NIST Offers Tools to Help Defend Against State-Sponsored Hackers
February 4, 2021 | NISTEstimated reading time: 3 minutes
Nations around the world are adding cyberwarfare to their arsenal, employing highly skilled teams to launch attacks against other countries. These adversaries are also called the “advanced persistent threat,” or APT, because they possess the tools and resources to pursue their objectives repeatedly over an extended period, adapting to defenders’ efforts to resist them.
Vulnerable data includes the sensitive but unclassified information managed by government, industry and academia in support of various federal programs. Now, a finalized publication from the National Institute of Standards and Technology (NIST) provides guidance to protect such “controlled unclassified information” (CUI) from the APT. NIST’s Special Publication (SP) 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST SP 800-171, offers a set of tools designed to counter the efforts of state-sponsored hackers and complements another NIST publication aimed at protecting CUI.
“Cyberattacks are conducted with silent weapons, and in some situations those weapons are undetectable,” said Ron Ross, a computer scientist and a NIST fellow. “Because you may not ‘feel’ the direct effects of the next hack yet, you may think it is coming someday down the road; but in reality, it’s happening right now.”
The federal government relies heavily on nonfederal service providers to help carry out a wide range of missions using information systems — a term that includes computers, but also a range of other specialized technologies such as industrial control systems and the Internet of Things. The protection of sensitive federal information that resides in nonfederal systems — such as those used by state and local governments, colleges and universities, and independent research organizations — is of paramount importance, as it can directly impact the federal government’s ability to carry out its operations. A hack in 2018 that compromised sensitive information directly inspired the NIST team’s work on SP 800-172.
Formerly numbered SP 800-171B during its draft stages, SP 800-172 offers additional recommendations for handling CUI in situations where that information runs a higher than usual risk of exposure. CUI includes a wide variety of information types, from individuals’ names or Social Security numbers to critical defense information.
“We developed SP 800-171 in response to major cyberattacks on U.S. critical infrastructure, and its companion document SP 800-172 is designed to mitigate attacks from advanced cyber threats such as the APT,” Ross said. “Implementing the cyber safeguards in SP 800-172 will help system owners protect what state-level hackers have considered to be particularly high-value targets: sensitive information about people, technologies, innovation and intellectual property, the revelation of which could compromise our economy and national security.”
The enhanced security requirements are to be implemented in addition to those in SP 800-171, since that publication is not designed to address the APT. The requirements in SP 800-172 apply to the components of nonfederal systems that process, store or transmit CUI or that provide protection for such components. To further narrow the scope, the requirements are applied only when the designated CUI is associated with a critical program or high-value asset — the highest priority for protection.
Developed primarily for administrators such as program managers, CIOs and system auditors, the publication addresses the protection of CUI for system components by promoting penetration-resistant architecture, damage-limiting operations, and designs to achieve cyber resiliency and survivability. Its tools, divided into 14 families, are not intended to be implemented en masse, but selected according to the needs of the organization.
“Most likely an organization implementing this guidance will not want to use all of the enhanced security requirements we offer here,” Ross said. “The decision to select a particular set of enhanced security requirements will be based on your mission and business needs — and then guided and informed by ongoing risk assessments.”
In response to feedback received during the public comment period, the final draft includes updated scoping and applicability guidance and a more flexible requirements selection approach to allow organizations to customize their security solutions.
Ross said that the tools in the new publication should offer hope to anyone seeking to defend against hacks, even by as intimidating a threat as the APT.
“The adversaries are bringing their ‘A-game’ in these cyberattacks 24 hours a day, 7 days a week,” he said. “You can start making sure the damage is minimized if you use SP 800-172’s cyber safeguards.”
Suggested Items
Reducing Nitrogen Consumption in Convection Soldering with Rehm Thermal Systems' Patented Mechatronic Curtain
03/28/2024 | Rehm Thermal SystemsCurrent developments indicate a need for larger throughput heights due to the trend towards e-mobility, which in turn increases nitrogen consumption for process inertization. Rehm Thermal Systems responds to this issue with an innovative solution: the mechatronic curtain.
CentraTEQ to Showcase Wide Range of Vibration & Environmental Test Systems at Battery Tech Expo 24
03/26/2024 | CentraTEQEnvironmental and vibration test specialists CentraTEQ are excited to be exhibiting at the upcoming Battery Tech Expo, scheduled to take place at Silverstone on April 25, 2024.
SEMI 3D & Systems Summit To Spotlight Trends In Hybrid Bonding, Chiplet Design And Environmental Sustainability
03/26/2024 | SEMILeading experts in 3D integration and systems for semiconductor manufacturing applications will gather at the annual SEMI 3D & Systems Summit, 12-14 June, 2024,
iNEMI/IPC White Paper on Complex Integrated Systems Highlights Future Technology and Manufacturing Ecosystem Needs
03/25/2024 | IPCToday’s system solutions combine more varied functionality, such as digital, analog, optical, micro-mechanical, etc., packed into smaller form factors. As a result, electronics manufacturing has to deliver increasingly complex integration of diverse technologies with system designs that blur the distinction between chip, package, board, and assembly.
Synopsys Announces New AI-Driven EDA, IP and Systems Design Solutions At SNUG Silicon Valley
03/25/2024 | PRNewswireSynopsys, Inc. kicked off its annual flagship Synopsys User Group (SNUG) conference in Silicon Valley at the Santa Clara Convention Center with a keynote presentation by Synopsys president and CEO Sassine Ghazi. Ghazi discussed the unprecedented innovation opportunities and challenges that technology R&D teams face in this era of pervasive intelligence.