Malicious actors have critical infrastructure firmly in their crosshairs, understanding the enormous damage that can be inflicted by compromising these vital systems. From power grids and water supplies to transportation networks and communication systems, the backbone of modern society is under constant threat.

Protecting these operational technology (OT) infrastructures is a matter of national security, public safety, and economic stability. A successful attack could result in widespread disruptions, catastrophic losses, and, in the worst-case scenario, loss of life. The stakes have never been higher, placing the protection of critical infrastructure at the top of the priority list. One way to do this is with CIS Controls.

What Are CIS Controls?

The CIS Critical Security Controls (CIS Controls) are a prioritized set of best practices for defending against the most common cyber threats. They were developed by the Center for Internet Security (CIS), a non-profit organization dedicated to enhancing cybersecurity, and apply to organizations of every size and sector, including the critical infrastructure operators discussed here. Version 8 organizes the guidance into 18 Controls broken down into 153 Safeguards, grouped into three Implementation Groups (IG1 to IG3) so that an organization can start with the essential cyber hygiene subset and build up from there. Each Control is aimed at reducing a specific class of risk and improving overall security posture.

In this blog, we’ll look at the areas each control addresses, why they are important, and the tools available to help businesses adhere to them.

Control 1: Inventory and Control of Enterprise Assets

The foundation of any robust cybersecurity strategy is understanding the organization’s assets, who controls them, and their roles within the infrastructure. This means creating and maintaining an accurate, up-to-date inventory of all hardware connected to the network, including assets beyond the IT team’s direct control, such as staff members’ personal devices. This inventory must remain dynamic since portable devices often connect to and disconnect from networks.

This is important because securing every potential attack surface becomes nearly impossible without a clear understanding of all assets connected to the network. Maintaining a comprehensive inventory and eliminating unauthorized devices can significantly reduce the risk of exposure.

Control 2: Inventory and Control of Software Assets

This control addresses the threats posed by the wide range of software used in modern OT environments. Key practices include:

  • Identifying and documenting all software assets and removing outdated or vulnerable ones.
  • Preventing unauthorized software installation through an allowlist of approved applications.
  • Using automated tools to monitor and manage software.

Exploitation of unpatched, internet-facing software is one of the most common initial access routes for ransomware operators, alongside phishing and stolen credentials. Maintaining a comprehensive software inventory is what makes it possible to know which assets are affected when a vulnerability is announced and to confirm that patches have actually landed. This is especially crucial for applications built on open-source components, because vulnerabilities in widely used components are publicly disclosed and working exploit code often follows within days.
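Controls 1 and 2 both come down to the same reconciliation: compare what is actually seen on the wire and installed on hosts against what has been approved, and flag the differences in both directions. The following is an added example (not code from the original post or from Fortra/Alert Logic) that does this for both controls in Python. The hardware side consumes arp-scan style output (IP, MAC, vendor) and the software side consumes dpkg-query style output (package, version); both input formats and all the sample data are constructed assumptions, not anything the CIS Controls prescribe.

```python
# Added example: reconcile discovered hosts and installed packages against an
# authorized inventory (CIS Controls 1 and 2). All inputs are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str      # unauthorized_host | missing_host | unauthorized_software | unapproved_version
    subject: str   # MAC address or package name
    detail: str


# Constructed authorized hardware inventory: MAC address -> asset name.
AUTHORIZED_HOSTS = {
    "00:1a:2b:3c:4d:01": "plc-line1",
    "00:1a:2b:3c:4d:02": "hmi-control-room",
    "00:1a:2b:3c:4d:03": "historian-db",
}

# Constructed software allowlist: package -> set of approved versions.
AUTHORIZED_SOFTWARE = {
    "openssh-server": {"9.6p1"},
    "postgresql": {"15.6", "15.7"},
}

# Constructed discovery output in arp-scan style: ip<TAB>mac<TAB>vendor.
ARP_SCAN_OUTPUT = """\
10.10.1.10\t00:1a:2b:3c:4d:01\tSiemens AG
10.10.1.11\t00:1a:2b:3c:4d:02\tDell Inc.
10.10.1.57\t00:1A:2B:3C:4D:99\tRaspberry Pi Foundation
"""

# Constructed package listing in `dpkg-query -W` style: package<TAB>version.
PACKAGE_LIST = """\
openssh-server\t9.6p1
postgresql\t15.5
anydesk\t7.0.1
"""


def parse_arp_scan(text: str) -> dict:
    """Return {mac: ip}; MACs are normalized to lowercase so case differences
    between tools do not produce false 'unauthorized' hits."""
    seen = {}
    for line in text.splitlines():
        parts = line.strip().split("\t")
        if len(parts) >= 2:
            seen[parts[1].lower()] = parts[0]
    return seen


def parse_package_list(text: str) -> dict:
    """Return {package: version}."""
    pkgs = {}
    for line in text.splitlines():
        parts = line.strip().split("\t")
        if len(parts) == 2:
            pkgs[parts[0]] = parts[1]
    return pkgs


def reconcile_hosts(discovered: dict, authorized: dict) -> list:
    """Unauthorized = seen but not approved; missing = approved but not seen.
    Both matter: a missing asset may have been replaced or moved off-network."""
    findings = []
    for mac, ip in sorted(discovered.items()):
        if mac not in authorized:
            findings.append(Finding("unauthorized_host", mac, f"seen at {ip}, not in inventory"))
    for mac, name in sorted(authorized.items()):
        if mac not in discovered:
            findings.append(Finding("missing_host", mac, f"{name} in inventory but not seen on the wire"))
    return findings


def reconcile_software(installed: dict, allowlist: dict) -> list:
    """Flag packages outside the allowlist and approved packages at a version
    that has not been approved (typically an unpatched one)."""
    findings = []
    for name, version in sorted(installed.items()):
        if name not in allowlist:
            findings.append(Finding("unauthorized_software", name, f"{version} installed, not on allowlist"))
        elif version not in allowlist[name]:
            findings.append(Finding("unapproved_version", name,
                                    f"{version} installed, approved: {sorted(allowlist[name])}"))
    return findings


if __name__ == "__main__":
    for f in reconcile_hosts(parse_arp_scan(ARP_SCAN_OUTPUT), AUTHORIZED_HOSTS):
        print(f)
    for f in reconcile_software(parse_package_list(PACKAGE_LIST), AUTHORIZED_SOFTWARE):
        print(f)
```

Keying hosts on MAC rather than IP is deliberate: DHCP reuses addresses, so an IP-keyed inventory drifts within days. The software check reports an approved package at an unapproved version as its own finding kind, because that is usually the "patch was never applied" case rather than a rogue install.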

Control 3: Data Protection

Data is one of any organization’s most valuable assets. CIS Control 3 provides guidelines for protecting data, including processes for identifying, classifying, securely handling, retaining, and disposing of it. This control includes provisions for:

  • Data inventory
  • Access controls
  • Retention and disposal policies
  • Data encryption (at all stages, including on removable media)
  • Data classification
  • Flow mapping
  • Segmenting data based on sensitivity
  • Data loss prevention
  • Logging access to sensitive data

Data loss or damage often happens due to human error or poor security practices, not only malicious actions. Implementing solutions to detect data exfiltration can mitigate these risks and lessen the impact of data compromise.

Control 4: Secure Configuration of Enterprise Assets and Software

This control outlines best practices for establishing and maintaining secure configurations on hardware and software assets.

Even a single misconfiguration can create security risks and disrupt operations. Automating hardening and monitoring IT assets can help build strong baseline configurations and provide real-time alerts on any unexpected changes, thus reducing risk.
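A secure-configuration baseline only helps if it is checked against the configuration the system actually applies, which is not always what the file appears to say. The following added example (not code from the original post or from Fortra/Alert Logic) audits an OpenSSH sshd_config against a small hardening baseline in Python. It shows the weak configuration beside the hardened one and encodes two details auditors often get wrong: sshd uses the first value it reads for a directive, and everything after the first Match line is conditional rather than global. The baseline values and the defaults assumed for absent directives are taken from the sshd_config(5) documentation for current OpenSSH releases and are assumptions to adjust for the version and vendor package in use; both config files are constructed.

```python
# Added example: audit sshd_config against a hardening baseline (CIS Control 4).
# Baseline: directive -> (acceptable values, value sshd applies when absent).
# The defaults below follow sshd_config(5) for current OpenSSH and are an
# assumption; vendor packages may ship different defaults.
BASELINE = {
    "permitrootlogin":        ({"no"}, "prohibit-password"),
    "passwordauthentication": ({"no"}, "yes"),
    "permitemptypasswords":   ({"no"}, "no"),
    "x11forwarding":          ({"no"}, "no"),
    "maxauthtries":           ({"3", "4"}, "6"),
}

# Constructed sshd_config with weak settings. Note the Match block: the
# PasswordAuthentication no inside it applies only to user "backup" and does
# not fix the global setting above it.
WEAK_CONFIG = """\
# constructed sshd_config, weak
Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
MaxAuthTries 6
Match User backup
    PasswordAuthentication no
"""

# Constructed sshd_config after hardening. The trailing PermitRootLogin yes
# is ignored by sshd because the first value of a directive wins.
HARDENED_CONFIG = """\
# constructed sshd_config, hardened
Port 22
PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
MaxAuthTries 3
# sshd keeps the first value it read, so the next line has no effect
PermitRootLogin yes
"""


def parse_sshd_config(text: str) -> dict:
    """Return the effective global settings as {directive_lower: value_lower}.
    Directive names are case-insensitive, the first occurrence wins, and
    parsing stops at the first Match line because later lines are conditional."""
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        if len(parts) == 2:
            effective.setdefault(key, parts[1].strip().lower())
    return effective


def audit(effective: dict, baseline: dict = BASELINE) -> list:
    """Return (directive, effective_value, source, allowed) for each deviation.
    A directive that is simply absent is judged by the default sshd would apply,
    so a missing PasswordAuthentication line is still a finding."""
    findings = []
    for directive, (allowed, default) in sorted(baseline.items()):
        if directive in effective:
            value, source = effective[directive], "explicit"
        else:
            value, source = default, "default"
        if value not in allowed:
            findings.append((directive, value, source, sorted(allowed)))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(parse_sshd_config(cfg)))
```

Run against the weak file this reports four deviations; the hardened file reports none. The "default" source tag is the part worth keeping in a real baseline checker: an auditor who only greps for explicit lines will pass a host on which PasswordAuthentication was never set at all.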

Control 5: Account Management

Control 5 focuses on securely managing user, administrator, and service accounts. Key steps include:

  • Maintaining an inventory of all accounts
  • Using unique passwords
  • Disabling inactive accounts after 45 days
  • Restricting privileged account use
  • Managing service accounts centrally

Unused and privileged accounts leave the door open for threat actors to infiltrate the network. Minimizing and controlling these accounts improves data security and reduces the risk of unauthorized access.
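The 45-day dormancy rule is mechanical enough to automate, and the check is worth running on a schedule rather than during an annual review. The following added example (not code from the original post or from Fortra/Alert Logic) applies it in Python to a constructed account export. The CSV layout (name, type, privileged flag, creation date, last login) is an assumed format standing in for whatever a directory or lastlog export provides; the reference date is passed in explicitly so the result is reproducible.

```python
# Added example: find accounts dormant beyond the Control 5 threshold.
# The account export format is a constructed assumption.
from dataclasses import dataclass
from datetime import date, timedelta

DORMANT_AFTER = timedelta(days=45)   # CIS Control 5 dormancy threshold


@dataclass(frozen=True)
class DormantAccount:
    name: str
    days_inactive: int
    severity: str   # "high" for privileged accounts, otherwise "medium"


# Constructed export: "never" means no interactive login has been recorded.
ACCOUNT_EXPORT = """\
name,type,privileged,created,last_login
jsmith,user,no,2023-01-10,2024-08-01
aturner,user,no,2023-03-04,2024-05-02
svc_backup,service,no,2022-11-20,never
root-ops,user,yes,2022-02-01,2024-04-15
contractor7,user,no,2024-07-30,never
"""


def parse_accounts(text: str) -> list:
    """Parse the constructed CSV into dicts with real date objects."""
    lines = text.strip().splitlines()
    header = lines[0].split(",")
    accounts = []
    for line in lines[1:]:
        rec = dict(zip(header, line.split(",")))
        rec["privileged"] = rec["privileged"] == "yes"
        rec["created"] = date.fromisoformat(rec["created"])
        rec["last_login"] = (None if rec["last_login"] == "never"
                             else date.fromisoformat(rec["last_login"]))
        accounts.append(rec)
    return accounts


def find_dormant(accounts: list, today: date, threshold: timedelta = DORMANT_AFTER) -> list:
    """Accounts whose last login (or creation, if they never logged in) is
    older than the threshold. Privileged accounts are escalated because a
    dormant admin account is the more valuable target."""
    dormant = []
    for acct in accounts:
        if acct["type"] == "service":
            # No interactive login is expected for a service account, so
            # "last login" is not a dormancy signal here; these belong in the
            # separate service-account inventory Control 5 calls for.
            continue
        anchor = acct["last_login"] or acct["created"]
        inactive = today - anchor
        if inactive > threshold:
            dormant.append(DormantAccount(
                acct["name"], inactive.days, "high" if acct["privileged"] else "medium"))
    return dormant


if __name__ == "__main__":
    for d in find_dormant(parse_accounts(ACCOUNT_EXPORT), today=date(2024, 8, 20)):
        print(d)
```

Two design points: an account that has never logged in is measured from its creation date, so a contractor account provisioned and never used still ages out; and service accounts are excluded from this particular rule rather than silently passed, because the right control for them is inventory and central management, not a login-based timer.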

Control 6: Access Control Management

This control involves managing user privileges through practices such as establishing processes for granting and revoking access, using multifactor authentication (MFA), and maintaining an inventory of systems that require access control.

Granting excessive privileges increases the attack surface. Enforcing the principle of least privilege and limiting user access to only what is strictly necessary for their role reduces security risks.

Control 7: Continuous Vulnerability Management

This control covers the identification, prioritization, documentation, and remediation of security vulnerabilities in company networks, including open services, network ports, and default accounts.

Vulnerabilities that are not identified and addressed proactively are the ones attackers use to compromise assets and cause business disruptions.

Control 8: Audit Log Management

Audit log management involves controls for collecting, storing, retaining, time-synchronizing, and reviewing audit logs.

Security logging and analysis are vital for detecting and understanding malicious activities. Complete logs are key to responding quickly and effectively to incidents and conducting thorough follow-up investigations.
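Collected logs earn their keep when something actually reads them. The following added example (not code from the original post or from Fortra/Alert Logic) runs two checks over a constructed sshd auth.log excerpt in Python: a sliding-window brute-force detection that escalates when the same source then authenticates successfully, and a timestamp-ordering check, since unsynchronized clocks (the subject of Control 8's time-synchronization safeguard) show up in a log as time running backwards. The log lines are constructed; the hostnames, addresses and thresholds are assumptions.

```python
# Added example: detection logic over sshd auth log lines (CIS Control 8).
# The log excerpt is constructed; thresholds are assumptions.
import re
from collections import defaultdict
from datetime import datetime, timedelta

AUTH_LOG = """\
Aug 20 10:15:01 hmi01 sshd[2231]: Failed password for invalid user admin from 203.0.113.45 port 51234 ssh2
Aug 20 10:15:03 hmi01 sshd[2233]: Failed password for invalid user admin from 203.0.113.45 port 51236 ssh2
Aug 20 10:15:04 hmi01 sshd[2235]: Failed password for operator from 203.0.113.45 port 51238 ssh2
Aug 20 10:15:06 hmi01 sshd[2237]: Failed password for operator from 203.0.113.45 port 51240 ssh2
Aug 20 10:15:07 hmi01 sshd[2239]: Failed password for operator from 203.0.113.45 port 51242 ssh2
Aug 20 10:15:09 hmi01 sshd[2241]: Accepted password for operator from 203.0.113.45 port 51244 ssh2
Aug 20 10:20:00 hmi01 sshd[2260]: Failed password for operator from 10.10.1.11 port 40001 ssh2
Aug 20 10:19:30 hmi01 sshd[2262]: Accepted publickey for operator from 10.10.1.11 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_auth_log(text: str, year: int = 2024) -> list:
    """Parse sshd lines. Classic syslog timestamps carry no year, so one is
    supplied; that ambiguity is itself a reason to collect logs centrally
    with full, synchronized timestamps."""
    events = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp = " ".join(m["ts"].split())          # collapse "Aug  5" style padding
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        events.append({"line": lineno, "ts": ts, "result": m["result"],
                       "user": m["user"], "ip": m["ip"]})
    return events


def detect_bruteforce(events: list, threshold: int = 5,
                      window: timedelta = timedelta(minutes=5)) -> list:
    """Alert once `threshold` failures from one source fall inside `window`;
    escalate if that source then logs in successfully within the window."""
    alerts, failures, flagged = [], defaultdict(list), set()
    for ev in events:
        recent = failures[ev["ip"]]
        if ev["result"] == "Failed":
            recent.append(ev["ts"])
            while recent and ev["ts"] - recent[0] > window:   # slide the window
                recent.pop(0)
            if len(recent) >= threshold and ev["ip"] not in flagged:
                flagged.add(ev["ip"])
                alerts.append(("bruteforce", ev["ip"],
                               f"{len(recent)} failures by {ev['ts']:%H:%M:%S}"))
        elif ev["ip"] in flagged and recent and ev["ts"] - recent[-1] <= window:
            alerts.append(("success_after_bruteforce", ev["ip"],
                           f"user {ev['user']} at {ev['ts']:%H:%M:%S}"))
    return alerts


def out_of_order_lines(events: list) -> list:
    """Line numbers whose timestamp precedes the previous line's: a sign of
    unsynchronized clocks or reordered/tampered log shipping."""
    return [cur["line"] for prev, cur in zip(events, events[1:]) if cur["ts"] < prev["ts"]]


if __name__ == "__main__":
    evs = parse_auth_log(AUTH_LOG)
    print(detect_bruteforce(evs))
    print("out of order:", out_of_order_lines(evs))
```

The "success after brute force" escalation is the alert worth paging on: five failures alone are background noise on any internet-facing host, but five failures followed by an Accepted from the same address is the pattern of a guessed password.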

Control 9: Email and Web Browser Protections

Control 9 aims to secure email and web browsers, two common attack vectors, by implementing measures like blocking malicious URLs and file types. It also emphasizes organization-wide training on best practices for security.

Cybercriminals frequently use sophisticated spoofing and social engineering techniques to deceive users into taking actions that compromise security. Implementing robust security controls and regular training can help prevent these types of attacks.
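Blocking dangerous file types sounds simple, but the filters that work look past the filename. The following added example (not code from the original post or from Fortra/Alert Logic) screens attachments in Python on three signals: a blocked-extension list, the double-extension trick (invoice.pdf.exe), and a mismatch between what the leading bytes say the file is and what its name claims. The extension lists and the sample attachments (filename plus first bytes) are constructed assumptions; a production gateway would carry a far longer list and a real file-type library.

```python
# Added example: attachment screening by extension and content sniffing
# (CIS Control 9). Lists and samples are constructed assumptions.

# Extensions that have no business arriving as attachments in most environments.
BLOCKED_EXTENSIONS = {"exe", "scr", "com", "pif", "js", "jse", "vbs", "hta", "bat",
                      "cmd", "ps1", "jar", "lnk", "iso", "msi", "docm", "xlsm", "pptm"}
# Document-looking extensions attackers place in front of the real one.
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
# Leading bytes -> content kind, and the extensions that kind may legitimately carry.
MAGIC = [
    (b"MZ", "exe", {"exe", "dll", "scr"}),
    (b"%PDF", "pdf", {"pdf"}),
    (b"PK\x03\x04", "zip", {"zip", "docx", "xlsx", "pptx", "docm", "xlsm", "pptm", "jar", "odt"}),
    (b"\xd0\xcf\x11\xe0", "ole", {"doc", "xls", "ppt", "msi"}),
]


def sniff(head: bytes):
    """Identify the content kind from the first bytes; None if unknown."""
    for signature, kind, allowed in MAGIC:
        if head.startswith(signature):
            return kind, allowed
    return None, None


def evaluate_attachment(filename: str, head: bytes) -> list:
    """Return the reasons to block this attachment; an empty list means allow."""
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    reasons = []
    if ext in BLOCKED_EXTENSIONS:
        reasons.append(f"blocked extension .{ext}")
    if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTENSIONS:
        reasons.append(f"double extension .{parts[-2]}.{ext}")
    kind, allowed = sniff(head)
    if kind and ext not in allowed:
        reasons.append(f"content is {kind} but extension is .{ext}")
    return reasons


# Constructed samples: (filename, first bytes of the file).
SAMPLES = [
    ("invoice.pdf", b"%PDF-1.7\n"),
    ("quarterly.docx", b"PK\x03\x04\x14\x00\x06\x00"),
    ("invoice.pdf.exe", b"MZ\x90\x00\x03\x00"),
    ("report.pdf", b"MZ\x90\x00\x03\x00"),
    ("macro.docm", b"PK\x03\x04\x14\x00\x06\x00"),
    ("notes.txt", b"meeting notes"),
]


def screen(samples=SAMPLES) -> dict:
    """Map each filename to its block reasons."""
    return {name: evaluate_attachment(name, head) for name, head in samples}


if __name__ == "__main__":
    for name, reasons in screen().items():
        print(f"{name}: {'ALLOW' if not reasons else 'BLOCK ' + '; '.join(reasons)}")
```

The report.pdf case is the one a filename-only filter misses: the name is harmless, but the MZ header means it is a Windows executable, and a client that opens by content rather than by extension will run it.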

Control 10: Malware Defenses

This control outlines safeguards for preventing and controlling the installation and spread of malware. The most effective defense combines behavior-based and signature-based anti-malware tools with automated updates.

Malicious code, including ransomware, can steal, encrypt, or destroy data. The global impact of ransomware is expected to reach $265 billion by 2031. Sticking to the practices in this control helps entities protect themselves against these attacks.

Control 11: Data Recovery

Control 11 sets out five key safeguards for robust data backup and recovery:

  • Data recovery process
  • Automated backups
  • Backup data protection
  • Isolated backup data
  • Testing data recovery protocols

Storing backups in a secure location can protect businesses from expensive extortion during a ransomware attack. Robust data recovery is also critical for preventing data loss from accidental deletion or corruption.

Control 12: Network Infrastructure Management

New to CIS Controls v8, control 12 requires active management of all network devices to mitigate risks from attacks on network services and access points.

Network security is essential for defending against attacks. To secure their network infrastructure, businesses must continually evaluate and update configurations, access controls, and traffic flows. Comprehensively documenting and monitoring the network for unauthorized changes helps identify and mitigate security risks.

Control 13: Network Monitoring and Defense

Also new to CIS Controls v8, this control emphasizes the use of processes and tools to monitor and protect against security threats across the network infrastructure and user base. The 11 safeguards cover data collection and analysis, traffic filtering, access control management, traffic flow logging, and security event alerting.

Amalgamating automated technology with a trained team can help detect, analyze, and mitigate network threats more effectively.

Control 14: Security Awareness and Skills Training

Implementing a cybersecurity education program to improve awareness and skills among users is covered in control 14. Key areas to cover include:

  • Recognizing social engineering attacks
  • Authentication best practices
  • Safe data handling, including the risks of insecure networks
  • Causes of unintentional data exposure
  • Recognizing and reporting security incidents
  • Identifying and reporting missing security updates
  • Role-specific security awareness training

A vast number of data breaches happen due to human error, phishing attacks, and poor password policies. Security training helps to prevent breaches, identity theft, compliance penalties, and other damages that accompany them.

Control 15: Service Provider Management

Control 15, another new control in CIS Controls v8, addresses the management of data, processes, and systems handled by third-party service providers. It includes guidelines for creating a service provider inventory, classifying providers, incorporating security requirements into contracts, and assessing and monitoring providers.

Even when a business outsources services, it remains accountable for its data security. Effectively managing service providers is crucial to ensure that their handling of data aligns with the company’s security standards.

Control 16: Application Software Security

This control focuses on managing the software’s security lifecycle. It includes ensuring applications are up to date and all relevant patches are installed promptly.

Threat actors exploit vulnerabilities in web applications and other software to achieve their goals. Techniques like buffer overflows, SQL injection, cross-site scripting, and clickjacking can compromise a business's data without having to defeat perimeter network controls, because the malicious request arrives on a port the firewall already allows.
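SQL injection is the clearest illustration of why Control 16 insists on never trusting input. The following added example (not code from the original post or from Fortra/Alert Logic) puts a deliberately vulnerable lookup beside its hardened form in Python, using an in-memory SQLite database with a constructed users table. The vulnerable version concatenates the username into the query; the hardened one passes it as a bound parameter, so the same payloads are treated as a literal string rather than as SQL.

```python
# Added example: SQL injection, vulnerable lookup beside the parameterized fix
# (CIS Control 16). Uses an in-memory SQLite database with constructed rows.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table standing in for an application's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("operator", "user"), ("admin", "admin"), ("historian", "service")])
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """DELIBERATELY VULNERABLE: untrusted input is spliced into the SQL text,
    so quote characters in the input change the query's structure."""
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, username: str) -> list:
    """Hardened: the value travels separately from the SQL as a bound
    parameter and can never be interpreted as part of the statement."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Two classic payloads: one that widens the WHERE clause to every row, and a
# UNION that pulls the schema out of SQLite's catalog table.
TAUTOLOGY = "' OR '1'='1"
UNION_DUMP = "' UNION SELECT name, sql FROM sqlite_master--"


def demo() -> dict:
    """Run both lookups against both payloads and a legitimate name."""
    conn = make_db()
    return {
        "vulnerable_tautology": lookup_vulnerable(conn, TAUTOLOGY),
        "hardened_tautology": lookup_hardened(conn, TAUTOLOGY),
        "vulnerable_union": lookup_vulnerable(conn, UNION_DUMP),
        "hardened_union": lookup_hardened(conn, UNION_DUMP),
        "legitimate": lookup_hardened(conn, "admin"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The tautology payload returns all three rows from the vulnerable function and none from the hardened one, and the UNION payload returns the CREATE TABLE statement itself from the vulnerable function. Escaping quotes by hand is not an alternative to the fix shown: parameter binding removes the class of bug, while escaping only addresses the cases the escaper knows about.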

Control 17: Incident Response Management

Proper incident response includes planning, role definition, training, and oversight to help detect and contain attacks. Control 17 covers all these elements.

The common maxim today is that successful cyberattacks are an inevitability. Without a response plan, businesses may not detect the attack until it is too late, and the damage has been done. A well-designed incident response plan facilitates quicker recovery and minimizes the impact of an attack.

Control 18: Penetration Testing

Control 18 concerns regular external and internal penetration tests to assess an entity’s defenses. These tests help identify vulnerabilities in technology, processes, and individuals that are susceptible to exploitation.

Regularly testing defenses is vital in a technological environment that evolves all the time. This helps companies identify and address chinks in their security armor before attackers do.

CIS Controls v8.1: What’s New?

The release of CIS Controls v8.1 on June 25, 2024 debuted several updates and new governance recommendations to enhance cybersecurity practices. Here’s what businesses should know:

Enhanced governance recommendations

Updated guidance on integrating cybersecurity practices into governance frameworks. This helps align security measures with overall business objectives and risk management strategies.

Improved focus on emerging threats

The new version addresses evolving threats and technologies, offering updated recommendations on handling these challenges. This includes refined strategies for managing cloud security, critical as businesses move more data and workloads to cloud-based environments.

Expanded emphasis on data protection

More emphasis is placed on protecting data across its lifecycle, reflecting the growing importance of data privacy and compliance requirements.

Integration with modern security technologies

It includes guidance on leveraging advanced security technologies, such as MDR and XDR, to enhance the effectiveness of the controls. This integration helps entities avoid advanced threats and respond more efficiently to incidents.

Designed to Align with CIS Controls

Fortra’s Alert Logic solutions are tailored to align with multiple CIS Controls, delivering comprehensive protection and strengthening cybersecurity postures across critical infrastructure. Specifically, Fortra Managed Web Application Firewall (WAF) helps with CIS Safeguard 2.7, Allowlist Authorized Scripts, as it features client-side controls for scripts. In addition, CIS Control 13 calls for Network Monitoring and Defense, and Safeguard 13.10 for Application Layer Filtering. Fortra Managed WAF is also applicable to CIS Control 16, Application Software Security, as Safeguard 16.10 requires input checking for web servers and limiting the attack surface.

Alert Logic’s XDR and MDR solutions also align with other CIS safeguards. For example, our detection and response solutions can support several CIS Controls, including:

  • Control 1: Inventory and Control of Enterprise Assets
  • Control 3: Data Protection
  • Control 6: Access Control Management
  • Control 10: Malware Defenses
  • Control 12: Network Infrastructure Management

Beyond Alert Logic’s managed security solutions, Fortra provides a wide range of solutions that can further strengthen your security strategy as it relates to CIS Controls. These services include advanced data protection, penetration testing, and threat intelligence, which together offer a holistic approach to safeguarding critical infrastructure organizations against known and emerging threats.

A Critical Step for OT Entities

Implementing CIS Controls is essential for organizations aiming to safeguard their OT infrastructure against cyber threats. These controls bring a structured approach to bolstering cybersecurity practices and aligning defenses with best practices. The latest updates in CIS Controls v8.1 further enhance these controls by addressing emerging threats and integrating modern security technologies.

About the Author
Kirsten Doyle
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data center.
