NIST bumps up release of security guidance
- By Matt Leonard
- Nov 08, 2016
The National Institute of Standards and Technology is releasing its updated guidance on secure systems ahead of schedule, just a few weeks after a distributed denial of service attack raised question about security in IoT devices.
The Nov. 15 release of the latest version of Special Publication 800-160 will urge organizations to address security in the design of devices throughout the systems engineering process, rather than adding firewalls, encryption and monitoring systems to already-purchased operating systems and applications.
After thousands of IoT devices were used by Mirai malware to flood Dyn’s infrastructure with traffic, security experts pointed to a number of design flaws, such as the fact that devices can operate without users changing the preset passwords. That means the days of a putting up a firewall and calling it a job well done are over, Anup Ghosh, the CEO and founder of Invincea, recently told reporters. NIST Fellow Ron Ross made similar points last May, saying tools like firewalls, encryption and monitoring systems won’t be enough.
"Those things do not go far enough in reducing and managing complexity, developing sound security architectures and applying fundamental security design principles," Ross said. "Many of the engineering-related activities must be done by industry, as consumers can't design or modify source code, or do the other tasks necessary for full-spectrum security."
SP 800-160 -- which has the full title of Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems -- has been in development for more than four years. The initial public draft was released in May 2014, while the second draft was in a public comment period between May and July 2016.
The new NIST publication is intended for anyone who designs, develops, builds, implements, organizes or sustains any type of system -- from smartphones to industrial and process control systems.
Final release originally was scheduled for mid-December, Ross told GCN. "We decided to move up the final publication date ... in part because of the recent wave of IoT-based cyberattacks. We wanted to get this critical systems security engineering guidance out to our customers as soon as possible."
The publication now will be released at the Nov. 15 Splunk GovSummit.
“If you go into the average federal agency and ask, ‘How are your security controls doing for access control, or identification, authentication or encryption?’ they can’t tell you,” Ross recently told reporters. “It’s buried in the software, the hardware and the firmware. We have to be able to provide the fundamentals, and that’s what we did in [SP 800-]160. We gave them the engineering, computer security fundamentals.”
Matt Leonard is a former reporter for GCN.