NIST engineering guide update provides advice for securing legacy IT systems

The National Institute of Standards and Technology canonical Systems Security Engineering guide SP 800-160 provides a catalog of systems and procedures that developers can use to build secure IT networks from the ground up.

The guide’s second volume, published Wednesday, shows developers how to use those procedures to shore up the security of older legacy IT systems in order to limit the access hackers have if they do manage to break in.

Ron Ross, NIST fellow and the one of the agency’s cybersecurity experts, told CyberScoop it’s a needed corrective.

“We’ve been too focused on penetration resistance, hardening the systems, trying to keep the bad guys out,” he said, “The problem is, with the incredibly complex IT systems we have today, there will always be an [effectively] unlimited supply of vulnerabilities that we can’t know about.”

Nation-state hackers are sophisticated and persistent, Ross said: “The empirical data shows that you can’t always stop them getting in.”

Volume two focuses on cyber resilience engineering, which it defines as having the following four characteristics:

  • Focus on the mission: “Maximiz[ing] the ability of organizations to complete critical or essential missions or business functions despite an adversary presence in their systems and infrastructure.”

  • Focus on the adversary: “These guys are high end and and well resourced,” said Ross. “You have to understand how they operate.”

  • Assume compromise: “A fundamental assumption of cyber resiliency.” No matter “the quality of the system design, the functional effectiveness of the security components, and the trustworthiness of the selected components,” a determined and skilled adversary will get in.

  • Assume persistence:  “The stealthy nature of the APT makes it difficult for an organization to be certain that the threat has been eradicated.”

Volume two also includes elements that “can be employed at any stage of the system life cycle,” not just when the system is being built.

“We had to address the question of what can we do today to secure the legacy systems we have,” said Ross.

The guide is an informational publication, part of a growing library of best practices that NIST’s computer scientists provide for the public and private sector.