NIST Launches New Information Technology Security Effort
For Immediate Release: October 2, 2001
The Department of Commerce's National Institute of Standards and Technology today awarded $5 million total in funding for nine research grants that will enhance security for critical infrastructures such as electrical grids and air traffic control systems.
Awards under the Critical Infrastructure Protection Grants Program will accelerate efforts to make the computer and telecommunications systems that support our essential services more secure. These efforts are necessary because many critical infrastructures—the physical and cyber-based systems that are essential to the nation's economy—are increasingly automated and interdependent.
NIST awarded the nine grants to five companies, three universities and two commercial/academic partnerships. The agency received 133 applications (totaling more than $73 million in requests) for the available $5 million in funding under the CIPGP. Proposal reviews were conducted by scientists at NIST, including those in the agency's Information Technology, Manufacturing Engineering, and Electronics and Electrical Engineering laboratories. Additionally, 98 reviewers from eight federal agencies—including the Department of Defense, the Department of Justice and the National Security Agency—also participated in the selection process.
Richard A. Clarke, national coordinator for security, critical infrastructure and counter-terrorism at the National Security Council, applauded the grant awards. "These research grants will make an important down payment toward addressing the many cyber challenges we need to surmount to protect America's critical infrastructures," Clarke said. "We look forward to the technical progress that the awardees will be making."
A list of the 2001 CIPGP awards is attached. More details on the CIPGP, the first-year competition process and the 2001 grants are available on the program's web site: http://csrc.nist.gov/grants.
As a non-regulatory agency of the U.S. Department of Commerce's Technology Administration, NIST develops and promotes measurements, standards, and technology to enhance productivity, facilitate trade, and improve the quality of life.
For more information on NIST, see our web site at www.nist.gov. To explore a century of NIST partnerships with U.S. industry, benefits to the public and impacts on economic growth, go to the NIST centennial (1901-2001) web site at www.100.nist.gov.
Note: Dollar amounts listed are fiscal year 2001 funding from the government. Additional funding requested for some of the projects is contingent on Congressional approval.
The merging of the Internet and other data networks with traditional voice telephone networks brings with it new safety concerns and vulnerabilities. This research will address interactions and interdependencies in the protocol layers and examine the emerging interconnection architectures to identify and mitigate the consequent vulnerabilities and security dependencies.
The growing dependency of critical infrastructures upon wireless communication introduces many new— and often misunderstood—security risks. This work will look at ways to conduct security testing of the technology in a realistic environment by creating a secure wireless test bed. Initial focus will be on the IEEE 802.11 wireless standard, security in intra-domain and intra-service provider roaming, and other security issues in wireless area networks.
Before attacking a system, hackers often use probes to assess the security, operational characteristics and likely vulnerabilities of a system. The Sensilla project being funded will use novel intrusion detection techniques to address the problem of attackers using surveillance or probing techniques and then launching denial of service attacks. The results are likely to enhance our ability to detect these intrusions, especially on high bandwidth Internet connections used by the public and private sectors to deliver essential services.
When a large complex network is under attack, it is nearly impossible to get a good picture of the scope and severity of the incursion. Therefore, managing the attack can be problematic. This research will create a way to map converged networks (those that use data, voice and broadband) and develop sophisticated attack management systems for those networks. The work also will exploit computer modeling and visualization of the attacks to better respond and mitigate such attacks.
$691,362 (includes a $500,000 contribution from the National Security Agency)
Modern electrical power distribution is managed by complex automated controls which may be vulnerable to attack. To better understand the risk and develop appropriate security controls, this project focuses on cybersecurity for the electrical power grid by developing a prototype secure information architecture for substations and control centers. Included are security and survivability assessments of actual configurations.
This research effort is centered on survivability and security of wireless networks. Specifically, it has three main areas of investigation: survivable networks and protocol design, development and evaluation of a security architecture for wireless access networks, and the interaction between survivability and security.
Many system outages and security incidents result from poorly developed or tested computer programs. This work proposes to use compiler and certain pre-processing techniques aimed at detecting, correcting and repairing conditions such as buffer overflow that introduce vulnerabilities into the development of systems and applications. Correcting these conditions before they are introduced into operational systems promises significant cost savings over retroactive detection and patching.
This work will develop ways to assess the effectiveness of computer intrusion detection systems—a measure not always well understood—to help improve the security of these systems. While addressing computer intrusion, this work is aimed primarily at addressing metrics and testing capabilities.
Engineered Compositions for Infrastructure Design
Today, there is no easy way to understand the security risks and protections provided when two or more information technology components are connected. This research will develop ways to evaluate the security of computer systems, focusing both on the security of individual components and larger systems. The results should be more secure systems built from individually tested components.