The highest priority for the Industrial Control Systems (ICS) Cybersecurity Initiative is for owners and operators to enhance their detection, mitigation, and forensic capabilities. Below are suggested evaluation considerations for technologies to monitor ICS and operational technologies (OT) cybersecurity. All entities are encouraged to deploy technology to improve visibility on their systems and share those outputs with government partners. Each entity must assess and select the technology or provider that is best for it. The considerations listed below are recommendations, not requirements, and each entity should determine which of the considerations are applicable to its situation and which technology best fits its needs. The United States Government does not and will not select, endorse, or recommend any specific technology or provider as part of this Action Plan. The government intends to work with entities and other private sector stakeholders to integrate, to the maximum extent possible, information sharing with any ICS monitoring technology.


  1. Technologies built for ICS networks with integration compatibility with ICS protocols and communications.
  2. Technologies that provide sensor-based continuous network cybersecurity monitoring and detection, and that facilitate response capabilities, for ICS/OT (i.e., the technology is ICS-focused and already understands ICS communications, such as deep packet inspection capabilities for ICS protocols).
  3. Technology software that has a collective-defense capability/framework to allow the sharing of insights and detections rapidly with the Federal government, participants, and trusted organizations such as relevant information sharing and analysis centers (ISACs)/information sharing and analysis organizations (ISAOs). Data and insights collected must be sharable across the Federal government, to the greatest extent possible, and should be compatible with other sector sensing partnerships.
  4. Technologies that do not collect or store sensitive data off the participants’ site (e.g., perform analysis at the edge); however, certain insights or analysis outputs, such as whether a threat was present and relevant indicators of compromise, may be stored off premises.
  5. Technologies must protect or anonymize participant identity, and ensure that risk and vulnerability information is not inadvertently disclosed between participants unless explicitly authorized by the participating entity.
  6. The technology allows for centralized queries and correlation. Sensitive information that contextualizes anomalies that may indicate adversary presence may be stored off premises for analysis.
  7. The technology allows for short-term (minimum of one year) on-site storage of raw data so new insights or detections can be retroactively applied to full data sets as needed.
  8. The technology is passive in its deployment, using isolation technologies to ensure that the technology itself cannot be used as a vector for adversaries to gain access into sensitive ICS networks.
  9. The ICS sensing technology is capable of working with correlation and aggregation technologies to allow for OT/IT sensing cross-correlation and analysis.
  10. Technology has the capability of baselining normal ICS operations and can compare/detect abnormal operations from a known-good baseline.
  11. Data at rest should be cryptographically protected (e.g., leverage NIST FIPS 140-3 certified cryptography to protect the data).
  12. Technology has the capability to detect known unauthorized remote access operations.
  13. Technology has the capability to detect unauthorized movement from the IT to the OT environment, including via non-Internet Protocol (IP) communication pathways.
  14. Technology has the capability to detect unauthorized network activity and actions consistent with the MITRE ATT&CK for ICS framework, including detecting potential tactics that may be used for disruptive or destructive actions.
  15. Technology has analytic and detection capabilities that are dynamically updatable, leveraging timely, validated, and trusted external or internal threat intelligence.
  16. Technology has the capability to detect access credential misuse.
  17. Technology has the capability to identify violations of implemented application allow listing policies enforced on IT and OT systems.