TRANSCRIPT
Cyber Security Best Practices and Recommendations
Faisal Nahian, Michael Bilheimer
PUBLIC 1
These recommendations are non-binding and not intended for compliance purposes; they are presented to assist Entities in reducing the risk of cyber-attacks. Users, owners and operators may employ different cyber security solutions as they deem appropriate.
Audience
• The intended audiences are subject matter experts implementing cyber security and executives approving cyber security controls.
The recommendations are compiled from CISA, SANS and E-ISAC guidance. Each recommendation lists the Critical Infrastructure Protection (CIP) requirement(s) that may relate to it, together with best practices, examples or comments on implementing the recommendation, and the benefits.
[Three figures] Source: 2021 Data Breach Report by IBM
Security Controls
• The NERC CIP Standards
• The Sliding Scale of Cyber Security
• Cybersecurity Capability Maturity Model
• NIST Cybersecurity Framework
• CIS Controls
• CSA Cloud Controls Matrix (CCM)
The Sliding Scale of Cyber Security
• The scale groups defensive effort into five categories: Architecture, Passive Defense, Active Defense, Intelligence and Offense. The recommendations that follow are organized by those categories.
Architecture – Network Segmentation
• Recommendation – Segment networks from each other and consider a Zero Trust approach.
• Related CIP Requirement – CIP-005-6 Part 1.2 and CIP-003-8 R2
• Best Practice – All high impact or high value operational systems should be segmented from non-critical and/or business systems. Place them in their own VLANs and enforce an allow-list of authorized traffic between VLANs at a firewall or layer-3 switch at the network edge; a VLAN alone separates broadcast domains but filters nothing. For example, SCADA should be in its own electronic security perimeter with restricted access.
Architecture – Zero Trust
• Recommendation – Consider a Zero Trust Architecture.
• Related CIP Requirement – The CIP Modifications Standard Drafting Team (SDT) is incorporating zero trust concepts into its proposed updates.
• Best Practice – Consider a Zero Trust architecture when designing user access, asset and resource controls, and system-to-system communication. For more information, see NIST SP 800-207, Zero Trust Architecture, for an implementation strategy.
Architecture – Logging & Event Monitoring
• Recommendation – Ensure logging is enabled on every device that supports it, IT and OT assets alike, and forward the logs to a Security Information and Event Management (SIEM) tool.
• Related CIP Requirement – CIP-007-6 R4
• Best Practice – Logs can be grouped into security event, operating system and application categories, and should be normalized into a standard format (consistent timestamps with time zone, host, user and source address fields) so that they can be reviewed by automation or by hand.
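The normalization step above is where most SIEM projects stall: the same logon failure arrives as a syslog line from one host, a Windows event from another and a JSON record from an application. The following added example (not code from the presentation) maps three constructed sample lines onto one fixed schema and assigns the security / operating system / application category; the producer names and Windows event IDs treated as "security" are assumptions for the example.

```python
"""Normalize syslog, Windows key=value and JSON application log lines into one schema.

Added example; the sample lines are constructed, not captured from any real system.
"""
import json
import re
from datetime import datetime, timezone

# Constructed sample input: an sshd syslog line, a Windows-style Security event
# exported as key=value pairs, and a JSON line from an application.
SAMPLE_LINES = [
    "Mar 12 08:15:01 hmi01 sshd[2210]: Failed password for invalid user oracle from 10.20.30.40 port 51234 ssh2",
    "EventID=4625 TimeCreated=2024-03-12T08:15:03Z Computer=eng-ws07 TargetUserName=jsmith IpAddress=10.20.30.40 Status=0xC000006D",
    '{"ts": "2024-03-12T08:15:05Z", "app": "historian", "level": "ERROR", "msg": "db connection refused", "host": "hist01"}',
]

SCHEMA = ("ts", "category", "host", "event", "user", "src_ip", "raw")
MONTHS = {m: i for i, m in enumerate("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<proc>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SECURITY_PROCS = {"sshd", "sudo", "login", "su"}  # assumed: syslog producers treated as security events
SECURITY_EVENT_IDS = {"4624", "4625", "4648", "4672", "4688", "4720", "4728"}  # assumed: Windows logon/account/process IDs


def _iso(value):
    """Render an ISO 8601 string (possibly with a trailing Z) as a timezone-aware ISO timestamp."""
    if not value:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00")).isoformat()


def normalize(line, year=2024):
    """Map one raw line onto SCHEMA; unknown formats are kept as category 'unknown' for manual review.

    `year` is needed because classic syslog timestamps carry no year.
    """
    line = line.strip()
    ev = dict.fromkeys(SCHEMA)
    ev["category"], ev["raw"] = "unknown", line

    if line.startswith("{"):                                   # JSON application log
        data = json.loads(line)
        ip = IPV4_RE.search(data.get("msg", ""))
        ev.update(ts=_iso(data.get("ts") or data.get("timestamp")), category="application",
                  host=data.get("host"), event=f"{data.get('app', 'app')}:{data.get('level', 'info').lower()}",
                  user=data.get("user"), src_ip=ip.group(0) if ip else None)
        return ev

    m = SYSLOG_RE.match(line)                                  # classic (RFC 3164 style) syslog
    if m:
        h, mi, s = (int(x) for x in m["time"].split(":"))
        ts = datetime(year, MONTHS[m["mon"]], int(m["day"]), h, mi, s, tzinfo=timezone.utc)
        proc, msg = m["proc"], m["msg"]
        user = re.search(r" for (?:invalid user )?(\S+) from ", msg)
        ip = IPV4_RE.search(msg)
        ev.update(ts=ts.isoformat(), category="security" if proc in SECURITY_PROCS else "os",
                  host=m["host"], event=f"{proc}:{msg.split(' for ')[0].lower()}",
                  user=user.group(1) if user else None, src_ip=ip.group(0) if ip else None)
        return ev

    kv = dict(KV_RE.findall(line))                             # Windows event exported as key=value
    if "EventID" in kv:
        eid = kv["EventID"]
        ev.update(ts=_iso(kv.get("TimeCreated")), category="security" if eid in SECURITY_EVENT_IDS else "os",
                  host=kv.get("Computer"), event=f"windows:{eid}",
                  user=kv.get("TargetUserName"), src_ip=kv.get("IpAddress"))
    return ev


if __name__ == "__main__":
    for raw in SAMPLE_LINES:
        print(json.dumps(normalize(raw)))
```

The point of the fixed key order and timezone-aware timestamps is that a downstream rule can be written once against `ts`, `user` and `src_ip` regardless of which device produced the event; lines the parser does not recognize are kept whole under `raw` rather than dropped, so nothing silently disappears from review.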
Architecture - Collecting Data
• Recommendation – Ensure that the network architecture is managed and can capture data from the environment to support Passive and Active Defense mechanisms.
• Related CIP Requirement – CIP-005-6 R1 Part 1.2 and Part 1.5
• Best Practice – Deploy network monitoring tool(s) such as an Intrusion Detection System (IDS) or Intrusion Prevention System (IPS).
Architecture - Backups
• Recommendation – Create backups of critical software, hardware configurations and servers.
• Related CIP Requirement – CIP-009-6 R1
• Best Practice – Follow the 3-2-1 rule of backup: keep three complete, up-to-date copies of critical data, two local copies on different types of media and one offsite. Retain backups for at least 90 days, longer if storage permits, and test restores periodically so that the copies are known to be usable.
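A 3-2-1 rule is easy to state and easy to drift from once a tape drive fails or a retention setting is changed. The following added example (not code from the presentation) audits a constructed backup catalog against the rule and the 90-day retention floor; the catalog records, the one-day freshness window and the audit time are assumptions for the example.

```python
"""3-2-1 and retention checks over a backup inventory.

Added example over a constructed inventory; a real check reads the backup catalog.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed catalog: one record per stored copy of a backup set.
INVENTORY = [
    {"set": "scada-historian", "media": "disk",  "location": "onsite",  "taken": "2024-03-12T02:00:00Z", "retention_days": 120},
    {"set": "scada-historian", "media": "tape",  "location": "onsite",  "taken": "2024-03-12T02:30:00Z", "retention_days": 365},
    {"set": "scada-historian", "media": "cloud", "location": "offsite", "taken": "2024-03-12T03:00:00Z", "retention_days": 120},
    {"set": "ems-config",      "media": "disk",  "location": "onsite",  "taken": "2024-03-12T02:00:00Z", "retention_days": 30},
    {"set": "ems-config",      "media": "disk",  "location": "onsite",  "taken": "2024-03-04T02:00:00Z", "retention_days": 30},
]
NOW = datetime(2024, 3, 12, 9, 0, tzinfo=timezone.utc)   # assumed audit time


def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def check_set(copies, now=NOW, min_retention_days=90, max_age=timedelta(days=1)):
    """Return findings for one backup set; an empty list means it satisfies 3-2-1 and retention."""
    findings = []
    fresh = [c for c in copies if now - _ts(c["taken"]) <= max_age]
    stale = len(copies) - len(fresh)
    if stale:
        findings.append(f"{stale} copy(ies) older than {max_age.days} day(s)")
    if len(fresh) < 3:                                   # "3": three up-to-date copies
        findings.append(f"only {len(fresh)} up-to-date copies, need 3")
    local_media = {c["media"] for c in fresh if c["location"] == "onsite"}
    if len(local_media) < 2:                             # "2": two different media types locally
        findings.append("local copies are not on two different media types")
    if not any(c["location"] == "offsite" for c in fresh):   # "1": one copy offsite
        findings.append("no up-to-date offsite copy")
    short = [c for c in copies if c["retention_days"] < min_retention_days]
    if short:
        findings.append(f"{len(short)} copy(ies) retained for less than {min_retention_days} days")
    return findings


def audit(inventory, now=NOW):
    """Group the catalog by backup set and return {set name: findings}."""
    by_set = defaultdict(list)
    for c in inventory:
        by_set[c["set"]].append(c)
    return {name: check_set(copies, now) for name, copies in sorted(by_set.items())}


if __name__ == "__main__":
    for name, findings in audit(INVENTORY).items():
        print(name, "OK" if not findings else "; ".join(findings))
```

Run as a scheduled job, each non-empty finding list is a ticket; note that the freshness check only proves a copy exists, so the restore test the slide calls for still has to be done separately.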
Architecture – Patching & Addressing Vulnerabilities
• Recommendation – Patch network devices and address vulnerabilities regularly.
• Related CIP Requirement – CIP-007-6 R2
• Best Practice – Implement a patch management program and a continuous vulnerability assessment/monitoring program.
Architecture – Testing Hardware, Software, and Firmware
• Recommendation – Test new hardware, software and/or firmware prior to deployment to ensure system stability, functionality and security.
• Related CIP Requirement – CIP-010 R1
• Best Practice – Use a test environment that mirrors the production environment.
Architecture – Remote Access
• Recommendation – Limit remote connections to only those systems required to perform the task, to limit unauthorized lateral movement.
• Related CIP Requirement – CIP-005-6 R2
• Best Practice – Interactive remote access should terminate at an Intermediate System (jump host) so that the remote client never connects directly to the cyber system. Restrict users to the least privilege needed for the task, require Multi-Factor Authentication (MFA) for remote connections to critical systems, and log and monitor every connection.
Architecture - Integration of Services
• Recommendation – When IT and OT are merged under the "platform of platforms" concept, organizations should consider the security and integrity of the overall infrastructure.
• Related CIP Requirement – CIP-005 R1 and R2
• Best Practice – Integrated IT and OT solutions that perform day-to-day functions must be investigated and evaluated to confirm that external access uses mechanisms and techniques that are secure and appropriately limited. Maintaining oversight of integrations helps limit the damage a vulnerability in one component can cause.
Passive Defense – Application Whitelisting
• Recommendation – Application whitelisting (allowlisting) can help limit adversary attack vectors.
• Related CIP Requirement – CIP-007-6 R3 and CIP-010-2 R1
• Best Practice – Identify every application authorized for use in the organization, enforce the defined configurations, and block execution of any process not on the list.
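The value of an allowlist depends on what it keys on: a rule that matches on file name lets a replaced binary run, a rule that matches on content hash does not. The following added example (not code from the presentation) builds an allowlist from a constructed "approved install", then evaluates an untouched binary, a same-name binary with altered content and an uninventoried binary under both rule types; the file names and contents are stand-ins created in a temporary directory.

```python
"""Hash-based application allowlisting versus name-based rules.

Added example; the "executables" are constructed files in a temporary directory.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_allowlist(approved_dir):
    """Inventory the approved install: {file name: sha256}. In production this comes from a golden image."""
    return {p.name: sha256_file(p) for p in sorted(Path(approved_dir).iterdir()) if p.is_file()}


def check_by_name(path, allowlist):
    """Weak rule: allow if the file name is on the list (what a name/path-only policy does)."""
    return Path(path).name in allowlist


def check_by_hash(path, allowlist):
    """Strong rule: allow only if the file's content hash matches the approved hash for that name."""
    path = Path(path)
    expected = allowlist.get(path.name)
    if expected is None:
        return False, "not on allowlist"
    if sha256_file(path) != expected:
        return False, "hash mismatch (modified or replaced binary)"
    return True, "approved"


def demo():
    """Build an allowlist from an approved install, then evaluate what is actually on an endpoint.

    Returns {file name: (name_rule_allows, hash_rule_allows, reason)}.
    """
    with tempfile.TemporaryDirectory() as tmp:
        approved = Path(tmp) / "approved"
        approved.mkdir()
        (approved / "hmi.exe").write_bytes(b"HMI v3.2 build 1187")      # constructed stand-ins for binaries
        (approved / "trend.exe").write_bytes(b"Trend viewer 2.0")
        allowlist = build_allowlist(approved)

        host = Path(tmp) / "host"                                        # what is actually on the endpoint
        host.mkdir()
        (host / "hmi.exe").write_bytes(b"HMI v3.2 build 1187")           # untouched
        (host / "trend.exe").write_bytes(b"Trend viewer 2.0 + implant")  # same name, altered content
        (host / "rogue.exe").write_bytes(b"something nobody approved")   # never inventoried

        results = {}
        for p in sorted(host.iterdir()):
            ok, reason = check_by_hash(p, allowlist)
            results[p.name] = (check_by_name(p, allowlist), ok, reason)
        return results


if __name__ == "__main__":
    for name, (by_name, by_hash, reason) in demo().items():
        print(f"{name:10} name-rule={'allow' if by_name else 'block'} "
              f"hash-rule={'allow' if by_hash else 'block'} ({reason})")
```

The hash rule is stricter but every approved patch changes the hash, which is why the allowlist has to be regenerated from the tested build as part of the change process rather than edited by hand on the endpoint.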
Passive Defense – Firewall
• Recommendation – Configure and enable network-based and/or host-based firewalls to secure the perimeter, allowing only approved connections. Host-based firewalls should restrict communications to each host to approved ports and services only.
• Related CIP Requirement – CIP-005-5 R1
• Best Practice – Use high-availability network-based firewall pairs for reliability. No network path should bypass the network-based firewalls. Additionally, enable the host firewall or deploy a third-party firewall (integrated with anti-virus or anti-malware).
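Both the segmentation slide (SCADA in its own perimeter with restricted access) and the firewall slide (only approved ports and services) come down to the same first-match, default-deny policy, evaluated at the network edge or on the host. The following added example (not code from the presentation, and not any vendor's rule syntax) evaluates constructed edge and host rule sets and lints them for the mistakes that quietly open a perimeter: a missing explicit final deny, a rule shadowed by an earlier broader one, and an allow into the perimeter from a whole subnet instead of a single jump host. All addresses, ports and the perimeter network are assumptions.

```python
"""First-match firewall policy evaluation and lint for an ICS electronic security perimeter.

Added example with constructed addresses; not a vendor configuration format.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str      # "allow" or "deny"
    src: str         # CIDR
    dst: str         # CIDR
    proto: str       # "tcp", "udp" or "any"
    dports: tuple    # destination ports; () means any port
    comment: str = ""


ESP_NET = "192.168.100.0/24"   # assumed SCADA perimeter behind the firewall

# Constructed edge policy: the only path from the business network into the ESP is the
# jump host (Intermediate System), and only on the interactive-access ports.
ESP_EDGE_RULES = [
    Rule("allow", "10.1.5.10/32", ESP_NET, "tcp", (22, 3389), "jump host into ESP"),
    Rule("allow", ESP_NET, "10.1.20.5/32", "udp", (514,), "ESP devices to syslog collector"),
    Rule("allow", ESP_NET, ESP_NET, "any", (), "SCADA traffic inside the ESP"),
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0", "any", (), "explicit default deny (logged)"),
]

# Constructed host-based policy for a historian inside the ESP: approved ports only.
HISTORIAN_HOST_RULES = [
    Rule("allow", ESP_NET, "192.168.100.50/32", "tcp", (5432,), "SCADA servers to historian DB"),
    Rule("allow", "10.1.5.10/32", "192.168.100.50/32", "tcp", (22,), "jump host admin access"),
    Rule("deny", "0.0.0.0/0", "192.168.100.50/32", "any", (), "drop everything else"),
]


def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


def _matches(rule, src, dst, proto, dport):
    return (src in _net(rule.src) and dst in _net(rule.dst)
            and rule.proto in ("any", proto)
            and (not rule.dports or dport in rule.dports))


def evaluate(rules, src, dst, proto, dport):
    """Return (action, rule) for the first matching rule; no match is an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if _matches(rule, s, d, proto, dport):
            return rule.action, rule
    return "deny", None


def _covers(a, b):
    """True if every packet matching rule b would already have matched rule a."""
    return (_net(b.src).subnet_of(_net(a.src)) and _net(b.dst).subnet_of(_net(a.dst))
            and a.proto in ("any", b.proto)
            and (not a.dports or (b.dports and set(b.dports) <= set(a.dports))))


def lint(rules, esp=ESP_NET):
    """Policy checks: explicit final deny, no shadowed rules, no non-host sources allowed into the ESP."""
    findings = []
    last = rules[-1] if rules else None
    if not (last and last.action == "deny" and _net(last.src).prefixlen == 0
            and last.proto == "any" and not last.dports):
        findings.append("last rule is not an explicit default deny")
    for j, b in enumerate(rules):
        if (b.action == "allow" and _net(b.dst).subnet_of(_net(esp))
                and not _net(b.src).subnet_of(_net(esp)) and _net(b.src).prefixlen < 32):
            findings.append(f"rule {j} ({b.comment}) allows a non-host source into the ESP")
        for i, a in enumerate(rules[:j]):
            if _covers(a, b):
                findings.append(f"rule {j} ({b.comment}) is shadowed by rule {i} ({a.comment})")
                break
    return findings


if __name__ == "__main__":
    for src, dst, proto, port in [("10.1.5.10", "192.168.100.20", "tcp", 22),
                                  ("10.1.7.33", "192.168.100.20", "tcp", 22),
                                  ("10.1.5.10", "192.168.100.20", "tcp", 502)]:
        action, rule = evaluate(ESP_EDGE_RULES, src, dst, proto, port)
        print(f"{src} -> {dst} {proto}/{port}: {action} ({rule.comment if rule else 'implicit deny'})")
    print("lint:", lint(ESP_EDGE_RULES) or "clean")
```

The evaluator is the same function for the edge and the host policy, which is the practical reason to keep an explicit final deny on both: the implicit deny of a missing rule is indistinguishable in the logs from a rule that was never written.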
Passive Defense – Secure Privileged Accounts
• Recommendation – Enforce NIST password standards to secure privileged accounts.
• Related CIP Requirement – CIP-007-6 R5, CIP-004-6 R4
• Best Practice – Require Multi-Factor Authentication (MFA) for all access (local and remote) to privileged accounts and review privileged accounts quarterly. For more information, see NIST Special Publication 800-63B for an implementation strategy.
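"Enforce NIST password standards" means something specific under SP 800-63B section 5.1.1: a minimum length, a generous maximum, a check against breached and context-specific values, Unicode normalization before hashing, a salted memory-hard hash for storage, and no composition rules or scheduled expiry. The following added example (not code from the presentation) implements those checks for a candidate secret and stores it with scrypt; the blocklist and context words are constructed stand-ins for a real breach corpus and the organization's own names.

```python
"""Memorized-secret checks and storage following NIST SP 800-63B section 5.1.1.

Added example. The breached-password list and context words are constructed stand-ins;
a real deployment checks against a large breach corpus and the organization's own names.
"""
import hashlib
import hmac
import os
import unicodedata

MIN_LEN, MAX_LEN = 8, 64                      # 800-63B: at least 8 characters; allow at least 64
BLOCKLIST = {p.lower() for p in ["password123", "welcome1", "summer2024!", "passw0rd", "qwerty123"]}  # constructed
CONTEXT_WORDS = {"acme", "scada", "substation", "ems"}   # assumed organization/system names
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)      # about 16 MiB per hash; raise as hardware allows


def _normalize(secret):
    # 800-63B: apply Unicode NFKC (or NFC) normalization before hashing so equivalent input compares equal
    return unicodedata.normalize("NFKC", secret)


def _has_run_or_sequence(s, length=4):
    """Detect repeated characters ('aaaa') or ascending/descending sequences ('abcd', '4321')."""
    for i in range(len(s) - length + 1):
        codes = [ord(c) for c in s[i:i + length]]
        diffs = {b - a for a, b in zip(codes, codes[1:])}
        if diffs in ({0}, {1}, {-1}):
            return True
    return False


def check_password(secret, username=""):
    """Return the reasons a candidate secret is rejected; an empty list means it is acceptable.

    Deliberately absent: composition rules (mixed case, symbols) and periodic expiry, which
    800-63B says verifiers SHOULD NOT impose.
    """
    s = _normalize(secret)
    low = s.lower()
    reasons = []
    if len(s) < MIN_LEN:
        reasons.append(f"fewer than {MIN_LEN} characters")
    if len(s) > MAX_LEN:
        reasons.append(f"longer than the supported maximum of {MAX_LEN} characters")
    if low in BLOCKLIST:
        reasons.append("appears in the breached/common password list")
    if username and username.lower() in low:
        reasons.append("contains the username")
    if any(w in low for w in CONTEXT_WORDS):
        reasons.append("contains a context-specific word (organization or system name)")
    if _has_run_or_sequence(low):
        reasons.append("contains repetitive or sequential characters")
    return reasons


def hash_secret(secret, salt=None):
    """Salted, memory-hard hash for storage (scrypt via hashlib); returns the record to persist."""
    salt = salt or os.urandom(16)
    dk = hashlib.scrypt(_normalize(secret).encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return {"alg": "scrypt", "salt": salt.hex(), "hash": dk.hex()}


def verify_secret(secret, record):
    dk = hashlib.scrypt(_normalize(secret).encode("utf-8"), salt=bytes.fromhex(record["salt"]), **SCRYPT_PARAMS)
    return hmac.compare_digest(dk.hex(), record["hash"])   # constant-time comparison


if __name__ == "__main__":
    for candidate in ["correct horse battery staple", "Passw0rd", "Substation!2024", "jsmith-2024!"]:
        print(candidate, "->", check_password(candidate, username="jsmith") or "OK")
```

For a privileged account the password check is the floor, not the control: the MFA and quarterly review the slide calls for still apply, and the breach list has to be refreshed on a schedule or it stops catching the passwords attackers actually try.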
Passive Defense – Endpoint Security Management
• Recommendation – Use up-to-date endpoint security management software.
• Related CIP Requirement – CIP-007-6 R3
• Best Practice – Employ an endpoint security management solution to detect and remove threats and to provide visibility across the entire technology stack, eliminating blind spots.
Active Defense - Incident Response Plans
• Recommendation – Update and test incident response plans annually.
• Related CIP Requirement – CIP-008-6, CIP-010-6
• Best Practice – Conduct annual tabletop exercises, penetration tests and red team exercises.
Active Defense - Sandbox
• Recommendation – Ensure that personnel performing application development and maintenance, or IT administrative tasks, have access to technologies such as sandboxes.
• Related CIP Requirement – CIP-010-6 R1
• Best Practice – A sandbox should be isolated to specific functions and not shared among multiple personnel.
Passive/Active Defense – SIEM
• Recommendation – Establish a Security Information and Event Management (SIEM) solution to centrally store logs for real-time analysis of security and event alerts.
• Related CIP Requirement – CIP-005-6 R1, CIP-007-6 R4
• Best Practice – Institute a continuous monitoring strategy and set up a security operations center to review and coordinate responses to alerts.
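Central storage is only half of the SIEM slide; the other half is a correlation rule that turns a stream of individually uninteresting events into an alert an operations center can act on. The following added example (not code from the presentation, and not any product's rule language) runs one such rule over constructed, already-normalized authentication events: a sliding window per source address that raises a medium alert on a burst of failures and escalates to high when a success follows the burst. The addresses, user names, threshold and window are assumptions for the example.

```python
"""Correlation rule over normalized authentication events: failed-logon bursts and burst-then-success.

Added example over constructed events (already normalized to a common schema); not a product's rule syntax.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone


def _t(hhmmss):
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return datetime(2024, 3, 12, h, m, s, tzinfo=timezone.utc)


def _ev(ts, src_ip, user, outcome, host="hmi01"):
    return {"ts": _t(ts), "src_ip": src_ip, "user": user, "outcome": outcome, "host": host}


EVENTS = [
    # burst from one source, then a success: the pattern the rule should escalate
    _ev("08:15:01", "10.20.30.40", "admin", "failure"),
    _ev("08:15:07", "10.20.30.40", "oracle", "failure"),
    _ev("08:15:12", "10.20.30.40", "root", "failure"),
    _ev("08:15:20", "10.20.30.40", "scada", "failure"),
    _ev("08:15:31", "10.20.30.40", "admin", "failure"),
    _ev("08:16:02", "10.20.30.40", "scada", "success"),
    # a user who mistyped once: below threshold, no alert
    _ev("08:15:10", "10.1.7.33", "jsmith", "failure"),
    _ev("08:15:40", "10.1.7.33", "jsmith", "success"),
    # slow failures six minutes apart: never five inside the window, no alert
    _ev("08:00:00", "10.20.30.41", "admin", "failure"),
    _ev("08:06:00", "10.20.30.41", "admin", "failure"),
    _ev("08:12:00", "10.20.30.41", "admin", "failure"),
    _ev("08:18:00", "10.20.30.41", "admin", "failure"),
    _ev("08:24:00", "10.20.30.41", "admin", "failure"),
]


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Sliding-window correlation keyed on source address.

    Emits a medium alert the first time `threshold` failures fall inside `window`, and a high alert
    if a success from the same source follows within `window` of that breach.
    """
    failures = defaultdict(deque)   # src_ip -> timestamps of failures still inside the window
    breached = {}                   # src_ip -> time the threshold was crossed
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts, src = ev["ts"], ev["src_ip"]
        q = failures[src]
        while q and ts - q[0] > window:
            q.popleft()
        if src in breached and ts - breached[src] > window:
            del breached[src]       # burst has aged out; a new burst may alert again
        if ev["outcome"] == "failure":
            q.append(ts)
            if len(q) >= threshold and src not in breached:
                breached[src] = ts
                alerts.append({"severity": "medium", "rule": "auth-failure-burst", "src_ip": src,
                               "count": len(q), "first_ts": q[0], "last_ts": ts})
        elif ev["outcome"] == "success" and src in breached:
            alerts.append({"severity": "high", "rule": "failure-burst-then-success", "src_ip": src,
                           "user": ev["user"], "host": ev["host"], "ts": ts})
            del breached[src]       # one escalation per burst
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(EVENTS):
        print(a["severity"].upper(), a["rule"], a["src_ip"], a.get("user", ""), a.get("ts") or a["last_ts"])
```

The slow-failure source is the case worth noticing: a rule that only counts failures per day would alert on it, a rule with a short window will not, and the window is therefore a tuning decision the operations center owns, not a constant. Keying on source address also means a distributed attack from many addresses needs a second rule keyed on the target account.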
Intelligence
• Recommendation – Understand the organization's Architecture, Passive Defense and Active Defense well enough to truly know and identify the threat.
• Related CIP Requirement – None
• Best Practice – Establish a Cyber Threat Intelligence program.
Intelligence Models
• The Cyber Kill Chain
• The Diamond Model of Intrusion Analysis
• Intelligence Life Cycle
• MITRE ATT&CK
Offense
• Recommendation – Offensive cyber operations, whether conducted by civilian organizations or nation-states, must be lawful to be considered an act of cyber security rather than an act of aggression.
• Related CIP Requirement – None
• Best Practice – Civilian organizations should not participate in offensive cyber operations and should remain within the spirit of the law.