Cyber Resiliency: engineering systems to anticipate, recover and adapt to advanced persistent threats
By CHIPS Magazine - March 21, 2018
The robust economy and national security of the United States rely on the cybersecurity of information technology deployed in critical infrastructure systems and applications in both the public and private sectors. From the electric grid to voting and financial systems to internet of things consumer products, the U.S. is highly vulnerable to sophisticated, well-resourced cyber-attacks from hostile nation-states, criminal and terrorist groups and rogue individuals. Certain types of advanced threats have the capability to breach critical systems, establish a presence within those systems (often undetected), and inflict immediate and long-term damage to the economic and national security interests of the United States, according to a NIST release.

Because IT and the internet dominate every aspect of American life, the U.S. must develop trustworthy, secure IT components, services and systems that are cyber resilient. To survive and flourish in the 21st century, the U.S. must engineer cyber resilient systems with strong security safeguards that are "baked in" as a foundational part of the system architecture and design. IT systems must be able to withstand an attack and continue to operate — even in a degraded state — to carry out essential functions, NIST said.

To this end, the National Institute of Standards and Technology released the initial public draft of NIST Special Publication 800-160 Volume 2, Systems Security Engineering: Cyber Resiliency Considerations for the Engineering of Trustworthy Secure Systems, which provides guidelines to help organizations prevent advanced persistent threats (APTs). APTs are threats to IT infrastructure that target organizations with the purpose of exfiltrating information, or undermining or impeding critical aspects of a mission, program or organization.

The publication is intended to be used in conjunction with NIST Special Publication 800-160 Volume 1, Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems, an update to SP 800-160, which was also released, according to a NIST release.

Draft Special Publication 800-160 Volume 2 is designed as a handbook for achieving cyber resiliency, which is the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on cybersecurity resources. Organizations can select, adapt and use some or all of the cyber resiliency models described in the publication and apply them to the technical, operational and threat environments for which systems need to be engineered.

Systems engineers and security and risk management professionals are encouraged to apply the guidance and cyber resiliency considerations outlined in this publication to help ensure that the component products, systems, and services that they need, plan to provide, or have already deployed can survive when confronted by an APT. The guidance can also be used to inform any investment decisions regarding cyber resiliency. The ultimate objective is to achieve trustworthy secure systems nationwide that are fully capable of supporting critical missions and business operations while protecting stakeholder assets, and to do so with a level of assurance that is consistent with the risk tolerance of those stakeholders, NIST said.

NIST Special Publication 800-160 Volume 2:
https://csrc.nist.gov/publications/detail/sp/800-160/vol-2/draft

CHIPS is an official U.S. Navy website sponsored by the Department of the Navy (DON) Chief Information Officer, the Department of Defense Enterprise Software Initiative (ESI) and the DON's ESI Software Product Manager Team at Space and Naval Warfare Systems Center Pacific.

Online ISSN 2154-1779; Print ISSN 1047-9988