What are the CIS Top 20?
The Center for Internet Security Critical Security Controls (CIS CSC) were created in coordination with U.S. DHS, NSA, SANS and other groups to establish a set of the most critical security controls to ensure cyber security.
Now on Version 7, CIS Top 20 contains over 170 sub-controls with specific target levels for compliance. The CIS Top 20 is now one of the leading cyber security standards for IT organizations to secure their networks, assets, and data.
What are the benefits of the CIS Top 20?
Aside from its comprehensive set of critical controls, the CIS Top 20 is unique because of its prescriptive nature of different levels of compliance. Where many cyber security standards provide a framework for the types of controls or procedures to implement, the Top 20 includes a set of measurable benchmarks for each control to determine if the organization is at a level 1, 2, 3, 4 or 5.
This “prescriptive” nature enables organizations to accelerate the process by reducing the debate on maturity levels to decide which of the pre-defined levels it aspires to. We have seen this type of approach result in significant benefits in comparison to the more general guidance frameworks.
What are the top level controls in the CSC 20?
Basic CIS Controls
|1||Inventory and Control of Hardware Assets|
|2||Inventory and Control of Software Assets|
|3||Continuous Vulnerability Management|
|4||Controlled Use of Administrative Privileges|
|5||Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers|
|6||Maintenance, Monitoring and Analysis of Audit Logs|
Foundational CIS Controls
|7||Email and Web Browser Protections|
|9||Limitation and Control of Network Ports, Protocols and Services|
|10||Data Recovery Capabilities|
|11||Secure Configuration for Network Devices, such as Firewalls, Routers and Switches|
|14||Controlled Access Based on the Need to Know|
|15||Wireless Access Control|
|16||Account Monitoring and Control|
Organizational CIS Controls
|17||Implement a Security Awareness and Training Program|
|18||Application Software Security|
|19||Incident Response and Management|
|20||Penetration Tests and Red Team Exercises|
As seen, these are a comprehensive collection of controls. Version 7 introduced the notion of prioritization into the 20 with the first six as “basic” the next ten as “foundational” and the final four as “organizational”. We may differ with the naming conventions, but the concept is instructive as the first. Six can address, according to CIS, almost 75% of the known attacks in the past three years. Again, one can differ with the exact statistic, the basic concept seems correct.
It is worth focusing a bit on the “basic” six controls. As in all cyber security standards, developing a robust asset and network inventory is the base element that enables the rest of security to be effective. This is clear in the CIS Top 20 (just as it is with the NIST CSF).
Controls 1 and 2 require not just a hardware inventory or an OS inventory, but a comprehensive software inventory on all assets. As one dives deeper into the sub-controls of these first six controls, the power of a deep asset inventory that extends beyond just seeing if a hardware device is on the network.
For instance, in CIS 2.5, the sub-control calls for comprehensive software inventory integrated with hardware inventory and 2.6 requires removal of unapproved software. These both require deep views on each asset as well as active management of the software on the asset to ensure unnecessary and potentially risky software is removed.
Or in sub-controls 4.2 and 4.3, they require changing default passwords and ensuring dedicated administrative accounts. These two sub-controls require both deep visibility into the status of an asset as well as the active management of that asset to ensure it is secure. As one goes through the list of these six “basic” controls, it becomes clear that basic means deep visibility and active systems management to maintain security.
How are the CIS Top 20 implemented?
To achieve maturity for CIS (or NIST or IEC62443 or ISO 27001, etc.), it requires more than a passive review of assets. This is particularly challenging in OT and creates challenges that we have addressed with the Verve Security Center.
While originally designed for IT, Verve worked with clients to adapt the standard into the OT/ICS environment, enabling a single standard across IT and OT. Verve works closely with industrial organizations to establish CSC Top 20 programs and build dynamic compliance and security management processes. With the Verve Security Center platform, visibility into measurement, alerting and discovery is enhanced by supporting services.
To bridge these controls from IT into OT, several adjustments need to be made:
- Many controls are not feasible on embedded industrial devices, such as PLCs, controllers drives, etc. These controls include anti-virus or application whitelisting, etc.
- Some controls are feasible but the level of reasonable maturity may differ. These include items such as patching on a bi-weekly or monthly basis which is often not appropriate in operational facilities that cannot be regularly rebooted.
- Procedural requirements may need “OT-customization” such as items like incident response or red-teaming which require different procedures due to the sensitivity of OT processes.
- Specific secure standards often need adjusting. For instance, CIS calls for standard secure configurations for different device types. Those configurations will likely be different for OT devices vs. IT devices.
Even though there are several adjustments required, there are significant benefits to using this common standard across OT and IT. This includes:
- Common reporting and measurement across the organization.
- Shared understanding and vocabulary on security simplifies training and communication.
- The “prescriptive” nature can accelerate time to security.
- Editing a standard has proven much easier than creating from scratch.
The CIS 20 really requires what we have come to call OT Systems Management. This practice is similar to ITSM which has been practiced for many years. But in OT, assets are not often actively managed for many of the reasons above. Implementing CIS as a standard drives greater security and a more robust and reliable operations because systems are managed, updated and controlled on a regular basis.
Over the past decade, Verve has worked with clients implementing a range of different security standards from NIST CSF or 800-53 or NERC CIP and ISA 99, etc. We have found that the CIS offers a very good alternative for large organizations that seek consistency between IT and OT.
Learn more about implementing the CIS controls in our case study: