The National Institute of Standards and Technology (NIST) has issued a Special Publication that details the actions that systems engineers should take to develop more defensible and survivable systems. The publication provides best practices for building secure systems from the ground up, detailing a new design approach in light of recent widespread cyber attacks targeting the Internet of Things.
Among other recommendations, it urges organizations to consider and implement security at every level of the engineering and system design process, instead of “bolting on” firewalls, encryption, and other defensive mechanisms after the fact. The goal – equal parts important and ambitious – is to get IoT device manufacturers to eliminate security weaknesses from internet-facing devices during product design, instead of relying on consumers and businesses to secure them after purchase.
This publication comes in the wake of the flurry of Distributed Denial of Service (DDoS) attacks that have occurred over the past few months – most notably the October 21st attacks on the servers of a major DNS provider that disrupted the internet traffic and business operations of several major websites. These attacks, and many others like them, are being made possible due to the lack of security measures in IoT devices, which are being hijacked and used in synchronized armies (known as a botnet) to generate crippling DDoS attacks against websites and servers.
Attacks like these can have dramatic economic ramifications. When the websites of major online retailers are taken offline for an entire day, millions of dollars in potential revenue are lost, in addition to the large amount of business, personnel, and technological resources these companies must divert in order to diagnose and fix the problem.
“Introducing a disciplined, structured, and standards-based set of systems security engineering activities and tasks provides an important starting point and forcing function to initiate needed change,” said Dr. Ron Ross, NIST Fellow.
The publication seeks to accomplish the following 5 goals:
- To provide a basis to formalize a discipline for systems security engineering in terms of its principles, concepts, and activities;
- To foster a common mindset to deliver security for any system, regardless of its scope, size, complexity, or stage of the system life cycle;
- To provide considerations and to demonstrate how systems security engineering principles, concepts, and activities can be effectively applied to systems engineering activities;
- To advance the field of systems security engineering by promulgating it as a discipline that can be applied and studied; and
- To serve as a basis for the development of educational and training programs, including the development of individual certifications and other professional assessment criteria.
With the release of these guidelines, NIST is stepping forward to provide much needed standardized guidance with respect to the threats and vulnerabilities that are too easily exploited to assume control of our connected devices. As the world becomes more interconnected, the likelihood and severity of potential breaches will rise. This publication comes at a critical time, as botnets have never been more prominent and destructive, and the need for a well-orchestrated effort to combat them has never been greater.
As a leader in cyber risk management services, Focal Point remains committed to the development, education and proliferation of security principles and initiatives, and is closely tracking NIST’s guidance in this area.
For more information on how Focal Point can help secure your networks, infrastructure, and critical processes, request a conversation with a Focal Point cyber security expert.