The rising frequency and intensity of cyberattacks on information technology systems that support the government, military, businesses, and critical infrastructure have raised awareness among senior Federal agency managers that security controls cannot be bolted on to systems as an afterthought. Security must be a core part of the design of systems from the beginning, and considered throughout the development lifecycle.
To that end, security design principles and concepts are the foundation for engineering trustworthy secure systems. As part of its ongoing cybersecurity efforts, the National Institute of Standards and Technology has issued the first update to its flagship systems security engineering guidance document, Special Publication 800-160: Systems Security Engineering, Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems. The update includes the addition of new “call out” boxes that emphasize the importance of applying a core security design principle to all systems that are part of the U.S. critical infrastructure.
NIST issued the update to SP 800-160 in advance of publishing a second systems security engineering document, which is scheduled for release in March, on cyber resiliency. The cyber resiliency publication will be the first in a series of systems security engineering specialty publications developed to support the SP 800-160 guidance. Other specialty topics for future publications include both hardware and software security and assurance.
First released in November 2016, NIST SP 800-160 serves a larger purpose than merely giving guidance to Federal system developers and engineers on how to build security into new systems and their interconnected components throughout the development lifecycle. It is also designed to help sell the core security concept to senior government and critical infrastructure managers.
“So, this document helps if you need to go to project managers or your finance departments and get approval for taking these extra steps to build security into systems from the beginning,” said Ken Durbin, senior strategist for Global Government Affairs and Cybersecurity with Symantec.
In addition to systems security engineers, another target audience is any “individual with acquisition, budgeting, and project management responsibilities,” according to the document. For example, the document could be used by government acquisition managers who want to ensure they are purchasing secure products and systems. As a purchasing requirement, they could theoretically ask vendors whether they followed NIST 800-160 in the development of a system. “So, this document is absolutely geared toward helping to create a secure system, but there are other uses,” Durbin said.
“Our objective with 800-160 is to try and raise awareness about the importance of building security into systems early in the life cycle,” said Ron Ross, a computer scientist and NIST Fellow, who is a co-author of NIST 800-160. “The guidance in the document is tied to IEEE and ISO standards.”
Within the new standards, a system can be defined as anything from a small Internet of Things device, such as a single sensor, up to a large enterprise network of systems serving a government organization or corporation. Ross noted that the new definition works because all businesses and government entities rely on the same commercial technologies, such as operating systems, database management systems, and network routers, which in turn are made up of similar firmware and software components. So they can share the same core security design principles.
There has been great emphasis on, and a significant increase in, the use of the NIST Cybersecurity Framework, the NIST Risk Management Framework, and continuous monitoring tools. However, not as much attention has been paid to the critical issues of trust technologies and assurance, which led to the creation of the new standards, Ross said.
Some of the recently reported flaws in system components, such as Meltdown and Spectre, are vulnerabilities that have been part of the design of systems from decades ago, Ross said. For example, Meltdown and Spectre allow processor exploits to steal passwords and other sensitive user data from almost any device that contains chips from Intel, Advanced Micro Devices, and ARM. Having a core security mindset in place might have prevented the inclusion of predictive memory techniques in processors designed for government, and prevented the accompanying vulnerabilities.
NIST 800-160 leads to greater trust in systems, because its guidance gives engineers visibility down to the component level as they develop systems. “This is about asking the right questions about security at the very point in the development of components and systems where it can make a difference,” Ross added.