title

Intro to NIST SP 800-82 Revision 3

In September 2023, the National Institute of Standards and Technology (NIST) released an updated version of its Special Publication 800-82 (NIST SP 800-82r3), also known as "Guide to Operational Technology (OT) Security". Operational technology (OT) is hardware and software that detects or causes a change, through the direct monitoring and/or control of industrial equipment, assets, processes and events. These systems are integral to critical infrastructure sectors, including manufacturing, chemical production, energy, food, healthcare, and transportation. 

Fig 1. Basic operation of a typical OT system (Source NIST)

NIST SP 800-82r3 was expanded in scope from prior iterations to include security guidance for the broader category of OT, rather than just industrial control systems (a subset of OT).  Importantly, Revision 3 has a significantly increased focus on the cybersecurity dimension of OT security, acknowledging the increasing pace of integration between OT networks and broader connected networks.  These include critical engineering, management, and data systems on the IT and industrial control network (ICN) side of key manufacturing and other industrial enterprises in the U.S. economy.  

Of course, NIST SP 800-82r3 addresses non-cyber security measures as well, such as physical and personnel security, supply chain security, and environmental security.  This blog post, however, is intended to provide the reader with a brief primer of some of the key OT cybersecurity concepts detailed in the 300-plus page publication.  

Key Points of NIST 800-82

1. Purpose and Scope:

   • The guide addresses the unique cybersecurity challenges associated with ICS, which differ from traditional IT systems. ICS typically requires high availability, real-time processing, and deterministic responses, making their security needs distinct from general IT systems.

2. ICS Environment:

   • NIST 800-82 discusses the ICS environment, emphasizing the importance of understanding the specific operational requirements, including the physical processes being controlled, the operational constraints, and the safety implications.

3. Risk Management Framework (RMF):

   • The guide integrates with NIST's broader Risk Management Framework (RMF), which involves categorizing information systems, selecting and implementing security controls, and continuously monitoring the effectiveness of those controls. For ICS, this includes specialized controls that address the unique aspects of these systems.

4. Threat Landscape:

   • NIST 800-82 provides a detailed overview of the threats and vulnerabilities specific to ICS. This includes cyber-attacks targeting critical infrastructure, insider threats, and the risks posed by interconnections between ICS and enterprise IT systems.

5. Security Controls:

   • The document offers a comprehensive list of security controls tailored for ICS environments. These controls are categorized under families such as Access Control, Audit and Accountability, System and Communications Protection, and Incident Response.

6. ICS-Specific Considerations:

   • Given the critical nature of ICS, the guide emphasizes considerations like system resilience, incident response planning specific to ICS, and the need for physical security measures in addition to cybersecurity.

7. Defense-in-Depth Strategy:

   • NIST 800-82 advocates for a defense-in-depth strategy, which involves implementing multiple layers of security controls throughout the ICS environment. This approach helps mitigate the risk of a single point of failure.

8. Compliance and Standards:

   • The guide aligns with various industry standards and regulations, including those from CISA and the Department of Defense (DoD) around Zero Trust, the International Society of Automation (ISA), the International Electrotechnical Commission (IEC), and the Department of Homeland Security (DHS).

9. Emerging Technologies and Trends: NIST 800-82 also addresses the impact of emerging technologies on ICS security, such as the integration of Internet of Things (IoT) devices, cloud computing, and the increased use of wireless communication.

      Learn more about how Corsha takes an Identity-first approach to OT cybersecurity 

An OT Overlay for NIST SP 800-53r5 

SP 800-82r3 offers tailored OT guidance for the controls in NIST SP 800-53r5 publication (“Security and Privacy Controls for Information Systems and Organizations”).  NIST SP 800-53 includes coverage of 18 security control families divided into Low, Moderate, and High classes based on impact level.  These control families offer a complete set of cyber and non-cyber security considerations.  The key cybersecurity related control families include the following:  

• Access Control: 18 Controls with 31 Control Enhancements
• Audit and Accountability: 12 Controls with 13 Control Enhancements
• Configuration Management: 12 Controls with 22 Control Enhancements
• Identification and Authentication: 10 Controls with 19 Control Enhancements
• Incident Response: 8 Controls with 10 Control Enhancements
• Media Protection: 7 Controls with 3 Control Enhancements
• System and Communications Protection: 25 Controls with 14 Control Enhancements
• System and Information Integrity: 15 Controls with 16 Control Enhancements

Each control family is further divided into individual controls (and control enhancements). SP 800-82r3 offers tailored OT guidance for each:

• OT Cybersecurity Architecture design and implementation, including defense-in-depth strategies with sector-specific models, network/hardware/software security measures, Purdue Model considerations for various levels, and remote access for distributed systems.
• Application of the Cybersecurity Framework to OT systems around identity management and access control, data security (at rest and in transit) and cryptography, wireless communications and remote access, user and machine authentication (including multi-factor authentication), and intrusion prevention and detection, among others.
• Network security practices and technologies that include segmentation and isolation, perimeter defense, network monitoring, anomaly and malware detection, scanning and event logging, data back-up and protection, and use of OT digital twins. 

NIST SP 800-82r3 also offers important guidance on OT security policy development, risk assessment and management planning, program governance, and application of the NIST Risk Management and Cybersecurity Frameworks to OT systems.  It discusses the application of Zero Trust design and tools (covered in NIST SP 800-207, “Zero Trust Architecture”) into OT security architectures.

Conclusion: A Comprehensive Resource for OT Cybersecurity

NIST SP 800-82r3 is a substantial enhancement to prior iterations of the publication and offers tailored context for OT systems in an expanding landscape of connectivity and access.   It brings together concepts from other important NIST publications, such as the Security and Privacy Controls for Information Systems and Organizations, Risk Management Framework, Cybersecurity Framework, and Zero Trust Architecture, among others.  

NIST 800-82 is critical for organizations that rely on ICS for their operations, particularly in sectors that are part of the national critical infrastructure. By following the guidance in this document, organizations can better protect their ICS from cybersecurity threats, ensuring the safety, reliability, and availability of their industrial processes.

About Scott Hopkins

Scott serves as Corsha's Chief Operating Officer. He has over 38 years of professional experience, including 18 years of business management and operations experience with technology development companies and high-tech start-ups. At Corsha, Scott is responsible for overseeing all aspects of the company’s day-to-day business operations, and supporting strategic business planning, budget development and execution, oversight of functional operations, and business and proposal development.

About Corsha

Corsha is an Identity Provider for Machines that allows OT enterprises to securely connect, move data, and automate with confidence from anywhere to anywhere. Corsha uses Zero Trust principles to build secure identity and access to diverse OT equipment from inside or outside your industrial network and brings innovation like automated, single-use MFA credentials to machine-to-machine communications. Strong identity, access, and encryption for machines helps you track all of your connections, create a unified zero trust baseline, and securely move data across your industrial network in real-time.