New NIST Guidance Takes Engineering Approach to InfoSecAdopting a Multidisciplinary Approach to Challenges Presented by Internet of Things
The National Institute of Standards and Technology has issued long-awaited guidance on how to approach IT security as an engineering discipline.
See Also: Modern Application Development Security
NIST Special Publication 800-160, "Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems," emphasizes a methodical engineering approach to information security as IT grows more complex, dynamic and interconnected, such as through the growth of the internet of things.
"We're all relying on the same commercial products today; we're building systems and the attack surface is growing," the guidance lead author, NIST Fellow Ron Ross, said in an interview earlier this year with Information Security Media Group (see How to Bake Security Into IT From the Start). "And this [guidance] is going to give us the opportunity to take a step back and see how we can actually build security in from the start."
NIST began working on the guidance five years ago. "We've been talking about that forever, but now we do have an approach that actually can work to help us do the things that we've been saying for years," Ross said.
According to its abstract, the guidance addresses the engineering-driven perspective and actions necessary to develop more defensible systems.
The guidance builds on a set of well-established international standards for systems and software engineering, which Ross contends should help win acceptance. The objective is to address stakeholder protection needs and to use established engineering processes to ensure those needs are addressed with fidelity and rigor throughout the life cycle of the system.
No Longer 'Victims'
U.S. CISO Tony Scott said he sees the new guidance as a game-changer in the approach to safeguarding digital assets, The Hill reports. "This will change the national dialogue from one of victims to one of a group of people who can do something about this," Scott said.
Among the objectives of the guidance is to build trustworthy, secure systems.
"Trustability is the capability to ensure that those security mechanisms work in a computer system ... as they're intended by the vendor and by you - via your security policy - and can't be modified or changed to do something they're not allowed to do," security consultant and former CIA CISO Robert Bigman said in an interview with ISMG earlier this year (see Making Information Systems 'Trustable'). "And, if they're changed, you'll see it, as part of the trustability matrix."