
WHITE PAPER

Copyright © 2020 Claroty Ltd. All rights reserved


CONTENTS

Introduction
  What is the NIST Cybersecurity Framework?
  What is the purpose of this paper?

The Claroty Platform Mapped to NIST CSF Functions
  Function 1: Identify (ID)
  Function 2: Protect (PR)
  Function 3: Detect (DE)
  Function 4: Respond (RS)
  Function 5: Recover (RC)

Conclusion
  About Claroty Continuous Threat Detection (CTD)
  About Claroty Secure Remote Access (SRA)
  About Claroty

INTRODUCTION

What is the NIST Cybersecurity Framework?

The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) is a comprehensive set of guidelines designed to help critical infrastructure owners and operators better manage and reduce cybersecurity risk.

Created in response to Improving Critical Infrastructure Cybersecurity, a 2013 U.S. federal executive order, the framework is voluntary. Nonetheless, its flexibility, common lexicon, and emphasis on using business drivers to shape cybersecurity initiatives have fueled the framework's widespread appeal, adoption, and recognition as a true requirement across all sectors and industries, not only in the U.S. but also in numerous countries globally.

The NIST CSF has also since inspired and shaped a number of other regulatory frameworks and best practices that are widely adhered to and embraced worldwide.

What is the purpose of this paper?

Organizations seeking to comply with the NIST CSF have many variables to consider, including the suitability of their technology stack. While the framework is technology-neutral, adhering to its guidelines requires specific types of tools with specific capabilities.

Having long supported critical infrastructure owners and operators in their efforts to better manage and reduce cybersecurity risk in their operational technology (OT) environments, the Claroty Platform is highly conducive to compliance with the vast majority of these guidelines.

This paper details the extent to which the Claroty Platform — which includes Claroty's Continuous Threat Detection (CTD) and Secure Remote Access (SRA) products — maps to the guidelines set forth by the five core functions, as well as all corresponding categories and subcategories, of version 1.1 of the NIST Cybersecurity Framework.

"Created through collaboration between industry and government, the voluntary Framework consists of standards, guidelines, and practices to promote the protection of critical infrastructure. The prioritized, flexible, repeatable, and cost-effective approach of the Framework helps owners and operators of critical infrastructure to manage cybersecurity-related risk."

—The National Institute of Standards and Technology (NIST)



THE CLAROTY PLATFORM MAPPED TO NIST CSF FUNCTIONS
This section of the paper introduces the five NIST CSF functions and their corresponding
categories, as well as how the Claroty Platform maps to the guidelines set forth by each.

Function 1: Identify (ID)


The Identify function entails understanding the organization and its operational context,
assets, resources, capabilities, and risks so that cybersecurity efforts can be focused and
prioritized in accordance with existing risk management and organizational objectives.

ID.AM: Asset Management
  Category description: The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization's risk strategy.
  Claroty support: CTD provides discovery and inventory of OT physical and virtual devices. It also provides software/firmware information on such devices. CTD provides full visibility of communication flows in the in-scope environment, including to other parts of the organization and external systems.
  Subcategories with Claroty support: ID.AM-1; ID.AM-2; ID.AM-3; ID.AM-4; ID.AM-5

ID.BE: Business Environment
  Category description: The organization's mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform cybersecurity roles, responsibilities, and risk management decisions.
  Claroty support: Not applicable.
  Subcategories with Claroty support: Not applicable.

ID.GV: Governance
  Category description: The policies, procedures, and processes to manage and monitor the organization's regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk.
  Claroty support: CTD and SRA each provide components of a broader risk monitoring process that informs cyber risk.
  Subcategories with Claroty support: ID.GV-4




ID.RA: Risk Assessment
  Category description: The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.
  Claroty support: CTD provides risk assessment at multiple levels: device, segmentation, external communications, and observed threats. Correlation of activity to OT processes provides business impact data via CTD. It also supplies candidate risk responses and priorities. CTD's Attack Vector Mapping capability identifies the most likely paths for adversaries, supporting proactive prevention. SRA's logging of admin activity supports assessing risk from such activity.
  Subcategories with Claroty support: ID.RA-1; ID.RA-3; ID.RA-4; ID.RA-5; ID.RA-6

ID.RM: Risk Management Strategy
  Category description: The organization's priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.
  Claroty support: Operational risk tolerance cannot be determined without an understanding of the risk potential in the OT environment. CTD and SRA provide a high-level understanding of risk in the OT environment, which drives the strategic discussion.
  Subcategories with Claroty support: ID.RM-2

ID.SC: Supply Chain Risk Management
  Category description: The organization's priorities, constraints, risk tolerances, and assumptions are established and used to support risk decisions associated with managing supply chain risk. The organization has established and implemented the processes to identify, assess, and manage supply chain risks.
  Claroty support: CTD identifies third-party partner activity, components, processes, and corresponding risk. SRA provides visibility of third-party remote access as part of supply chain risk management, supports audit of third-party activity, and supports recovery procedures for emergency situations.
  Subcategories with Claroty support: ID.SC-1; ID.SC-2; ID.SC-4; ID.SC-5



Function 2: Protect (PR)
The Protect function is about developing and implementing appropriate safeguards in order
to ensure the delivery of critical services. This function supports the ability to limit and/or
contain the impact of a potential cybersecurity event.

PR.AC: Identity Management and Access Control
  Category description: Access to physical and logical assets and associated facilities is limited to authorized users, processes, and devices, and is managed consistent with the assessed risk of unauthorized access to authorized activities and transactions.
  Claroty support: SRA manages remote access and issues credentials for access to OT systems, obfuscating the underlying credentials. It also binds ICS credentials to end-user identities. SRA supports least-privilege policies and separation of duties (secondary approval). CTD supports network segmentation through communication audit and virtual segmentation for flat networks.
  Subcategories with Claroty support: PR.AC-1; PR.AC-3; PR.AC-4; PR.AC-5; PR.AC-6

PR.AT: Awareness and Training
  Category description: The organization's personnel and partners are provided cybersecurity awareness education and are trained to perform their cybersecurity-related duties and responsibilities consistent with related policies, procedures, and agreements.
  Claroty support: Not applicable.
  Subcategories with Claroty support: Not applicable.

PR.DS: Data Security
  Category description: Information and records (data) are managed consistent with the organization's risk strategy to protect the confidentiality, integrity, and availability of information.
  Claroty support: CTD's mapping of segmentation and network flows, and change notification for ICS components, help prevent data leakage. ICS/PLC change monitoring helps assure configuration data security and integrity.
  Subcategories with Claroty support: PR.DS-5; PR.DS-6




PR.IP: Information Protection Processes and Procedures
  Category description: Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets.
  Claroty support: CTD ICS/PLC change monitoring helps establish baseline configurations and aids in establishing configuration change control processes. CTD network virtual segmentation and asset monitoring are a critical input to process improvement and least-privilege tuning. CTD evaluates assets for vulnerabilities, driving a vulnerability management plan. SRA contributes to the establishment of change control processes by managing administrative access.
  Subcategories with Claroty support: PR.IP-1; PR.IP-3; PR.IP-7; PR.IP-12

PR.MA: Maintenance
  Category description: Maintenance and repairs of industrial control and information system components are performed consistent with policies and procedures.
  Claroty support: SRA provides multiple controls for system maintenance activities: multi-factor access control, two-level change approvals, and a log of maintenance activity. CTD monitors maintenance activity of industrial systems, facilitating audit.
  Subcategories with Claroty support: PR.MA-1; PR.MA-2

PR.PT: Protective Technology
  Category description: Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements.
  Claroty support: CTD and SRA create logs of configuration alterations on industrial systems, to inform updates to protections. CTD monitors for removable media use. CTD Risk and Vulnerability Management identifies unnecessary capabilities on in-scope systems that should be removed. CTD Policy Zones and network analysis protect control networks directly and through instantiation of firewall policy. CTD's passive approach drives resilience of production systems.
  Subcategories with Claroty support: PR.PT-1; PR.PT-2; PR.PT-3; PR.PT-4; PR.PT-5



Function 3: Detect (DE)
The Detect function encompasses developing and implementing appropriate activities and
controls to enable the timely and accurate discovery of a cybersecurity event.

DE.AE: Anomalies and Events
  Category description: Anomalous activity is detected, and the potential impact of events is understood.
  Claroty support: CTD baselines both network operations and data flows, as well as configuration and firmware changes. CTD threat detection creates events for anomalous activity on in-scope systems and networks. Detected events are analyzed by Claroty to understand typical targets and methods. CTD supports broad deployment to supply multiple information sources. Event impact is determined based on understanding of system functions and type. CTD Process Value View supports automatic creation of alert thresholds for process changes and detects unusual USB actions.
  Subcategories with Claroty support: DE.AE-1; DE.AE-2; DE.AE-4; DE.AE-5




DE.CM: Security Continuous Monitoring
  Category description: The network is monitored to detect potential cybersecurity events.
  Claroty support: CTD monitors in-scope networks to detect security events. CTD and SRA monitor personnel activity for remote access and to each industrial system, including external service providers that supply maintenance services. CTD and SRA monitor for unauthorized personnel, network connections (baseline deviation), devices (in-scope asset inventory), and software (ICS/PLC firmware changes). CTD Virtual Zones detect anomalous communication between process control systems. CTD continuous risk scoring surfaces the highest-priority risks to speed response.
  Subcategories with Claroty support: DE.CM-1; DE.CM-3; DE.CM-6; DE.CM-7

DE.DP: Detection Processes
  Category description: Detection processes and procedures are maintained and tested to ensure awareness of anomalous events.
  Claroty support: CTD detection events are consolidated and communicated via the user interface, syslog, and API for ease of maintenance. Baselines and policy zones inform maintenance and adjustment of detection processes.
  Subcategories with Claroty support: DE.DP-4; DE.DP-5



Function 4: Respond (RS)
The Respond function is about developing and implementing suitable activities to act in
response to a detected cybersecurity incident. This function supports the ability to contain
the impact of such an incident.

RS.RP: Response Planning
  Category description: Response processes and procedures are executed and maintained, to ensure response to detected cybersecurity incidents.
  Claroty support: CTD insights, communications monitoring, and Attack Vector Mapping surface areas of higher risk, thereby informing efficient response plans.
  Subcategories with Claroty support: RS.RP-1

RS.CO: Communications
  Category description: Response activities are coordinated with internal and external stakeholders (e.g. external support from law enforcement agencies).
  Claroty support: CTD's open API and event feeds facilitate consistent reporting of incidents across the organization. Sharing of insights via the Claroty Cloud provides a mechanism for sharing OT threat intelligence in a secure manner. Predefined reports aid in cross-functional communications.
  Subcategories with Claroty support: RS.CO-2; RS.CO-5

RS.AN: Analysis
  Category description: Analysis is conducted to ensure effective response and support recovery activities.
  Claroty support: CTD provides full forensic information and insights related to the event and associated asset in order to facilitate analysis. PCAP capability provides forensic information relevant to the incident. CTD supplies insights and attack vector information necessary to categorize incident severity. Process Value data clearly shows the actual impact of incidents on OT systems. Claroty Cloud updates via CTD allow organizations to receive and apply vulnerability information relevant to OT.
  Subcategories with Claroty support: RS.AN-1; RS.AN-2; RS.AN-3; RS.AN-4; RS.AN-5


RS.MI: Mitigation
  Category description: Activities are performed to prevent expansion of an event, mitigate its effects, and resolve the incident.
  Claroty support: SRA limits potential damage from compromised third-party credentials to a minimum number of assets. CTD's firewall integrations support the dynamic insertion of rules to limit compromise. CTD provides complete documentation of OT CVEs, from which risk-based decisions can be made.
  Subcategories with Claroty support: RS.MI-1; RS.MI-3

RS.IM: Improvements
  Category description: Organizational response activities are improved by incorporating lessons learned from current and previous detection/response activities.
  Claroty support: CTD event forensics, Process Value, and baseline exceptions inform specific adjustments to both recovery and strategy planning. Claroty continuously updates PLC protocol support as new vulnerabilities are uncovered.
  Subcategories with Claroty support: RS.IM-1; RS.IM-2

Function 5: Recover (RC)
The Recover function is about developing and implementing activities to maintain plans for
resilience and restore capabilities that were impaired due to a cybersecurity incident. It
supports timely recovery to normal operations to reduce the impact of such an incident.

RC.RP: Recovery Planning
  Category description: Recovery processes and procedures are executed and maintained to ensure restoration of systems or assets affected by cybersecurity incidents.
  Claroty support: Recovery plan execution in OT environments requires both change information on critical systems and an updated assessment to determine if such systems can be put back into production. Both are provided by CTD. Remote access recovery will likely include a combination of access lock-down, followed by controlled enablement on an as-needed basis during recovery. Both are provided by SRA.
  Subcategories with Claroty support: RC.RP-1

RC.IM: Improvements
  Category description: Recovery planning and processes are improved by incorporating lessons learned into future activities.
  Claroty support: Recovery lessons learned must be informed by network segmentation analysis and critical system vulnerabilities and attack vectors, all of which CTD provides. If the incident involved remote access, the detailed user activity logs and recordings from SRA are fundamental to updating recovery plans.
  Subcategories with Claroty support: RC.IM-1

RC.CO: Communications
  Category description: Restoration activities are coordinated with internal and external parties (e.g. coordinating centers, Internet Service Providers, owners of attacking systems, victims, other CSIRTs, and vendors).
  Claroty support: Claroty Cloud information sharing via CTD drives bidirectional improved recovery planning across the industry.
  Subcategories with Claroty support: RC.CO-3

CONCLUSION

About Claroty CTD

As the foundation of the Claroty Platform, Continuous Threat Detection (CTD) grants complete visibility into OT networks, seamless management of all OT assets, and continuous monitoring of all threats, vulnerabilities, and risks relevant to those assets and networks.

Claroty's proprietary deep packet inspection technology enables CTD to extract precise details about each asset on the OT network, profile all communications and protocols, generate a fine-grain behavioral baseline that characterizes legitimate traffic, and alert you in real time to baseline deviations, full-match vulnerabilities, and known and zero-day threats.

About Claroty SRA

Claroty Secure Remote Access (SRA) tackles one of the toughest challenges facing industrial cybersecurity practitioners today: maintaining the ability to remotely access OT environments while minimizing the substantial risks introduced by remote users.

Part of the Claroty Platform, SRA enables customers to safeguard their networks from threats posed by unmanaged and unmonitored OT remote access. It enforces least-privilege policies, enables real-time monitoring and full recording of all remote sessions, and provides a single, secure, and clientless interface through which all internal and third-party users connect prior to performing support, audits, or related activities within OT environments.

About Claroty
Claroty bridges the industrial cybersecurity gap between information technology (IT) and operational technology (OT)
environments. Organizations with highly automated production sites and factories that face significant security and financial
risk especially need to bridge this gap. Armed with Claroty’s converged IT/OT solutions, these enterprises and critical
infrastructure operators can leverage their existing IT security processes and technologies to improve the availability, safety,
and reliability of their OT assets and networks seamlessly and without requiring downtime or dedicated teams. The result is
more uptime and greater efficiency across business and production operations.

Backed and adopted by leading industrial automation vendors, Claroty is deployed on all seven continents globally. The
company is headquartered in New York City and has received $100 million in funding since being launched by the famed
Team8 foundry in 2015.

For more information, visit www.claroty.com.
