Security experts have long said that internet-connected systems and software need security controls and features built in by design, in the same manner they’re built into physical infrastructure. The National Institute of Standards and Technology agrees and has issued guidance to help software engineers build secure products.

Titled “Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems,” the guideline emphasizes incorporating “well-defined engineering-based security design principles at every level, from the physical to the virtual,” NIST Fellow Ron Ross wrote on the Taking Measure blog. A holistic approach does more than make systems penetration-resistant; even after a compromise, they’re still capable enough to contain the damage and resilient enough to keep supporting critical missions and business functions.

[ An InfoWorld exclusive: Go inside a security operations center. | Discover how to secure your systems with InfoWorld’s Security Report newsletter. ]

NIST’s guidance uses the international standard ISO/IEC/IEEE 15288 for systems and software engineering as a framework, and it maps out “every security activity that would help the engineers make a more trustworthy system” for each of the 30-plus processes defined by the standard. The activities cover the entire system lifecycle, from the initial business or mission analysis to requirements definition to the design and architecture phases, and they’re applicable for new, upgraded, or repurposed systems.

“We have a high degree of confidence our bridges and airplanes are safe and structurally sound. We trust those technologies because we know that they were designed and built by applying the basic laws of physics, principles of mathematics, and concepts of engineering,” Ross wrote. Similarly, applying fundamental principles in mathematics, computer science, and systems/software engineering can give us the same level of confidence in our software and hardware.

Taking a holistic approach

A holistic approach requires coordinating across different specialties, such as information, software and hardware assurance, physical security, antitamper protection, communications security, and cryptography. It also demands addressing multiple focus areas, such as privacy, verification, penetration resistance, architecture, performance, validation, and vulnerability.

The guidance addressed the dependencies and  subspecialties by grouping the processes in the system lifecycle into four families:

  • Agreement Process: Tasks related to acquiring products and services, as well as providing services as a supplier.
  • Organizational Project-Enabling Process: Lifecycle model management, infrastructure management, portfolio management, human resource management, quality management, and knowledge management.
  • Technical Management Process: Project planning, project assessment and control, decision management, risk management, configuration management, information management, and quality assurance.
  • Technical Process: All the activities related to business or mission analysis, defining stakeholder needs and requirements, defining system requirements, defining the architecture, defining the design, system analysis, implementation, integration, verification, transition, validation, operations, maintenance, and disposal.

The processes outlined in the publication do not prescribe a mandatory set of activities and do not explicitly map to specific stages in the lifecycle, NIST warned. Engineers should rely on their experience and their understanding of the organization’s objectives to tailor the processes to meet the stakeholder’s requirements for a trustworthy system.

The publication also did not attempt to formally define systems security engineering. There is something for everyone involved in the process, from business stakeholders to developers, administrators, and security analysts.

Calling on engineers

When civil engineers build a bridge, they have to consider the weight of vehicles and people crossing the bridge, the stress caused by wind and other natural elements, and the materials used to build the bridge itself. Buildings have to meet specific structural and fire codes to make sure they are safe and will not collapse. Similarly, software engineers need to build systems with security controls already included in the design and not added afterward as a separate component.

If bridges were routinely collapsing, scientists and engineers would be immediately on the scene to figure out what went wrong and identify how to fix it for future projects. Currently, instead of asking engineers and scientists to perform root-cause failure analysis to find and fix the problem, cybersecurity focuses on add-ons. Changing how technology is designed and built—by strengthening underlying systems and system components, and developing with well-defined security requirements—would help reduce the number of known, unknown, and adversary-created vulnerabilities, Ross said.

NIST’s approach echoes what Dan Kaminsky, chief scientist and co-founder of White Ops, said in his keynote speech at the Black Hat security conference earlier this year. Kaminsky called for an “NIH [National Institutes of Health] for Cyber” to study the security challenges and come up with engineering solutions addressing them. While Kaminsky was using the name of a different federal agency, his message was the same: Cybersecurity needs to be treated as an engineering discipline with tools and principles that can be used to build secure systems.

“We didn’t stop our cities from burning by making fire illegal or heal the ill by making sickness a crime. We actually studied the problems and learned to deliver safety,” Kaminsky said in his speech. “If we want to make security better, give people environments that are easy to work with and still secure.”

Addressing the IoT problem

While NIST focused the language on systems and software, the guidance provides a welcome direction for the internet of things, most of which hit the market with little to no security controls.

NIST’s authority extends to only government agencies and contractors, so the guidance is not binding for engineers working in the private sector. Even so, these recommendations can raise expectations on what features must be included to be acceptable for the marketplace.

This NIST publication is the culmination of nearly four years of work, Ross said. The final draft was originally expected in December, but the release date was moved up after a crippling distributed denial-of-service attack against Dyn temporarily cut off access to large parts of the internet. The attack also revived discussions on whether the government should try to regulate the security of IoT, especially since there are currently no consequences for manufacturers selling subpar devices to consumers.

Regulation would be difficult, as many of the embedded devices aren’t manufactured in the United States. “While I’m not taking a certain level of regulation off the board, the United States can’t regulate the world,” Rep. Greg Walden (R-Ore.), chairman of the Subcommittee on Communications and Technology said during a recent Congressional hearing on IoT security.

Building trustworthy systems

The rapid pace of technological innovation, the dramatic growth in consumer demand for new technology, and the boom in IoT have made it difficult to understand, let alone protect, the global information technology infrastructure. There are too many areas to cover—software, firmware, hardware components—and cyberhygiene efforts, such as patching, asset management, and vulnerability scanning, are not enough.

“Our fundamental cybersecurity problem can be summed up in three words—too much complexity,” Ross wrote. “Creating more trustworthy, secure systems requires a holistic view of the problems, the application of concepts, principles, and best practices of science and engineering to solve those problems, and the leadership and will to do the right thing—even when such actions may not be popular.”

To comment on this article and other InfoWorld content, visit InfoWorld's LinkedIn page, Facebook page and Twitter stream.

InfoWorld Security

Apple may have refused to help the FBI unlock an iPhone used by the San Bernardino shooter, but the tech industry is still better off working with the U.S. government on encryption issues than turning away, according to a former official with the Obama administration.

“The government can get very creative,” said Daniel Rosenthal, who served as the counterterrorism director in the White House until January this year. He fears that the U.S. government will choose to “go it alone” and take extreme approaches to circumventing encryption, especially if another terrorist attack occurs.

[ Safeguard your data! The tools you need to encrypt your communications and web data. • Maximum-security essential tools for everyday encryption. • InfoWorld's encryption Deep Dive how-to report. | Discover how to secure your systems with InfoWorld's Security Report newsletter. ]

“The solutions they come up with are going to be less privacy protective,” he said during a talk at the Versus 16 cybersecurity conference. “People will think they are horrifying, and I don’t want us to see us get to that place.”

Rosenthal made his comments as President-elect Donald Trump—who previously called for a boycott of Apple during its dispute with the FBI—prepares to take office in January.

A Trump administration has a “greater likelihood” than the Obama administration of supporting legislation that will force tech companies to break into their customers’ encrypted data when ordered by a judge, Rosenthal said.

“You have a commander-in-chief, who said at least on the campaign trail he’s more favorable towards a backdoor regime,” Rosenthal said.

Earlier this year, one such bill was proposed that met with staunch opposition from privacy advocates. However, in the aftermath of another terrorist attack, Congress might choose to push aside those concerns and pass legislation drafted without the advice of Silicon Valley, he said.  

Rosenthal went on to say that U.S. law enforcement needs surveillance tools to learn about terrorist plots, and that’s where the tech industry can help. During his time in the White House, he noticed a “dramatic increase” in bad actors using encryption to thwart government efforts to spy on them.

“There are people trying to come up with a reasonable solution,” he said of efforts to find a middle ground on the encryption debate. “To immediately say there is no solution is counter historical.”

dsc05324Michael Kan

Cindy Cohn (right), executive director of EFF, and Daniel Rosenthal, former director of counterterrorism for the White House.

However, Rosenthal’s comments were met with resistance from Cindy Cohn, executive director for Electronic Frontier Foundation, a privacy advocate. She also spoke at the talk and opposed government efforts to weaken encryption, saying it “dumbs down” security.

“This idea of a middle ground that you can come up with an encryption strategy that only lets good guy into your data, and never lets a bad guy into your data, misunderstands how the math works,” she said.

Law enforcement already possess a wide variety of surveillance tools to track terrorists, she said. In addition, tech companies continue to help U.S. authorities on criminal cases and national security issues, despite past disputes over privacy and encryption.

But law enforcement has done little to recognize the risks of building backdoors into products, Cohn said. Not only would this weaken security for users, but also damage U.S. business interests.

“If American companies can’t offer strong encryption, foreign companies are going to walk right into that market opportunity,” she said.

Cohn also said any effort to force U.S. companies to weaken encryption wouldn’t necessarily help catch terrorists. That’s because other strong encryption products from foreign vendors are also circulating across the world.

“The idea that the Americans can make sure that ISIS never gets access to strong encryption is a pipe dream,” she said. “That’s why I think this is bad idea. Because I don’t think it’s going to work.”

The Versus 16 conference was sponsored by cybersecurity firm Vera. 

To comment on this article and other InfoWorld content, visit InfoWorld's LinkedIn page, Facebook page and Twitter stream.

InfoWorld Security

Two U.S. government agencies have released security guidance documents focusing heavily on IoT security following a series of massive DDoS attacks that leveraged IoT devices using default security settings.

Both the Department of Homeland Security (DHS) and the National Institute of Standards and Technology (NIST) have released recommendations for how to approach security for the Internet of Things (IoT). Experts said the IoT security guidance from DHS focuses on the basics while NIST had offers more of a "how-to" for businesses.

The DHS IoT security guidance put forth six strategic principles intended to equip IoT developers, manufacturers, service providers and consumers "with tools to comprehensively account for security as they develop, manufacture, implement or use network-connected devices." The DHS recommends: incorporating IoT security in the design phase, pushing security updates, building upon proven security practices, prioritizing higher risk issues, promoting transparency and being deliberate in the use of IoT devices.

Derek Manky, global security strategist at Fortinet, told SearchSecurity that the focus on the basics from the DHS was the best strategy for IoT security guidance.

"There's a lot of groups that should have focused on [the basics], but unfortunately nobody saw the problem until there were millions of devices deployed across the world," Manky said via email. "I think the best option is to focus on the basics right now. There aren't any best practices out there from an IoT perspective -- for security and development alike. The first step is to develop the right framework and then start changing the mindset of the IoT developers."

Art Swift, president of prpl Foundation, said the DHS offered "a good baseline for IoT security practices." 

"While it may seem basic, these are exactly the things manufacturers and developers need to be doing to improve security in the Internet of Things, Swift said. "The part that is not addressed by the DHS is to provide any practical guidelines on how to implement its recommendations."

Jamison Utter, vice president at IoT cybersecurity firm Senrio, said "it's important at this phase for any governing body to set for things that are high impact, but very achievable."

"For example in the 'Incorporate Security at the Design Phase' section is to enable security by default," Utter told SearchSecurity via email. "This single recommendation of changing default passwords would have a profound impact on simple compromises -- and 90% are simple. Mirai, for example, uses default passwords."

Manky agreed that the Mirai botnet attack was proof that security from the start is one of the most important issues in IoT security.

"Mirai was shown to have accumulated its great power through something incredibly simple -- trying to log-in to devices using their default usernames and passwords. If developers just eliminated default usernames and passwords it would have completely dismantled this botnet before it got off the ground," Many said. "Security from the start means incorporating things like the Common Weakness Enumeration to evaluate the security posture of your product, where things like hardcoded and default passwords would be fleshed out before they ever make it out the door."

However, Utter said the DHS IoT security guidance left out more technical details.

"The document seems to have some overtones (ok, strong ones) of recycled ideology. Things like 'patch management' is really not something the IoT has the ability to scale right now," Utter said. "It also has some traditional thinking and assumptions -- like that the IoT is still an 'on network' issue, where we rather think of the IoT as an always connected and always on issue. So the guidance is good, the vision of how to apply this frame work to the reality of IoT falls a bit short."

Manky said "the DHS release explains the what and why, and if you want to security seriously, the NIST Special Publication gives you a how-to."

According to the new NIST Special Publication 800-160, " Engineering-based solutions are essential to managing the growing complexity, dynamicity, and interconnectedness of today's systems, as exemplified by cyber-physical systems and systems-of-systems, including the Internet of Things. This publication addresses the engineering-driven perspective and actions necessary to develop more defensible and survivable systems, inclusive of the machine, physical, and human components that compose the systems and the capabilities and services delivered by those systems."

Swift said "it's time to get the industry at large involved and effecting the change needed to make IoT safer and more secure."

"Securing devices at the hardware layer is one of the most important ways the IoT is going to become more secure, but using open source software is also a key area. Manufacturers and developers should no longer rely on proprietary code that can be reverse engineered as it has been proven time and time again that this 'security by obscurity' approach is broken," Swift said. "By using open source implementations, which are open to review and hence inherently more secure, developers can agree to get basics right on security first and then compete on value-add market differentiators."

Manky praised the two new IoT security guidances for promoting the need for more discussion on the topic.

"This needs to be collaborative, and it's not just Silicon Valley they need on board. They need manufacturers of practically every vertical to adopt this mindset, and a surefire way to lose your voice is to demand too much too soon," Manky said. "These are things we've been saying within the tech world for years, but the IoT reaches so many new people. So many things that weren't done over IP are quickly moving that direction. It's the next wave of digitalization, and continual outreach is important."

Next Steps

Learn more about the risks to consider with IoT systems.

Find out if passwords are destined for obscurity.

Get info on why the IoT security window is closing.

SearchSecurity: Security Wire Daily News