After four years of research and development, NIST has published a groundbreaking new security guideline that addresses the longstanding problem of how to engineer trustworthy, secure systems—systems that can provide continuity of capabilities, functions, services, and operations during a wide range of disruptions, threats, and other hazards. In fact, I think that Special Publication 800-160, Systems Security Engineering, is the most important publication that I have been associated with in my two decades of service with NIST.
I want to share what led me to this conclusion.
The United States, and every other industrialized nation, is experiencing explosive growth in information technology. These technological innovations have given us access to computing and communications capabilities unparalleled in the history of mankind.
These rapid advancements, and the dramatic growth in consumer demand for them, are occurring alongside a revolutionary convergence of cyber and physical systems, or cyber-physical systems (CPS). The worldwide distribution of these technologies has resulted in a highly complex information technology infrastructure of systems and networks that are difficult to understand and even more difficult to protect.
Today, we are spending more on cybersecurity than ever before. At the same time, we are witnessing an increasing number of successful cyberattacks by nation states, terrorists, hacktivists, and other bad actors who are stealing our intellectual property, national secrets, and private information. Unless we make some kind of radical change to the way we think about and fight these attacks, they are going to have an increasingly debilitating—and potentially disastrous—effect on the economic and national security interests of the United States.
Our fundamental cybersecurity problem can be summed up in three words—too much complexity. There are simply too many bases—all the software, firmware, and hardware components that we rely on to run our critical infrastructure, business, and industrial systems—for us to cover as it is, and we’re adding to the number of bases all the time.
Increased complexity translates to increased attack surface—providing adversaries a limitless opportunity to exploit vulnerabilities resulting from inherent weaknesses and deficiencies in the components of the underlying systems that we have built and deployed. We can characterize this predicament as the N+1 vulnerabilities problem.
According to the Defense Science Board 2013 study done for the U.S. military, there are vulnerabilities that are known; those that are unknown; and those created by your adversaries after they have taken control of your system. Given this reality, there are vulnerabilities that we can find and fix, and a growing number of vulnerabilities that we cannot detect and therefore, remain unmitigated.
While we are making significant improvements in our reactive security measures, including intrusion detection and response capabilities, those measures fail to address the fundamental weaknesses in system architecture and design. These weaknesses can only be addressed with a holistic approach based on sound systems security engineering techniques and security design principles. This holistic approach will make our systems more penetration-resistant; capable of limiting the damage from disruptions, hazards, and threats; and sufficiently resilient so they can continue to support critical missions and business functions after they are compromised.
We have a high degree of confidence our bridges and airplanes are safe and structurally sound. We trust those technologies because we know that they were designed and built by applying the basic laws of physics, principles of mathematics, and concepts of engineering. If bridges were routinely collapsing and airplanes were frequently crashing, the first people we would call would be the scientists and engineers. They would do root-cause failure analysis, find out what went wrong, and fix the problem.
Cybersecurity efforts today are largely focused on what is commonly referred to as “cyber hygiene.” Cyber hygiene includes such activities as inventorying hardware and software assets; configuring firewalls and other commercial products; scanning for vulnerabilities; patching systems; and monitoring.
While practicing good cyber hygiene is certainly necessary, it’s not enough. This is because these activities don’t affect the basic architecture and design of the system. Even if we were to achieve perfection above the water line, we would still be leaving our most critical systems highly vulnerable due to our inability to manage and reduce the complexity of the technology.
The only way to address the N+1 vulnerabilities problem is to incorporate well-defined engineering-based security design principles at every level, from the physical to the virtual. These principles should be driven by mission and business objectives, stakeholder protection needs, and security requirements of the individual organization. While those solutions may not be appropriate in every situation, they should be available to those entities that are critical to the economic and national security interests of the United States including, for example, the electric grid, manufacturing facilities, financial institutions, transportation vehicles, medical devices, water treatment plants, and military systems.
Today, the cybersecurity threats to our government, businesses, critical infrastructure, industrial base, and people are as severe as threats of terrorism or the threats we experienced during the Cold War.
Overcoming these threats will require a significant investment of resources and the involvement of government, industry, and the academic community. It will take a concerted effort on a level we haven’t seen since President Kennedy dared us to do the impossible and put a man on the moon over a half-century ago.
We can do it again, but the clock is ticking and the time is short. Creating more trustworthy, secure systems requires a holistic view of the problems, the application of concepts, principles, and best practices of science and engineering to solve those problems, and the leadership and will to do the right thing—even when such actions may not be popular.
I think that NIST Special Publication 800-160 is the first step we need to take toward securing the things that matter to us. It will be a grand challenge, but we Americans have a long history of achieving the impossible.
I applaud NIST for all its hard work to protect our well-being, the economy and national security. Excellent strategy to initially focus on incorporating well-defined security-engineering principles within critical infrastructure organizations first. This approach will ensure products are designed and manufactured with robust security architectures and management capabilities. Ultimately, market demand will propel these highly secure systems into the open marketplace.
Very helpful post and great article. Thanks, author, for your awesome topic and valuable information. Truly, I appreciate it.
The JS J6 DDC5I/CCD is the Requirements Manager for Joint C2 requirements. By definition, Joint C2 requirements are for National Security Systems. I was reading through NIST SP 800-160, Volume 1 when I came across the following statement:
"The considerations set forth in this publication are applicable to all federal systems other than those systems designated as national security systems as defined in 44 U.S.C., Section 3542."
Given this, can you tell me why SP 800-160 is not applicable, and where I may find systems engineering guidance that is applicable to National Security Systems? Thanks for your help.
Dear Mr. Carlson,
NIST cybersecurity authorities do not extend to national security systems. However, NIST standards and guidelines can be adopted and used voluntarily by the national security community at any time. For example, under the Joint Task Force, the DOD, Intelligence Community, and CNSS have adopted several NIST publications through individual policy directives. Thus, publications such as NIST 800-53, NIST 800-53A, NIST 800-37, NIST 800-39, and NIST 800-37 are widely used throughout the national security community. While NIST 800-160 is not a Joint Task Force publication, the national security community can use the systems security engineering guidance on a voluntary basis.