24 May 2022

Draft of the NIST Guide #800-82 – what has changed

The release of the third version of the Guide to Operational Technology (OT) Security, SP 800-82 Rev. 3, is, without a doubt, a milestone.

For a long time, the first version, released back in 2013, was practically the only source for reading anything at all about ICS security. This first version was obsolete almost immediately and a second version was released in 2015. Even in 2015 there really weren’t many publications about ICS security. This updated version was like a good cookbook: it contained tables of weights and measures, rules for running a good kitchen and recipes, aka, firstly a list of differences between IT and OT, secondly, instructions on how to create and implement security policies and, thirdly, explanations on how to build segmented networks, rules for filtering specific protocols on industrial firewalls and how to block specific attack vectors.

At first, the second version was read, quoted, translated and reused countless times. Over the past three years, however, it had been almost forgotten, and suddenly – we have a third version.

Is the third version as good as the previous ones? What has changed?

It is best to leave a detailed analysis of the third version for when the final is released in a couple of months. But a quick glance is definitely worth it even now.

Immediately, we see that OT (Operational Technology) is now in the title instead of ICS. In fact, this is true for the entire document.

Instead of ICS Operation and Components, we have OT Operation, Architectures and Components and cover the following additional types of systems:

  • Building Automation Systems
  • Physical Access Control Systems
  • Safety Systems
  • Industrial Internet of Things

(keep in mind that in the first version we only had Components, specifically Network Components and Control Components).

Thus, we are seeing both new and different components and the new guide covers many of their aspects. This is totally logical, since the OT cybersecurity sector has grown noticeably in the 7 years since the last version.

On the other hand, the structure of the third version draft is quite similar to the second version. There are still six sections and only Risk Management for OT systems and OT Cybersecurity Program Development have switched places. And the term Security from the second version has been changed to Cybersecurity in the draft, not in the least because the document needs to match the NIST Cybersecurity Framework terminology.

And now we have come to the main updates, which are unlikely to change in the final version. The section on Information Security actions, such as risk management, is now closely integrated with the NIST Cybersecurity Framework, whereas the first version barely mentions this document. There had been references in the second version of 800-82 in the security controls section, which could not have existed without NIST 800-53, which catalogues these controls. And the sixth section was previously named Applying Security Controls to ICS, but in the latest draft it has been renamed Applying the Cybersecurity Framework to OT.

As a result, we see that the main recommendations for implementing organizational and technological measures are now organized according to CSF logic: Identify, Protect, Detect, Respond, and Recover. Functions in CSF are delineated in separate categories and subcategories of actions, and it is recommended to utilize certain controls from NIST 800-53 to fulfill these and/or to follow other NIST guidelines.

This is a clear and significant improvement in the quality and organization of the recommendations in the new guide versus the second version. In earlier versions there were permanent links to a specific version of the NIST 800-53 guide. There is a multitude of security controls described in this guide and inexperienced readers were often confused. Moreover, it was unclear if all controls were accounted for successfully or was NIST 800-53 fully implemented. Worst of all, there was no clarity on which additional sources, such as other NIST publications or other recommendations could and should be used while working on each security control.

NIST, in fact, does have recommendations for administering IT assets, and for developing programs for increasing awareness and cybersecurity training, and for application whitelisting. It is actually difficult to find a category of recommendations that NIST does not cover. In the third revision the required links at least for the US publications are in the same place as the recommended security controls. This will definitely make life easier when collecting recommendations for increasing security as per the CSF functions.

This is great, because it provides a correct choice architecture for analysts, security engineers and security software developers. This prevents more details from slipping through the cracks as well as outright mistakes whilst completing complicated tasks.

In fact, I have this crazy idea that maybe we can add all sorts of data to the lists in the supplemental guidance – lists of international standards, maybe vendor recommendations, national regulations with… filters by source. A global encyclopedia of OT cybersecurity. Why not? ?

All kidding aside, it looks like the third version of NIST 800-82 has every chance of being as great as the first and second ones were.

  • Ekaterina Rudina

    Security Analysis Group Manager, Kaspersky ICS CERT