two main issues. The first was that the NIST risk management framework is designed for computers, not CS. For example, the framework calls for using 14-character passwords, but a thermostat wants a four-character PIN. What was needed, said Bush, was to interpret and translate the framework for use in constructing a building.

The second major issue is that much of cybersecurity and the framework is about how a system is used, and building something differs from using it. At the same time, it is necessary to build something to use it. Given the number of requirements in the framework, the challenge is to decide which ones pertain to constructing a facility and which are for the owner to handle when they use the facility. “Ultimately, these are just design requirements and constraints,” said Bush. “You identify the requirements and incorporate them. Philosophically, there is nothing special about cybersecurity. I have requirements to meet, and I have to design a system to meet them.” This realization led to the development of the UFCs and UFGSs that those working in the field can use, he explained.

The idea behind the UFCs and risk reduction is to take simple steps, not to add more functionality than needed, not to depend on a network any more than necessary, and to design for what Bush called graceful failure. For example, when the power goes off, the cooling valves for HVAC systems in facilities in Texas remain open fully to make sure the building stays cool. In contrast, the same valves in a building in Fairbanks, Alaska, close when the power fails to avoid the building getting too cold. These distinctions are not black and white, however. For instance, many buildings need cooling in the winter because of the heat that people, computers, and equipment generate. “You need to understand the building,” said Bush.

The UFC for cybersecurity of facility-related CS also stresses leaving IT functions to the IT experts, said Bush. If, for example, a CS needs a VPN, get the IT department to install it. It also tells contractors to change passwords from the default to something more secure—including step-by-step directions on how to do that and how long the new password should be—and to then use an encrypted submittal to let the IT department know what the new password is. In that vein, many items in the risk management framework call for documenting what goes into a design, including the make, model, and firmware version of every piece of equipment and a list of every other piece of equipment with which it communicates. The framework also calls for disabling all wireless capabilities in CS, even when doing so requires physically removing the wireless radio from a device.

Bush said specifications and processes are only as good as enforcement, and that is something with which the U.S. building industry, and not just DoD, struggles. “We are always trying to strengthen our requirements, but there also has to be this coordination to make sure that we are all pushing them in the same direction,” said Bush. “We tell designers to focus on what you can control. Do not worry about the things that are not your responsibility but do worry about the things that are,” he explained.

Bush said creating specific criteria and specifications for the cybersecurity of CS makes cybersecurity like any other design problem. Identifying the security controls that a designer can address bounds the problem and allows them to focus on what they control. Providing a template implementation in the UFGS eases the burden on the designer so they need not figure it all out, he added. What this means in practice, said Bush, is that instead of worrying about 900 items that a designer would need to worry about for a low-impact system, that list is now down to approximately 150. In his opinion, the challenge going forward is to start fortifying requirements with policy rather than specifications to address the other 750 items.

FIGURE 3-3 Federal directives and action to make cybersecurity a critical priority.
NOTE: C-SCRM, cybersecurity supply chain risk management; CISA, Cybersecurity and Infrastructure Security Agency; FAR, federal acquisition regulation; FASCSA, Federal Acquisition Supply Chain Security Act of 2018; SOP, standard operating procedure; SW, software.
SOURCE: Tom Smith, General Services Administration, presentation to the workshop on July 9, 2024.

Responding to a question from a workshop participant, Bush predicted that industry would drive DoD to accept wireless CS and OT. The key will be for DoD’s specifications to get close to those industry has established so that industry can make small changes to meet the DoD specifications. Bush acknowledged that DoD is more risk averse regarding wireless technology than industry is, and there will be times when DoD will pay more for a non-wireless solution over a less expensive wireless solution.

ENABLING PRACTICAL APPLICATION OF CYBERSECURITY AND CYBERSECURITY SUPPLY CHAIN RISK MANAGEMENT IN FEDERAL PROCUREMENT

Tom Smith, services center director for IT in the Office of Supply Chain Management at the General Services Administration (GSA), explained that his office is responsible for delivering IT solutions to the federal government, including DoD, from a whole-of-government perspective. GSA, he added, is not in the facility construction business. Rather, GSA’s role is to work with CISA, NIST, and OMB to develop policies and standards for acquisition vehicles that the government can leverage in support of the mission of a facility. In that regard, GSA is represented on the Federal Acquisition Regulation Council and Federal Acquisition Security Council.

Over the past few years, several activities have highlighted the cybersecurity challenges facing critical infrastructure (Figure 3-3). These include a December 2020 GAO report calling for federal agencies to take urgent action to manage supply chain risks (GAO 2020), a January 2024 hearing of the House Select Committee on the Strategic Competition Between the United States and the Chinese Communist Party (U.S. House 2024), and an April 2024 “National Security Memorandum on Critical Infrastructure Security and Resilience” (White House 2024), for which GSA is working with CISA to provide agencies the right resources and tools to realize their zero trust programs. The GAO report, said Smith, noted that 14 of 23 federal agencies had no supply chain risk management practices in place, and while agencies have made strides by meeting the requirements of the Federal Information Security Modernization Act of 2014 (P.L. 113-283) and the Federal Information Technology Acquisition Reform Act (P.L. 113-291), there is still more work to do.

Smith said there are 12 new federal acquisition regulations for cybersecurity supply chain risk management, with two more imminent. One of the forthcoming regulations will require vendors to report intrusions or malicious activities in the network space and respond to GSA to ensure that they address them appropriately. He explained the Federal Acquisition Supply Chain Security Act of 2018 (Title II of P.L. 115-390) prompted the Federal Acquisition Security Council to create lists prohibiting the use of certain products or contracting with specific companies, many based in China.

Many commercial tools can identify cybersecurity risks in the supply chain and create vendor risk assessment reports, said Smith. He noted that GSA is pre-screening products to identify those that agencies should not purchase. He also said agencies have multiple ways to build cybersecurity supply chain risk management, either by building specific processes and approaches tailored to their agency or by looking for partnership opportunities across the federal government that help simplify the cybersecurity supply chain risk management process. Regardless of which path an agency takes, GSA has the resources to support it on its journey. For agencies doing this themselves, GSA offers playbooks and resources subject-matter experts have developed, as well as a zero trust architecture handbook and cybersecurity supply chain risk management tool guidebook.

For agencies taking the partnership approach, GSA offers acquisition vehicles with built-in cybersecurity supply chain risk management requirements, blanket purchase agreements for second-generation IT solutions, and highly adaptive cybersecurity services that will help agencies test high-priority IT systems, quickly order and implement services from technically evaluated and vetted vendors, and rapidly address potential vulnerabilities. GSA is planning to release a blanket purchase agreement for a cybersecurity supply chain risk management illumination tool. Smith added that GSA’s IT contracting vehicles and purchasing programs will help agencies meet all requirements and mandates regarding cybersecurity services, cloud and software offerings, hardware, telecommunications and satellite offerings, and identity, credential, and access management services (GSA 2024).

Smith explained that when vetting products, services, and vendors, GSA holds them to NIST’s cybersecurity standards to remove those products that do not meet those standards, as well as their vendors, affiliates, and resellers, from approved lists. GSA is working with small business partners, training them on the front end to ensure they are meeting incident reporting and sharing requirements. He noted that small businesses are a central focus from a threat standpoint. “Over half of them say they are aware [of those requirements], but less than 20 percent are prepared [to meet them],” said Smith.

QUESTION AND ANSWER SESSION

An online participant asked if there are any DoD efforts under way to develop DoD common controls for cybersecurity supply chain risk management that multiple systems or programs could implement. Sandy Kline, who spoke in the previous session, said DoD is doing supply chain work within the defense industrial base, but the work the individual services are doing regarding the vendors delivering products that go into DoD’s buildings is not standardized. She said partnering with GSA would help address this, given that it works with many of the same vendors. “Maybe there is some partnering that we can do in that specific area so that we are not coming to industry with variations on a theme but coming to them with a consistent set of supply chain questions, pre-award and post-award,” said Kline. Another workshop participant said the Army has a deliberate effort under way to incorporate the new families of controls into its risk management framework.

A workshop participant asked if there are legal resources available through which an agency can remove and exclude products or vendors that its cybersecurity supply chain risk management analysis identifies but that are not yet on the federal exclusion list. Smith replied that agencies do have some authority to do so, with DoD having more latitude to do so through language in the NDAA. He added that CISA is providing those authorities through the Federal Acquisition Supply Chain Security Act.

Powell explained what low-, medium-, and high-impact systems are according to the NIST CSF. Low-impact systems are those where the loss of confidentiality, integrity, and availability could have a limited adverse effect on manufacturing operations. Medium- or moderate-impact systems are those in which a loss of confidentiality, integrity, and availability could have a serious adverse effect on manufacturing operations and manufactured products. High-impact systems are those in which a loss of confidentiality, integrity, and availability would be expected to have a catastrophic effect on manufacturing operations, manufactured products, brand, image, finances, and other characteristics. Bush said DoD has modified those definitions to replace manufacturing operations with missions.

Chuck Weissenborn, public-sector chief technology officer at Dragos, who would speak in the next session, asked if there is an intelligence-driven approach that uses what is known about what an adversary is doing and what their attack patterns, tactics, techniques, and procedures are to help prioritize approved OT controls. Bush replied that the approach the U.S. Army Corps of Engineers has taken is to break down requirements for low-impact, moderate-impact, and high-impact systems and do everything possible from an engineering perspective to meet the requirements as written. If that is impossible, it will add mitigating requirements for high-impact systems. Otherwise, it will document the existing limitations, such as there is no product available that meets all the requirements. The exception to this is for high-impact systems, where the guidance is to get professional help. “All we can do is try to remind the owners of these facilities that when you change the use of a facility, you have to actually make sure that what you are doing makes sense,” he said.

Responding to a question about guidance for installing technologies that protect human safety, in addition to cybersecurity, Bush said it has always been a premise in CS design to protect people. Where cybersecurity comes in is that it opens a few avenues of failure that need to be considered. Weissenborn responded there is no standard of care yet for cyber-related CS and that there is a need to look at what should be required for a cyber safety standard of care that is mandatory and goes beyond cybersecurity. Such a standard of care is needed because while a control system should be designed to be safe, a nefarious actor could manipulate any control system to create an unsafe condition for the people in a facility, such as by locking open a steam valve. Bush agreed that this needs to be addressed, and Powell said he would look at this.

Weissenborn noted that there was a time when fire protection became important, and now buildings have sprinkler systems that do not add value to the building but are safety systems that one hopes will never be needed. Today, there are fire protection engineers involved in every project, and the same needs to happen with cybersecurity. Bush mostly agreed but said that what is needed is a CS engineer on every project, but not a cybersecurity engineer, because cybersecurity should be part of designing and implementing the CS.
