Cyber Security Best Practices and Recommendations
Faisal Nahian, Michael Bilheimer
PUBLIC 1
These recommendations are non-binding, are not for compliance purposes, and are presented to assist Entities in reducing the risk of cyber-attacks. Users, owners and operators may employ different cyber security solutions as they deem appropriate.
Audience
• The intended audiences are subject matter experts implementing cyber security and executives approving cyber security controls.
The recommendations are compiled from CISA, SANS and E-ISAC guidance. Each recommendation lists the Critical Infrastructure Protection (CIP) requirement(s) that may relate to it, followed by best practices, examples or comments on implementing the recommendation and its benefits.
Architecture – Network Segmentation
• Recommendation – Segment networks from each other and consider a Zero Trust approach.
• Related CIP Requirement – CIP-005-6 Part 1.2 and CIP-003-8 R2
• Best Practice – All high impact or high value operational systems should be segmented from non-critical and/or business systems. Configure VLANs on a firewall or layer-3 switch, with access control rules at the network edge, so that only authorized traffic crosses between segments; treat anything not explicitly permitted as denied. For example, SCADA should sit in its own electronic security perimeter (ESP) with restricted access.
Architecture – Zero Trust
• Recommendation – Consider a Zero Trust Architecture
• Related CIP Requirement – The CIP Modifications SDT incorporates zero trust concepts into its proposed updates
• Best Practice – A Zero Trust architecture should be considered when architecting user access, assets, resource controls, and system-to-system communication. For more information, see NIST SP 800-207, Zero Trust Architecture, for implementation strategy.
on devices that support it, including both IT and OT assets. Use a Security Information and Event Management (SIEM) tool.
• Related CIP Requirement – CIP-007-6 R4
• Best Practice – Logs can be grouped into Security Event, Operating System and Application categories, and should be normalized into a standard format (for example a common timestamp, host, source, category and message field set) so that they can be reviewed automatically or manually and correlated across devices.
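As an added example (written for this page, not part of the presenters' material), the following Python script normalizes log lines from a Linux HMI, a Windows engineering workstation and an HMI application into one record schema and assigns each line to the Security Event, Operating System or Application category. The sample lines are constructed, and the syslog year and the key=value export format of the Windows and application lines are assumptions made for the illustration.

```python
"""Normalize heterogeneous device logs into one record schema for SIEM ingestion.

Added example, not from the original presentation. The syslog year (absent from
BSD-style timestamps) and the key=value export format of the Windows and
application lines are assumptions made for this illustration.
"""
import json
import re
from datetime import datetime, timezone

# BSD syslog: "May  3 10:15:01 host proc[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<proc>[^\[:\s]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
# key=value tokens, with optional double-quoted values
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

SECURITY_SOURCES = {"sshd", "sudo", "su", "login", "microsoft-windows-security-auditing"}
OS_SOURCES = {"kernel", "systemd", "cron", "rsyslogd"}
# Windows logon / privilege events that belong in the Security Event bucket
SECURITY_EVENT_IDS = {"4624", "4625", "4672", "4720"}


def categorize(source: str, event_id: str = "") -> str:
    """Map a log source (and Windows event ID, if any) to one of the three categories."""
    if event_id in SECURITY_EVENT_IDS or source.lower() in SECURITY_SOURCES:
        return "Security Event"
    if source.lower() in OS_SOURCES:
        return "Operating System"
    return "Application"


def normalize(line: str, syslog_year: int = 2024) -> dict:
    """Return a common record: timestamp (UTC ISO 8601), host, source, category, message, raw."""
    m = SYSLOG_RE.match(line)
    if m:
        ts = datetime.strptime(
            f"{syslog_year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S"
        ).replace(tzinfo=timezone.utc)
        source = m["proc"]
        return {"timestamp": ts.isoformat(), "host": m["host"], "source": source,
                "category": categorize(source), "message": m["msg"], "raw": line}
    # Otherwise "<ISO timestamp> key=value ..." as exported by the constructed agent
    stamp, _, rest = line.partition(" ")
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    ts = datetime.fromisoformat(stamp.replace("Z", "+00:00")).astimezone(timezone.utc)
    source = fields.get("source", fields.get("app", "unknown"))
    return {"timestamp": ts.isoformat(), "host": fields.get("host", "unknown"), "source": source,
            "category": categorize(source, fields.get("event_id", "")),
            "message": fields.get("msg", rest), "raw": line}


def normalize_all(lines: list) -> list:
    return [normalize(line) for line in lines]


def to_jsonl(records: list) -> str:
    """One JSON object per line, the shape most SIEM collectors accept directly."""
    return "\n".join(json.dumps(r, sort_keys=True) for r in records)


# Constructed sample lines; none are real captures.
SAMPLE_LINES = [
    "May  3 10:15:01 scada-hmi01 sshd[1234]: Failed password for operator from 10.100.5.7 port 51234 ssh2",
    "May  3 10:15:40 scada-hmi01 kernel: Out of memory: Killed process 4321 (historian)",
    '2024-05-03T10:15:02Z host=eng-ws07 source=Microsoft-Windows-Security-Auditing event_id=4625 user=jdoe msg="An account failed to log on"',
    '2024-05-03T10:16:30Z host=scada-hmi01 app=hmi level=ERROR msg="Tag write rejected" tag=PUMP_01_SET',
]

if __name__ == "__main__":
    print(to_jsonl(normalize_all(SAMPLE_LINES)))
```

The categorization is deliberately source-driven rather than keyword-driven: a line from sshd or the Windows security log is a security event whatever its text says, which keeps the rule set reviewable and keeps an adversary from hiding an event by changing its wording.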
Architecture – Collecting Data
• Recommendation – Ensure that the network architecture is managed and can capture data from the environment to support Passive and Active Defense mechanisms.
• Related CIP Requirement – CIP-005-6 R1 Part 1.2 and Part 1.5
• Best Practice – Deploy network monitoring tool(s) such as an Intrusion Detection System (IDS) or Intrusion Prevention System (IPS), fed from SPAN ports or network taps at the segment boundaries. In OT networks, prefer a passive IDS over an inline IPS unless the effect of a false-positive block on process availability has been assessed.
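The following Python script is an added example for this page (not the presenters' material) that serves both the Network Segmentation slide above and this Collecting Data slide: the same default-deny allowlist that drives the edge firewall rules is what captured flow records or IDS alerts should be checked against. The zone layout, the allowlist and the log lines are all constructed for illustration.

```python
"""Check firewall flow records against a default-deny segmentation policy.

Added example; the zones, the allowlist and the log lines below are all
constructed for illustration and are not from the original presentation.
"""
import ipaddress
from dataclasses import dataclass

# Hypothetical address plan: SCADA inside its own electronic security
# perimeter, an OT DMZ holding the jump host and historian, and the
# corporate business network.
ZONES = {
    "scada_esp": ipaddress.ip_network("10.10.0.0/24"),
    "ot_dmz": ipaddress.ip_network("10.20.0.0/24"),
    "business": ipaddress.ip_network("10.100.0.0/16"),
}

# Authorized inter-zone flows as (src_zone, dst_zone, proto, dst_port).
# Everything else is denied, so business -> scada_esp never appears here;
# users must go through the jump host in the DMZ.
ALLOWED = {
    ("business", "ot_dmz", "tcp", 443),    # users to the jump host
    ("ot_dmz", "scada_esp", "tcp", 22),    # jump host to SCADA servers
    ("scada_esp", "ot_dmz", "tcp", 5432),  # historian replication out of the ESP
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def zone_of(ip: str) -> str:
    """Return the zone containing ip, or 'unknown' if it is outside the plan."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def evaluate(flow: Flow) -> tuple:
    """Return (verdict, reason) for one flow under the default-deny policy."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if "unknown" in (src_zone, dst_zone):
        return "deny", "address outside any defined zone"
    if src_zone == dst_zone:
        # Intra-zone traffic never crosses the segment boundary; the edge
        # policy has nothing to say about it.
        return "permit", f"intra-zone {src_zone}"
    if (src_zone, dst_zone, flow.proto, flow.dport) in ALLOWED:
        return "permit", f"{src_zone}->{dst_zone} {flow.proto}/{flow.dport} allowlisted"
    return "deny", f"{src_zone}->{dst_zone} {flow.proto}/{flow.dport} not allowlisted"


def parse_flow(line: str) -> Flow:
    """Parse the constructed 'timestamp key=value ...' log format used below."""
    fields = dict(token.split("=", 1) for token in line.split()[1:])
    return Flow(fields["src"], fields["dst"], fields["proto"], int(fields["dport"]))


def audit(lines: list) -> list:
    """Return (line, reason) for every flow the policy would deny."""
    findings = []
    for line in lines:
        verdict, reason = evaluate(parse_flow(line))
        if verdict == "deny":
            findings.append((line, reason))
    return findings


# Constructed sample: two legitimate hops through the jump host, a direct
# Modbus/TCP attempt from the business network into the ESP, an outbound
# HTTPS connection from a SCADA host, and one intra-ESP Modbus flow.
SAMPLE_LOG = [
    "2024-05-03T10:00:01Z src=10.100.5.7 dst=10.20.0.10 proto=tcp dport=443",
    "2024-05-03T10:00:02Z src=10.20.0.10 dst=10.10.0.15 proto=tcp dport=22",
    "2024-05-03T10:00:03Z src=10.100.5.7 dst=10.10.0.15 proto=tcp dport=502",
    "2024-05-03T10:00:04Z src=10.10.0.15 dst=10.100.9.9 proto=tcp dport=443",
    "2024-05-03T10:00:05Z src=10.10.0.15 dst=10.10.0.20 proto=tcp dport=502",
]

if __name__ == "__main__":
    for line, reason in audit(SAMPLE_LOG):
        print("DENY", reason, "<-", line)
```

Run against a real export, any denied finding is either a rule gap on the firewall (the flow got through but should not have) or a log of a blocked attempt worth a look; the outbound HTTPS from the SCADA host is the kind of flow that is easy to miss when only inbound rules are reviewed.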
Architecture – Backups
• Recommendation – Create backups of critical software, hardware configurations, and servers.
• Related CIP Requirement – CIP-009-6 R1
• Best Practice – Follow the 3-2-1 rule of backup: keep three complete, up-to-date copies of critical data, two local copies on different types of media and one offsite. Retain backups for a minimum of 90 days, longer if storage permits, and periodically verify that a backup can actually be restored.
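As an added example for this page (not the presenters' material), the following Python script performs one 3-2-1 backup run: it archives a source tree, copies it to three destinations, verifies each copy by checksum, confirms the archive restores, and prunes copies older than the 90-day retention window. The three destinations are ordinary directories standing in for two local media types and one offsite location, which is an assumption made so the script runs anywhere; the source tree is constructed.

```python
"""3-2-1 backup run: checksum-verified copies, a restore check and 90-day retention.
Added example, not from the original presentation; the three destinations are plain
directories standing in for two local media types and one offsite location (assumption)."""
import hashlib
import os
import shutil
import tarfile
import tempfile
import time
from pathlib import Path

RETENTION_DAYS = 90
DAY = 86400


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def create_archive(source: Path, workdir: Path, stamp: str) -> Path:
    """Pack the source tree into one timestamped tar.gz."""
    archive = workdir / f"{source.name}-{stamp}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=source.name)
    return archive


def replicate(archive: Path, destinations: list) -> dict:
    """Copy to every destination, store the digest beside each copy, and re-hash the
    copy so a corrupted transfer fails the run instead of surfacing at restore time."""
    expected = sha256_of(archive)
    copies = {}
    for dest in destinations:
        dest.mkdir(parents=True, exist_ok=True)
        copy = dest / archive.name
        shutil.copy2(archive, copy)
        (dest / (archive.name + ".sha256")).write_text(expected + "\n")
        if sha256_of(copy) != expected:
            raise RuntimeError(f"checksum mismatch on {copy}")
        copies[str(copy)] = expected
    return copies


def restore_check(copy: Path, expected_members: set) -> bool:
    """Extract into scratch space and confirm the expected files actually come back."""
    extract_opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch, tarfile.open(copy, "r:gz") as tar:
        tar.extractall(scratch, **extract_opts)
        return all((Path(scratch) / m).is_file() for m in expected_members)


def prune(dest: Path, now: float, retention_days: int = RETENTION_DAYS) -> list:
    """Delete archives (and their digest files) older than the retention window."""
    cutoff = now - retention_days * DAY
    removed = []
    for archive in dest.glob("*.tar.gz"):
        if archive.stat().st_mtime < cutoff:
            archive.unlink()
            digest = dest / (archive.name + ".sha256")
            if digest.exists():
                digest.unlink()
            removed.append(str(archive))
    return removed


def run_backup(source: Path, local_a: Path, local_b: Path, offsite: Path, now=None) -> dict:
    now = time.time() if now is None else now
    stamp = time.strftime("%Y%m%dT%H%M%SZ", time.gmtime(now))
    with tempfile.TemporaryDirectory() as work:
        archive = create_archive(source, Path(work), stamp)
        copies = replicate(archive, [local_a, local_b, offsite])
    pruned = [p for d in (local_a, local_b, offsite) for p in prune(d, now)]
    return {"copies": copies, "pruned": pruned}


def demo() -> dict:
    """Back up a constructed config tree while one 100-day-old archive sits in local_a."""
    with tempfile.TemporaryDirectory() as root:
        root = Path(root)
        source = root / "scada-config"
        source.mkdir()
        (source / "rtu01.cfg").write_text("baud=9600\n")
        (source / "hmi.xml").write_text("<hmi/>\n")
        local_a, local_b, offsite = root / "disk", root / "nas", root / "offsite"
        local_a.mkdir()
        stale = local_a / "scada-config-20240101T000000Z.tar.gz"
        stale.write_bytes(b"")
        os.utime(stale, (time.time() - 100 * DAY,) * 2)
        result = run_backup(source, local_a, local_b, offsite)
        first_copy = Path(next(iter(result["copies"])))
        return {
            "copy_count": len(result["copies"]),
            "digests_match": len(set(result["copies"].values())) == 1,
            "pruned_count": len(result["pruned"]),
            "restore_ok": restore_check(first_copy, {"scada-config/rtu01.cfg", "scada-config/hmi.xml"}),
        }


if __name__ == "__main__":
    print(demo())
```

The restore check is the step most often skipped in practice; a backup whose checksum matches but whose archive will not extract is still not a backup, and CIP-009 expects the recovery plan to be exercised, not just the copy job.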
• Recommendation – Patch network devices and address vulnerabilities regularly.
• Related CIP Requirement – CIP-007-6 R2
• Best Practice – Implement a patch management program and a continuous vulnerability assessment/monitoring program.
Architecture – Testing Hardware, Software, and Firmware
• Recommendation – Test new hardware, software, and/or firmware prior to deployment to ensure system stability, functionality, and security.
• Related CIP Requirement – CIP-010 R1
• Best Practice – Utilize a test environment that mirrors the production environment.
Architecture – Remote Access
• Recommendation – Limit remote connections to only those systems required to perform the task, to limit unauthorized lateral movement.
• Related CIP Requirement – CIP-005-6 R2
• Best Practice – Remote connections should terminate on an Intermediate System (jump host) that does not allow direct interaction with the protected cyber systems. Users should be restricted to the least privilege needed to perform required tasks. Utilize Multi-Factor Authentication (MFA) on remote connections to critical systems. All connections should be logged and monitored.
Architecture – Integration of Services
• Recommendation – When merging IT and OT under a “platform of platforms” concept, organizations should consider the security and integrity of the overall infrastructure.
• Related CIP Requirement – CIP-005 R1 and R2
• Best Practice – Integrated IT and OT solutions that perform day-to-day functions must be investigated and evaluated to confirm that external access uses mechanisms and techniques that are secure and appropriately limited. Maintaining oversight of integrations helps minimize the potential damage from a vulnerability in any one component.
Passive Defense – Application Whitelisting
• Recommendation – Application whitelisting can help limit adversary attack vectors.
• Related CIP Requirement – CIP-007-6 R3 and CIP-010-2 R1
• Best Practice – Identify all applications that are authorized for use in the organization, enforce defined configurations, and block the execution of any process not on the list. Prefer rules based on publisher signature or file hash over file path or name, which an adversary can imitate.
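As an added example for this page (not the presenters' material), the following Python script builds a hash-based allowlist from an approved image and scans a host against it, distinguishing an approved file from one altered in place and from an unapproved tool dropped under an approved name. The golden directory, the host directory and the file contents are constructed; a real deployment would hand the same allowlist to the platform's enforcement mechanism rather than scan after the fact.

```python
"""Hash-based application allowlist: build from an approved image, then scan a host.

Added example, not from the original presentation. The golden directory standing in
for an approved build image, the host tree and the file contents are all constructed.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_allowlist(golden: Path) -> dict:
    """Map relative path -> sha256 for every file in the approved image.
    A production allowlist would restrict this to executable types (PE, ELF, DLLs, scripts)."""
    return {str(p.relative_to(golden)): sha256_of(p) for p in sorted(golden.rglob("*")) if p.is_file()}


def scan(target: Path, allowlist: dict) -> list:
    """Classify every file under target against the allowlist.

    allowed       hash matches an approved file
    modified      path is approved but the hash differs (tampered or unapproved update)
    unauthorized  hash is unknown and the path is not approved at all
    Matching on hash rather than name means renaming a tool to an approved
    name does not get it past the check.
    """
    approved_hashes = set(allowlist.values())
    findings = []
    for p in sorted(target.rglob("*")):
        if not p.is_file():
            continue
        rel, digest = str(p.relative_to(target)), sha256_of(p)
        if digest in approved_hashes:
            status = "allowed"
        elif rel in allowlist:
            status = "modified"
        else:
            status = "unauthorized"
        findings.append({"path": rel.replace("\\", "/"), "sha256": digest, "status": status})
    return findings


def demo() -> dict:
    """Build an allowlist from a constructed golden image, then scan a host where one
    binary was altered in place and one unapproved tool was dropped under an approved name."""
    with tempfile.TemporaryDirectory() as root:
        root = Path(root)
        golden, host = root / "golden", root / "host"
        for d in (golden / "bin", host / "bin", host / "tools"):
            d.mkdir(parents=True)
        (golden / "bin" / "hmi").write_bytes(b"HMI build 4.2\n")
        (golden / "bin" / "historian").write_bytes(b"historian build 1.9\n")
        allowlist = build_allowlist(golden)
        (host / "bin" / "hmi").write_bytes(b"HMI build 4.2\n")                    # untouched
        (host / "bin" / "historian").write_bytes(b"historian build 1.9 + patch\n")  # altered in place
        (host / "tools" / "hmi").write_bytes(b"not the HMI at all\n")              # unapproved, approved-looking name
        findings = scan(host, allowlist)
        counts = {s: sum(1 for f in findings if f["status"] == s)
                  for s in ("allowed", "modified", "unauthorized")}
        counts["findings"] = findings
        return counts


if __name__ == "__main__":
    for f in demo()["findings"]:
        print(f["status"].upper().ljust(12), f["path"], f["sha256"][:16])
```

A "modified" finding deserves a different response from an "unauthorized" one: the first usually means an update reached the host outside change management (CIP-010 R1 territory), the second means something was put there that was never approved.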
Passive Defense – Firewall
• Recommendation – Configure and enable network-based and/or host-based firewalls to secure the perimeter by allowing only approved connections. Host-based firewalls should be deployed to ensure that communications to specific hosts are restricted to only approved ports and services.
• Related CIP Requirement – CIP-005-5 R1
• Best Practice – Utilize high-availability network-based firewalls for reliability. Network devices should not be able to bypass the network-based firewalls. Additionally, enable the host firewall or deploy a third-party host firewall (integrated with anti-virus or anti-malware).
• Related CIP Requirement – CIP-007-6 R5, CIP-004-6 R4
• Best Practice – Utilize Multi-Factor Authentication (MFA) for all access (local and remote) to privileged accounts and perform quarterly reviews of privileged accounts. For more information, see NIST Special Publication 800-63B for implementation strategy.