Prayukth K V
Two things have come to define the changes in the threat landscape logged over the last three weeks:
· State-backed threat actors are now attacking most targets
· Attackers are not deploying malware; they are logging in with stolen credentials and weaponizing legitimate apps and services
The year 2026 has essentially redefined the "Advanced" in APT. We are no longer just fighting malware; we are fighting living-off-the-land (LotL) techniques where state-sponsored actors use legitimate administrative tools to blend into the background noise of a manufacturing or utility environment. This camouflage is usually so successful that APT groups are able to strike at a time of their choosing, after harvesting credentials from data brokers.
In this landscape, NIST SP 800-171 becomes a go-to standard for securing your infrastructure. If you look past the auditor’s spreadsheet, 800-171 is a blueprint for reducing the operational entropy that APTs require to hide. It also has controls that can provide a very high level of deterrence against hackers and confidence for defenders to ramp up their security posture in a measurable manner.
NIST SP 800-171 was originally designed to offer a standardized set of cybersecurity requirements for securing Controlled Unclassified Information (CUI) that resides in non-federal systems and organizations. It was developed to ensure contractors, subcontractors, and researchers safeguarding government data maintain consistent security practices without having to implement complex federal agency-level controls.
One of the key advantages is this: NIST SP 800-171 also offers a subset of the more stringent controls that are listed in NIST SP 800-53. This helps make compliance more feasible and timely for smaller businesses and non-federal organizations.
In the US, NIST SP 800-171 helps contractors comply with the Defense Federal Acquisition Regulation Supplement (DFARS) and become eligible to win government contracts that are financially rewarding and reputation boosting.
In today's blog post, we do a deep dive into the fundamentals of NIST SP 800-171 and how to go about complying with this key standard. We also provide a checklist that you can use to defend your infrastructure utilising this standard.
Before we move forward, don’t forget to check out our previous blog post on “Deconstructing the Intuitive Surgical data breach” here.
The Access Control (AC) moat: Dismantling the lateral pivot
It is rare to see an APT actor land directly on a Human Machine Interface (HMI). They instead land on an IT workstation and pivot. 800-171’s Access Control (3.1) family can be your primary tool for breaking that chain.
Tactical shift: Don't just manage users; manage flows and gaps. Use Control 3.1.3 (Control CUI flow) to strictly define "conduits" between your IT and OT zones. If a workstation doesn't absolutely need to talk to the PLC subnet, that path should not exist, not even for administrators.
The APT Friction: By enforcing Least Privilege (3.1.5), you force an attacker to perform "noisy" actions (like credential dumping or privilege escalation) that trigger alerts and expose their activities.
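One way to turn the "zones and conduits" idea above into a repeatable check, as an added example that is not code from the original post or from Shieldworkz: an authorized-conduit table is compared against firewall connection records, and every IT-to-OT flow that matches no conduit is counted as a bypass attempt. The zone ranges, conduit entries and firewall records are all constructed for this example; the actionable output is the list of flows the firewall allowed even though no conduit authorizes them, i.e. paths that exist but should not.

```python
"""Added example: checking IT -> OT flows against an authorized-conduit
table, in the spirit of NIST SP 800-171 control 3.1.3 (control CUI flow).
Zone ranges, conduits and firewall records are constructed."""
import ipaddress

# Assumed zone layout (constructed for this example).
ZONES = {
    "IT": ipaddress.ip_network("10.10.0.0/16"),
    "OT": ipaddress.ip_network("10.20.0.0/16"),
}

# Authorized conduits: (source, destination, dst port, protocol).
# Every IT -> OT path must appear here, or it should not exist at all.
CONDUITS = [
    ("10.10.5.10/32", "10.20.1.0/24", 3389, "tcp"),  # jump host -> EWS subnet
    ("10.10.7.20/32", "10.20.2.5/32", 502, "tcp"),   # historian -> data concentrator
]

# Constructed firewall records: (src, dst, dst port, protocol, action).
RECORDS = [
    ("10.10.5.10", "10.20.1.15", 3389, "tcp", "allow"),
    ("10.10.7.20", "10.20.2.5", 502, "tcp", "allow"),
    ("10.10.33.4", "10.20.2.5", 502, "tcp", "allow"),  # plain workstation reaching the OT side
    ("10.10.33.4", "10.20.1.15", 445, "tcp", "deny"),
    ("10.10.5.10", "10.20.2.5", 22, "tcp", "deny"),
    ("10.20.1.15", "10.20.2.5", 502, "tcp", "allow"),  # OT-internal, out of scope here
]


def zone_of(ip):
    """Name of the zone an address belongs to, or 'UNKNOWN'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "UNKNOWN"


def matches_conduit(src, dst, dport, proto):
    """True if the flow is covered by a declared conduit."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for csrc, cdst, cport, cproto in CONDUITS:
        if (s in ipaddress.ip_network(csrc) and d in ipaddress.ip_network(cdst)
                and dport == cport and proto == cproto):
            return True
    return False


def evaluate(records):
    """Classify IT -> OT records.

    bypass_attempts counts every IT -> OT flow that matches no conduit,
    whether the firewall denied it or not; unauthorized_allowed lists the
    subset the firewall let through, i.e. paths that exist but should not.
    """
    it_to_ot = 0
    bypass = 0
    unauthorized_allowed = []
    for src, dst, dport, proto, action in records:
        if zone_of(src) != "IT" or zone_of(dst) != "OT":
            continue
        it_to_ot += 1
        if matches_conduit(src, dst, dport, proto):
            continue
        bypass += 1
        if action == "allow":
            unauthorized_allowed.append((src, dst, dport, proto))
    rate = bypass / it_to_ot if it_to_ot else 0.0
    return {
        "it_to_ot": it_to_ot,
        "bypass_attempts": bypass,
        "bypass_rate": rate,
        "unauthorized_allowed": unauthorized_allowed,
    }


if __name__ == "__main__":
    result = evaluate(RECORDS)
    print(f"IT->OT flows: {result['it_to_ot']}, bypass attempts: "
          f"{result['bypass_attempts']} ({result['bypass_rate']:.0%})")
    for flow in result["unauthorized_allowed"]:
        print("path exists but is not an authorized conduit:", flow)
```

Denied bypass attempts tell you someone is probing the boundary; allowed ones tell you the boundary has a hole, so the second list is the one to fix first.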
Configuration management (CM): Denying the "Living off the Land" strategy
Modern APTs such as APT41 don't bring their own tools; they use yours (PowerShell, WMI, SSH). If your environment is a "choose your own adventure" of different OS versions and open ports, you are handing the attacker a massive toolkit. An adversary using your own infrastructure against you makes containing a cyberattack or incident far harder, which is why acting early is recommended.
Tactical shift: Use Control 3.4.1 (establish and maintain baseline configurations) as a defensive weapon. In an OT environment, a baseline isn't just a document; it is a known state. If a Windows-based Engineering Workstation (EWS) suddenly has a new service running or an unauthorized port open, that is an Indicator of Compromise (IoC). IoCs may not always be loud, but at the very least you will be able to narrow down the assets that could potentially be compromised. This gives you more bandwidth to focus on the processes or assets that remain at risk after you have secured most of your infrastructure against unauthorized changes.
The outcome: You transition from "searching for bad files" to "detecting unauthorized changes."
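The baseline-as-known-state idea, and the MTTD figure in the metrics section further down, can both be worked through on the same data. The following is an added example, not code from the original post or from Shieldworkz: a baseline for an EWS (running services and listening ports) is diffed against periodic snapshots, the first snapshot that drifts raises the alert, and the gap between the host's own record of the change and that alert is the MTTD. Host name, service names, ports and timestamps are constructed.

```python
"""Added example: diffing a configuration baseline (control 3.4.1)
against periodic snapshots of an Engineering Workstation and measuring
how long the drift went unnoticed. All data is constructed."""
from datetime import datetime

# Constructed baseline: the known-good state of EWS-01.
BASELINE = {
    "services": {"EventLog", "Spooler", "WinDefend", "EngToolRuntime"},
    "listening_ports": {135, 445, 3389},
}

# Constructed snapshots, one every five minutes, as (timestamp, state).
SNAPSHOTS = [
    ("2026-03-02T08:00:00", {
        "services": {"EventLog", "Spooler", "WinDefend", "EngToolRuntime"},
        "listening_ports": {135, 445, 3389}}),
    ("2026-03-02T08:05:00", {
        "services": {"EventLog", "Spooler", "WinDefend", "EngToolRuntime", "RemoteSvc"},
        "listening_ports": {135, 445, 3389, 5985}}),
    ("2026-03-02T08:10:00", {
        "services": {"EventLog", "Spooler", "WinDefend", "EngToolRuntime", "RemoteSvc"},
        "listening_ports": {135, 445, 3389, 5985}}),
]

# Constructed host event: when the change really happened, taken from the
# host's own log after the fact.
CHANGE_TIME = "2026-03-02T08:02:30"


def diff_baseline(baseline, state):
    """Return what differs between the known state and an observed state."""
    return {
        "new_services": state["services"] - baseline["services"],
        "removed_services": baseline["services"] - state["services"],
        "new_ports": state["listening_ports"] - baseline["listening_ports"],
        "closed_ports": baseline["listening_ports"] - state["listening_ports"],
    }


def has_drift(drift):
    """True if any category of the diff is non-empty."""
    return any(drift.values())


def first_detection(baseline, snapshots):
    """Timestamp and drift of the first snapshot that departs from baseline, or None."""
    for ts, state in snapshots:
        drift = diff_baseline(baseline, state)
        if has_drift(drift):
            return ts, drift
    return None


def mttd_minutes(change_ts, detection_ts):
    """Minutes between the real change and the first alert."""
    fmt = "%Y-%m-%dT%H:%M:%S"
    delta = datetime.strptime(detection_ts, fmt) - datetime.strptime(change_ts, fmt)
    return delta.total_seconds() / 60


if __name__ == "__main__":
    hit = first_detection(BASELINE, SNAPSHOTS)
    if hit:
        ts, drift = hit
        print(f"drift first seen at {ts}: {drift}")
        print(f"MTTD: {mttd_minutes(CHANGE_TIME, ts):.1f} minutes")
```

The detection latency here is bounded by the snapshot interval, which is the knob to turn if the MTTD target is "minutes, not weeks"; a removed security service (the `removed_services` bucket) deserves the same alert priority as a new one.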
Incident Response and Monitoring (IR/SI): Finding the ghost
The greatest strength of an APT is dwell time: they stay in the system for months, waiting patiently to strike. 800-171’s System and Information Integrity (3.14) and Audit and Accountability (3.3) families are designed to shorten that window.
Tactical shift: Focus on Control 3.14.6 (Monitor the information system). In OT, this means monitoring for anomalies in industrial protocols (Modbus, DNP3, S7). An APT might not trigger a traditional virus scan, but it will trigger an alert if it starts polling registers it has never touched before. You can also conduct specific audits to target APTs that are potentially dwelling in your environment.
Outcome: In addition to exposing APT activity, you gain time, which means you can actually prevent an incident by eliminating the APT presence more surgically.
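The "polling registers they have never touched before" signal above can be implemented as a learned baseline of which peer reads or writes which registers. The code below is an added example, not code from the original post or from Shieldworkz: it learns, per (source, PLC, unit ID), the Modbus function codes and register addresses seen during a quiet window, then flags live requests from an unknown peer, with a function code that peer has never used, or touching registers outside the learned set. The addresses, unit IDs and traffic records are constructed; the function codes are the standard Modbus ones (3 = read holding registers, 6 = write single register, 16 = write multiple registers).

```python
"""Added example: learning which Modbus/TCP registers each peer normally
touches and flagging requests that stray from that baseline, one way of
doing the protocol-level monitoring control 3.14.6 asks for.
Traffic records are constructed."""
from collections import defaultdict

# Each record: (src, dst, unit_id, function_code, start_address, quantity).
# Constructed learning window: ordinary historian and HMI traffic.
BASELINE_TRAFFIC = [
    ("10.20.2.50", "10.20.2.5", 1, 3, 0, 10),     # historian reads 0..9
    ("10.20.2.50", "10.20.2.5", 1, 3, 100, 20),   # historian reads 100..119
    ("10.20.1.15", "10.20.2.5", 1, 3, 0, 10),     # HMI reads 0..9
    ("10.20.1.15", "10.20.2.5", 1, 6, 40, 1),     # HMI writes setpoint at 40
]

# Constructed detection window.
LIVE_TRAFFIC = [
    ("10.20.2.50", "10.20.2.5", 1, 3, 0, 10),     # normal
    ("10.20.1.22", "10.20.2.5", 1, 3, 0, 10),     # never-seen peer
    ("10.20.2.50", "10.20.2.5", 1, 3, 500, 5),    # known peer, new registers
    ("10.20.1.15", "10.20.2.5", 1, 16, 40, 2),    # known peer, new function code
]


def learn(records):
    """Build {(src, dst, unit): {function_code: set(addresses)}}."""
    model = defaultdict(lambda: defaultdict(set))
    for src, dst, unit, fc, start, qty in records:
        model[(src, dst, unit)][fc].update(range(start, start + qty))
    return model


def detect(model, records):
    """Return one alert tuple per request the learned baseline does not cover.

    Alert kinds, in order of checking: unknown_peer (no history for this
    src/dst/unit), new_function (peer known, function code not), and
    new_registers (peer and function known, addresses outside history).
    """
    alerts = []
    for src, dst, unit, fc, start, qty in records:
        key = (src, dst, unit)
        if key not in model:
            alerts.append(("unknown_peer", key, fc, start, qty))
            continue
        if fc not in model[key]:
            alerts.append(("new_function", key, fc, start, qty))
            continue
        touched = set(range(start, start + qty))
        unseen = touched - model[key][fc]
        if unseen:
            alerts.append(("new_registers", key, fc, min(unseen), max(unseen)))
    return alerts


if __name__ == "__main__":
    model = learn(BASELINE_TRAFFIC)
    for alert in detect(model, LIVE_TRAFFIC):
        print(alert)
```

The learning window has to be trusted, which is the usual caveat: if the baseline is captured while an intruder is already dwelling, their polling becomes "normal". Capturing it right after a validated clean state, and re-reviewing it whenever an engineering change legitimately adds tags, keeps the model honest.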
NIST SP 800-171 metrics that matter (KPIs)
Stop tracking "number of blocked attacks." That is a vanity metric. To measure your resilience against an APT, track these outcomes:
Mean Time to Detect (MTTD) unauthorized configuration changes
The Goal: Detect a change to a baseline (3.4.1) within minutes, not weeks.
KPI: Time elapsed from a configuration change on a critical OT asset to an alert appearing in the SOC/dashboard.
Segment "bypass" attempt rate
The Goal: Ensure your "Zones and Conduits" are holding.
KPI: Number of denied connection attempts from the IT zone to the OT zone that do not match the authorized "flow" defined in 3.1.3.
Credential "blast radius"
The Goal: Limit how far a compromised account can go.
KPI: The percentage of administrative accounts that have access to both IT and OT environments. (This should ideally be 0).
Audit log integrity
The Goal: Ensure that when an attack happens, the "black box" recorder hasn't been tampered with.
KPI: Success rate of automated log integrity checks (Control 3.3.1/3.3.2).
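Two of the KPIs above, the credential blast radius and the audit log integrity check, computed on constructed data, as an added example that is not code from the original post or from Shieldworkz. The blast radius is the share of administrative accounts that hold admin group membership on both the IT and OT side. The integrity check uses a SHA-256 hash chain over the log records, with the chain stored out of band; that is one common way to detect modification or truncation of a log, not a mechanism the standard prescribes. Group names, accounts and log lines are constructed.

```python
"""Added example: credential blast radius and audit log integrity, two of
the NIST SP 800-171 KPIs discussed above. All data is constructed."""
import hashlib

IT_ADMIN_GROUPS = {"Domain Admins", "IT-Admins"}
OT_ADMIN_GROUPS = {"OT-Admins", "SCADA-Engineers"}

# Constructed directory export: account -> group memberships.
ACCOUNTS = {
    "alice": {"Domain Admins"},
    "bob": {"IT-Admins", "OT-Admins"},
    "carol": {"SCADA-Engineers"},
    "dave": {"OT-Admins", "Domain Users"},
    "erin": {"Domain Users"},
}


def blast_radius(accounts):
    """Return (admin count, names with admin rights in both zones, percentage)."""
    admins = {a for a, g in accounts.items() if g & (IT_ADMIN_GROUPS | OT_ADMIN_GROUPS)}
    both = sorted(a for a in admins
                  if accounts[a] & IT_ADMIN_GROUPS and accounts[a] & OT_ADMIN_GROUPS)
    pct = 100.0 * len(both) / len(admins) if admins else 0.0
    return len(admins), both, pct


# ---- audit log integrity ----

# Constructed audit records for a single host.
LOG_LINES = [
    "2026-03-02T08:01:10 EWS-01 logon user=svc_backup src=10.10.7.20",
    "2026-03-02T08:02:30 EWS-01 service installed name=RemoteSvc",
    "2026-03-02T08:02:45 EWS-01 firewall rule added port=5985",
]


def build_chain(lines, seed="genesis"):
    """Hash each record together with the previous hash; keep the chain off-host."""
    prev = hashlib.sha256(seed.encode()).hexdigest()
    chain = []
    for line in lines:
        prev = hashlib.sha256((prev + line).encode()).hexdigest()
        chain.append(prev)
    return chain


def verify_chain(lines, chain, seed="genesis"):
    """Return (ok, index of the first record that fails, or None).

    A length mismatch (records appended or deleted without updating the
    stored chain) fails at the first index the two copies do not share.
    """
    if len(lines) != len(chain):
        return False, min(len(lines), len(chain))
    prev = hashlib.sha256(seed.encode()).hexdigest()
    for i, (line, expected) in enumerate(zip(lines, chain)):
        prev = hashlib.sha256((prev + line).encode()).hexdigest()
        if prev != expected:
            return False, i
    return True, None


def integrity_check_success_rate(results):
    """KPI: share of scheduled integrity checks that passed, as a percentage."""
    return 100.0 * sum(1 for ok in results if ok) / len(results) if results else 0.0


if __name__ == "__main__":
    count, both, pct = blast_radius(ACCOUNTS)
    print(f"{count} admin accounts, {len(both)} span IT and OT ({pct:.0f}%): {both}")
    chain = build_chain(LOG_LINES)
    print("clean log verifies:", verify_chain(LOG_LINES, chain))
    tampered = list(LOG_LINES)
    tampered[1] = tampered[1].replace("RemoteSvc", "Spooler")
    print("edited record 1:", verify_chain(tampered, chain))
    print("truncated log:", verify_chain(LOG_LINES[:2], chain))
```

The chain only proves tampering if the stored hashes live somewhere the host being audited cannot write to; keeping them on the same box defeats the point.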
Last but not least: Compliance is the floor, not the ceiling
An APT group wins when they find a gap between your policy and your reality. Using NIST SP 800-171 to ward off APTs isn't about the paperwork or training alone; it’s about creating a high-fidelity environment. When your network is clean, segmented, and monitored according to a strict baseline, the "Advanced" techniques of a state-sponsored actor become glaringly obvious anomalies.
Additional resources
Here is a specific checklist we have created to help you comply with NIST SP 800-171 in a structured manner.
Defensive posture guidance
OT security baseline assessment checklist
NIST MEP for manufacturers