Implications of NIST Special Publication 800-160 for “Systems Security Engineering”

The second draft of NIST sp800-160 was released this month. The full title of the document is,

Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems

This version is a substantial update to the first draft. NIST is accepting public comments on it until July 1, with final release targeted for year end. It is worth a look if you are serious about improving cyber security. For some in the new ADD world order, 307 pages would not qualify as a quick skim, but the document is important enough that one should at least understand the purpose behind it.

William Jackson writes in “Bringing cybersecurity to all things” that,

“NIST’s draft Special Publication 800-160 offers a systems-oriented approach for engineering trustworthy secure systems—not just in smartcars, but in everything.”

He points out,

“NIST does not break new ground in this document. It applies security principles already defined in ISO/IEC/IEEE 15288, a standard for systems security engineering, and provides systems security engineering techniques for developers. The idea is to start the engineering process with both the functional and security requirements of stakeholders, and ensure that these requirements are addressed throughout.”

Getting all stakeholders to the table and applying holistic processes to systems engineering standards that form the foundation of systems security engineering is a good thing. It’s also a necessary thing.

In response to NIST releasing the second draft, the Institute for Critical Infrastructure Technology (ICIT), a cyber security think tank, released a jargon-free overview so that non-technical readers can also benefit. It explains what trustworthy systems provide: a reduced attack surface, and resilience in the face of resourceful adversaries.

This is important as their paper reminds us that,

“The complete dependence of the public and private sector upon foundationally insecure systems jeopardizes the mission and business success of individual organizations, and it jeopardizes the stability of the United States as a nation.”

“After decades of constructing systems without incorporating security through the life cycle of the system, the United States is underprepared for the threats that arose in the age of information.”

They add,

“The colloquial definition of insanity is doing the same thing over and over and expecting a different result. Scientifically speaking, nothing changes without an application of will and force. The incessant barrage of cyber-attacks, service disruptions, and critical failures experienced by every level of government, the military, the private sector, critical infrastructure facilities, and private individuals, confirms the notion that adhering to the same old information security practices will not alter the inevitable result. In order for different results to materialize, we must adjust our approach to the development of information security systems.”

At 25 pages, it is worth a look: it gives a good discussion of the intent and purpose of NIST sp800-160 for a more reasonable investment of one’s time. (Link below.)

Why Trustworthiness is the goal

The ICIT paper authors write,

“…(NIST) recognizes the necessity for improvement upon established best practices in order to address the modern threat landscape. In particular, NIST recognizes the need for trustworthy and secure systems that are dependable and resilient against compromise. Failure to adopt trustworthy and secure systems will leave the Nation susceptible to the potentially catastrophic consequences of complex incidents…”

“In many ways, information security remains, at best, a soft science. NIST SP 800-160 introduces the rigor of the natural sciences to cybersecurity. The publication applies more methodical, engineering-based approaches to information security solutions to address the dynamic, complex, and interconnected systems and systems-of-systems, such as the Internet of Things, that run the modern world.”

“A trust-driven model, such as that proposed in NIST SP 800-160, will preclude many breaches by removing vulnerabilities before adversaries can exploit them. In typical security models, information security is either predictive or reactive. In either case, information about the threat must be known before action can be taken. Trusted systems ignore that constraint. A trusted system is not impervious to compromise; rather, it is developed from initiation to preclude vulnerabilities that result from design and to withstand attacks.”

Indeed, both Mr. Jackson’s article and the ICIT paper note that NIST Senior Fellow Ron Ross has called for significant investment in the development of information security systems:

“Increasing the trustworthiness of systems is a significant undertaking that requires a substantial investment in the requirements, architecture, design, and development of systems, components, applications, and networks,”

“This requires a fundamental change to the current ‘business as usual’ culture.”

Implications and Significance

One doesn’t even have to read between the lines to see that NIST has concluded that more of what is failing now will likely lead, eventually, to catastrophic failure. It is an admission that past approaches, models and efforts have failed and are still failing. One can’t fix Internet security as a whole, but one must secure, to a higher degree than is done presently, anything one connects to it. The building blocks of interwoven, interdependent networks must themselves be secure before chains of trust can be designed for the processes that interact across them. This is easily visualized in light of the Internet of Things and embedded medical devices. A degree of inherent security is required. This is the point of NIST sp800-160.

Recognition of this need is a first step. However, does anyone really think an IoT device vendor is going to read the document and declare that from now on they will start designing for trustworthiness? Developers are under deadline to get product to market fast, and they are not security gurus. Usually they don’t want to be, either.

While one can see that all of this is good, and necessary, the transition won’t be easy. The need has been known for decades. If it were easy, wouldn’t this road already be more travelled? Look around you: are you seeing discussions about this? Because doing this has always been complex and hard, people have usually just ignored the issue and retreated into the herd-consensus groupthink of the “Cult of the Difficult Problem”.

So this is all good “in theory”. Unless it is mandated by government, how much will secure systems engineering be adopted and applied voluntarily, and how quickly? The good news is that this is exactly what Trustifier has been doing since 2003. A quick follow-up to this post will explain how Trustifier KSE technology attains the goals of NIST sp800-160 now, and how it can enable and facilitate them for you as well.

Attain NIST sp800-160 goals with KSE


NIST sp800-160 Second Draft

NIST SP800-160: For the Rest of Us, An ICIT Summary