We are immersed in a cyber-physical world. Information technology is deeply embedded in traditionally non-IT systems, including automobiles, the electric grid and emergency response. But in many of these systems, security is largely incorporated as a last step, like a suit of armor over a vulnerable body.
To help bake security into the very core, a new draft NIST publication recommends ways to incorporate time-tested security design principles and concepts into these systems at every step, from concept to implementation.
Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems—NIST Special Publication 800-160—is based on the international ISO/IEC/IEEE Standard 15288 for Systems and Software Engineering.
By incorporating security concepts into systems engineering—a discipline originally developed to protect physical infrastructure such as bridges—the researchers are providing considerations for building security from the ground up in modern versions of these complex systems and completely new ones. With systems supporting critical infrastructure becoming increasingly complex, it becomes all the more challenging to ensure they are trustworthy.
Organizations currently buy commercial components, such as operating systems and applications, and then add on security measures such as firewalls, encryption and monitoring systems.
"But those things do not go far enough in reducing and managing complexity, developing sound security architectures, and applying fundamental security design principles," said NIST Fellow Ron Ross. "Many of the engineering-related activities must be done by industry, as consumers can't design or modify source code, or do the other tasks necessary for full-spectrum security."
NIST set out to create a comprehensive, engineering-based approach that includes security considerations from the original design throughout the system's entire lifecycle—including how to retire the system and its data securely. The new NIST publication is intended for anyone who designs, develops, builds, implements, organizes or sustains any type of system from smartphones to industrial and process control systems. The first draft was published in May 2014.
The second draft "takes things to a higher level," Ross said. "We are bringing the cyber and physical worlds fully together."
While the first draft spoke of "information security," the new draft discusses concepts in terms of "security" to reflect how intertwined the cyber and physical worlds have become. The publication applies security principles to all of the technical processes outlined in the ISO/IEC/IEEE standard. These include such steps as engineering design, system analysis and implementation. In addition, it applies security concepts to critical non-engineering processes involving these systems such as management and support services.
The new publication addresses the public comments submitted on the original document. It is also aligned with a major 2015 update of the ISO/IEC/IEEE standard.
The NIST SP 800-160 approach starts with mission or business owners "valuing" their assets and then uses security design principles and systems engineering processes to develop appropriate security requirements, architecture and design. The objective is to implement a security capability that can adequately protect these assets and reduce a system's susceptibility to adverse consequences from threats and other hazards—all in the context of an organization's tolerance for risk.
"The systems security engineering considerations in NIST SP 800-160 give organizations the capability to strengthen their systems against cyberattacks, limit the damage from those attacks if they occur, and make their systems survivable," Ross said.
The considerations outlined in the NIST publication apply to both modern versions of pre-existing systems, such as manufacturing, and completely new systems, such as environmental monitoring devices and sensors embedded in the physical world and connected to physical networks as part of the "Internet of Things."
Robert Bigman, a cybersecurity consultant at 2BSecure and former Central Intelligence Agency chief information security officer, thinks the value of NIST SP 800-160 is in its approach to building systems that organizations and users can trust.
"The key to reducing the risk to our critical infrastructure is to build 'trustable' systems on a foundation of systematic and accepted engineering principles," Bigman said.
"NIST SP 800-160 will become the de facto standard for integrating 'trustability' into the design, development, deployment and operation of systems used both within government and commercial critical infrastructure industries," he said.
Public comments on the current draft of Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems, NIST SP 800-160, are requested. Please send comments to sec-cert [at] nist.gov no later than July 1, 2016.