SI.L3-3.14.3e Specialized Asset Security

Ensure that specialized assets including IoT, IIoT, OT, GFE, Restricted Information Systems, and test equipment are included in the scope of the specified enhanced security requirements or are segregated in purpose-specific networks.

Source: NIST SP 800-172 3.14.3e

Discussion: Organizations may have a variety of systems and system components in their inventory, including Information Technology (IT), Internet of Things (IoT), Operational Technology (OT), and Industrial Internet of Things (IIoT). The convergence of IT, OT, IoT, and IIoT significantly increases the attack surface of organizations and provides attack vectors that are challenging to address. Compromised IoT, OT, and IIoT system components can serve as launching points for attacks on organizational IT systems that handle CUI. Some IoT, OT, and IIoT system components can store, transmit, or process CUI (e.g., specifications or parameters for objects manufactured in support of critical programs). Most of the current generation of IoT, OT, and IIoT system components are not designed with security as a foundational property and may not be able to be configured to support security functionality. Connections to and from such system components are generally not encrypted, do not provide the necessary authentication, are not monitored, and are not logged. Therefore, these components pose a significant cyber threat. Gaps in IoT, OT, and IIoT security capabilities may be addressed by employing intermediary system components that can provide encryption, authentication, security scanning, and logging capabilities—thus, preventing the components from being accessible from the Internet. However, such mitigation options are not always available or practicable. The situation is further complicated because some of the IoT, OT, and IIoT devices may be needed for essential missions and business functions. In those instances, it is necessary for such devices to be isolated from the Internet to reduce the susceptibility to cyber-attacks. [SP 800-160-1] provides guidance on security engineering practices and security design concepts.
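The practice allows two outcomes for a specialized asset: it is inside the enhanced-requirement scope, or it is segregated in a purpose-specific network, which the Discussion expects to be isolated from the Internet and, where practicable, fronted by an intermediary that supplies encryption, authentication and logging. The following is an added example, not code from NIST SP 800-172 or any CMMC assessment tool, that evaluates a constructed component inventory against those conditions so a gap between the inventory and the network design shows up before an assessment. The asset taxonomy, the `Asset`/`Segment` field names, the required gateway-control set and every sample record are assumptions chosen for illustration.

```python
"""
Added example (not from NIST SP 800-172 or the CMMC assessment guide): check a
system component inventory against SI.L3-3.14.3e. For each specialized asset
the check passes if the asset is in the enhanced-requirement scope, or else if
its network segment is purpose-specific, not Internet-reachable, and fronted by
an intermediary providing the controls the Discussion lists.
Field names, types and sample data are assumptions for illustration.
"""
from dataclasses import dataclass, field

# Asset categories the practice names as "specialized assets" (assumed labels).
SPECIALIZED_TYPES = {"IoT", "IIoT", "OT", "GFE", "Restricted", "TestEquipment"}

# Controls an intermediary component is expected to supply (from the Discussion).
REQUIRED_GATEWAY_CONTROLS = {"encryption", "authentication", "logging"}


@dataclass
class Asset:
    name: str
    asset_type: str          # e.g. "IT", "OT", "IoT" (assumed taxonomy)
    network: str             # segment/VLAN name from the system architecture
    in_enhanced_scope: bool  # covered by the SP 800-172 enhanced requirements


@dataclass
class Segment:
    name: str
    purpose_specific: bool    # dedicated to one asset class or mission function
    internet_reachable: bool  # any route to or from the Internet
    gateway_controls: set = field(default_factory=set)  # controls on the intermediary


def evaluate(assets, segments):
    """Return {asset_name: [finding, ...]}; an empty list means the asset satisfies the practice."""
    seg_by_name = {s.name: s for s in segments}
    findings = {}
    for a in assets:
        issues = []
        if a.asset_type in SPECIALIZED_TYPES and not a.in_enhanced_scope:
            # Outcome 2: the asset must be segregated in a purpose-specific network.
            seg = seg_by_name.get(a.network)
            if seg is None:
                issues.append(f"network '{a.network}' is not in the segment inventory")
            else:
                if not seg.purpose_specific:
                    issues.append("outside enhanced scope and on a shared, not purpose-specific, network")
                if seg.internet_reachable:
                    issues.append("outside enhanced scope and reachable from the Internet")
                missing = REQUIRED_GATEWAY_CONTROLS - set(seg.gateway_controls)
                if missing:
                    issues.append("intermediary lacks: " + ", ".join(sorted(missing)))
        findings[a.name] = issues
    return findings


def noncompliant(findings):
    """Names of assets with at least one finding, sorted for stable reporting."""
    return sorted(name for name, issues in findings.items() if issues)


# Constructed sample data (not a real inventory).
SAMPLE_SEGMENTS = [
    Segment("corp-users", purpose_specific=False, internet_reachable=True),
    Segment("ot-cell-3", purpose_specific=True, internet_reachable=False,
            gateway_controls={"encryption", "authentication", "logging"}),
    Segment("lab-iot", purpose_specific=True, internet_reachable=True,
            gateway_controls={"logging"}),
]
SAMPLE_ASSETS = [
    Asset("plc-07", "OT", "ot-cell-3", in_enhanced_scope=False),
    Asset("cnc-02", "OT", "corp-users", in_enhanced_scope=False),
    Asset("badge-reader-1", "IoT", "lab-iot", in_enhanced_scope=False),
    Asset("gfe-laptop-4", "GFE", "corp-users", in_enhanced_scope=True),
    Asset("file-srv-1", "IT", "corp-users", in_enhanced_scope=True),
]

if __name__ == "__main__":
    report = evaluate(SAMPLE_ASSETS, SAMPLE_SEGMENTS)
    for name in noncompliant(report):
        print(name)
        for issue in report[name]:
            print("  -", issue)
```

On the sample data, `plc-07` passes through segregation alone, `gfe-laptop-4` passes because it is in scope, and `cnc-02` and `badge-reader-1` are reported: the first sits on the shared user network, the second is on a purpose-specific segment that still has an Internet route and whose intermediary only logs. Feeding this the real component inventory and segment list gives the "system component inventory" and "system architecture" artifacts in the Examine list a concrete cross-check.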

Assessment Objectives:

Determine if:

Examine: [SELECT FROM: Access control policy; information flow control policies; system and services acquisition policy; system and communications protection policy; procedures addressing security function isolation; procedures addressing application partitioning; procedures addressing security engineering principles used in the specification, design, development, implementation, and modification of the system; procedures addressing information flow enforcement; procedures addressing access enforcement; system architecture; system design documentation; security plan; system component inventory; system configuration settings and associated documentation; system baseline configuration; list of security functions to be isolated from non-security functions; system audit records; security requirements and specifications for the system; list of approved authorizations (user privileges); list of information flow authorizations; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel responsible for access enforcement; system/network administrators; organizational personnel responsible for information security; system developers; system integrators; organizational personnel responsible for acquisition/contracting; organizational personnel responsible for determining system security requirements; system security architects; enterprise architects; organizational personnel responsible for system specification, design, development, implementation, and modification].

Test: [SELECT FROM: Mechanisms implementing the access control policy; mechanisms implementing the information flow enforcement policy; mechanisms supporting the application of security engineering principles in system specification, design, development, implementation, and modification].

SPRS Score: 1

POA&M Allowed: No