Cybersecurity News

NIST Shares Draft PNT Data Service Profile for Cybersecurity Framework

New NIST insights can help organizations mitigate cybersecurity risks facing critical technologies, including GPS tech leveraging PNT, used in the public health sectors and other industries.

NIST Cybersecurity Framework standard PNT data services profile draft feedback infrastrcture security public health sector PNT services

By Jessica Davis

- NIST recently released a draft profile for technology leveraging positioning, navigation, and timing (PNT) data, such as the Global Positioning System (GPS), meant to be applied to its Cybersecurity Framework standards and designed for critical infrastructure sectors.

The release is part of a NIST initiative to implement a February Executive Order to secure systems that rely on PNT data, including critical infrastructure, such as public health, energy, and finance, among others that receive and rebroadcast PNT data. 

In addition to GPS, a NIST spokesperson explained the Cybersecurity Profile for the Responsible Use of PNT Services insights can help secure less-familiar systems that underpin the healthcare sector and other industries. 

Entities can review the PNT cybersecurity profile to help identify systems, networks, and assets on the enterprise network that depend on PNT services, as well as detect any disruption to or manipulation of those services and manage the risks associateds to the networks, assets, and systems that rely on PNT services. 

The PNT profile is broken down into five key sections that includes an introduction and overview of PNT data, as well as risk management. The insights are meant to be used in conjunction with existing cybersecurity risk management processes, in addition to PNT-specific risk management processes. 

NIST explained the profile is designed to support organizations in making deliberate, risk-informed decisions on the use of PNT services. The insights are designed to provide a foundation for securing PNT data that can be customized to meet the organization’s specific needs. 

There is also a governance section to help organizations craft policies, procedures, and processes that identify legal, risk, environmental, and operational requirements impacted or enabled by the use of PNT services. 

“Rather than focus on a single economic sector, we designed it to apply to all users of PNT. Agencies and companies can tailor it to their needs based on their particular cybersecurity risk and other sector-specific factors," said NIST Senior Security Engineer Jim McCarthy, in a statement. “Our premise is that there are organizations that may not realize they are using PNT data or know how they are using it.” 

“Part of our goal is to help them make these connections so they can protect their operations more effectively,” he added. “The ultimate goals are to identify systems that use PNT data and to detect disturbances to it. Doing so can help mitigate the risk of misuse of PNT data affecting our critical infrastructure, public health and national security.” 

To NIST, an extensive disruption to GPS signals, as well as spoofing and manipulation timing data, would be highly disruptive to critical US infrastructure. Given the increase in technologies that depend on trustworthy location and timing data, such as IoT, it’s imperative entities identify and protect these systems from attacks. 

Organizations are being asked to provide feedback on the PNT cybersecurity profile by November 23. NIST is particularly interested in recommendations for gaps in existing standards, guidelines, and practices tied to the responsible use of PNT services, as well as further guidance on how to best apply the NIST CF. 

Further, reviewers are asked to rank the effectiveness of the NIST CF in addressing cybersecurity concerns for responsible use of PNT data services. NIST is seeking recommended references that should be implemented in the PNT data profile and whether the NIST-recommended controls and informative references adequately address cyber risks to those technologies.