Operational Technology Cybersecurity Controls

Endpoint Central helps you comply with the Operational Technology Cybersecurity Controls

The rapid evolution of Industrial Control Systems (ICS) has brought increased efficiency and automation to critical infrastructure, but it has also opened the door to an ever-growing wave of cyber threats. As these systems become the backbone of industrial operations, safeguarding them is essential to protect critical infrastructures and ensure operational continuity.

Recognizing this, the Operational Technology Cybersecurity Controls (OTCC) were introduced in 2022 to enhance the security of OT/ICS ecosystems. Designed as an extension of the National Cybersecurity Authority's (NCA) Essential Cybersecurity Controls (ECC), OTCC provides a comprehensive framework for addressing the unique challenges of industrial cybersecurity.

NCA's Definitions of Critical Facilities and Industrial Control Systems (ICS):

Critical facilities are defined as facilities whose destruction and/or dysfunction may lead to the disruption or discontinuity of the organization’s operations.

Additionally, the term Industrial Control Systems (ICS) covers all devices, systems, or networks used to operate and/or automate industrial processes.


The Operational Technology Cybersecurity Controls (OTCC) contains:

• 4 Main Domains.
• 23 Subdomains.
• 47 Main Controls.
• 122 Subcontrols.

In the upcoming sections, we explore how Endpoint Central, ManageEngine’s unified endpoint management and security solution, can assist in building a comprehensive cybersecurity strategy aligned with the Operational Technology Cybersecurity Controls.


Each entry below gives the control's number (S.No) and text from the Operational Technology Cybersecurity Controls, followed by how Endpoint Central helps.

1-5 Cybersecurity in Change Management

Cybersecurity requirements within the organization’s OT/ICS change management must be defined, documented, and approved. The cybersecurity requirements must be a key part of the overall requirements of OT/ICS change management.

Cybersecurity requirements within the organization’s OT/ICS change management lifecycle must be implemented.

In addition to the ECC controls 1-6-2 and 1-6-3, cybersecurity requirements in OT/ICS change management must include, at a minimum, the following:

1-5-3-1 Cybersecurity requirements are part of the change management lifecycle.
1-5-3-2 Changes are validated in a separate environment prior to implementing the changes on the production environment.
1-5-3-3 In the event that OT/ICS devices are replaced with different, but functionally equivalent devices, whether in design, testing, or operation environments, the cybersecurity of the replacement device must be validated prior to being utilized in the operational environment.
1-5-3-4 Restricted processes for exceptional changes must be implemented.
1-5-3-5 Automated configuration and asset change detection mechanisms must be implemented.

Cybersecurity requirements within the organization’s OT/ICS change management requirements must be reviewed, and their implementation effectiveness measured and evaluated periodically.

How Endpoint Central helps:

When patching OT/ICS systems, Endpoint Central provides for testing and approving patches in a test environment before deploying them to production.

Endpoint Central's inventory alerts allow admins to detect any change in the hardware or software used in OT/ICS systems.

2-1 Asset Management

To ensure that the organization has an accurate and detailed inventory of OT/ICS assets in order to support the organization’s cybersecurity and operational requirements to maintain the production uptime, safe operations, confidentiality, integrity, and availability of OT/ICS assets.

In addition to the controls in ECC subdomain 2-1, cybersecurity requirements for asset management in OT/ICS environment must include, at a minimum, the following:

2-1-1-1 OT/ICS asset inventory must be developed in electronic format for all OT/ICS assets, and reviewed periodically.
2-1-1-2 Automated solution to collect asset inventory information must be utilized.
2-1-1-3 OT/ICS asset inventory must be stored securely.
2-1-1-4 Asset owners for all OT/ICS assets must be identified and involved throughout the relevant asset inventory management lifecycle.
2-1-1-5 Criticality rating for all assets must be assigned, documented, and approved by asset owners.

With reference to the ECC control 2-1-6, the cybersecurity requirements for managing OT/ICS assets must be reviewed, and their implementation effectiveness is measured and evaluated periodically.

How Endpoint Central helps:

Endpoint Central has comprehensive asset management capabilities for both hardware and software. It can list the OT/ICS computers, software, and files stored in your network.

Note:
ManageEngine's ServiceDesk Plus (ITSM) leverages Endpoint Central's agent for discovering endpoint-related assets. For comprehensive asset management with asset mapping and CMDBs, ServiceDesk Plus can complete this requirement alongside Endpoint Central.

2-3 System and Processing Facilities Protection

To ensure the protection of OT/ICS systems and processing facilities (including workstations, servers and Safety Instrumented Systems “SIS”) against cyber risks.

In addition to sub-controls in the ECC control 2-3-3, cybersecurity requirements for system and processing facility protection in OT/ ICS environment must include, at a minimum, the following:

2-3-1-1 Advanced, up-to-date protection mechanisms and techniques must be utilized and securely managed to block and protect from malware, Advanced Persistent Threats (APT), malicious files, and activities.
2-3-1-2 Periodic security configurations’ review and hardening must be conducted in alignment with the vendor implementation guidance or recommendations with respect to cybersecurity and the organization’s formal change management mechanisms.
2-3-1-3 Periodic security patches and upgrades must be implemented in alignment with vendor implementation guidance or recommendations with respect to cybersecurity and the organization’s formal change management mechanisms.
2-3-1-4 Principles of least privilege and least functionality must be applied.
2-3-1-5 Safety Instrumented Systems (SIS) controllers must be configured in appropriate modes at all times, which prevent any unauthorized changes, and changes to improper modes are limited to exceptional cases with a specific period of time.
2-3-1-6 Application whitelisting techniques or other similar techniques must be deployed to limit the applications that are allowed to run in the OT/ICS environment.
2-3-1-7 OT/ICS assets must be managed through dedicated, segmented and hardened Engineering Workstation (EWS) and Human-Machine Interface (HMI) for management purposes and maintenance.
2-3-1-8 External storage media is scanned and analyzed against malware and APT. The scan must be executed in an isolated and secure environment.
2-3-1-9 Usage of external storage media in the production environment must be restricted unless secure mechanisms for data transfer are developed and properly implemented.
2-3-1-10 Systems’ logs and critical files must be protected from unauthorized access, tampering, illegitimate modification and/or deletion.
2-3-1-11 Unauthorized applications, scripts, tasks, and changes must be detected and analyzed.
2-3-1-12 New communications sessions and command execution must be detected and analyzed.
2-3-1-13 Direct communications between the OT/ICS environment and external hosts must be detected and analyzed.

With reference to the ECC control 2-3-4, the cybersecurity requirements for system and processing facilities protection in OT/ ICS environment must be reviewed, and their implementation effectiveness is measured and evaluated periodically.

How Endpoint Central helps:

Admins can perform port audits with Endpoint Central to identify ports that exhibit anomalous behavior.

Endpoint Central helps admins deploy fixes for zero-day vulnerabilities and security misconfigurations.

Endpoint Central has a built-in next-gen antivirus engine (currently available as early access) that proactively detects cyber threats with AI-assisted, real-time behavior detection and deep learning technology.

Apart from real-time threat detection, Endpoint Central also performs incident forensics so that SecOps teams can analyze the root cause and severity of threats.

Endpoint Central's Anti-Ransomware guards your ICS systems from ransomware. It also provides instant, non-erasable backups of the files in your network every three hours by leveraging Microsoft's Volume Shadow Copy Service.

If a file is infected with ransomware, it can be restored from the most recent backup copy of the file.

Endpoint Central's peripheral device management capabilities allow you to block or restrict external storage devices, and let admins create a list of trusted devices that end users can use on their endpoints.

Endpoint Central's Application Control module allows admins to allowlist or blocklist software applications on OT/ICS systems.

Endpoint Central applies the principle of least privilege through its endpoint privilege management capability, providing application-specific privilege management and just-in-time access for users of ICS/OT systems.

2-4 Networks Security Management

To ensure the protection of the organization’s OT/ICS networks from cyber risks.

In addition to sub-controls in ECC control 2-5-3, cybersecurity requirements for network security management in OT/ICS environment must cover, at a minimum, the following:

2-4-1-1 OT/ICS environment must be segmented logically or physically from other environments or networks.
2-4-1-2 Different zones within the OT/ICS environment must be segmented logically or physically in accordance with the zone’s appropriate level that isolates data flows and directs traffic to "Choke Points”.
2-4-1-3 Safety Instrumented Systems (SIS) must be segmented logically or physically from other OT/ICS networks.
2-4-1-4 Wireless technologies (such as Wi-Fi, Bluetooth, cellular, satellite, etc.) must be restricted and to only be used when the technology meets specific business requirements and is properly secured.
2-4-1-5 Wireless technologies must be segmented logically or physically from other OT/ICS networks.
2-4-1-6 Network communications, services, and connection points between different zones must be limited to the minimum to meet operational, maintenance, and safety requirements.
2-4-1-7 Direct exposure of common remote authentication and access management services on external-facing hosts must be prevented.
2-4-1-8 Only authorized business-critical services are accessible from the internal OT/ICS networks, and accessibility to services with known vulnerabilities must be limited to the greatest extent possible.
2-4-1-9 Direct communications between the corporate zone and OT/ICS zones must be prevented, and all required connections must be directed through a dedicated, secured, and hardened jump host/solution in the DMZ zone.
2-4-1-10 Remote access point in the DMZ zone must not be connected to the OT/ICS networks unless needed, while ensuring that the session is multi-factor authenticated, recorded, and established for a defined period of time only.
2-4-1-11 Proxies must be employed between the corporate and OT/ICS zones for all machine-to-machine traffic.
2-4-1-12 Dedicated gateways must be used to segment OT/ICS networks from corporate zone.
2-4-1-13 Dedicated DMZ zone must be used to reside any system that needs services provided by the corporate zone.
2-4-1-14 Strict limitation on enabling/usage of industrial protocols and ports to the minimum to meet operational, maintenance, and safety requirements.
2-4-1-15 Periodic patches and upgrades for production assets must be certified by the respective vendor and tested in a separate environment prior to implementation.
2-4-1-16 Details related to network architecture and topology, zones, network data flows, connectivity, and interdependencies must be documented, updated, and maintained.

With reference to the ECC control 2-5-4, the cybersecurity requirements for network security management in OT/ICS environment must be reviewed, and their implementation effectiveness measured and evaluated periodically.

How Endpoint Central helps:

Endpoint Central's Custom Group feature enables admins to logically group ICS/OT systems as they see fit, so that they can be managed and secured effectively.

Endpoint Central can restrict devices from connecting to public Wi-Fi networks, or alternatively ensure that devices connect to your organization's Wi-Fi only through certificates. It also enables admins to create Wi-Fi profiles for the endpoints.

Endpoint Central's network-neutral architecture allows admins to manage and secure ICS/OT systems even if they are isolated from the internet.

When patching OT/ICS systems, Endpoint Central provides for testing and approving patches in a test environment before deploying them to production.

2-5 Mobile Devices Security

To ensure the protection of mobile devices (including laptops, handheld configuration devices, network test devices, etc.) from cyber risks and to ensure the secure handling of sensitive data and the organization’s information.

In addition to subcontrols in the ECC control 2-6-3, cybersecurity requirements for mobile device security in OT/ICS must cover, at a minimum, the following:

2-5-1-1 Usage of mobile devices for OT/ICS must be restricted unless specifically required. A cybersecurity risk assessment must be conducted where risks must be defined and managed. A management approval must be granted by the respective cybersecurity function for a defined period of time only in alignment with the organization’s formal access management mechanisms.
2-5-1-2 Mobile devices must only be used for their intended purposes and in compliance with cybersecurity requirements of its respective zones prior to being connected to OT/ICS environment, and are 

How Endpoint Central helps:

Endpoint Central's MDM capability helps in streamlining updates for both mobile OS and applications.

Endpoint Central integrates with Check Point Harmony so that admins can leverage its Mobile Threat Defense (MTD) capability.

Endpoint Central lets admins create custom groups to which mobile devices can be added and configured to connect only to the OT/ICS environment.

Endpoint Central has provisions to encrypt the Android and iOS devices and their SD cards.

2-6 Data and Information Protection

To ensure the confidentiality, integrity, and availability of the organization’s data and information as per organizational policies and procedures, and related laws and regulations.

In addition to subcontrols in the ECC control 2-7-3, cybersecurity requirements for data and information protection in OT/ICS must include, at a minimum, the following:

2-6-1-1 Electronic and physical data (at rest and in transit) must be protected at a level consistent with its classification.
2-6-1-2 Data Leakage Prevention (DLP) mechanisms must be used to protect the classified data and information.
2-6-1-3 Secure wiping mechanisms for configuration details and stored data from OT/ICS assets prior to decommissioning must be implemented.
2-6-1-4 Transfer or usage of OT systems’ data in any environment other than the production environment must be limited, except after applying strict controls for protecting that data.

With reference to the ECC control 2-7-4, the cybersecurity requirements for data and information protection in OT/ICS environment must be reviewed, and their implementation effectiveness measured and evaluated periodically.

How Endpoint Central helps:

Endpoint Central has powerful data leakage prevention capabilities that let you detect and classify data and control how data flows in your IT environment by configuring policies on data transfers through the cloud and peripheral devices.

Endpoint Central helps admins perform remote wipes to protect corporate data in case an OT/ICS asset is lost.

Endpoint Central helps admins encrypt OT Windows devices using its BitLocker management and OT Mac devices with FileVault encryption.

2-9 Vulnerabilities Management

To ensure timely detection and effective remediation of technical vulnerabilities to prevent or minimize the probability of exploiting these vulnerabilities to launch cyber-attacks against the organization.

In addition to subcontrols in the ECC control 2-10-3, cybersecurity requirements for vulnerability management in OT/ICS must cover, at a minimum, the following:

2-9-1-1 Scope and activities of vulnerability assessments must be defined for OT/ICS environment as part of organization’s formal vulnerability management while ensuring limited or no impact on the production environment.
2-9-1-2 With reference to the ECC sub-control 2-10-3-3, remediation of newly discovered critical vulnerabilities presenting significant risks to the OT/ICS environment must be performed in a timely manner.
2-9-1-3 With reference to the ECC sub-control 2-10-3-1, vulnerability assessment for OT/ICS systems must be conducted periodically.

With reference to the ECC control 2-10-4, the cybersecurity requirements for vulnerability management in OT/ICS environment must be reviewed, and their implementation effectiveness is measured and evaluated periodically.

How Endpoint Central helps:

Endpoint Central provides comprehensive vulnerability management in terms of constant assessment and visibility of threats from a single console. Apart from vulnerability assessment, it also provides built-in remediation of the vulnerabilities detected.

For both critical and non-critical information systems, Endpoint Central provides risk-based vulnerability management so that admins can prioritize vulnerabilities based on metrics such as CVSS score, CVE impact type, patch availability, and more.
