On November 15, 2016, the National Institute of Standards and Technology (NIST) released its final guidance providing engineering-based solutions to protect cyber-physical systems and systems-of-systems, including the Internet of Things (IoT), against a wide range of disruptions, threats, and other hazards.  NIST Special Publication 800-160 (the “Guidance”) is the result of four years of research and development and builds upon well-established international standards for systems and software engineering.

As more and more of our appliances, cars, devices, and other “things” are connected to the Internet and to each other, participants in the IoT manufacturing ecosystem, consumers, and the government are focusing on how best to harness the power of this rapid technological advancement, while understanding and mitigating new cyber threats. According to NIST, the purpose of the Guidance is to address “fundamental weaknesses in system architecture and design” that “can only be addressed with a holistic approach based on sound systems security engineering techniques and security design principles.”  Thus, the Guidance provides a first set of standards for “engineering-driven” activities that assist contributors within the entire product lifecycle — including software developers, hardware suppliers, manufacturers, and cloud services providing aggregation and analytic platforms — in achieving integrated security by design and building trustworthy systems.

One of the stated purposes of the Guidance is to “formalize a discipline” around security engineering and “foster a common mindset to deliver security for any system.” Accordingly, the NIST principles are aligned with (or extensions of) the thirty system life cycle processes identified in the international systems and software engineering standard (ISO/IEC/IEEE 15288) published last year.  The Guidance notes that the system life cycle processes are designed to be adaptable and may be applied concurrently, iteratively, or recursively at any level in the structural hierarchy of a system and at any stage in the system life cycle, from concept through retirement.  The appendices provide additional information for the effective application of the systems security engineering activities and tasks described in the Guidance, including a summary of the security engineering activities and tasks associated with the system life cycle processes; an explanation of the roles, responsibilities, and skills associated with systems security engineering; a summary of security design principles; and an explanation of foundational engineering and security concepts.

The Guidance recognizes, however, that engineering solutions alone are not enough.  Addressing the increased technological complexity of our society also requires: (1) an understanding of the threat landscape; (2) identifying protections that are commensurate with the particular risks; and (3) increased education regarding the complexity of our systems in order to manage the benefits, risks, and uncertainty of stakeholders’ needs.  To this point, the Guidance emphasizes that “[i]ncreasing the trustworthiness of systems is a significant undertaking that requires a substantial investment in [all aspects of system and device design] and a fundamental cultural change to the current ‘business as usual’ approach.”