Revised NIST publication treats security as ‘emergent system property’

The National Institute of Standards and Technology’s latest guidelines for engineering trustworthy systems treat security as an “emergent property.” The lead author on the publication says organizations can no longer treat security as an afterthought, as IT devices perform increasingly vital functions in industrial control systems and other critical networks.

NIST released the draft revision of Special Publication 800-160, “Engineering Trustworthy Secure Systems,” in June. The agency will finalize the document after receiving comments from the public.

While organizations have started to realize that they can’t “bolt on” security into their systems after the fact, the new NIST publication provides a range of security design principles engineers can use throughout the lifecycle of a system, according to Ron Ross, senior fellow at NIST and one of the principal authors of the NIST 800-160 revision.

“You hope that after you apply these security considerations, you can have a system that meets your expectations,” Ross said in an interview for a Special Bulletin Review. “How much protection do you need? How much loss are you willing to sustain? And have you engineered the system appropriately to get those things actually to occur at the level of confidence or assurance that you need?”

Treating security as an “emergent system property” ensures engineers aren’t just thinking about how they want the system to function; they’re also thinking about what kind of results they want to avoid.

“We build bridges and airplanes and things that have to have a high degree of reliability,” Ross said. “We can do that with security as well.”

A longtime cybersecurity leader at NIST, Ross says engineering requirements are ultimately driven by the stakeholders who buy and use the systems. And in many cases, users will still trust their data and functionality in “untrustworthy” systems.

But now, Ross says increasing “cyber-physical convergence” may force a change in the conversation. Industrial systems and operational technology are increasingly run on software, while more of these critical devices are being interconnected through the “Internet of Things.”

“That’s what makes this conversation so much more important than it was even five or 10 years ago,” he said.

The updates to the NIST engineering publication suggest that viewing security as an emergent system property can facilitate “comprehensive trade space decisions as stakeholders continually address cost, schedule, and performance issues, as well as the uncertainties associated with system development efforts,” according to the agency.

Ultimately, the complexity in systems and enterprises can make “it difficult to understand how to trust those individual system components,” Ross said.

“And that’s why eliminating all the unnecessary things, and reducing the privileges that people have to those that are only essential,” he continued. “Those are the first two steps of getting your arms around that very complicated enterprise. . . Once those assets are identified, then you can start moving to do a better job of applying those design principles and the things that are necessary to build a system that when it goes to that process can give you the evidence that it is trustworthy to whatever degree you require.”

Cybersecurity design principles and techniques are increasingly available for system engineers and owners. Earlier this year, NIST published a Secure Software Development Framework, which will help guide agencies as they work to meet the goals of last year’s cybersecurity executive order.

Ross sees momentum building in the effort to move security into design.

“I think this is really what I call a kind of a seismic event or a sea change, because for a long time, cybersecurity has been in a silo, a stovepipe,” he said. “It’s been a [chief information security officer’s] domain. And we’ve got to move that out into the places where you can actually effect change.”
