Post on 20-Dec-2021

12 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: Cyber Security Best Practices and Recommendations

Faisal Nahian, Michael Bilheimer

PUBLIC 1

These recommendations are non-binding, are not for compliance purposes, and are presented to assist Entities in reducing the risk of cyber-attacks. Users, owners and operators may employ different cyber security solutions as they deem appropriate.

Page 2: Audience

• The intended audiences are subject matter experts implementing cyber security and executives approving cyber security controls.

The recommendations are combined from CISA/SANS/E-ISAC. Each recommendation indicates the Critical Infrastructure Protection (CIP) requirement(s) that may be related to it. Best practices, examples or comments on implementing the recommendations, and their benefits, are also provided.

Page 3: (chart) Source: 2021 Data Breach Report by IBM

Page 4: (chart) Source: 2021 Data Breach Report by IBM

Page 5: (chart) Source: 2021 Data Breach Report by IBM

Page 7: The Sliding Scale of Cyber Security

Page 8: The Sliding Scale of Cyber Security (Continued)

Page 9: Architecture – Network Segmentation

• Recommendation – Segment networks from each other and consider a Zero Trust approach.

• Related CIP Requirement – CIP-005-6 Part 1.2 and CIP-003-8 R2

• Best Practice – All high impact or high value operational systems should be segmented from non-critical and/or business systems. Configure VLANs in a firewall or layer-3 switch to allow only authorized network traffic at the edge of a network. For example, SCADA should be in its own electronic perimeter with restricted access.
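One way to verify the SCADA perimeter described above is to evaluate the edge ACL offline and flag any allow rule that lets a non-approved source into the SCADA VLAN. This is an added example, not code from the presentation; the VLAN addressing, the jump host and the ports are assumptions.

```python
"""Audit a layer-3 ACL against the segmentation policy on this slide (constructed
example; VLAN addressing, the jump host and the ports are assumptions)."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional

# Hypothetical VLAN addressing; the SCADA VLAN is the electronic security perimeter.
VLANS = {
    "business": ip_network("10.10.0.0/16"),
    "engineering": ip_network("10.20.0.0/24"),
    "scada": ip_network("10.99.0.0/24"),
}
JUMP_HOST = ip_network("10.20.0.5/32")  # the only approved entry point into SCADA

@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]  # None matches any destination port
    action: str           # "allow" or "deny"

def evaluate(rules: List[Rule], src: str, dst: str, dport: int) -> str:
    """First matching rule wins; with no match the ACL denies by default."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if s in r.src and d in r.dst and r.dport in (None, dport):
            return r.action
    return "deny"

def audit_scada_perimeter(rules: List[Rule]) -> List[str]:
    """Flag allow rules into SCADA whose source is neither the jump host nor SCADA itself."""
    findings = []
    for i, r in enumerate(rules):
        if r.action != "allow" or not r.dst.overlaps(VLANS["scada"]):
            continue
        if r.src.subnet_of(JUMP_HOST) or r.src.subnet_of(VLANS["scada"]):
            continue
        findings.append(f"rule {i}: {r.src} -> {r.dst} port {r.dport} bypasses the SCADA perimeter")
    return findings

# Policy-conformant ruleset: Modbus/TCP (502) from the jump host only, intra-SCADA traffic, explicit deny.
RULES = [
    Rule(JUMP_HOST, VLANS["scada"], 502, "allow"),
    Rule(VLANS["scada"], VLANS["scada"], None, "allow"),
    Rule(VLANS["business"], VLANS["scada"], None, "deny"),
]
BAD_RULE = Rule(VLANS["business"], VLANS["scada"], 3389, "allow")  # misconfiguration the audit should catch
```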

Page 10: Architecture – Zero Trust

• Recommendation – Consider a Zero Trust Architecture.

• Related CIP Requirement – The CIP Modifications SDT incorporates zero trust concepts into its proposed updates.

• Best Practice – A Zero Trust architecture should be considered when architecting user access, assets, resource controls, and system-to-system communication. For more information, see the NIST Zero Trust Architecture for implementation strategy.

Page 11: Architecture – Logging & Event Monitoring

• Recommendation – Ensure logging is enabled on devices that support it, including both IT and OT assets. Use a Security Information and Event Management (SIEM) tool.

• Related CIP Requirement – CIP-007-6 R4

• Best Practice – Logs can be grouped into Security Events, Operating System and Application categories, and should be organized into a standard format to facilitate automated or manual review.
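The "standard format" step above, as an added example that is not part of the presentation: three differently shaped log lines (constructed, not from any real system) are parsed into one record layout and tagged with the slide's three categories. The event IDs and daemon names used for categorisation are an assumed starting set, not a complete mapping.

```python
"""Normalise heterogeneous log lines into one standard record and tag each with
one of the slide's categories. Added example; the sample lines are constructed."""
import json
import re
from typing import Dict, List, Optional

# Constructed samples: a syslog auth line, a flattened Windows-style event, a JSON app log.
SAMPLE_LINES = [
    "Dec  3 14:02:17 hmi-01 sshd[2211]: Failed password for operator from 10.10.5.5 port 52211 ssh2",
    "2021-12-03T14:05:09Z host=dc-01 EventID=4625 Account=svc_backup Status=0xC000006D",
    '{"ts":"2021-12-03T14:06:00Z","host":"historian","app":"historian-api","level":"ERROR","msg":"db pool exhausted"}',
]

SYSLOG = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>[\w-]+)\[\d+\]: (?P<msg>.*)$")
WINEVT = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) EventID=(?P<id>\d+) (?P<rest>.*)$")

# Windows Security log IDs treated as Security Events here (4624/4625 logon, 4720 user created,
# 4732 member added to a local group); other OS-sourced lines go to Operating System.
SECURITY_EVENT_IDS = {"4624", "4625", "4720", "4732"}
SECURITY_PROCS = {"sshd", "sudo", "su"}  # syslog daemons whose lines are authentication events

def normalise(line: str) -> Optional[Dict[str, str]]:
    """Return {ts, host, source, category, message}, or None for an unrecognised format."""
    if line.startswith("{"):
        j = json.loads(line)
        return {"ts": j["ts"], "host": j["host"], "source": j["app"],
                "category": "Application", "message": f"{j['level']}: {j['msg']}"}
    m = SYSLOG.match(line)
    if m:
        cat = "Security Events" if m["proc"] in SECURITY_PROCS else "Operating System"
        return {"ts": m["ts"], "host": m["host"], "source": m["proc"],
                "category": cat, "message": m["msg"]}
    m = WINEVT.match(line)
    if m:
        cat = "Security Events" if m["id"] in SECURITY_EVENT_IDS else "Operating System"
        return {"ts": m["ts"], "host": m["host"], "source": "EventID " + m["id"],
                "category": cat, "message": m["rest"]}
    return None

def normalise_all(lines: List[str]) -> List[Dict[str, str]]:
    """Normalise every line; a production pipeline should also count the lines it drops."""
    return [rec for rec in (normalise(ln) for ln in lines) if rec is not None]
```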

Page 12: Architecture – Collecting Data

• Recommendation – Ensure that the network architecture is managed and can capture data from the environment to support Passive and Active Defense mechanisms.

• Related CIP Requirement – CIP-005-6 R1 Part 1.2 and Part 1.5

• Best Practice – Deploy network monitoring tool(s) such as an Intrusion Detection System (IDS) or Intrusion Prevention System (IPS).

Page 13: Architecture – Backups

• Recommendation – Create backups of critical software, hardware configurations, and servers.

• Related CIP Requirement – CIP-009-6 R1

• Best Practice – Follow the 3-2-1 rule of backup: keep three complete up-to-date copies of critical data, two local copies on different types of media and one offsite. Backups should be retained for a minimum of 90 days, or longer if storage is not a factor.
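The 3-2-1 rule and the 90-day retention floor can be checked mechanically against a backup inventory. This is an added example, not from the presentation; the inventory is constructed, and treating a copy as "up-to-date" when it is at most 24 hours old is an assumption.

```python
"""Check a backup inventory against the 3-2-1 rule and the 90-day retention floor from
this slide. Added example; the inventory is constructed and the media names are assumptions."""
from datetime import date, timedelta
from typing import Dict, List

FRESH_WITHIN = timedelta(days=1)    # assumption: an "up-to-date" copy was taken within 24 h
MIN_RETENTION = timedelta(days=90)  # retention floor stated on the slide

# Constructed inventory of copies of one critical dataset (most recent run plus an old tape).
INVENTORY = [
    {"id": "nas-daily",   "location": "local",   "media": "disk",  "created": date(2021, 12, 3)},
    {"id": "lto-daily",   "location": "local",   "media": "tape",  "created": date(2021, 12, 3)},
    {"id": "cloud-daily", "location": "offsite", "media": "cloud", "created": date(2021, 12, 3)},
    {"id": "lto-q3",      "location": "offsite", "media": "tape",  "created": date(2021, 8, 31)},
]

def check_3_2_1(inventory: List[Dict], today: date) -> List[str]:
    """Return policy findings; an empty list means 3-2-1 and retention are both satisfied."""
    findings = []
    fresh = [b for b in inventory if today - b["created"] <= FRESH_WITHIN]
    # 3: three complete, up-to-date copies
    if len(fresh) < 3:
        findings.append(f"only {len(fresh)} up-to-date copies, need 3")
    # 2: the local copies must sit on two different media types
    local_media = {b["media"] for b in fresh if b["location"] == "local"}
    if len(local_media) < 2:
        findings.append(f"local copies span {len(local_media)} media type(s), need 2")
    # 1: at least one up-to-date copy offsite
    if not any(b["location"] == "offsite" for b in fresh):
        findings.append("no up-to-date offsite copy")
    # Retention: the oldest copy still held shows how far back a restore can reach.
    oldest = min((b["created"] for b in inventory), default=today)
    if today - oldest < MIN_RETENTION:
        findings.append(f"oldest retained copy is {(today - oldest).days} days old, need {MIN_RETENTION.days}")
    return findings
```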

Page 14: Architecture – Patching & Addressing Vulnerabilities

• Recommendation – Patch network devices and address vulnerabilities regularly.

• Related CIP Requirement – CIP-007-6 R2

• Best Practice – Implement a patch management program and a continuous vulnerability assessment/monitoring program.

Page 15: Architecture – Testing Hardware, Software, and Firmware

• Recommendation – Test new hardware, software, and/or firmware prior to deployment to ensure system stability, functionality, and security.

• Related CIP Requirement – CIP-010 R1

• Best Practice – Utilize a test environment that mirrors the production environment.

Page 16: Architecture – Remote Access

• Recommendation – Limit remote connections to only those systems that are required to perform tasks, to limit unauthorized lateral movement.

• Related CIP Requirement – CIP-005-6 R2

• Best Practice – Remote connections should be made via an intermediate system that does not allow direct interaction with cyber systems. Users should be restricted to the least privilege needed to perform required tasks. Utilize Multi-Factor Authentication (MFA) on remote connections to critical systems. All connections should be logged and monitored.

Page 17: Architecture – Integration of Services

• Recommendation – When merging IT or OT under the “platform of platforms” concept, organizations should consider the security and integrity of the overall infrastructure.

• Related CIP Requirement – CIP-005 R1 and R2

• Best Practice – Integrated IT and OT solutions that perform day-to-day functions must be investigated and evaluated to confirm that external access uses mechanisms and techniques that are secure and appropriately limited. Oversight of integrations can help minimize the potential damage from vulnerabilities.

Page 18: Passive Defense – Application Whitelisting

• Recommendation – Application whitelisting can help limit adversary attack vectors.

• Related CIP Requirement – CIP-007-6 R3 and CIP-010-2 R1

• Best Practice – Identify all applications that are authorized for use in the organization to enforce defined configurations and control the unauthorized execution of processes.

Page 19: Passive Defense – Firewall

• Recommendation – Configure and enable network-based and/or host-based firewalls to secure the perimeter by allowing only approved connections. Host-based firewalls should be deployed to ensure that communications to specific hosts are restricted to only approved ports and services.

• Related CIP Requirement – CIP-005-5 R1

• Best Practice – Utilize high availability network-based firewalls for reliability. Network devices should not bypass network-based firewalls. Additionally, enable firewalls on hosts or implement third-party firewalls (integrated with Anti-Virus or Anti-Malware).

Page 20: Passive Defense – Secure Privileged Accounts

• Recommendation – Enforce NIST password standards to secure privileged accounts.

• Related CIP Requirement – CIP-007-6 R5, CIP-004-06 R4

• Best Practice – Utilize Multi-Factor Authentication (MFA) for all access (local and remote) to privileged accounts and perform quarterly reviews of privileged accounts. For more information, see NIST Special Publication 800-63B for implementation strategy.

Page 21: Passive Defense – Endpoint Security Management

• Recommendation – Utilize up-to-date endpoint security management software.

• Related CIP Requirement – CIP-007-6 R3

• Best Practice – Employ an endpoint security management solution to detect and remove threats and to enhance visibility across the entire technology stack, eliminating blind spots.

Page 22: Active Defense – Incident Response Plans

• Recommendation – Update and test incident response plans annually.

• Related CIP Requirement – CIP-008-6, CIP-010-6

• Best Practice – Perform annual tabletops, penetration tests and red team exercises.

Page 23: Active Defense – Sandbox

• Recommendation – Ensure that personnel performing application development and maintenance, or IT administrative tasks, have access to technologies such as sandboxes.

• Related CIP Requirement – CIP-010-6 R1

• Best Practice – A sandbox should be isolated to specific functions and not shared among multiple personnel.

Page 24: Passive/Active Defense – SIEM

• Recommendation – Establish a Security Information and Event Management (SIEM) solution to centrally store logs for real-time analysis of security and event alerts.

• Related CIP Requirement – CIP-005-6 R1, CIP-007-6 R4

• Best Practice – Institute a continuous monitoring strategy and set up a security operations center to review and coordinate responses to alerts.

Page 25: Intelligence

• Recommendation – Understand the organization's Active and Passive Defense, and Security Architecture, well enough to truly know and identify the threat.

• Related CIP Requirement – None

• Best Practice – Establish a Cyber Threat Intelligence Program.

Page 26: Intelligence (Continued)

Page 28: Offense

• Recommendation – Offensive cyber operations by organizations, civilian or nation-state, must be legal in nature to be deemed an act of cyber security and not an act of aggression.

• Related CIP Requirement – None

• Best Practice – Civilian organizations should not participate in offensive cyber operations and should remain within the spirit of the law.

Page 29: Offense (Continued)