Last week, the National Institute of Standards and Technology (NIST) revealed the initial public draft of its Special Publication 800-160 Volume 2, Systems Security Engineering: Cyber Resiliency Considerations for the Engineering of Trustworthy Secure Systems. The new guidelines are for organizations operating legacy systems or developing new IT component products, systems and services. They recommend measures that can help avert or limit damage from advanced persistent threats (APTs), which can breach critical IT systems and establish an undetected presence in them.
“The cyber-resiliency guidelines are intended to help extend the single dimension protection strategy of penetration resistance–or penetrate-and-patch approaches for systems–and include additional dimensions of damage limitation, resiliency, and survivability,” said NIST Fellow Ron Ross, a co-author of the publication.
Seatbelts, Airbags, or Both?
Volume 2’s cyber-resiliency guidelines enable agencies to determine what measures are best for their organization’s mission, experience and expertise. They can select and partially or fully apply NIST’s cyber-resiliency constructs to their organization’s technical, operational and threat environments.
The system life cycle processes and cyber resiliency constructs can be used for new systems, system upgrades, or systems that are being repurposed. These processes and constructs can be employed at any stage of the system life cycle and take advantage of any system and/or software development methodology, Ross explained.
“Cyber resiliency techniques and approaches can do for systems and critical assets what industry did for automobiles,” Ross added. “Manufacturers provide built-in safety features like seatbelts, airbags, steel-reinforced doors, navigational sensors and warning devices. These do not guarantee an accident-free trip, but should an accident occur, the objective is to limit damage to the vehicle and make an accident survivable, reducing driver and passenger injuries and deaths.”
Resiliency Is Under the Hood
NIST defines a cyber-resilient system as one that builds in the required security safeguards as a foundational part of the system architecture and design, enabling it to withstand an attack and continue to operate even in a degraded or debilitated state.
Cyber-resiliency techniques “take away the tactical advantage from the advanced persistent threat and force the adversaries to operate on your terms, not theirs,” Ross said. “The enormous complexity of today’s systems demands a multidimensional protection strategy that extends traditional boundary defenses with strategies for ‘damage limitation’ and ‘system resiliency’ implemented through rigorous architectural and design principles.”
NIST Is Accepting Comments
NIST posted the draft cyber-resiliency guidelines online and set May 18 as the deadline for public comment.