One of the major issues today is that security often ends up being an add-on, bolted onto a system after it has been designed. That may soon change, with system designers building security in from the start.
That is the goal of a new initiative at the National Institute of Standards and Technology (NIST). The agency wants to establish processes that build security into IT systems from the beginning using sound design principles, rather than trying to tack it on at the end, said computer scientist Ron Ross, a NIST Fellow.
“We need to have the same confidence in the trustworthiness of our IT products and systems that we have in the bridges we drive across or the airplanes we fly in,” Ross said.
Civil engineers employ the principles of physics and engineering to build reliable structures, Ross said. Similarly, systems security engineering processes, supported by the fields of mathematics, computer science and systems/software engineering, can provide the discipline and structure needed to produce IT components and systems that employ the same level of trust and confidence.
NIST launched a four-stage process to develop detailed guidelines for “systems security engineering,” adapting a set of widely used international standards for systems and software engineering to the specific needs of security engineering. The agency released the first set of those guidelines for public comment in a new draft document, “Systems Security Engineering: An Integrated Approach to Building Trustworthy Resilient Systems.”
The NIST engineering-driven guidelines should be broadly applicable to systems design in the public and private sectors, for small and large systems, and for many different types of applications including general-purpose financial systems, defense systems and the industrial control systems used in power plants and manufacturing.
The current draft — and the first stage of the planned process — describes the fundamentals, elements and concepts of systems security engineering and covers 11 core technical processes in systems and software development.
Later public drafts will add material in supporting appendices, for example, on principles of security, trustworthiness and system resilience; use case scenarios; and important nontechnical processes such as risk management and quality control procedures. NIST expects to publish the final, complete version of the engineering guidelines by December 2014.
The deadline for public comments on the current draft is July 11.