On November 15, 2016, the National Institute of Standards and Technology (NIST) released its final guidance providing engineering-based solutions to protect cyber-physical systems and systems-of-systems, including the Internet of Things (IoT), against a wide range of disruptions, threats, and other hazards.  NIST Special Publication 800-160 (the “Guidance”) is the result of four years of research and development and builds upon well-established international standards for systems and software engineering.

As more and more of our appliances, cars, devices, and other “things” are connected to the Internet and to each other, participants in the IoT manufacturing ecosystem, consumers, and the government are focusing on how best to harness the power of this rapid technological advancement, while understanding and mitigating new cyber threats. According to NIST, the purpose of the Guidance is to address “fundamental weaknesses in system architecture and design” that “can only be addressed with a holistic approach based on sound systems security engineering techniques and security design principles.”  Thus, the Guidance provides a first set of standards for “engineering-driven” activities that assist contributors within the entire product lifecycle — including software developers, hardware suppliers, manufacturers, and cloud services providing aggregation and analytic platforms — in achieving integrated security by design and building trustworthy systems.

One of the stated purposes of the Guidance is to “formalize a discipline” around security engineering and “foster a common mindset to deliver security for any system.” Accordingly, the NIST principles are aligned with (or extensions of) the thirty system life cycle processes identified in the international systems and software engineering standard (ISO/IEC/IEEE 15288) published last year.  The Guidance notes that the system life cycle processes are designed to be adaptable and may be applied concurrently, iteratively, or recursively at any level in the structural hierarchy of a system and at any stage in the system life cycle, from concept through retirement.  The appendices provide additional information for the effective application of the systems security engineering activities and tasks described in the Guidance, including a summary of the security engineering activities and tasks associated with the system life cycle processes; an explanation of the roles, responsibilities, and skills associated with systems security engineering; a summary of security design principles; and an explanation of foundational engineering and security concepts.

The Guidance recognizes, however, that engineering solutions alone are not enough.  Addressing the increased technological complexity of our society also requires: (1) an understanding of the threat landscape; (2) identification of protections that are commensurate with the particular risks; and (3) increased education regarding the complexity of our systems in order to manage the benefits, risks, and uncertainty of stakeholders’ needs.  To this point, the Guidance emphasizes that “[i]ncreasing the trustworthiness of systems is a significant undertaking that requires a substantial investment in [all aspects of system and device design] and a fundamental cultural change to the current ‘business as usual’ approach.”

Ashden Fein

Ashden Fein is a vice chair of the firm’s global Cybersecurity practice. He advises clients on cybersecurity and national security matters, including crisis management and incident response, risk management and governance, government and internal investigations, and regulatory compliance.

For cybersecurity matters, Ashden counsels clients on preparing for and responding to cyber-based attacks, assessing security controls and practices for the protection of data and systems, developing and implementing cybersecurity risk management and governance programs, and complying with federal and state regulatory requirements. Ashden frequently supports clients as the lead investigator and crisis manager for global cyber and data security incidents, including data breaches involving personal data, advanced persistent threats targeting intellectual property across industries, state-sponsored theft of sensitive U.S. government information, extortion and ransomware, and destructive attacks.

Additionally, Ashden assists clients from across industries with leading internal investigations and responding to government inquiries related to U.S. national security and insider risks. He also advises aerospace, defense, and intelligence contractors on security compliance under U.S. national security laws and regulations including, among others, the National Industrial Security Program (NISPOM), U.S. government cybersecurity regulations, FedRAMP, and requirements related to supply chain security.

Before joining Covington, Ashden served on active duty in the U.S. Army as a Military Intelligence officer and prosecutor specializing in cybercrime and national security investigations and prosecutions — to include serving as the lead trial lawyer in the prosecution of Private Chelsea (Bradley) Manning for the unlawful disclosure of classified information to Wikileaks.

Ashden currently serves as a Judge Advocate in the U.S. Army Reserve.