NIST Systems Security Engineering guidance urges putting security in upfront and not relying on cyber hygiene.
The government’s security adviser sounded an alarm today about the proliferation of untrustworthy and insecure technology in systems that digitally connect everything from refrigerators and cameras to dams and railways.
NIST Fellow Ron Ross called the cyber threats facing government and business “as severe as threats of terrorism or the threats we experienced during the Cold War.”
The explosion of these systems has gifted nation state and criminal hackers with a nearly endless supply of attack points, many of which aren’t secured using basic engineering principles, according to the final draft of the Systems Security Engineering guidance from the Commerce Department’s National Institute of Standards and Technology.
» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.
“These weaknesses can only be addressed with a holistic approach based on sound systems security engineering techniques and security design principles,” Ross said in a blog post announcing the new publication. “This holistic approach will make our systems more penetration-resistant; capable of limiting the damage from disruptions, hazards and threats; and sufficiently resilient so they can continue to support critical missions and business functions after they are compromised.”
The need for sound engineering takes on added urgency for two reasons. The first reason is that the internet is increasingly connecting to critical infrastructure such as dams, railways and chemical facilities where a breach could result in death or destruction. The Justice Department charged a hacker linked to the Iranian government in March with hacking into the systems controlling a dam in upstate New York.
The second reason is the explosion of low-security internet of things devices, such as baby monitors and digital cameras. Those devices provided much of the computing power behind the Mirai botnet that took down Netflix and other major websites last month.
The key takeaway, Ross said, is that cyber hygiene—the practice of regularly patching known computer vulnerabilities and probing for malicious activity—won’t keep you safe if the underlying systems aren’t built securely.
The guidance is essentially a broad handbook that designers and manufacturers can use to assess the security of their systems.
NIST has been revising the publication for the past two years since a draft version first appeared in 2014. That’s the same year NIST released a voluntary cybersecurity framework that provides best practices for the private sector.