Part 1 Recap: Expanding Risk Management for the Growing Edge
In my last post, we discussed how NIST CSF 2.0 goes beyond cybersecurity risks to encompass a broader spectrum of threats to an organization, and how its core job is defining and managing those risks.
These can be financial, supply-chain, reputational, technological, or physical. This series aims to give a clear picture of how to operationalize risk management for the ever-increasing number of devices at the edge.
Securing the Edge: The Importance of Asset Inventory
The first crucial step in securing your edge environment, following NIST CSF 2.0, is gaining a comprehensive understanding of your operational assets. This means building a meticulous inventory of every device, sensor, controller, and other component that makes up your edge network: you cannot assess, protect, or monitor what you do not know you have.
Identify: Building a Comprehensive View of Your Edge
The “Identify” function in NIST CSF 2.0 has three categories: Asset Management (ID.AM), Risk Assessment (ID.RA), and Improvement (ID.IM).
1. Asset Management: Here, we identify the assets a business unit (BU) depends on to meet its objectives. This involves:
- Inventories of hardware, software, services, and systems managed by the organization.
- Network topology: how the assets are connected, and which of them are allowed to communicate with which (the intended data flows).
- Supplier-provided services that the BU’s inventory depends on.
- Prioritization based on criticality to BU goals, resource requirements, and the potential impact of a compromise.
- Comprehensive metadata (location, owner, financial information, warranty details, support contacts, software bill of materials (SBOM), etc.) and the key data points to watch on each asset, with documented thresholds that trigger action.
- Documentation of lifecycle management for each asset. This is key, because assets quickly become orphaned: nobody knows who owns them, what they are for, or how critical they are to the business.
2. Risk Assessment: This category focuses on cybersecurity risks to the BU, viewed through its assets and personnel. Key considerations include:
- Vulnerability and threat intelligence (from vendors and other sources), alongside internal and external threats (e.g., weak certificate and user management, unpatched vulnerabilities).
- The potential impact on the BU of a failure within a set of owned components.
- Risk response strategies (discussed in a later part of this series).
- Processes for receiving, analyzing, and responding to threats targeting the owned inventory.
- Ensuring the authenticity and integrity of owned components. This includes verifying updates, installing only signed packages from vendors, and rotating credentials when personnel change.
3. Improvement: Continuous monitoring and adjustment are essential.
- This involves monitoring the inventory, managing threat exposure, and making improvements based on KPIs (key performance indicators) that track the performance and security posture of each component. Inputs include evaluations, tests, simulations, and real-world monitoring of production processes.
Implementing Edge Security: A Practical Approach
Here’s how the “Identify” function translates into actions for edge security:
- Device Discovery: Leverage automated tools to identify all connected devices at the edge. These can be network scanners or protocol-specific discovery mechanisms. Be careful with active scanning against fragile OT devices: an aggressive port scan can disrupt a controller, so prefer passive discovery (observing traffic) or vendor-sanctioned protocol probes where that is a risk.
- Device Classification: Categorize devices based on their function, operating system, and security capabilities (for example, whether the protocols they speak support authentication at all). This helps prioritize security efforts and identify likely weak points.
- Data Mapping: Identify the data collected, processed, and transmitted by edge devices, and understand its sensitivity to determine the appropriate security controls. In practice this means recording device metadata and, where the device allows it, defining baseline performance metrics (CPU usage, memory levels, etc.) so that deviations can be noticed.
- Dependency Mapping: Identify how edge devices interact with other systems and applications within the OT environment. This lets you assess the blast radius of a security incident across interconnected systems.
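As an added example (not from the original post, and not a NIST artifact), the Python sketch below turns the Asset Management items and the four steps above into a working inventory build: it merges constructed discovery output with constructed CMDB records, classifies devices by protocol, flags assets with no owner (the orphaning problem), flags assets the CMDB knows about but discovery did not see, computes each asset's blast radius from the dependency graph, and ranks assets by criticality plus dependents. Every hostname, IP, CMDB field name and the protocol-to-class table is an assumption made for illustration.

```python
from collections import deque
from dataclasses import dataclass, field

# Constructed sample of what an automated discovery pass (network scan plus
# Modbus/MQTT/OPC UA probing) might return. Not data from any real network.
DISCOVERED = [
    {"ip": "10.0.10.11", "hostname": "plc-line1",  "protocols": ["modbus"],          "os": "VxWorks 6.9"},
    {"ip": "10.0.10.12", "hostname": "plc-line2",  "protocols": ["modbus"],          "os": "VxWorks 6.9"},
    {"ip": "10.0.10.20", "hostname": "gw-sensors", "protocols": ["mqtt"],            "os": "Linux 5.10"},
    {"ip": "10.0.10.30", "hostname": "hmi-line1",  "protocols": ["opc-ua"],          "os": "Windows 10 IoT"},
    {"ip": "10.0.10.40", "hostname": "historian",  "protocols": ["opc-ua", "https"], "os": "Windows Server 2019"},
    {"ip": "10.0.10.99", "hostname": "",           "protocols": ["ssh"],             "os": "Linux"},
]

# Constructed CMDB records keyed by hostname (hypothetical schema).
# 'depends_on' lists the assets this one consumes data or services from.
CMDB = {
    "plc-line1":  {"owner": "ops-line1", "criticality": 5, "depends_on": [],                          "sbom": "sbom/plc-line1.json"},
    "plc-line2":  {"owner": "",          "criticality": 5, "depends_on": [],                          "sbom": "sbom/plc-line2.json"},
    "gw-sensors": {"owner": "ops-iot",   "criticality": 3, "depends_on": [],                          "sbom": "sbom/gw-sensors.json"},
    "hmi-line1":  {"owner": "ops-line1", "criticality": 4, "depends_on": ["plc-line1"],               "sbom": "sbom/hmi-line1.json"},
    "historian":  {"owner": "data-eng",  "criticality": 4, "depends_on": ["hmi-line1", "gw-sensors"], "sbom": "sbom/historian.json"},
    "old-rtu":    {"owner": "ops-line2", "criticality": 2, "depends_on": [],                          "sbom": ""},
}

# Heuristic classification by protocol, most specific first (an assumption for
# this example, not a NIST mapping). Modbus/TCP carries no native authentication.
PROTOCOL_CLASS = [("modbus", "controller"), ("mqtt", "sensor-gateway"),
                  ("opc-ua", "supervisory"), ("https", "server"), ("ssh", "generic-host")]
NO_NATIVE_AUTH = {"modbus"}


@dataclass
class Asset:
    asset_id: str
    ip: str
    kind: str
    os: str
    protocols: list
    owner: str = ""
    criticality: int = 0
    depends_on: list = field(default_factory=list)
    sbom: str = ""
    # managed: discovered and in CMDB; unmanaged: discovered only; missing: CMDB only
    status: str = "managed"

    @property
    def native_auth(self) -> bool:
        return not any(p in NO_NATIVE_AUTH for p in self.protocols)


def classify(protocols):
    for proto, kind in PROTOCOL_CLASS:
        if proto in protocols:
            return kind
    return "unknown"


def build_inventory(discovered, cmdb):
    """Merge discovery output with CMDB metadata; flag gaps in both directions."""
    inventory = {}
    for rec in discovered:
        asset_id = rec["hostname"] or rec["ip"]  # fall back to the IP when no name is known
        asset = Asset(asset_id, rec["ip"], classify(rec["protocols"]), rec["os"], list(rec["protocols"]))
        meta = cmdb.get(asset_id)
        if meta is None:
            asset.status = "unmanaged"
        else:
            asset.owner, asset.criticality = meta["owner"], meta["criticality"]
            asset.depends_on, asset.sbom = list(meta["depends_on"]), meta["sbom"]
        inventory[asset_id] = asset
    for asset_id, meta in cmdb.items():
        if asset_id not in inventory:  # known to the CMDB but not seen on the wire
            inventory[asset_id] = Asset(asset_id, "", "unknown", "", [], meta["owner"],
                                        meta["criticality"], list(meta["depends_on"]), meta["sbom"], "missing")
    return inventory


def orphaned(inventory):
    """Assets with no accountable owner; unmanaged devices land here too."""
    return sorted(a.asset_id for a in inventory.values() if not a.owner)


def blast_radius(inventory, asset_id):
    """Every asset that transitively depends on asset_id (reverse of depends_on)."""
    dependents = {}
    for a in inventory.values():
        for dep in a.depends_on:
            dependents.setdefault(dep, []).append(a.asset_id)
    seen, queue = set(), deque([asset_id])
    while queue:
        for nxt in dependents.get(queue.popleft(), []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def prioritize(inventory):
    """Rank by declared criticality plus how many other assets a failure would drag down."""
    scored = [(a.asset_id, a.criticality + len(blast_radius(inventory, a.asset_id)))
              for a in inventory.values()]
    return sorted(scored, key=lambda s: (-s[1], s[0]))


def findings(inventory):
    """The gaps an asset-management review would open tickets for."""
    assets = inventory.values()
    return {"orphaned": orphaned(inventory),
            "missing": sorted(a.asset_id for a in assets if a.status == "missing"),
            "no_native_auth": sorted(a.asset_id for a in assets if not a.native_auth),
            "no_sbom": sorted(a.asset_id for a in assets if not a.sbom)}


if __name__ == "__main__":
    inv = build_inventory(DISCOVERED, CMDB)
    for asset_id, score in prioritize(inv):
        print(f"{score:2d}  {asset_id:<12} {inv[asset_id].kind:<15} {inv[asset_id].status}")
    print(findings(inv))
```

The ranking deliberately scores a PLC above the historian that consumes its data: the PLC has a higher declared criticality and two dependents, so a compromise there propagates further. In a real deployment the discovery list would come from your scanner or passive sensor, and the CMDB dictionary from whatever system of record holds owner, warranty and SBOM references; the point is that the merge is what exposes both unmanaged devices and stale records.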
By following these steps, organizations can develop a detailed understanding of their edge landscape. That understanding forms the foundation for effective risk management and for choosing the security controls to implement.