In-brief: The National Institute for Standards and Technology (NIST) released a draft publication that recommends ways to improve the security of systems during the engineering phase, including so-called cyber physical systems on the Internet of Things.
The U.S. National Institute for Standards and Technology (NIST) released a draft publication that recommends ways to improve the security of systems during the engineering phase. It’s worth checking out.
From the NIST notice:
Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems—NIST Special Publication 800-160—is based on the international ISO/IEC/IEEE Standard 15288 for Systems and Software Engineering.
By incorporating security concepts into systems engineering—a discipline originally developed to protect physical infrastructure such as bridges—the researchers are providing considerations for building security from the ground up in modern versions of these complex systems and completely new ones.
NIST notes that organizations typically treat security as an add-on feature, buying “commercial components, such as operating systems and applications, and then add(ing) on security measures such as firewalls, encryption and monitoring systems” But that approach isn’t effective in reducing and managing the complexity of technology deployments (and complexity==insecurity). Nor does it move the industry in the direction of more sound security architectures based on “fundamental security design principles,” said NIST Fellow Ron Ross.
“Many of the engineering-related activities must be done by industry, as consumers can’t design or modify source code, or do the other tasks necessary for full-spectrum security,” Ross noted.
NIST’s approach has focused on creating a comprehensive, engineering-based approach that includes security considerations from the original design throughout the system’s entire lifecycle—including what might be termed “de-provisioning:” how to retire the system and its data securely.
The new NIST publication is intended for anyone who designs, develops, builds, implements, organizes or sustains any type of system from smartphones to industrial and process control systems. It adds to an initial draft that was first released two years ago and “takes things to a higher level,” Ross said. “We are bringing the cyber and physical worlds fully together.”