As the number of devices connecting to the internet increases exponentially every day, cybersecurity experts have grown concerned about the varying degrees of digital protection each one offers.
The National Institute of Standards and Technology sought to clarify that quandary on Nov. 15 by announcing new guidance on how to judge the cybersecurity of devices in the Internet of Things.
The final draft of the new guidance, Special Publication 800-160, debuted at the Splunk GovSummit 2016, with co-author and NIST fellow Ron Ross outlining its benefits for the cybersecurity environment in helping determine the security of an estimated six to eight billion devices connected to the web.
"If we look at the Internet of Things and this vast productivity, [the guidance] will allow us then, for all of those devices, to assign a level of trustworthiness to each one of those components," he said.
"Some of them are going to be highly trustworthy and some of them not so trustworthy, and that's okay. But ultimately we need to bring to our systems a greater level of penetration persistence, making it harder for our adversaries to attack us and for those attacks to be successful."
The guidance, co-authored with Michael McEvilley and Janet Carrier Oren, began with an initial draft in 2014 and saw its release moved up a month in the wake of last month’s Dyn denial-of-service attack, which temporarily disabled large swaths of the web.
The guidance is centered around assessing the trustworthiness of a myriad of connected devices, but also gauges their impacts for different stakeholders through a series of processes governed by the life cycle of each device.
NIST Special Publication 800-160 breaks those processes into four categories:
- Agreement processes
- Organization-project enabling processes
- Technical management processes
- Technical processes
In each of those categories, Special Publication 800-160 draws on international systems engineering standards and maps out the processes and qualifications any stakeholder needs to apply when designing their systems.
"What we did is we built every activity and task and all of those system life cycle processes — from the requirements definition to the business or mission analysis, all the way through the life cycle — we developed all of the essential security activities, which we have to choose from if you are building a system," Ross said.
He added that while systems can be designed to prevent attacks, the goal will be limiting the damage of an inevitable, successful cyber breach.
"Ultimately we want to make those systems — and all of their components — as resilient [as] they need to be," he said. "We can’t have high assurance of every system and every component, but we can definitely have that level of assurance where we need it and where we are deploying those things in very critical areas."
Federal Chief Information Officer Tony Scott applauded the development of NIST Special Publication 800-160 and noted that alongside advancements in applying the Baldrige Framework for program management to agency networks, the federal government is developing a stronger cyber resiliency.
"This is important in changing the dialogue from one of victims to where a group of people and a society ... can do something about this big issue and make positive progress," he said.