Operational technology can include transportation systems, industrial control systems — which are used in certain critical infrastructure sectors — and building management systems, for example, NIST said in an email to journalists.
The revised Developing Cyber Resilient Systems document aims to offer a flexible guide that organizations can use to help assess whether their hardware, software, processes, personnel — and all other elements that make up their mission-critical systems — will be able to keep essential functions running in the face of cyber disruptions and challenges like advanced persistent threats (APTs).
For those finding their operations’ resilience and cybersecurity lacking, the framework offers guidance in thinking through approaches and identifying and adopting potential strategies. The advice is meant to be suitable for systems in various stages of their life cycle — such as those that are new, or being updated, retired or repurposed.
The document outlines key goals and objectives as well as various strategies and design principles, with the assumption that organizations will pick and adapt the approaches and aims that best suit their particular contexts and needs.
In its framework, NIST homes in on the need to ensure organizations can detect even subtle challenges to their cyber systems — such as the work of APT actors, who may operate in the shadows for years before anyone detects them — and that they can then respond to mitigate the impact and recover.
The report notes that organizations must assume that some cyber threats will slip past detection, making it essential to act in advance to ensure systems are designed with security in mind. For example, organizations can use various methods to segment elements of their systems, so that attackers managing to penetrate one part cannot easily seize control of the rest.
The guide’s advice is intended to better protect systems against not only cyber attacks, but also against a variety of challenges that could put cyber-enabled systems at risk. This might include power outages, natural disasters, high demand on a system and other events that might strain or compromise “cyber resources.” The document defines cyber resources as assets that can be accessed by a network and which produce, store, process, manage, send or delete digital data.
The framework also takes a broad look, and states that the majority of its “higher-level” ideas and guidance are relevant both for malicious attacks and for unintentional threats, like those stemming from environmental disasters.
The framework is suitable, too, for improving resiliency in systems that have few to no cyber elements, such as water-powered sawmills. That adaptability could help keep the guide relevant as traditionally non-digital systems become more technology-infused, NIST wrote.
“This may prove beneficial given the rapid convergence of cyber and physical systems that reflects a movement of cyber into traditional non-cyber realms (e.g., vehicles, medical devices) and the growth of bio-integrated technology,” the document states.
The guide promotes four core high-level goals. Those include ensuring organizations are informed and prepared to jump into action to investigate, react and mitigate should something disrupt their cyber resources.
Other goals involve identifying the organization’s most important functions — and the tools, systems and other elements that enable them — to ensure they keep running and can be quickly restored as threats strike. Organizations should also aim to be able to adjust to maintain smooth operations in the face of anticipated changes, such as abandonment of old technologies and emergence of new ones as well as the introduction of new workflows or regulatory policies.