NIST issues draft guidance for securing legacy IT systems, more

The National Institute of Standards and Technology issued draft guidance Wednesday to help agencies better secure older legacy IT systems.

The second volume of NIST’s Systems Security Engineering guide SP 800-160 addresses advanced cybersecurity concerns for organizations “conducting new development of IT component products, systems, and services,” and those “with legacy systems (installed base) currently carrying out day-to-day missions and business functions.”

Ron Ross, NIST fellow and one of the agency’s cybersecurity experts, spoke with CyberScoop about the needed update.

“We’ve been too focused on penetration resistance, hardening the systems, trying to keep the bad guys out,” he said, “The problem is, with the incredibly complex IT systems we have today, there will always be an [effectively] unlimited supply of vulnerabilities that we can’t know about.”

Volume two focuses on cyber resilience engineering, which it defines as having the following four characteristics:

• Focus on the mission: “Maximiz[ing] the ability of organizations to complete critical or essential missions or business functions despite an adversary presence in their systems and infrastructure.”

• Focus on the adversary: “These guys are high end and and well resourced,” said Ross. “You have to understand how they operate.”

• Assume compromise: “A fundamental assumption of cyber resiliency.” No matter “the quality of the system design, the functional effectiveness of the security components, and the trustworthiness of the selected components,” a determined and skilled adversary will get in.

• Assume persistence:  “The stealthy nature of the APT makes it difficult for an organization to be certain that the threat has been eradicated.”

Read more about the new draft guidance on CyberScoop.