This issue confronts nearly every organization that depends on information or operational technology for its principal business or mission: Keeping the infrastructure up to date without jeopardizing its ability to function or breaking the bank.
That problem could soon change.
A new draft guidance to help organizations get through this vexing issue just released from the National Institute of Standards and Technology (NIST).
Along those lines, NIST is requesting public comments by August 18 on this technical document, which will help organizations perform a step-by-step analysis to identify those critical parts of a system that must not fail or suffer compromise if the system is to successfully support the organization’s mission.
The document, NIST Interagency Report (NISTIR) 8179, Criticality Analysis Process Model, builds on previous NIST guidance such as Special Publication (SP) 800-53 Rev. 4, SP 800-160, and SP 800-161, which emphasized the importance of identifying the critical points in a system, but did not provide a method for doing so.
“This draft report shows people how to perform a criticality analysis that’s tailored to their organization,” said NIST cybersecurity expert Jon Boyens, who coauthored the report with his colleague Celia Paulsen. “Each agency will have its own situation. We are developing this for the government, but we want it to be friendly and useful for the private sector.”
The draft report will have repercussions beyond federal agencies because of all the private contractors that do business with the government.
“I think guidance like this will help secure the supply chain,” said John Peterson, senior program manager at the Redhorse Corporation in San Diego. “A lot of these systems are integrated, so if you have one part that’s compromised in some way, it could affect the entire system.”
These risks are potentially heightened by the real-world issue of limited resources, which can vary substantially in the federal government depending on budget priorities. How can an organization maintain systems when it cannot always afford to buy the latest and greatest tools, but at times must make do with legacy technology?
“The legacy problem is notorious throughout industry,” said Carol Woody, technical manager for cybersecurity engineering at the Software Engineering Institute in Pittsburgh. “All organizations are trying to keep technology costs down. It’s hard to do because they have to make choices that may not always anticipate problems ten years down the road. What the NIST authors are doing is saying, think broadly. Ask yourself why you bought something and how long it will be before it could conceivably need more capability — plan for its usable life and budget accordingly.”
Paulsen said while fundamental ideas like this were already in use in many industries, they were not always applied as they should be for information security.
“We looked at many processes and realized that people tend to view risk according to what they know best — their own goals and experiences,” she said. “Existing procedures don’t always emphasize considering different — often competing — priorities or how a single component can impact various parts of an organization. With limited resources it is impossible to solve every problem, but our report will help you see the whole landscape more clearly. It will help you communicate with different parts of the organization, outside stakeholders, and supply chain partners about what’s important.”
Criticality analysis is not only essential to determining high-value assets. It also alters the traditional risk assessment focus on likelihood: From what adversaries are likely to do, to what they are capable of doing. The approach also eliminates debate over “return on investment” in favor of engineering systems that are resilient.
Guidance of the sort the report offers is necessary, said Boyens, because of the nature of the supply chain—the innumerable manufacturers whose individual wares end up combined into a system, which then becomes part of an agency’s larger infrastructure.