Revised NIST publication treats security as an “emergent system property”

The National Institute of Standards and Technology’s latest guidelines for engineering reliable systems treat security as an “emergent property.” The lead author of the publication says organizations can no longer treat security as an afterthought as computing devices perform increasingly vital functions in industrial control systems and other critical networks.

NIST released the draft revision of Special Publication 800-160, “Engineering Trustworthy Secure Systems,” in June. The agency will finalize the document after receiving public comments.

As organizations have begun to realize that they cannot “build” security into their systems after the fact, the new publication from NIST provides a range of security design principles that engineers can use throughout the life cycle of a system, according to Ron Ross, Senior Fellow at NIST and one of the main authors of the NIST 800-160 revision.

“You hope that after applying these security considerations, you can have a system that meets your expectations,” Ross said in an interview for Special Bulletin. “How much protection do you need? What loss are you willing to bear? And have you designed the system appropriately so that these things actually happen at the level of confidence or assurance that you need?”

Treating security as an “emergent system property” ensures that engineers don’t just think about how they want the system to work; they also think about the type of results they want to avoid.

“We build bridges and airplanes and things that need to have a high degree of reliability,” Ross said. “We can also do that with security.”

A longtime head of cybersecurity at NIST, Ross says engineering requirements are ultimately determined by the stakeholders who buy and use the systems. And in many cases, users will continue to entrust their data and functionality to “untrusted” systems.

But now, Ross says increasing “cyber-physical convergence” may force a shift in the conversation. Industrial systems and operational technology are increasingly running on software, while more and more of these critical devices are interconnected via the “Internet of Things.”

“That’s what makes this conversation so much more important than it was five or ten years ago,” he said.

Updates to the NIST engineering publication suggest that considering security as an emergent system property can facilitate “comprehensive decisions about the business space, as stakeholders continually address issues of cost, schedule, and performance, as well as the uncertainties associated with system development efforts,” according to the agency.

Ultimately, the complexity of systems and businesses can make it “difficult to figure out how to trust these individual system components,” Ross said.

“And that’s why eliminating all unnecessary things and reducing people’s privileges to those that are only essential,” he continued. “These are the first two steps to mastering this very complicated business... Once these assets have been identified, you can begin to better apply these design principles and the elements needed to build a system that, when it goes through this process, can prove to you that it is trustworthy at any degree you need.”

Cybersecurity design principles and techniques are increasingly available to engineers and system owners. Earlier this year, NIST released a Secure Software Development Framework, which will help agencies guide their efforts to achieve the goals of last year’s Cybersecurity Executive Order.

Ross sees momentum building in efforts to build safety into design.

“I think it’s really what I call some kind of seismic event or sea change, because for a long time cybersecurity has been in a silo, a stovepipe,” he said. “It was a [chief information security officer’s] domain. And we need to move that to the places where you can actually effect change.”
