CISA and NIST recently partnered to create the Cross-Sector Cybersecurity Performance Goals (CPGs) as part of the initiatives under the National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems, released in July 2021. The CPGs are a voluntary set of baseline cybersecurity practices intended to help small and medium-sized organizations begin their cybersecurity journey.
The CPGs combine fundamental IT and OT cybersecurity practices and are prioritized to provide meaningful guidance to critical infrastructure owners and operators. This subset of practices is intended to aid in highlighting the essential areas on which owners and operators should focus.
The CPGs emphasize desired, measurable outcomes rather than prescriptive processes, techniques, or procedures. This approach leads to defined results without specific directions regarding how those results will be obtained. It empowers asset owners and operators with the flexibility to implement the technologies and practices that work best with their company or facility.
Existing cybersecurity frameworks and guidance informed the goals of the CPGs. Each practice in the CPGs aligns with and is mapped to the NIST Cybersecurity Framework (CSF). It should be noted, however, that the CPGs do not fully address every NIST CSF subcategory. The CPGs are a valuable resource and can be used as a first step toward implementing the complete NIST CSF, especially for organizations that have had difficulty implementing the CSF because of resource or budget constraints or its complexity.
The CPGs were informed by real-world threats and adversary tactics, techniques, and procedures (TTPs) observed by CISA, the government, and industry partners. The 5 Critical Controls for ICS/OT Cybersecurity identified by the SANS Institute use scenarios based on real-world TTPs to design and improve cybersecurity defense and response. The five critical controls put a strong emphasis on practices that facilitate an active defense, as opposed to the traditional prevention-focused approach seen in many current regulations and control frameworks.
The CPGs and five critical controls provide small and medium asset owners a path into a world-class OT cybersecurity program while being meaningful for larger or more mature asset owners. Dragos has been on a global mission to safeguard civilization from day one. Per this mission, Dragos offers free resources to small and medium businesses through the Dragos Operational Technology – Cyber Emergency Readiness Team (OT-CERT) to help them create or enhance their OT cybersecurity program.
The Dragos OT-CERT can offer practical cybersecurity guidance to the greater community by cooperating with small and medium businesses and various partners to provide workshops and tabletop exercises. This enables participants to learn from each other and allows OT-CERT to maintain a growing list of recommended practices for OT security that address common security challenges.
The following table maps the CPGs to the five critical controls for ICS/OT cybersecurity.
| CPG Family | CPG | CPG Title | Critical Control |
|---|---|---|---|
| Account Security | 1.1 | Detection of Unsuccessful (Automated) Login Attempts | #3 ICS Network Visibility & Monitoring |
| Account Security | 1.2 | Changing Default Passwords | #2 Defensible Architecture |
| Account Security | 1.3 | Multi-Factor Authentication (MFA) | #4 Secure Remote Access |
| Account Security | 1.4 | Minimum Password Strength | #2 Defensible Architecture |
| Account Security | 1.5 | Separating User and Privileged Accounts | #2 Defensible Architecture |
| Account Security | 1.6 | Unique Credentials | #2 Defensible Architecture |
| Account Security | 1.7 | Revoking Credentials for Departing Employees | #2 Defensible Architecture |
| Device Security | 2.1 | Hardware and Software Approval Process | #2 Defensible Architecture |
| Device Security | 2.2 | Disable Macros by Default | #2 Defensible Architecture |
| Device Security | 2.3 | Asset Inventory | #2 Defensible Architecture |
| Device Security | 2.4 | Prohibit Connection of Unauthorized Devices | #2 Defensible Architecture |
| Device Security | 2.5 | Document Device Configurations | #2 Defensible Architecture |
| Data Security | 3.1 | Log Collection | #3 ICS Network Visibility & Monitoring |
| Data Security | 3.2 | Secure Log Storage | #3 ICS Network Visibility & Monitoring |
| Data Security | 3.3 | Strong and Agile Encryption | #2 Defensible Architecture |
| Data Security | 3.4 | Secure Sensitive Data | #2 Defensible Architecture |
| Governance and Training | 4.1 | Organizational Cybersecurity Leadership | #1 ICS Incident Response |
| Governance and Training | 4.2 | OT Cybersecurity Leadership | #1 ICS Incident Response |
| Governance and Training | 4.3 | Basic Cybersecurity Training | #1 ICS Incident Response |
| Governance and Training | 4.4 | OT Cybersecurity Training | #1 ICS Incident Response |
| Governance and Training | 4.5 | Improving IT and OT Cybersecurity Relationships | #1 ICS Incident Response |
| Vulnerability Management | 5.1 | Mitigating Known Vulnerabilities | #5 Risk-Based Vulnerability Management |
| Vulnerability Management | 5.2 | Vulnerability Disclosure / Reporting | #5 Risk-Based Vulnerability Management |
| Vulnerability Management | 5.3 | Deploy Security.txt Files | #5 Risk-Based Vulnerability Management |
| Vulnerability Management | 5.4 | No Exploitable Services on the Internet | #2 Defensible Architecture |
| Vulnerability Management | 5.5 | Limit OT Connections to Public Internet | #2 Defensible Architecture |
| Vulnerability Management | 5.6 | Third-Party Validation of Cybersecurity Control Effectiveness | #1 ICS Incident Response; #2 Defensible Architecture |
| Supply Chain / Third Party | 6.1 | Vendor/Supplier Cybersecurity Requirements | #2 Defensible Architecture |
| Supply Chain / Third Party | 6.2 | Supply Chain Incident Reporting | #1 ICS Incident Response |
| Supply Chain / Third Party | 6.3 | Supply Chain Vulnerability Disclosure | #1 ICS Incident Response |
| Response and Recovery | 7.1 | Incident Reporting | #1 ICS Incident Response |
| Response and Recovery | 7.2 | Incident Response (IR) Plans | #1 ICS Incident Response |
| Response and Recovery | 7.3 | System Back Ups | #2 Defensible Architecture |
| Response and Recovery | 7.4 | Document Network Topology | #2 Defensible Architecture; #3 ICS Network Visibility & Monitoring |
| Other | 8.1 | Network Segmentation | #2 Defensible Architecture |
| Other | 8.2 | Detecting Relevant Threats and TTPs | #3 ICS Network Visibility & Monitoring |
| Other | 8.3 | Email Security | #2 Defensible Architecture |
Both the CPGs and the five critical controls offer small and medium businesses a path to reduce the complexity often encountered in a comprehensive cybersecurity program. The two complement each other and can help reduce the resources required to implement sound security practices against the most pressing cybersecurity threats. At the same time, indirect collaboration among small and medium businesses through lessons learned, tabletop exercises, and knowledge sharing strengthens the entire community and provides a framework for continuously improving and bolstering cybersecurity defenses.
Join Dragos OT-CERT Today
Dragos provides additional resources to resource-challenged organizations with OT environments that lack in-house security expertise through the Dragos OT-CERT membership. This membership is free and open to all OT asset owners and operators. Members can access a growing library of resources such as reports, webinars, training, recommended practice blogs, assessment toolkits, tabletop exercises, and more.