NIST Cybersecurity SP 800-160 in final draft stage

Industrial CyberSecurity

The Computer Security Reserach Center of the Information Technology laboratory of  NIST (US National Institute of Standards and Technology)  has published the final draft of its SP 800-160, Volume 2, which deals with cyber resiliency engineering framework that can be used, among other measures to protect Industrial Safety and Control Systems from cyber threats. This final draft is open for comments from the public until 1st November 2019.

Draft NIST SP 800-160, Volume 2 presents the cyber resiliency engineering framework (conceptual framework) for understanding and applying cyber resiliency, a concept of use for the conceptual framework, and specific engineering considerations for implementing cyber resiliency in the system life cycle.

This is very important from an Industrial Safety point of view, since today we have to consider the possibility of all kinds of malicious attacks on industrial plants that may have an adverse effect of plant safety.

The document is not just a theoretical construct but also has a real world case study of the infamous Ukraine Power grid attack, that brought down the electrical power disyribution network of an entire country down.

Exceprts from the document below:
“In December 2015, three power distribution companies in the Ukraine were unable to provide electrical power to approximately 225,000 customers due to coordinated cyber-attacks. The cyber campaigns, of which the outages were the culmination, involved two phases. In the first phase, the attackers compromised the enterprise IT of each company. This phase followed a conventional cyber kill chain [Hutchins11], using a set of ATT&CK tactics [MITRE18] to achieve adversary objectives [NSA18]. In the second phase, attackers exploited connectivity between each company’s IT and operational technology (OT). Attackers then used a set of tactics specific to industrial control systems (ICS) following an ICS kill chain [Assante15] and using a set of tactics for ICS rather than IT [Alexander17]. To achieve their desired effects, the attacker used stolen credentials to open breakers, disrupting power distribution; delivered a malicious firmware update to Ethernet-to-serial converters to sever communications between the control station and substations; initiated a DoS attack on a telephone call center; triggered an outage of the Universal Power Supply (UPS) to the call center and to data centers; locked operators out of the human-machine interface (HMI) on the OT network; and ran the KillDisk wiper software, which erases master boot records and deletes system log records, to destroy critical system data. While the Ukrainian operators were able to restore power to customers using manual procedures within six hours, they were left without automated control for more than a year in some locations”

The case study then further discusses how the newly proposed cyber resiliency framework could have been used to mitigate the attack.

This publication is used in conjunction with NIST Special Publication 800-160, Volume 1, Systems Security Engineering—Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems and NIST Special Publication 800-37, Risk Management Framework for Information Systems and Organizations—A System Life Cycle Approach for Security and Privacy. It can be viewed as a handbook for achieving the identified cyber resiliency outcomes based on a systems engineering perspective on system life cycle processes in conjunction with risk management processes, allowing the experience and expertise of the organization to help determine what is correct for its purpose. Organizations can select, adapt, and use some or all of the cyber resiliency constructs (i.e., objectives, techniques, approaches, and design principles) described in this publication and apply the constructs to the technical, operational, and threat environments for which systems need to be engineered. The system life cycle processes and cyber resiliency constructs can be used for new systems, system upgrades, or repurposed systems; can be employed at any stage of the system life cycle; and can take advantage of any system or software development methodology including, for example, waterfall, spiral, or agile. The processes and associated cyber resiliency constructs can also be applied recursively, iteratively, concurrently, sequentially, or in parallel and to any system regardless of its size, complexity, purpose, scope, environment of operation, or special nature. The full extent of the application of the content in this publication is guided and informed by stakeholder protection needs, mission assurance needs, and concerns with cost, schedule, and performance. The tailorable nature of the engineering activities and tasks and the system life cycle processes ensure that systems resulting from the application of the security and cyber resiliency design principles, among others, have the level of trustworthiness deemed sufficient to protect stakeholders from suffering unacceptable losses of their assets and associated consequences. Trustworthiness is made possible, in part, by the rigorous application of the security and cyber resiliency design principles, constructs, and concepts within a structured set of systems life cycle processes that provides the necessary traceability of requirements, transparency, and evidence to support risk-informed decision-making and trades.

If all this sounds too complex, then perhaps you should take the easy to understand ICS Cybersecurity training course offered by Abhisam, which cuts through all the jargon and clutter and helps you understand this important subject.