NIST SP 800-160 focuses on plugging security into systems engineering to develop defensible, survivable systems

The National Institute of Standards and Technology (NIST) has released the final public draft of SP 800-160 Volume 1, Revision 1, which includes a number of noteworthy content and design changes, among them a renewed emphasis on the importance of systems engineering. It also focuses on the need to view systems security engineering as a critical subdiscipline necessary to achieve trustworthy secure systems.

Titled ‘Engineering Trustworthy Secure Systems,’ the final public draft of SP 800-160 Volume 1, Revision 1 provides a renewed focus on the design principles and concepts needed for engineering trustworthy secure systems, distributing the content across several redesigned initial chapters. The document relocates the detailed system life cycle processes and security considerations to separate appendices for ease of use, and streamlines the design principles for trustworthy secure systems by eliminating the two previous design principle categories.

The NIST SP 800-160 document includes a new introduction to the system life cycle processes, describes key relationships among those processes, and clarifies key systems engineering and systems security engineering terminology. It also simplifies the structure of the system life cycle processes, activities, tasks, and references, and offers additional references to international standards and technical guidance to better support the security aspects of the processes.

The agency is calling for feedback by Jul. 8 on the specific changes made to the publication during this update, including the organization and structure of the publication, the presentation of the material, its ease of use, and the applicability of the technical content to current or planned systems engineering initiatives.

“Bringing security out of its traditional stovepipe and viewing it as an emergent system property helps to ensure that only authorized behaviors and outcomes occur, much like the engineering processes that address safety, reliability, availability, and maintainability in building spacecraft, airplanes, and bridges,” Ron Ross, project leader for systems security engineering and a fellow at NIST, wrote in the document.

“Treating security as a subdiscipline of systems engineering also facilitates making comprehensive trade space decisions as stakeholders continually address cost, schedule, and performance issues and the uncertainties associated with system development efforts,” he added.

The NIST SP 800-160 document presents an overview and the fundamental concepts associated with engineering trustworthy secure systems. It covers basic concepts that address the structure and types of systems; systems engineering foundations; and the concepts of trust and trustworthiness of systems and systems components. 

The document also describes foundational system security concepts and an engineering perspective on building trustworthy secure systems. It covers the concepts of security and system security, the nature and character of systems, the concepts of assets and asset loss, reasoning about asset loss, defining protection needs, system security viewpoints, and demonstrating system security, and provides an introduction to systems security engineering.

The NIST document also provides a Systems Security Engineering Framework that includes a problem context, solution context, and trustworthiness context.

The NIST SP 800-160 document addresses the conditions laid down in U.S. President Joe Biden’s Executive Order 14028, issued in May last year, which recognized a need to identify stakeholder assets and protection needs, and to provide protection commensurate with the criticality of stakeholder assets, needs, and the consequences of asset loss, and correlated with modern threat and adversary capability.

It also aims to develop scenarios and model the complexity of systems to provide a rigorous basis to reason about, manage, and address the uncertainty associated with that complexity, and adopt an engineering-based approach that addresses the principles of trustworthy secure design and applies those principles throughout the system life cycle.

In April, NIST released an initial public draft that provides guidance on how to improve the security of operational technology (OT) systems while addressing their performance, reliability, and safety requirements. Additionally, it provides updates on current activities in OT security, along with updates to security capabilities and tools for OT. The agency has called for comments by Jul. 1, using the comment template when preparing and submitting them.

Earlier this week, NIST released an initial summary analysis of responses to its Request for Information (RFI) on evaluating and improving the NIST Cybersecurity Framework (CSF), the use of the framework in conjunction with other resources, and improving supply chain cybersecurity risk management.
