Critical infrastructure operators face a hostile cyber threat environment and a complex compliance landscape. Every operator of an industrial control system also operates an IT network to serve its productivity needs. A supervisory control and data acquisition (SCADA) system operator of a power grid or chemical plant needs email, databases, and business applications to support it, much like any enterprise.
IT environments, with their large attack surface, can be the entry point for attacks on critical infrastructure even where those IT systems are not critical infrastructure themselves. Security and compliance failures may carry life-safety, environmental, or national security consequences, which is a different risk management challenge from other enterprise IT systems.
Ransomware, thought of more as an IT problem than an industrial control system (ICS) one, has been used to attack critical infrastructure operators Norsk Hydro, Brazilian utilities Electrobras and Copel, as well as Reading Municipal Light Department and Lansing Board of Water and Light among other US utilities. Dragos and IBM X-Force identified 194 ransomware attacks against industrial entities between 2018 and 2020, including ICS-specific strains like EKANS.
The range of threats to our increasingly converged IT and ICS environments underscores the need for a combined approach to IT and ICS security.
Azure Defender for IoT is the cornerstone of security for on-premises, cloud, and hybrid ICS. In addition to the anti-malware features of Microsoft 365, integrating Advanced Threat Protection (ATP) and Microsoft Compliance Manager to manage, visualize, and report on standards-based compliance is also foundational.
Complex compliance landscape
As the cyber threat landscape for ICS has grown more hostile and more publicized, the compliance responsibilities of critical infrastructure operators have increased as well. In the US and Canada, Bulk Electric System (BES) participants need to comply with the North American Electric Reliability Corporation Critical Infrastructure Protection Standards (NERC CIP), as well as using NIST 800-53 as the basis for their organizational security policies and benchmarking against the National Institute of Standards and Technology (NIST) Cybersecurity Framework. They may also be architecting their ICS to IEC 62443/ISA 99. Many forward-looking utilities are increasing their use of the cloud through infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS) like Microsoft 365 with a Zero Trust architecture.
While NERC CIP standards were written around on-premises systems, NERC has become more open to Registered Entities’ use of the cloud for Bulk Electric System Cyber System Information (BCSI). This includes NERC’s Order on Virtualization and Cloud Computing Services and its Technical Rationale for Reliability Standard CIP-011-3, which discusses risk assessment of a cloud services provider. That risk assessment will include the ongoing standards-based assessment of the cloud service provider.
Comprehensive and efficient compliance
When customers use Office 365, Microsoft helps them manage 79 percent of the 1,021 NIST 800-53 controls, so customers need only focus on implementing and maintaining the remaining 21 percent of the controls. Under the shared responsibility model, the customer resources this frees up can be applied to further securing their systems. Customers that use on-premises infrastructure to provide those functions need to implement and maintain all 1,021 controls.
Tools for comprehensive and efficient compliance
Microsoft Compliance Manager is a feature in the Microsoft 365 compliance center. It uses signals from the customer’s Microsoft 365 tenant, Microsoft’s compliance program, and workflows completed by the customer to manage and report compliance against regulatory and industry-standard templates. These templates include NERC CIP, the NIST Cybersecurity Framework (CSF), NIST 800-53, and the US Protecting and Securing Chemical Facilities from Terrorist Attacks Act (H.R. 4007), as well as more than 330 standards-based assessments globally. You can also create custom templates based on other standards or mapped to your own policies and control set.
With each Compliance Manager assessment template, you get simplified guidance on “what to do” to meet the regulatory requirements. In particular, you see which controls are Microsoft’s responsibility as your cloud service provider and which controls are your responsibility. For each of the controls that are your responsibility, we break down the actions you need to take to meet the control requirements. These actions can be procedural, documentation, or technical.
For technical actions, you get step-by-step guidance on how to use Microsoft security, compliance, identity, or management solutions to implement and test them. With this detailed information, you can efficiently implement, test, and demonstrate your compliance with the regulations that apply to your industry and region. The same information helps you get the most out of your Microsoft 365 security and compliance solutions. Once you create assessments within Compliance Manager, it is easy to see which solutions you can use to implement and test technical actions.
You can use the custom assessment feature to “extend” Compliance Manager assessment templates to track compliance against non-Microsoft 365 assets as well. With this functionality, Compliance Manager helps you track and manage compliance across all your assets.
Different template sets are available for the different license levels.
Microsoft updates the assessment templates when standards change, relieving the customer of that work. The changes are called out to the customer, and the option to update the assessment is provided.
Compliance Manager tracks, reports, and provides visualizations for three kinds of controls:
Microsoft-managed controls: controls for Microsoft cloud services that Microsoft is responsible for implementing.
Your controls: controls implemented and managed by your organization, sometimes referred to as “customer-managed controls.”
Shared controls: controls that both your organization and Microsoft share responsibility for implementing.
The ratings come with visualizations that let the user drill down into the status of each control and view its evidence. High-impact improvement actions are suggested.
Compliance Manager covers both the Microsoft-managed and customer-managed controls as part of the shared cloud security and compliance responsibility framework. Automated workflows and evidence repositories are provided for customer-managed and shared controls.
You can designate a stakeholder, and an automated message with instructions and an upload link is sent on a schedule to remind them of the required compliance activity, to report status, and to upload evidence. This provides an efficient and defensible system for responding to auditors and benchmarking compliance programs.
Mapping controls across standards, for example:
Access Control (PR.AC): Access to assets and associated facilities is limited to authorized users, processes, or devices, and to authorized activities and transactions.
PR.AC-1: Identities and credentials are managed for authorized devices and users.
NIST SP 800-53 Rev. 4: AC-2, IA Family
ISO/IEC 27001:2013: A.9.2.1, A.9.2.2, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3
NERC CIP-004-6: Access Management Program, Parts 4 and 5
This crosswalk across standards is part of Compliance Manager and is populated automatically across a customer’s assessments.
The level of effort to benchmark and report compliance with a new standards regime is dramatically reduced.
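To make the crosswalk mechanism concrete, here is an added example (written for this page; it is not Microsoft Compliance Manager code and does not reflect its internal data model) that uses a NIST CSF subcategory as the hub between standards, records evidence against one standard, and projects that evidence onto a second standard to show which of its controls are covered, partially covered, or gaps. The PR.AC-1 row mirrors the mapping quoted above; the PR.AC-3 row and all evidence values are constructed sample data, and the function names are the example's own.

```python
"""Project control evidence across standards through a NIST CSF crosswalk.

Added example, not code from the original post or from Compliance Manager.
The PR.AC-1 row reproduces the mapping quoted in the post; the PR.AC-3 row
is constructed and illustrative, not taken from any published crosswalk.
"""
from collections import defaultdict

NIST_80053 = "NIST SP 800-53 Rev. 4"
ISO_27001 = "ISO/IEC 27001:2013"
NERC_CIP = "NERC CIP"

# Hub-and-spoke crosswalk: CSF subcategory -> {standard: [controls]}.
CROSSWALK = {
    "PR.AC-1": {  # from the post's quoted row
        NIST_80053: ["AC-2", "IA family"],
        ISO_27001: ["A.9.2.1", "A.9.2.2", "A.9.2.4", "A.9.3.1", "A.9.4.2", "A.9.4.3"],
        NERC_CIP: ["CIP-004-6 Part 4", "CIP-004-6 Part 5"],
    },
    "PR.AC-3": {  # constructed row so the gap logic has something to find
        NIST_80053: ["AC-17", "AC-19"],
        ISO_27001: ["A.6.2.1", "A.6.2.2"],
        NERC_CIP: ["CIP-005-5 Part 2"],
    },
}

# Constructed evidence: (standard, control) -> recorded status.
SAMPLE_EVIDENCE = {
    (NIST_80053, "AC-2"): "implemented",
    (NIST_80053, "IA family"): "implemented",
    (NIST_80053, "AC-17"): "implemented",
    (NIST_80053, "AC-19"): "planned",
}

# Worst-to-best ordering; a target control inherits the worst of its hubs.
RANK = {"unmapped": 0, "gap": 1, "partial": 2, "covered": 3}


def reverse_index(crosswalk):
    """Map (standard, control) -> set of CSF subcategories that cite it."""
    index = defaultdict(set)
    for subcat, per_std in crosswalk.items():
        for std, controls in per_std.items():
            for ctrl in controls:
                index[(std, ctrl)].add(subcat)
    return index


def subcategory_status(crosswalk, evidence, source_std):
    """Status of each CSF subcategory from evidence recorded against source_std."""
    status = {}
    for subcat, per_std in crosswalk.items():
        controls = per_std.get(source_std, [])
        if not controls:
            status[subcat] = "unmapped"
            continue
        done = sum(1 for c in controls if evidence.get((source_std, c)) == "implemented")
        if done == len(controls):
            status[subcat] = "covered"
        elif done:
            status[subcat] = "partial"
        else:
            status[subcat] = "gap"
    return status


def benchmark(crosswalk, evidence, source_std, target_std):
    """Project source_std evidence onto target_std controls.

    Returns {target_control: {"status": ..., "via": [subcategories]}} so an
    auditor can trace which hub(s) the inherited status came from.
    """
    hub_status = subcategory_status(crosswalk, evidence, source_std)
    result = {}
    for subcat, per_std in crosswalk.items():
        for ctrl in per_std.get(target_std, []):
            entry = result.setdefault(ctrl, {"status": "covered", "via": []})
            entry["via"].append(subcat)
            if RANK[hub_status[subcat]] < RANK[entry["status"]]:
                entry["status"] = hub_status[subcat]
    return result


def summarize(result):
    """Count target controls per status, for a one-line benchmark figure."""
    counts = {s: 0 for s in RANK}
    for entry in result.values():
        counts[entry["status"]] += 1
    return counts


if __name__ == "__main__":
    report = benchmark(CROSSWALK, SAMPLE_EVIDENCE, NIST_80053, NERC_CIP)
    for ctrl, entry in sorted(report.items()):
        print(f"{ctrl:<18} {entry['status']:<8} via {', '.join(entry['via'])}")
    print(summarize(report))
```

Evidence recorded once against NIST 800-53 is reused for the NERC CIP benchmark, and every inherited status carries the subcategory it came through, which is what makes the projection defensible in front of an auditor rather than a bare percentage.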
IT and ICS convergence is a continuing trend for critical infrastructure operators. Attack methodologies, attack surfaces, and threat actors are crossing over to put our most critical resources at risk. Compliance regimes must be met efficiently and in an auditable way to protect the availability of our systems. Microsoft provides the range of tools described above to help you manage across the IT and ICS environments.
To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.
The post Meet critical infrastructure security compliance requirements with Microsoft 365 appeared first on Microsoft Security.