The National Institute of Standards and Technology (NIST) has published what it called a “groundbreaking new security guideline that addresses the longstanding problem of how to engineer trustworthy, secure systems.”
Special Publication 800-160, Systems Security Engineering, is geared towards strengthening the security of connected devices. Ron Ross, a fellow at NIST who co-authored the guidelines called it “the most important publication” that he has been associated with in his two decades of service with NIST.
The United States, and every other industrialized nation, is experiencing explosive growth in information technology. These technological innovations have made access to computing and communications capabilities unparalleled in the history of mankind, said Ross.
These rapid advancements, and the dramatic growth in consumer demand for them, are occurring alongside a revolutionary convergence of cyber and physical systems, or cyber-physical systems (CPS). The worldwide distribution of these technologies has resulted in a highly complex information technology infrastructure of systems and networks that are difficult to understand and even more difficult to protect, according to Ross.
“Today, we are spending more on cybersecurity than ever before. At the same time, we are witnessing an increasing number of successful cyberattacks by nation states, terrorists, hacktivists, and other bad actors who are stealing our intellectual property, national secrets, and private information,” Ross said. “Unless we make some kind of radical change to the way we think about and fight these attacks, they are going to have an increasingly debilitating—and potentially disastrous—effect on the economic and national security interests of the United States.”
Ross mentioned increased complexity as a factor resulting in an increased attack surface, allowing adversaries to exploit vulnerabilities resulting from inherent deficiencies and weaknesses in the components and underlying systems already built and deployed.
Cybersecurity efforts today are largely focused on what is commonly referred to as “cyber hygiene.” Cyber hygiene includes such activities as inventorying hardware and software assets; configuring firewalls and other commercial products; scanning for vulnerabilities; patching systems; and monitoring.
This, Ross said, is not enough because these activities don’t affect the basic architecture and design of the system.
According to Ross, “NIST Special Publication 800-160 is the first step we need to take toward securing the things that matter to us. It will be a grand challenge, but we Americans have a long history of achieving the impossible.”