News

RSVP Now

 

Over the past several months, the National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology (NIST) has been working on a cybersecurity project involving asset management to help energy utilities and the oil the gas industry develop an automated solution to better manage their industrial control system (ICS) assets.

The NCCoE is a collaborative hub where industry organizations, government agencies, and academic institutions work together to address businesses’ most pressing cybersecurity challenges. The NCCoE has just released draft practice guide NIST Special Publication 1800-23, Energy Sector Asset Management. 

This project explores methods for managing, monitoring, and baselining assets and includes information to help identify threats to these OT assets. Both standards and best practices were used to develop reference designs leveraging commercially available technologies. The guide also maps capabilities to NIST guidance and control families, including the NIST Cybersecurity Framework.

TDi’s flagship product, ConsoleWorks Cybersecurity & Operations Platform, is one of the solutions along with others in the NIST cybersecurity framework for this project.

To complete this guide, the NCCoE collaborated with other technology vendors, including Dragos, Forescout, FoxGuard Solutions, KORE Wireless Group, Splunk, and Tripwire. The NCCoE believes the guide helps meet a critical cybersecurity and economic need, but we want to hear from you. Please share your thoughts on this step-by-step guide to enhance it. Download the draft guide and provide your feedback on the NCCoE comment page. The public comment period closes on November 25, 2019.

FAQ’s related to ESAM

Below are a set of FAQs specific to NIST SP 1800-23, Energy Sector Asset Management (ESAM) Practice Guide. Please share this information with your communications/public relations departments as they may use them as a basis for personalized talking points. If significant changes will be made to better appeal to your primary audience, please send to Lauren Acierto (lacierto@mitre.org) for review, allowing for a five-business-day turnaround.

Why did the National Cybersecurity Center of Excellence (NCCoE) create this guide?

Industrial control system assets provide command and control information as well as key functions on OT networks. These assets are primary targets of cyber attacks and any vulnerabilities in these assets can present opportunities for malicious actors to disrupt both the electric grid and oil and natural gas infrastructure. Such disruptions can result in economic loss and interruption of critical services to millions of people. This guide was created to provide a reference architecture and an example solution for managing, monitoring, and baselining assets, and includes information to help identify threats to these OT assets.

What is this practice guide about?

This guide describes methods for managing, monitoring, and baselining assets and also includes information to help identify threats to these OT assets. The guide includes a reference design and uses commercially available technologies in an example solution that will help energy organizations address the security challenges of OT asset management.

What is energy sector asset management?

Asset management is defined in the NIST Cybersecurity Framework as the identification and management of data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes, consistent with their relative importance to business objectives and the organization’s risk strategy. In this guide we are addressing the following characteristics of asset management in the energy sector:

• Asset Discovery: establishment of a full baseline of physical and logical locations of assets
• Asset Identification: capture of asset attributes, such as manufacturer, model, operating system (OS), Internet Protocol (IP) addresses, media access control (MAC) addresses, protocols, patch-level information, and firmware versions
• Asset Visibility: continuous identification of newly connected or disconnected devices, and IP (routable and non-routable) and serial connections to other devices
• Asset Disposition: the level of criticality (high, medium, or low) of a particular asset, its relation to other assets within the OT network, and its communication (to include serial) with other devices
• Alerting Capabilities: detection of a deviation from the expected operation of assets

Will energy sector executives find value in this practice guide?

Yes! The NCCoE’s Energy Sector Asset Management Practice Guide can help an organization:

• Reduce cybersecurity risk and potentially reduce impact to safety and operational risk such as power disruption.
• Develop and executing a strategy that provides continuous OT asset management and monitoring.
• Enable faster responses to security alerts through automated cybersecurity event/attack capabilities.
• Implement current cybersecurity standards and best practices while maintaining the performance of energy infrastructures

Will energy sector technology (IT) professionals find value in this practice guide?

Yes! This guide assumes that IT professionals have experience implementing security products within the enterprise. The practice guide builds on this knowledge, so that IT professionals who opt to implement ESAM in their organizations will find practical and actionable information throughout the entire guide. Here’s why:

• Clear instructions — The how-to portion of the guide, Volume C, replicates the example implementations created in the NCCoE’s lab and provides specific product installation, configuration, and integration instructions. Rather than recreating the product manufacturers’ documentation, which is generally widely available, we show how to integrate the products to recreate the example implementations.
• The technology is commercially available and adaptable — A suite of commercial products was used to build the example implementations (this guide does not endorse these products) in our lab. An organization can replicate the example implementation(s) in its online environment or can use this guide as a starting point for tailoring and implementing parts of the e-commerce fraud-reducing capabilities demonstrated. An organization’s security experts should identify the products that will best integrate with its existing tools and IT system infrastructure.
• The guide maps to both cybersecurity standards and best practices — IT professionals can use our step-by-step guide to inform and develop a strategy by selecting from several different asset management capabilities that best meet their organization’s needs. For example, Volume B, Section 1.2.1, lists the standards and guidance that influenced development of the example implementations. Section 3.5 in Volume B lists the products and technology used in this project and the NIST Cybersecurity Framework security control(s) subcategory that the product addresses in the example implementation. Finally, work roles are mapped to the NICE Cybersecurity Framework to assist IT managers with understanding what skills are needed to execute and manage ESAM example implementations.
• Expert-vetted architecture and reference designs — The guide leverages expertise from NIST and industry IT thought leaders in collaboration with leaders from the energy sector to review the architecture and vet the standards-based reference designs. The reference designs are modular and can be deployed in whole or in part—providing utilities, gas & oil industries, and other enterprises with the detailed information they need to replicate ESAM example implementations.

*While the example implementation uses certain products, NIST and the NCCoE do not endorse these products. The guide presents the characteristics and capabilities of those products, which an organization’s security experts can use to identify similar standards-based products that will fit within with their organization’s existing tools and infrastructure.

Advancements in medical imaging technology are helping patients get diagnosed and treated more quickly and effectively. But unsecured systems can open the door to breaches of patient data and could potentially risk patient safety. Our Securing Picture Archiving and Communication System guidance shows how healthcare delivery organization can take advantage of these technologies while also ensuring patient data is protected.
Jennifer Cawthra, NIST NCCoE Healthcare Sector Lead

The National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and Technology (NIST) is proud to release a new practice guide – NIST Special Publication 1800-24, Securing Picture Archiving and Communication System (PACS) – to help healthcare delivery organizations (HDOs) protect patient images and other pertinent medical data. The NCCoE is a collaborative hub where industry organizations, government agencies, and academic institutions work together to address businesses’ most pressing cybersecurity challenges. This practice guide represents the NCCoE’s dedication to the public interest and the critical cybersecurity matters within the healthcare sector.

The guide can be used by any organization that is deploying PACS and medical imaging systems, and that is willing to perform its own risk assessment and implement controls based on its risk posture. Both standards and best practices were used to develop two reference designs leveraging commercially available technologies. The guide also maps capabilities to NIST guidance and control families, including the NIST Cybersecurity Framework.

TDi’s flagship product, ConsoleWorks Cybersecurity & Operations Platform, is one of the solutions along with others in the NIST cybersecurity framework for this project.

To complete this guide, the NCCoE collaborated with other technology vendors, including Cisco, Clearwater Compliance, Digicert, Forescout, Hyland, Philips, Symantec, Tempered Networks, Tripwire, Virta Labs, and Zingbox.

The NCCoE believes the guide helps meet critical cybersecurity and economic need, but we want to hear from you. Please share your thoughts on this step-by-step guide to enhance it. Download the draft guide and provide your feedback on the NCCoE comment page. The public comment period closes on November 18, 2019.

FAQ’s related to PACS

Why did the National Cybersecurity Center of Excellence (NCCoE) create this guide?

Healthcare is a part of the nation’s critical infrastructure and vulnerabilities within this sector have the potential to result in breaches inpatient data or risks to patient safety. These vulnerabilities could also expose an HDO to risks of significant data loss, malware and ransomware attacks, and unauthorized access to other parts of an HDO enterprise network. The NCCoE’s mission is to accelerate the adoption of secure technologies to address critical cybersecurity challenges in key industry sectors. To learn more about the NCCoE’s cybersecurity efforts in healthcare, visit nccoe.nist.gov/healthcare.

What is this practice guide about?

This guide provides practical, real-world guidance to healthcare providers interested in implementing an example solution to securely configure and deploy PACS ecosystem. The guide also contains several risk-based scenarios detailing the approach with risk assessment and analysis; logical design; example build development, functional test and evaluation; and security control mapping.

What is the scope of this project?

The NCCoE project focused on securing the environment of the PACS ecosystem, but not on reengineering medical devices or altering medical imaging processes themselves. This project has led to a standards-based practice guide that is applicable to the wider healthcare ecosystem. This practice guide has been derived from the implementation of a secure PACS in a laboratory environment at the NCCoE that seeks to replicate parts of a typical HDO environment. The project considers PACS users internal to the HDO as well as external users and partners needing access to certain components of the HDO environment.

Will healthcare executives find value in this practice guide?

Yes! The NCCoE’s Securing Picture Archiving and Communication System (PACS) Practice Guide can help an organization:

• Improve resilience in its network infrastructure, including limiting a threat actor’s ability to leverage components as pivot points to attack other parts of the HDO’s environment.
• Limit unauthorized movement within the HDO environment by authorized system users to address the “insider threat” as well as unauthorized actors once they gain network access.
• Analyze behavior and detect malware throughout the ecosystem to enable HDOs to determine when components have been compromised and enable those organizations to limit the effects of a potential advanced persistent threat such as ransomware.
• Secure sensitive data (e.g., personally identifiable information or protected health information) at rest and in transit, limiting adversarial ability to exfiltrate or expose that data.
• Consider and address risks that may be identified as HDOs examine cloud solutions as part of managing their medical imaging infrastructure.

Will healthcare information technology (IT) professionals find value in this practice guide?

• Clear instructions—The how-to portion of the guide, Volume C, replicates the example implementations created in the NCCoE’s lab and provides specific product installation, configuration, and integration instructions. Rather than re-creating the product manufacturers’ documentation, which is generally widely available, we show how to integrate the products to re-create the example implementations.
• The technology is commercially available and adaptable—A suite of commercial products was used to build the example implementations (this guide does not endorse these products) in our lab. An organization can replicate the example implementation(s) in its environment or can use this guide as a starting point for tailoring and implementing parts NCCoE’s risk assessment and the deployment of a defense-in-depth strategy. An organization’s security experts should identify the products that will best integrate with its existing tools and IT system infrastructure.
• The guide maps to both NIST cybersecurity and industry standards—IT professionals can use our step-by-step guide to implement the example solution. Volume B, Section 3, lists the standards and guidance that influenced the development of the example implementation. Section 3.6 in Volume B lists the products and technology used in this project and the Cybersecurity Framework security control(s) Subcategory that the product provides for the example implementations.
• Expert-vetted architecture and reference designs—The guide leverages expertise from NIST and industry IT thought leaders in collaboration with leaders from the healthcare sector to review the architecture and vet the standards-based reference designs. The reference designs are modular and can be deployed in whole or in part—providing healthcare delivery organizations and other enterprises with the detailed information they need to replicate securing PACS example implementations.

*While the example implementation uses certain products, NIST and the NCCoE do not endorse these products. The guide presents the characteristics and capabilities of those products, which an organization’s security experts can use to identify similar standards-based products that will fit within with their organization’s existing tools and infrastructure.