{"id":40627,"date":"2021-04-27T16:00:59","date_gmt":"2021-04-27T16:00:59","guid":{"rendered":"https:\/\/www.microsoft.com\/security\/blog\/?p=93379"},"modified":"2021-04-27T16:00:59","modified_gmt":"2021-04-27T16:00:59","slug":"meet-critical-infrastructure-security-compliance-requirements-with-microsoft-365","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/meet-critical-infrastructure-security-compliance-requirements-with-microsoft-365\/","title":{"rendered":"Meet critical infrastructure security compliance requirements with Microsoft 365"},"content":{"rendered":"

Critical infrastructure operators face a hostile cyber threat environment and a complex compliance landscape. Every operator of an industrial control system also operates an IT network to service its productivity needs. A supervisory control and data acquisition (SCADA) system operator of a power grid or chemical plant needs email, databases, and business applications to support it, much like any enterprise.<\/p>\n

IT environments, with their large attack surface, can be the entryway to attack critical infrastructure even where those IT systems are not critical infrastructure themselves. Security and compliance failures may include life safety, environmental, or national security consequences\u2014a different risk management challenge from other enterprise IT systems.<\/p>\n

Ransomware, thought more of as an IT problem as opposed to an industrial control system (ICS) one, has been used to attack critical infrastructure operators Norsk Hydro<\/a>, Brazilian utilities Electrobras and Copel<\/a>, as well as Reading Municipal Light Department<\/a> and Lansing Board of Water and Light<\/a> among other US utilities. Dragos and IBM X-Force identified 194 ransomware attacks against industrial entities<\/a> between 2018 and 2020, including ICS-specific strains like EKANS<\/a>.<\/p>\n

The range of threats to our increasingly converged IT and ICS environments highlights the need for a combined approach to IT and ICS security.<\/p>\n

Azure Defender for IoT<\/a> is the cornerstone of security for on-premises, cloud, and hybrid ICS. In addition to the anti-malware features of Microsoft 365<\/a>, the integration of Advanced Threat Protection (ATP) and Microsoft Compliance Manager to manage, visualize, and report on standards-based compliance are also foundational.<\/p>\n

Complex compliance landscape<\/h2>\n

As the cyber threat landscape to ICS has grown more hostile and publicized, the compliance responsibilities of critical infrastructure operators have increased as well. In the US and Canada, Bulk Electric System (BES) participants need to comply with the North American Electric Reliability Corporation Critical Infrastructure Protection Standards (NERC CIP), as well as using NIST 800-53 as the basis for their organizational security policies and benchmarking to the National Institute of Standards and Technology (NIST) Cybersecurity Framework<\/a>. They may also be architecting their ICS to IEC62443\/ISA 99<\/a>. Many forward-looking utilities are increasing their use of the cloud through infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS) like Microsoft 365 with Zero Trust architecture.<\/p>\n

While NERC CIP standards were written around on-premises systems, NERC has become more open to Registered Entities\u2019 use of the cloud for Bulk Electric System Cyber System Information (BCSI)<\/a>. This includes NERC\u2019s Order on Virtualization and Cloud Computing Services<\/a> and their Technical Rationale for Reliability Standard CIP-011-3<\/a>, where they discuss risk assessment of a cloud services provider. This risk assessment will include the ongoing standards-based assessment of the cloud service provider.<\/p>\n

Comprehensive and efficient compliance<\/h2>\n

As an organization moves workloads to the cloud, they move responsibility for a portion of the security controls to the cloud service provider.<\/p>\n

\"The<\/p>\n

The organization can thus focus its resources on the remaining security controls and on vetting how the cloud service provider manages the security controls for which it is responsible.<\/p>\n

\"With<\/p>\n

When customers use Office 365, Microsoft helps them manage 79 percent of the 1,021 NIST 800-53 controls, so customers need only focus on implementing and maintaining the remaining 21 percent of the controls. By using the shared responsibility model, these customer resources are made available to further secure their systems. Customers that are using on-premises infrastructure to provide those functions need to implement and maintain all 1,021 controls.<\/p>\n

Tools for comprehensive and efficient compliance<\/h2>\n

Microsoft Compliance Manager<\/a> is a feature in Microsoft 365 compliance center. It uses signals from the customer\u2019s Microsoft 365 tenant, Microsoft\u2019s compliance program, and workflows completed by the customer to manage and report compliance against regulatory and industry-standard templates. These templates include NERC CIP, NIST Cybersecurity Framework (CSF), NIST 800-53, and the US Protecting and Securing Chemical Facilities from Terrorist Attacks Act (H.R. 4007), as well as more than 330 standards-based assessments<\/a> globally. You can also create custom templates based on other standards or mapped to your own policies and control set.<\/p>\n

With each Compliance Manager assessment template, you get simplified guidance on \u201cwhat to do\u201d to meet the regulatory requirements. In this regard, you get to understand what controls are Microsoft\u2019s responsibility as your cloud service provider and what controls are your responsibility. Furthermore, for each of the controls that are your responsibility, we break down actions that you need to take to meet these control requirements. These actions can be procedural, documentation, or technical.<\/p>\n

For technical actions, you get step-by-step guidance on how to use Microsoft security, compliance, identity, or management solutions to implement and test technical actions. With this detailed information, you can efficiently implement, test, and demonstrate your compliance against regulations as per your industry and region. This information also helps you to draw maximum benefits from your Microsoft 365 security and compliance solutions. Once you create assessments within Compliance Manager, we make it very easy for you to understand what solutions you can use to implement and test technical actions on Compliance Manager.<\/p>\n

\"The<\/p>\n

You can use the custom assessment feature<\/a> to \u201cextend\u201d Compliance Manager assessment templates to track compliance against any non-Microsoft 365 assets as well. With this functionality, Compliance Manager helps you to track and manage compliance across all your assets.<\/p>\n

There are different template sets available for the different license levels<\/a>.<\/p>\n

Microsoft updates the assessment templates when the standards change, relieving the customer of this responsibility. The changes are called out to the customer and the option to update the assessment<\/a> is provided.<\/p>\n

Compliance Manager tracks, reports, and provides visualizations for:<\/p>\n