AmitJain
Staff

The rapid growth of electric vehicles (EVs) and the corresponding need for extreme fast charging (XFC) infrastructure have highlighted the importance of robust cybersecurity measures. The NIST Cybersecurity Framework Profile for Electric Vehicle Extreme Fast Charging Infrastructure (NIST IR 8473) offers a detailed, risk-based approach to managing cybersecurity in this complex ecosystem. FortiSOAR, with its advanced capabilities, is ideally positioned to help organizations comply with this profile. Here's how FortiSOAR can enhance compliance across the various phases of the NIST framework: 

 

Introduction to NIST IR 8473 

 

Electric vehicle (EV) charging stations are critical to the growth of the EV industry, much like gas stations are for traditional vehicles. Countries worldwide are setting ambitious targets to ensure widespread availability of these charging points. For instance, the EU aims for 3 million public charging points by 2030, and the US targets at least 500,000 public chargers by the same year.  

Charging systems are connected to service clouds, power grids, EVs, and third-party service providers, making them susceptible to breaches that could result in significant economic losses, service disruptions, or data breaches. Malicious attacks on these systems could impact the power grids, potentially causing blackouts. In response to safety concerns, several countries have established cybersecurity standards and regulations for EV charging systems. 

The NIST IR 8473 report, finalized in October 2023, shifts focus from individual chargers to the entire charging infrastructure, emphasizing a comprehensive, industry-level risk-based approach to cybersecurity. 

 

Enhancing Compliance with FortiSOAR: An Overview 

FortiSOAR provides extensive support across the phases defined in the NIST Cybersecurity Framework, enhancing compliance and strengthening the cybersecurity posture of EV XFC infrastructure. Here are a few examples of how FortiSOAR can enhance compliance across the various phases of the NIST framework. Note that while events and data can come from different sources and sensors, integration with Fortinet Security Fabric brings unique benefits such as deep visibility into charging transactions and other ecosystem-specific protocols.

 

1. Identify 

 

- Asset Management: FortiSOAR maintains a comprehensive repository of all EV charging points, including metadata such as location, charging station details, firmware version, vulnerabilities, network conditions, brand of EV charger, and vendor information. This thorough inventory management aligns with the Identify function by ensuring all assets are documented and their security status is monitored. 

- Risk Assessment: By correlating threat intelligence, vulnerabilities and incident data, FortiSOAR automates risk assessment, identifying potential security gaps and prioritizing remediation efforts. This helps organizations understand and manage their cybersecurity risks effectively, which is crucial for the Identify function. A video demonstration that walks through how risk is accounted for in this context can be found here.

 

 

2. Protect 

 

- Access Control: FortiSOAR enforces access control policies across the EV XFC infrastructure, ensuring that only authorized users can access critical systems and data. Integration with identity and access management (IAM) solutions enhances this capability, supporting the Protect function. 

- Data Security: The platform supports encryption and other data protection mechanisms to secure sensitive information both in transit and at rest. This aligns with the Protect function by ensuring the confidentiality and integrity of data within the EV XFC ecosystem.  

- Protective Technologies: The platform orchestrates the deployment and management of protective technologies like firewalls and IPS, ensuring they are up-to-date and configured correctly to maintain a robust security posture. FortiSOAR can be used to manage the deployment lifecycle of firewalls, for example FortiGate firewalls; a very good solution pack for this, along with a good read on ZTP of FortiGates using FortiSOAR, is available here.

 

3. Detect 

 

- Continuous Monitoring: FortiSOAR provides continuous monitoring of alerts generated by the ecosystem, detecting anomalies and potential security incidents in real-time. This capability is essential for the Detect function, enabling early identification of threats. 

- Error Code Library: FortiSOAR includes a library of common EVCS error codes and allows customization and addition of new codes. This helps in quickly diagnosing issues, enhancing the Detect function by ensuring anomalies are accurately recognized and categorized. 

- Alert Correlation: FortiSOAR excels at receiving and correlating alerts from detection sources at charging points/stations. It correlates these alerts with various factors such as network conditions, SLAs, location details, similar alerts, and known vulnerabilities. This comprehensive correlation helps in identifying common threat patterns and relationships with error codes, enhancing the Detect function. 

 

4. Respond 

 

- Incident Response Planning: FortiSOAR enables the creation and automation of incident response playbooks tailored to the EV XFC environment. This ensures a consistent and effective response to incidents, supporting the Respond function. 

- Mitigation Strategies: The platform facilitates rapid isolation and mitigation of threats by orchestrating actions across various security tools. This helps contain and neutralize incidents swiftly, aligning with the Respond function. 

 

5. Recover 

 

- Recovery Planning: FortiSOAR supports the development of comprehensive recovery plans, ensuring that normal operations can be restored quickly after an incident. This includes procedures for data recovery and system restoration, supporting the Recover function. 

- Improvement and Post-Incident Analysis: Conducting post-incident reviews using FortiSOAR helps organizations learn from incidents and improve their cybersecurity posture. This fosters a cycle of continuous improvement, enhancing the Recover function. 

 

6. Govern 

 

- Policy Enforcement: FortiSOAR ensures consistent enforcement of cybersecurity policies and procedures across the organization. It provides visibility into policy compliance and helps manage deviations effectively, supporting the new Govern function. 

- Metrics and Reporting: The platform offers robust reporting and dashboard capabilities, providing key metrics and insights into the effectiveness of cybersecurity controls. This aids in governance and compliance tracking, aligning with the Govern function. 

 

Practical Application Examples of FortiSOAR in Each Phase 

  1. Identifying Assets and Risks 

AM-1: Physical devices and systems within the organization are inventoried. 

  • FortiSOAR Solution: FortiSOAR maintains a comprehensive repository of all EV charging points, including metadata such as location, charging station details, vulnerabilities, network conditions, brand of EV charger, and vendor information. This ensures that all critical assets are accurately tracked and monitored, aligning with the Identify function by ensuring all assets are documented and their security status is monitored. 
     

AM-2: Software platforms and applications within the organization are inventoried. 

  • FortiSOAR Solution: FortiSOAR provides an inventory of software platforms and applications, including developer and version information, associated hardware, update history, and known bugs. This helps manage software vulnerabilities and ensures all software is up to date, supporting the Identify function. 

 

  2. Protecting Critical Infrastructure

PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users, and processes. 

  • FortiSOAR Solution: FortiSOAR enforces access control policies across the EV XFC infrastructure, ensuring that only authorized users can access critical systems and data. Integration with identity and access management (IAM) solutions enhances this capability, supporting the Protect function. 

PR.DS-1: Data-at-rest is protected. 

  • FortiSOAR Solution: The platform supports encryption and other data protection mechanisms to secure sensitive information both in transit and at rest. For data at rest, FortiSOAR offers selective field-level encryption, so encryption can be applied to the data fields of choice. This aligns with the Protect function by ensuring the confidentiality and integrity of data within the EV XFC ecosystem.

 

  3. Detecting Threats in Real-Time

DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed. 

  • FortiSOAR Solution: FortiSOAR integrates with various detection technologies (SIEM/UEBA/XDR/EDR/NDR) to receive alerts and enrich them with contextual data. This includes correlating anomaly-related alerts with network conditions, SLAs, site details, and known vulnerabilities, enabling early identification of potential threats. Integration with Fortinet Security Fabric allows deep visibility into charging transactions with baselines that reflect the charging behavior.

DE.CM-1: The network is monitored to detect potential cybersecurity events. 

  • FortiSOAR Solution: FortiSOAR receives cybersecurity alerts from threat/anomaly detection sensors positioned at different parts of the charging ecosystem. These alerts are enriched and then correlated, and the result is either raised as a cybersecurity incident or considered normal. In addition, FortiSOAR includes a library of common OCPP EV error codes and allows customization and addition of new codes (and related details and mitigation recommendations). By integrating alerts from detection systems, FortiSOAR helps in quickly diagnosing issues, enhancing the Detect function by ensuring anomalies are accurately recognized and categorized.
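
The enrich-then-correlate flow described above, sketched as an added example; it is not FortiSOAR code or its error-code library. It assumes the alerts are OCPP 1.6 StatusNotification frames, and the severities, asset inventory, charger IDs and both triage rules are constructed for illustration.

```python
import json
from collections import defaultdict

# Assumed library: OCPP 1.6 ChargePointErrorCode -> (severity, analyst note).
ERROR_LIBRARY = {
    "OverCurrentFailure": ("high", "possible tampering or hardware fault"),
    "WeakSignal": ("low", "connectivity issue"),
}
# Constructed asset inventory keyed by charger id.
ASSETS = {
    "CP-001": {"site": "Depot-A", "firmware": "1.2.0", "open_vulns": 2},
    "CP-002": {"site": "Depot-A", "firmware": "1.4.1", "open_vulns": 0},
    "CP-003": {"site": "Depot-B", "firmware": "1.4.1", "open_vulns": 0},
}
def frame(code, status="Faulted"):
    # Constructed OCPP-J CALL frame: [2, uniqueId, action, payload].
    payload = {"connectorId": 1, "errorCode": code, "status": status}
    return json.dumps([2, "uid", "StatusNotification", payload])
# Constructed events: (charger id taken from the connection, raw frame).
EVENTS = [
    ("CP-001", frame("OverCurrentFailure")),
    ("CP-003", frame("OverCurrentFailure")),
    ("CP-001", frame("WeakSignal")),
    ("CP-002", frame("WeakSignal")),
    ("CP-002", frame("NoError", "Available")),
]

def enrich(charger_id, raw):
    """Parse one frame; return an enriched alert, or None if it is not a fault."""
    msg = json.loads(raw)
    is_status = len(msg) == 4 and msg[0] == 2 and msg[2] == "StatusNotification"
    code = msg[3].get("errorCode", "NoError") if is_status else "NoError"
    if code == "NoError":
        return None
    severity, note = ERROR_LIBRARY.get(code, ("medium", "not in library, review"))
    asset = ASSETS.get(charger_id, {"site": "unknown", "firmware": "unknown", "open_vulns": 0})
    return {"charger": charger_id, "code": code, "severity": severity, "note": note, **asset}

def triage(events):
    """Incident if 2+ chargers at a site share a code, or a high-severity code hits a vulnerable asset."""
    alerts = [a for a in (enrich(c, r) for c, r in events) if a]
    peers = defaultdict(set)
    for a in alerts:
        peers[(a["site"], a["code"])].add(a["charger"])
    for a in alerts:
        clustered = len(peers[(a["site"], a["code"])]) >= 2
        risky = a["severity"] == "high" and a["open_vulns"] > 0
        a["verdict"] = "incident" if clustered or risky else "normal"
    return alerts
```

The same `OverCurrentFailure` code yields an incident on CP-001 (open vulnerabilities) and a normal verdict on CP-003, which is the point of enriching alerts with inventory context before deciding.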
     
  4. Responding to Incidents Effectively

RS.RP-1: Response plan is executed during or after a cybersecurity incident. 

  • FortiSOAR Solution: FortiSOAR enables the creation and automation of incident response playbooks tailored to the EV XFC environment. This ensures a consistent and effective response to incidents, supporting the Respond function. 
     

RS.CO-2: Incidents are reported consistent with established criteria. 

  • FortiSOAR Solution: The platform facilitates rapid isolation and mitigation of threats by orchestrating actions across various security tools. This helps contain and neutralize incidents swiftly, aligning with the Respond function. 

  5. Recovering from Cybersecurity Incidents

RC.RP-1: Recovery plan is executed during or after a cybersecurity incident. 

  • FortiSOAR Solution: FortiSOAR supports the development of comprehensive recovery plans, ensuring that normal operations can be restored quickly after an incident. This includes procedures for data recovery and system restoration, supporting the Recover function. 

RC.IM-1: Recovery planning and processes are improved by incorporating lessons learned into future activities. 

  • FortiSOAR Solution: Conducting post-incident reviews using FortiSOAR helps organizations learn from incidents and improve their cybersecurity posture. This fosters a cycle of continuous improvement, enhancing the Recover function. 

  6. Ensuring Governance and Compliance

GV-1: Organizational cybersecurity policy is established and communicated. 

  • FortiSOAR Solution: FortiSOAR ensures consistent enforcement of cybersecurity policies and procedures across the organization. Its robust reporting and dashboard capabilities provide key metrics and insights into the effectiveness of cybersecurity controls, aiding governance and compliance tracking. This supports the new Govern function added in NIST CSF 2.0, emphasizing the importance of cybersecurity as an enterprise risk.

 

Conclusion 

FortiSOAR’s capabilities in managing EV assets, correlating alerts, and automating incident responses make it an invaluable tool for achieving compliance with the NIST Cybersecurity Framework Profile for Electric Vehicle Extreme Fast Charging Infrastructure. By leveraging FortiSOAR and its integration with Fortinet Security Fabric, organizations can enhance their cybersecurity posture, manage risks more effectively, and ensure the resilience of their EV XFC infrastructure. 

Contributions/Co-authored by: @Roshanak Partovi (Enterprise Architect)