
NIST cyber resilience framework expands to include critical infrastructure control

The National Institute of Standards and Technology (NIST) has released an update to its cyber resilience engineering framework, which promotes the construction of resilient IT systems to resist modern attacks by limiting the damage that attackers can cause.

Cyber resilience engineering combines specialty systems engineering, systems security engineering and resilience engineering to architect, design, develop, implement, maintain and sustain the trustworthiness of systems. NIST stated that the focus of cyber resilience engineering is to develop a “survivable and trustworthy security system” that can predict, resist, recover from, and adapt to adverse conditions and attacks. Being cyber-resilient can help organizations reduce the risk of security incidents because the potential damage, the blast radius, is kept under control.

Cyber resilience assumes that the attacker has already gained access to the system, or will gain access at some point; the framework depends on this assumption. In “Developing Cyber-Resilient Systems: System Security Engineering Methods” (SP 800-160 Volume 2, Revision 1), released on December 9, NIST outlines a series of tools, technologies, and methods that corporate defenders can deploy to respond to attacks by building resilience. They can be applied to legacy systems that are already deployed or to new systems built from scratch.

The original framework helps organizations understand cyber resilience and apply it to traditional IT systems. This update expands the focus of the original framework with new sections on operational technology and on how to use cyber-resilient methods and controls to counter adversarial attacks on industrial control systems.

The assessment is intended as a starting point, which can be adjusted according to the individual needs of the organization. The organization can select, adjust and use some or all of the goals, technologies, methods and design principles outlined in the framework and apply them as needed. Organizations can see the effectiveness of the control measures they implement and determine the strengths and weaknesses of their systems.

The framework is also intended to be used in conjunction with the MITRE ATT&CK framework. The update creates a single threat taxonomy based on a framework for organizations to use.

Finally, the updated framework is consistent with NIST’s “Security and Privacy Control of Information Systems and Organizations” catalog (SP 800-53, Revision 5).
