With advanced persistent threats becoming more common, the National Institute of Standards and Technology offers guidance on creating more secure systems.
From the Office of Personnel Management data breach to the Russian hacking of the 2016 elections, cyberattacks from hostile nation-states, criminal and terrorist groups and rogue individuals are becoming more frequent. The National Institute of Standards and Technology’s most recent draft publication aims to help organizations address vulnerabilities and create more “defensible and survivable systems.”
“Systems Security Engineering: Cyber Resiliency Considerations for the Engineering of Trustworthy Secure Systems” provides guidance on addressing advanced persistent threats that target IT infrastructure to impede critical aspects of an organization's mission. It is applicable to new systems, but also addresses engineering considerations when improving resiliency in legacy systems.
NIST defines cyber resilience as "the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources regardless of the source."
The publication breaks down elements of cyber resiliency to provide a conceptual framework of goals, objectives, techniques and design principles.
By creating a structured understanding of the set of systems engineering needs and tasks, the draft document seeks to guide development of “trustworthy secure systems that are fully capable of supporting critical missions and business operations while protecting stakeholder assets, and to do so with a level of assurance that is consistent with the risk tolerance of those stakeholders,” NIST fellow and lead author Ron Ross wrote in the publication's foreword.
The publication can be viewed as a handbook, and organizations can use some or all of the cyber resiliency principles described and apply them to their own technical, operational and threat environments, NIST officials said.
To specifically target the cyber resiliency threat, organizations should:
- Focus on the mission or business needs that are critical to success.
- Focus on the effects of advanced persistent threats to produce systems that can anticipate, withstand, recover and adapt to different conditions and stresses.
- Assume the adversary will compromise or breach the system or organization to target flaws in operational environments and supply chains.
- Assume the adversary will be able to maintain a presence in the system or organization, with some threats more difficult to eradicate over time.
To help organizations build cyber resiliency into system life cycle processes, the guide includes sections on implementation, integration, verification, transition, validation, operation, maintenance and disposal.
Public comments for the draft cyber resiliency document are due on May 18.