Revised NIST Framework Focuses on Securing Operational Tech

The National Institute of Standards and Technology’s revised framework expands its focus to operational technologies, urging organizations to better ensure mission-critical systems can withstand cyber disruptions.

The National Institute of Standards and Technology (NIST) has released an updated, broader-reaching version of its cyber resiliency engineering framework. This latest document goes beyond its predecessor’s focus on IT to also address how the concepts can be applied to preparing operational technology systems to withstand disruptions to their digital elements.

Operational technology can include, for example, transportation systems, industrial control systems — which are used in certain critical infrastructure sectors — and building management systems, NIST said in an email to journalists.

The revised Developing Cyber Resilient Systems document aims to offer a flexible guide that organizations can use to help assess whether their hardware, software, processes, personnel — and all other elements that make up their mission-critical systems — will be able to keep essential functions running in the face of cyber disruptions and challenges like advanced persistent threats (APTs).

For those finding their operations’ resilience and cybersecurity lacking, the framework offers guidance in thinking through approaches and identifying and adopting potential strategies. The advice is meant to be suitable for systems in various stages of their life cycle — such as those that are new, or being updated, retired or repurposed.

The document outlines key goals and objectives as well as various strategies and design principles, with the assumption that organizations will pick and adapt the approaches and aims that best suit their particular contexts and needs.

In its framework, NIST homes in on the need to ensure organizations can detect even subtle challenges to their cyber systems — such as the work of APT actors, who may operate in the shadows for years before anyone detects them — and that they can then respond to mitigate the impact and recover.

The report reminds readers that organizations must assume some cyber threats will slip past detection, making it essential to act in advance to ensure systems are designed with security in mind. For example, organizations can use various methods to segment elements of their systems, so that attackers managing to penetrate one part cannot easily seize control of the rest.

The guide’s advice is intended to better protect systems against not only cyber attacks, but also against a variety of challenges that could put cyber-enabled systems at risk. This might include power outages, natural disasters, high demand on a system and other events that might strain or compromise “cyber resources.” The document defines cyber resources as assets that can be accessed by a network and which produce, store, process, manage, send or delete digital data.

The framework also takes a broad look, and states that the majority of its “higher-level” ideas and guidance are relevant both for malicious attacks and for unintentional threats, like those stemming from environmental disasters.

The framework is suitable, too, for improving resiliency in systems that have few to no cyber elements, such as water-powered sawmills. That adaptability could help keep the guide relevant as traditionally non-digital systems become more technology-infused, NIST wrote.

“This may prove beneficial given the rapid convergence of cyber and physical systems that reflects a movement of cyber into traditional non-cyber realms (e.g., vehicles, medical devices) and the growth of bio-integrated technology,” the document states.

The guide promotes four core high-level goals. Those include ensuring organizations are informed and prepared to jump into action to investigate, react and mitigate should something disrupt their cyber resources.

Other goals involve identifying the organization’s most important functions — and the tools, systems and other elements that enable them — to ensure they keep running and can be quickly restored as threats strike. Organizations should also aim to be able to adjust to maintain smooth operations in the face of anticipated changes, such as abandonment of old technologies and emergence of new ones as well as the introduction of new workflows or regulatory policies.

Jule Pattison-Gordon is a senior staff writer for Governing and former senior staff writer for Government Technology, where she specialized in cybersecurity. Jule also previously wrote for PYMNTS and The Bay State Banner and holds a B.A. in creative writing from Carnegie Mellon. She’s based outside Boston.