The National Institute of Standards and Technology (NIST) recently published guidelines on how organizations can utilize cybersecurity measures for IoT devices, and underlined the importance of ensuring that security systems are built directly into IoT technology.
Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems explains that the need for trustworthy and secure systems has become stronger as cybersecurity threats continue to evolve.
“The level of trustworthiness that can be achieved in today’s complex systems is a function of our ability to think about system security across every aspect of every activity, and in our ability to execute with commensurate fidelity and rigor to produce results that provide the confidence in the basis for those claims of trustworthiness,” the report’s authors wrote.
A systems engineering approach provides the basic foundation for a disciplined approach to engineering trustworthy secure systems, the report explained.
“From a security perspective, a trustworthy system is a system that meets specific security requirements in addition to meeting other critical requirements,” the authors stated. “Systems security engineering, when properly integrated into systems engineering, provides the needed complementary engineering capability that extends the notion of trustworthiness to deliver trustworthy secure systems.”
However, it is important to note that trustworthy secure systems are not impervious to cybersecurity threats from “an intelligent adversary,” but they will be less susceptible to certain attacks.
Systems security engineering also “helps to ensure that the appropriate security principles, concepts, methods, and practices are applied during the system life cycle to achieve stakeholder objectives for the protection of assets—across all forms of adversity characterized as disruptions, hazards, and threats.”
It also reduces system defects that may lead to security issues, and provides evidence that a certain level of trustworthiness has been created.
There are also numerous security specialties that can be leveraged through systems security engineering:
- Computer security
- Communications security
- Transmission security
- Anti-tamper protection
- Electronic emissions security
- Physical security
- Information, software, and hardware assurance
- Technology specialties such as biometrics and cryptography
Another critical aspect NIST discussed is the system life cycle process.
“The system life cycle processes are not intended to be prescriptive in their execution and do not map explicitly to specific stages in the system life cycle,” the researchers wrote. “Rather, the system life cycle processes are conducted as needed to achieve specific systems engineering objectives.”
By tailoring the system life cycle processes, an engineering team will also be able to “facilitate the application of the processes to conform with a variety of system development methodologies, processes, and models.” Furthermore, the team can “accommodate the need for unanticipated or other event-driven execution of processes to resolve issues and respond to variances and changes that occur during the engineering effort.”
Healthcare cybersecurity measures can also benefit from ensuring that security measures are built into devices from the outset, rather than being treated as an afterthought or tacked onto devices later.
Healthcare organizations cannot continuously rely on “Frankensteined” medical devices, ICIT Co-founder and Senior Fellow James Scott told HealthITSecurity.com in an October 2016 interview.
Cutting cybersecurity budgets, procrastinating on system updates, and postponing medical device updates could all lead to a healthcare data breach and compromised patient information, he said, discussing ICIT’s report about the Deep Web and data breaches.
An attacker might set up beachheads for future attacks, which can help create a type of remote access Trojan on a vulnerable device that has perhaps been “Frankensteined” into the IoT microcosm, Scott said. With no end-point security for that device, it could make the entire network vulnerable.
“They’ll use that as their rat where they can log in, log out, sell access as a service, or they can even use a new ransomware variant or malware when one comes out,” he stated.