| ID | Subcategory | Capabilities | Product | Coverage |
|---|---|---|---|---|
| ID.AM-1 | Inventory of physical devices and systems within the organization | Network integrity control, Hardware and software inventory | | |
| ID.AM-2 | Software platforms and applications within the organization are inventoried | Hardware and software inventory, Verification of integrity of software and hardware code | | |
| ID.AM-3 | Organizational communication and data flows are mapped | Network communications control, Industrial DPI for anomaly detection, Network communication visualization | Ascent Look Out | Partial coverage |
| ID.AM-4 | External information systems are catalogued | Hardware and software inventory | | |
| ID.AM-5 | Resources (e.g., hardware, devices, data, time, and software) are prioritized based on their classification, criticality, and business value | Risk and Vulnerability Management, Access control policy, Use control policy | Ascent Look Out | Partial coverage |
| ID.AM-6 | Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established | Role-based access, Communications plan, Access control policy, Reporting of events and communication to responsible parties | | |
| DE.AE-1 | A baseline of network operations and expected data flows for users and systems is established and managed | Industrial DPI for anomaly detection | | |
| DE.AE-2 | Detected events are analyzed to understand attack targets and methods | Network event correlation analysis, SIEM integration, Activity log policy, Reporting of events and communication to responsible parties | Ascent Look Out | Partial coverage |
| DE.AE-3 | Event data are aggregated and correlated from multiple sources and sensors | Network event correlation analysis, SIEM integration | | |
| DE.AE-4 | Impact of events is determined | Activity log policy | Ascent Look Out | Full coverage |
| DE.AE-5 | Incident alert thresholds are established | Activity log policy, Reporting of events and communication to responsible parties | Ascent Look Out | Partial coverage |
| DE.CM-1 | The network is monitored to detect potential cybersecurity events | WI-FI control, Network communications control, Industrial DPI for anomaly detection, Advanced detection of anomalies in the IP layer, Detect attacks on industrial networks (signature-based), Network communication visualization | Ascent Look Out | Partial coverage |
| DE.CM-2 | The physical environment is monitored to detect potential cybersecurity events | Activity log policy, Security log | Ascent Look Out; Testing service; test1apps | Partial coverage; Partial coverage; Partial coverage |
| DE.CM-3 | Personnel activity is monitored to detect potential cybersecurity events | Risk and Vulnerability Management, Inspect endpoint logs, SIEM integration, Activity log policy, Industrial network event log (forensic analysis), Security log | Ascent Look Out | Partial coverage |
| DE.CM-4 | Malicious code is detected | Advanced antimalware, Equipment use control, Upgrade testing support | | |
| DE.CM-5 | Unauthorized mobile code is detected | Advanced antimalware, Risk and Vulnerability Management | | |
| DE.CM-6 | External service provider activity is monitored to detect potential cybersecurity events | Network communications control, Secure network design, Risk and Vulnerability Management, Activity log policy | Ascent Look Out | Partial coverage |
| DE.CM-7 | Monitoring for unauthorized personnel, connections, devices, and software is performed | Inspect endpoint logs, SIEM integration, Activity log policy, Industrial network event log (forensic analysis), Security log | Ascent Look Out | Partial coverage |
| DE.CM-8 | Vulnerability scans are performed | Cybersecurity assessment, Risk and Vulnerability Management | | |
| DE.DP-1 | Roles and responsibilities for detection are well defined to ensure accountability | Awareness and Training, Risk and Vulnerability Management, Communications plan | | |
| DE.DP-2 | Detection activities comply with all applicable requirements | Compliance, Risk and Vulnerability Management | | |
| DE.DP-3 | Detection processes are tested | Risk and Vulnerability Management, Incident response support | | |
| DE.DP-4 | Event detection information is communicated to appropriate parties | Awareness and Training, Risk and Vulnerability Management, Communications plan, Incident response support | | |
| DE.DP-5 | Detection processes are continuously improved | Awareness and Training, Risk and Vulnerability Management | | |
| ID.BE-1 | The organization’s role in the supply chain is identified and communicated | Communications plan, Reporting of events and communication to responsible parties, Incident response support | | |
| ID.BE-2 | The organization’s place in critical infrastructure and its industry sector is identified and communicated | Communications plan | | |
| ID.BE-3 | Priorities for organizational mission, objectives, and activities are established and communicated | Communications plan | | |
| ID.BE-4 | Dependencies and critical functions for delivery of critical services are established | Physical security in the installation of devices, Redundancy system, Incident response support | | |
| ID.BE-5 | Resilience requirements to support delivery of critical services are established for all operating states (e.g. under duress/attack, during recovery, normal operations) | Detect attacks on industrial networks (signature-based), Reporting of events and communication to responsible parties, Incident response support | | |
| ID.GV-1 | Organizational information security policy is established | Centralized management of security policies, Access control policy, Activity log policy, Backup Policy | Ascent Look Out | Partial coverage |
| ID.GV-2 | Information security roles & responsibilities are coordinated and aligned with internal roles and external partners | Role-based access, Compliance, Communications plan, Reporting of events and communication to responsible parties | | |
| ID.GV-4 | Governance and risk management processes address cybersecurity risks | Compliance, Risk and Vulnerability Management | | |
| ID.RA-1 | Asset vulnerabilities are identified and documented | Risk and Vulnerability Management | | |
| ID.RA-2 | Cyber threat intelligence and vulnerability information is received from information sharing forums and sources | Risk and Vulnerability Management, Communications plan, Reporting of events and communication to responsible parties | | |
| ID.RA-3 | Threats, both internal and external, are identified and documented | Risk and Vulnerability Management | | |
| ID.RA-4 | Potential business impacts and likelihoods are identified | Risk and Vulnerability Management | | |
| ID.RA-5 | Threats, vulnerabilities, likelihoods, and impacts are used to determine risk | Risk and Vulnerability Management | | |
| ID.RA-6 | Risk responses are identified and prioritized | Risk and Vulnerability Management | | |
| ID.RM-1 | Risk management processes are established, managed, and agreed to by organizational stakeholders | Risk and Vulnerability Management | | |
| ID.RM-2 | Organizational risk tolerance is determined and clearly expressed | Risk and Vulnerability Management | | |
| ID.RM-3 | The organization’s determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis | Risk and Vulnerability Management, Communications plan | | |
| ID.SC-1 | Cyber supply chain risk management processes are identified, established, assessed, managed, and agreed to by organizational stakeholders | Risk and Vulnerability Management | | |
| ID.SC-2 | Identify, prioritize and assess suppliers and partners of critical information systems, components and services using a cyber supply chain risk assessment process | Risk and Vulnerability Management | | |
| ID.SC-3 | Suppliers and partners are required by contract to implement appropriate measures designed to meet the objectives of the Information Security program or Cyber Supply Chain Risk Management Plan | Risk and Vulnerability Management | | |
| ID.SC-4 | Suppliers and partners are monitored to confirm that they have satisfied their obligations as required. Reviews of audits, summaries of test results, or other equivalent evaluations of suppliers/providers are conducted | Risk and Vulnerability Management, Communications plan | | |
| ID.SC-5 | Response and recovery planning and testing are conducted with critical suppliers/providers | Risk and Vulnerability Management, Communications plan, Activity log policy, Backup Policy, Reporting of events and communication to responsible parties, Redundancy system, Backup system | Ascent Look Out | Partial coverage |
| PR.AC-1 | Identities and credentials are issued, managed, revoked, and audited for authorized devices, users, and processes | Basic user access control, User access control with hidden display, Account management, Access control policy | Ascent Look Out | Partial coverage |
| PR.AC-2 | Physical access to assets is managed and protected | Basic user access control, User access control with hidden display | | |
| PR.AC-3 | Remote access is managed | Basic user access control, User access control with hidden display, Multi-factor user access control, Access control policy | | |
| PR.AC-4 | Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties | Role-based access, Basic user access control, Multi-factor user access control, Account management, Access control policy | Ascent Look Out | Partial coverage |
| PR.AC-5 | Network integrity is protected, incorporating network segregation where appropriate | Network communications control, Network integrity control, Secure network design, Separation of environments | Ascent Look Out; test1apps | Partial coverage; Partial coverage |
| PR.AC-6 | Identities are proofed and bound to credentials, and asserted in interactions when appropriate | Basic user access control, User access control with hidden display, Account management, Access control policy | Ascent Look Out | Partial coverage |
| PR.AT-1 | All users are informed and trained | Awareness and Training | | |
| PR.AT-2 | Privileged users understand roles & responsibilities | Awareness and Training, Communications plan, Access control policy | | |
| PR.AT-3 | Third-party stakeholders (e.g., suppliers, customers, partners) understand roles & responsibilities | Certification of the main ICS providers, Awareness and Training, Communications plan, Access control policy | | |
| PR.AT-4 | Senior executives understand roles & responsibilities | Awareness and Training, Communications plan, Access control policy | | |
| PR.AT-5 | Physical and information security personnel understand roles & responsibilities | Awareness and Training, Communications plan, Access control policy | | |
| PR.DS-1 | Data-at-rest is protected | Hardware Security Keys, Equipment use control, Certificate use policy, Data Protection | test1apps | Partial coverage |
| PR.DS-2 | Data-in-transit is protected | PKI infrastructure, Certificate use policy, Data Protection | test1apps | Partial coverage |
| PR.DS-3 | Assets are formally managed throughout removal, transfers, and disposition | Equipment use control, Hardware and software inventory, Data Protection, Physical security in the installation of devices | | |
| PR.DS-4 | Adequate capacity to ensure availability is maintained | Redundancy system | | |
| PR.DS-5 | Protections against data leaks are implemented | Awareness and Training, Equipment use control, Compliance, Data Protection | | |
| PR.DS-6 | Integrity checking mechanisms are used to verify software, firmware, and information integrity | Software usage control, File integrity monitoring, Verification of integrity of software and hardware code, Verify PLC integrity | | |
| PR.DS-7 | The development and testing environment(s) are separate from the production environment | Role-based access, Data Protection, Separation of environments | test1apps | Partial coverage |
| PR.DS-8 | Integrity checking mechanisms are used to verify hardware integrity | Verification of integrity of software and hardware code, Verify PLC integrity | | |
| PR.IP-1 | A baseline configuration of information technology/industrial control systems is created and maintained incorporating appropriate security principles (e.g. concept of least functionality) | Configuration control, Detection of use of default passwords | | |
| PR.IP-2 | A System Development Life Cycle to manage systems is implemented | Awareness and Training, Configuration control, Centralized management of security policies, Risk and Vulnerability Management, Separation of environments | | |
| PR.IP-3 | Configuration change control processes are in place | Configuration control, Activity log policy | Ascent Look Out | Partial coverage |
| PR.IP-4 | Backups of information are conducted, maintained, and tested periodically | Backup Policy, Data Protection, Backup system | Testing service | Partial coverage |
| PR.IP-5 | Policy and regulations regarding the physical operating environment for organizational assets are met | Compliance, Physical security in the installation of devices | | |
| PR.IP-6 | Data is destroyed according to policy | Compliance, Data Protection | | |
| PR.IP-7 | Protection processes are continuously improved | Centralized management of security policies, Risk and Vulnerability Management | | |
| PR.IP-8 | Effectiveness of protection technologies is shared with appropriate parties | Certification of the main ICS providers, Awareness and Training, Communications plan | | |
| PR.IP-9 | Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed | Certification of the main ICS providers, Awareness and Training, Communications plan, Access control policy | | |
| PR.IP-10 | Response and recovery plans are tested | Awareness and Training, Communications plan, Backup Policy, Backup system | | |
| PR.IP-11 | Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening) | Awareness and Training, Communications plan | | |
| PR.IP-12 | A vulnerability management plan is developed and implemented | Risk and Vulnerability Management | | |
| PR.MA-1 | Maintenance and repair of organizational assets is performed and logged in a timely manner, with approved and controlled tools | Use control policy, Activity log policy, Security log, Physical security in the installation of devices | Ascent Look Out; test1apps | Partial coverage; Partial coverage |
| PR.MA-2 | Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access | Device control, Use control policy, Activity log policy, Security log | Ascent Look Out; test1apps | Partial coverage; Partial coverage |
| PR.PT-1 | Audit/log records are determined, documented, implemented, and reviewed in accordance with policy | Equipment protection diagnostics, Inspect endpoint logs, SIEM integration, Activity log policy, Industrial network event log (forensic analysis), Security log, Reporting of events and communication to responsible parties | Ascent Look Out | Partial coverage |
| PR.PT-2 | Removable media is protected and its use restricted according to policy | Device control, Monitor USB access, Activity log policy, Reporting of events and communication to responsible parties | Ascent Look Out | Partial coverage |
| PR.PT-3 | The principle of least functionality is incorporated by configuring systems to provide only essential capabilities | Configuration control, Equipment use control | | |
| PR.PT-4 | Communications and control networks are protected | WI-FI control, Network communications control, Network integrity control, Industrial DPI for anomaly detection, Advanced detection of anomalies in the IP layer, Detect attacks on industrial networks (signature-based), Secure network design, PKI infrastructure, Network communication visualization | | |
| PR.PT-5 | Systems operate in pre-defined functional states to achieve availability (e.g. under duress, under attack, during recovery, normal operations) | Secure network design, Advanced process control rules | | |
| RS.RP-1 | Response plan is executed during or after an event | Awareness and Training, Incident response support | | |
| RS.CO-1 | Personnel know their roles and order of operations when a response is needed | Awareness and Training, Communications plan | | |
| RS.CO-2 | Events are reported consistent with established criteria | Awareness and Training, Communications plan | | |
| RS.CO-3 | Information is shared consistent with response plans | Awareness and Training, Communications plan | | |
| RS.CO-4 | Coordination with stakeholders occurs consistent with response plans | Awareness and Training, Communications plan | | |
| RS.CO-5 | Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness | Awareness and Training, Communications plan | | |
| RS.AN-1 | Notifications from detection systems are investigated | Awareness and Training, Communications plan, Incident response support | | |
| RS.AN-2 | The impact of the incident is understood | Awareness and Training, Communications plan, Incident response support | | |
| RS.AN-3 | Forensics are performed | Industrial network event log (forensic analysis), Incident response support | Ascent Look Out | Partial coverage |
| RS.AN-4 | Incidents are categorized consistent with response plans | Communications plan, Incident response support | | |
| RS.MI-1 | Incidents are contained | Incident response support | | |
| RS.MI-2 | Incidents are mitigated | Incident response support | | |
| RS.MI-3 | Newly identified vulnerabilities are mitigated or documented as accepted risks | Risk and Vulnerability Management | | |
| RS.IM-2 | Response strategies are updated | Compliance | | |
| RS.IM-1 | Response plans incorporate lessons learned | Awareness and Training, Compliance, Backup Policy | Testing service | Partial coverage |
| RC.RP-1 | Recovery plan is executed during or after an event | Backup Policy, Redundancy system, Backup system | Testing service | Partial coverage |
| RC.IM-1 | Recovery plans incorporate lessons learned | Awareness and Training, Compliance, Backup Policy | Testing service | Partial coverage |
| RC.IM-2 | Recovery strategies are updated | Awareness and Training, Compliance, Communications plan, Backup Policy | | |
| RC.CO-1 | Public relations are managed | Communications plan | | |
| RC.CO-2 | Reputation after an event is repaired | Communications plan | | |
| RC.CO-3 | Recovery activities are communicated to internal stakeholders and executive and management teams | Communications plan | | |