NIST Updates Cyber Resiliency Guidance for Critical Systems
Why is cyber resiliency important? It's important because you can’t stop cyber-attacks. Even with “the right” safeguards and countermeasures in place, some attacks will be successful. Cyber resiliency is part of an overarching systems security engineering approach to protecting critical and mission-essential systems—whether those systems are controlling power distribution in the electric grid, providing patient services in a healthcare facility, or protecting the nation’s transportation entities.
It’s all the same problem—a total dependence on computing technology and software that is complex, ubiquitous, and in many cases, not all that trustworthy. The old ways of defending systems and networks at the perimeter are no longer sufficient to stop the exploitation of vulnerabilities by adversaries. The effect of these cyber-attacks across all sectors of the critical infrastructure has been extremely serious and the impact unsustainable. We must reduce the nation’s susceptibility to destructive cyber-attacks in both the public and private sectors.
The limitation of the traditional one-dimensional protection strategy—that is, establishing penetration resistance at the entry points to systems and networks—is widely understood. To address this problem, NIST is introducing a next generation protection strategy: a multidimensional approach that builds on penetration resistance and incorporates damage limiting architectures and other security design principles to achieve cyber resiliency and, ultimately, system resilience. Systems security engineering is at the heart of this “next gen” multidimensional protection strategy.
Traditional cybersecurity and risk management frameworks and their supporting security and privacy controls can only be effectively employed when guided and informed by system and security architectures. Architectures provide context and structure. For example, the same identity and access management (IDAM) controls implemented solely at the external boundary of an organizational system will be much less effective than those same IDAM controls implemented as part of a zero-trust architecture (ZTA). ZTA is an example of a damage limiting architecture that employs important security design principles such as segmentation, least functionality, and least privilege.
The draft update to NIST SP 800-160, Volume 2, “Developing Cyber-Resilient Systems: A Systems Security Engineering Approach,” turns the traditional perimeter defense strategy on its head and moves organizations toward a cyber resiliency strategy that facilitates defending systems from the inside out instead of from the outside in. This guidance helps organizations anticipate, withstand, recover from, and adapt to a variety of adverse conditions, stresses, or compromises on systems—including hostile and increasingly destructive cyber-attacks from nation states, criminal gangs, and disgruntled individuals.
NIST’s flagship cyber resiliency publication offers significant new content and support tools for organizations to defend against cyber-attacks, including the ever-growing and destructive ransomware attacks. The guideline provides suggestions on how to limit the damage that adversaries can inflict by impeding their lateral movement, increasing their work factor, and reducing their time on target—reducing the likelihood of a successful attack and making the system more resilient.
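The two passages above make one concrete claim: the same IDAM controls limit damage far more when enforced per request inside a segmented, least-privilege architecture than when enforced once at the boundary, because a single compromised session no longer reaches the whole flat network. The following Python script is an added illustration of that claim; it is not NIST's code and not part of SP 800-160. The segments, resources, roles, principals and the `ALLOWED_PATHS` table are constructed sample data, and the two policy functions are my assumptions about how each model decides access.

```python
"""Blast radius of a compromised identity under perimeter-only vs. zero-trust
enforcement.

Added illustration for this article; it is not NIST's code and not part of
SP 800-160. The segments, resources, roles and principals are constructed
sample data, and the policy functions are assumptions about how each model
decides access.
"""
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Resource:
    name: str
    segment: str                   # network segment the resource lives in
    allowed_roles: FrozenSet[str]  # roles permitted on it (least privilege)


@dataclass(frozen=True)
class Principal:
    user: str
    role: str
    segment: str                 # segment the requesting device sits in
    authenticated_at_edge: bool  # passed the boundary IDAM check


# Constructed sample environment: a corporate, a clinical and an OT segment.
RESOURCES: List[Resource] = [
    Resource("hr-portal", "corp", frozenset({"hr", "admin"})),
    Resource("file-share", "corp", frozenset({"hr", "clinician", "admin"})),
    Resource("patient-db", "clinical", frozenset({"clinician"})),
    Resource("scada-hmi", "ot", frozenset({"ot-operator"})),
]

# Segmentation policy (constructed): (source segment, destination segment)
# pairs that may talk. Anything not listed is denied (default deny).
ALLOWED_PATHS: FrozenSet[Tuple[str, str]] = frozenset({
    ("corp", "corp"),
    ("clinical", "clinical"),
    ("ot", "ot"),
})

Policy = Callable[[Principal, Resource], bool]


def perimeter_allows(p: Principal, r: Resource) -> bool:
    """Boundary-only IDAM: one successful login at the edge grants a flat
    internal network, so the resource's segment and the role never matter."""
    return p.authenticated_at_edge


def zero_trust_allows(p: Principal, r: Resource) -> bool:
    """Per-request decision applying the principles the article names:
    the edge login is necessary but not sufficient, the path between segments
    must be explicitly allowed (segmentation), and the role must be on the
    resource's allow list (least privilege)."""
    if not p.authenticated_at_edge:
        return False
    if (p.segment, r.segment) not in ALLOWED_PATHS:
        return False
    return p.role in r.allowed_roles


def reachable(p: Principal, policy: Policy) -> List[str]:
    """Resources an adversary holding this principal's session could reach."""
    return sorted(r.name for r in RESOURCES if policy(p, r))


def blast_radius(p: Principal, policy: Policy) -> int:
    return len(reachable(p, policy))


def compare(p: Principal) -> Tuple[int, int]:
    """(perimeter blast radius, zero-trust blast radius) for one principal."""
    return blast_radius(p, perimeter_allows), blast_radius(p, zero_trust_allows)


if __name__ == "__main__":
    # Constructed scenario: an HR user's corp workstation has been compromised.
    compromised_hr = Principal("alice", "hr", "corp", True)
    for label, policy in (("perimeter", perimeter_allows),
                          ("zero trust", zero_trust_allows)):
        print(f"{label:>10}: {reachable(compromised_hr, policy)}")
```

Running the scenario shows the compromised HR session reaching all four resources under the perimeter model and only the two corp-segment resources its role is entitled to under the zero-trust model. The `compare` function is the quantity a defender would track when evaluating a damage-limiting architecture: the number of resources one stolen session can reach, which is what the lateral-movement and time-on-target language in the article is about.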
SP 800-160, Volume 2 is a significant down payment on the next generation of cybersecurity guidance designed to help protect critical and mission-essential systems. Other updates coming later this year include a major overhaul to NIST’s flagship systems security engineering publication, SP 800-160, Volume 1, and guidance on DevSecOps.
A systems security engineering approach to designing and building systems and achieving the ultimate objective of true “system resilience” is not just something that is nice to do. It is essential to keeping the lights on, ensuring patients are safe, and defending the homeland.
A special note of thanks to Victoria Pillitteri, long-time cybersecurity and SSE colleague, who graciously reviewed and provided sage advice for this article.
President and Manager at Beehive Technology Solutions LLC Service-Disabled Veteran Owned Business (SDVOB) Federal and State Small Certified Business; Microsoft Partner Risk Digital Services
3 years ago: Thanks, Ron, for sharing with us; it's tough, but NIST keeps its very dynamic promise! CISA has identified that 85% of the critical infrastructure is supplied by private companies, which now brings GRC, RMF, CMMC to the American citizen population. NIST is no longer a "federal systems" check-off-the-box approach. We must bring compliance, frameworks, and standards to state, regional, county, local, and education levels. Critical infrastructure is architected into neighborhoods; we are now cyber-risk vulnerable at the local gov level. We are now actively attacked by nation-state adversaries who have new health care targets. This is beyond a "just a firewall will do" situation. It's time to reimagine our DevSecOps approach and its convergence with public safety. Companies (American Supply Chain) and local, state governments are all responsible for public safety. The past two executive orders on national cyber reinforce this, but risk runs very deep with no legal teeth or mandated legislation. We are all responsible and accountable, and NIST 800-160 Vols 1 and 2 do not operate in a FISMA-CISA-NIST silo. NIST also released 800-53A rev5 for comment; now we have the top 5 NIST pubs aligned with OSCAL. Coming to your neighborhood soon?
Helping clients improve Cyber Resilience, Data Lifecycle Management, and Storage TCO
3 years ago: Thanks for this update and the links to NIST doc resources.
Cybersecurity Leader /Career Mentor and Inspirer /Proud Navy Veteran
3 years ago: Great read, and just downloaded the new NIST pub to read it.
Cyber Systems Security Engineer at Lockheed Martin
3 years ago: Thanks for posting!
Retired - really tired Information Security Evangelist/Curmudgeon!! Make Security Part of your DNA!
3 years ago: Thanks for posting; always keeping the good information and positive impact on our industry.