NIST calls for holistic approach to security

NIST calls for holistic approach to security

As internet-enabled devices proliferate in both physical and cyber systems, the National Institute of Standards and Technology has started a national conversation on the security of connected devices, with the release of updated guidance on how to build secure systems.

“Systems Security Engineering: Considerations for a Multidisciplinary Approach in the  Engineering of Trustworthy Secure Systems” (Special Publication 800-160)  urges organizations -- including federal agencies and commercial equipment and service providers -- to address security throughout the systems engineering process rather than "bolting on" firewalls, encryption and monitoring systems to operating systems and applications after they are purchased.

The goal is to build security into IoT devices in the way that safety features, such as seat belts and air bags, have been engineered into automobiles.

The publication was announced by NIST Fellow Ron Ross, U.S. CIO Tony Scott and U.S. Chief Information Security Officer Greg Touhill at the Splunk GovSummit on Nov. 15 – weeks earlier than originally scheduled. NIST bumped up the release date for the publication in the wake of the Mirai malware attack that used IoT devices to overwhelm internet infrastructure provider Dyn with a flood of traffic.

Scott said the NIST publication sets the stage for future cybersecurity development to eliminate basic design flaws in internet-facing devices, which include consumer goods and critical infrastructure systems.Touhill said the document marks the beginning of a shift in thinking for federal agencies, product and system manufacturers as well as the public, which will go from being victims reacting to cyberattacks to taking a new proactive approach backed by baked-in security for the billions of existing and future devices on the IoT.

During a press conference after the announcement, Ross said NIST officials are eager to talk with the incoming Trump administration about the guidance.

"The election transition is going on now," he said. "We've been through this before. We'll give the new administration time to settle in and then we will engage."

Ross added that "it's always a new dialogue" whenever a new presidential administration comes in, "but in 20 years, computer security has always been a bipartisan issue."

IoT cybersecurity "should be high on the agenda" for the incoming administration, just as it was during the Obama administration, Scott said.

Officials hope device, hardware and software engineers will incorporate the guidance into their work, Ross said, adding that the techniques can be adapted to waterfall or agile development.

NIST designed the guidance to be as welcoming as possible and avoided making it mandatory for federal agencies, along the lines of Federal Information Processing Standard 140-2, the official U.S. government computer security standard used to accredit cryptographic modules. Ross said that given the diverse community of users, a mandatory approach would have been difficult to implement.

The guidance "should be the start of a national dialogue" about deeper cybersecurity for IoT devices and how those devices are used, and "win hearts and minds" of engineers and users along the way, he said.

This article was first posted to FCW, a sister site to GCN.

About the Author

Mark Rockwell is a senior staff writer at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.

Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, magazine and Wireless Week.

Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.

Click here for previous articles by Rockwell. Contact him at [email protected] or follow him on Twitter at @MRockwell4.


  • Records management: Look beyond the NARA mandates

    Pandemic tests electronic records management

    Between the rush enable more virtual collaboration, stalled digitization of archived records and managing records that reside in datasets, records management executives are sorting through new challenges.

  • boy learning at home (Travelpixs/

    Tucson’s community wireless bridges the digital divide

    The city built cell sites at government-owned facilities such as fire departments and libraries that were already connected to Tucson’s existing fiber backbone.

Stay Connected