Want to Be Your Organization's Cybersecurity Expert? Put NIST at the Top of Your List
Protecting the network has become synonymous with protecting the business because the two have become inseparable. As physical security professionals with cameras and access control systems connected to an IP network, we know how to protect people and assets. However, these tools are only as effective as the network they are connected to, which makes protecting the network a critical part of the overall security equation. IT departments rightly consider this part of their core mission, so it’s not surprising that any security system that is connected to a network under IT’s control is going to be subject to rigorous scrutiny.
If you or your team are responsible for an organization’s physical security system, how do you rise to the occasion in terms of cybersecurity expertise? NIST might be just the thing you are looking for.
An Incredible Resource for Security Professionals
The National Institute of Standards and Technology (NIST) is a non-regulatory agency of the United States Department of Commerce. According to its website, NIST’s primary mission is to promote innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve the quality of life. In other words, NIST develops technical standards covering almost every aspect of the modern world to ensure safety while enabling technology to advance. From guaranteeing that hoses fit on all fire hydrants to working on what will be the first living cell reference material, NIST’s contributions are vast and can be traced back to Article I, Section 8 of the U.S. Constitution, which mandates that the United States “fix the Standard of Weights and Measures” to support commerce across the nation. Originally known as the National Bureau of Standards, it is also one of the oldest physical science laboratories in the United States, having been founded in 1901.
One of NIST's significant, and more recent, contributions is in the area of cybersecurity. NIST develops guidelines, tools, and frameworks to help organizations manage cybersecurity risks. The NIST Cybersecurity Framework (CSF) can help any business better understand, manage, and reduce its cybersecurity risk. While the framework is rigorously followed by government agencies such as the Department of Defense (DOD), National Security Agency (NSA), and FBI, it is completely voluntary for all other organizations. By following it, businesses gain access to a set of proven best practices to guide investments and efforts to maximize cybersecurity protection. After all, if it’s good enough for the NSA, FBI, and DOD, it’s probably good enough for your business too!
Continual Collection and Testing of Existing Standards
It's important to note that the smart people who work at NIST don’t always come up with this information themselves. Rather, they continually adopt, assess, and recommend existing methods and standards that have passed their rigorous testing and verification processes. One of the best things about NIST’s recommendations and best practices is that they constantly evolve to keep up with myriad emergent threats and the technological advances that can be used to combat them. Even more important is when NIST recommends that we collectively retire legacy technologies that are no longer able to offer suitable protection.
With so much information available, we need to narrow it down to what matters in our industry. For physical security professionals, some publications are targeted directly at our wheelhouse:
- NIST Special Publication (SP) 800-53 Revision 5, "Security and Privacy Controls for Information Systems and Organizations"
- FIPS 140-2 and 140-3, “Security Requirements for Cryptographic Modules”
NIST 800-53 - Security and Privacy Controls for Information Systems and Organizations
NIST 800-53 is a comprehensive document that outlines a wide range of security and privacy controls for information systems and organizations. We can think of these controls as the safeguards and countermeasures that organizations can implement to secure their information systems. The controls are designed to be customizable and can be applied as part of any organization-wide method to manage risk.
For example, we might want to improve the way a company manages passwords for all the devices on its network. Section 3.7 on identification and authentication tells us everything we need to know about best practices regarding passwords and other forms of authenticating users. Want to know how to set up a resilient access control system? Look no further than section 3.1 of the document. It’s a massive resource, and you probably won’t need all of it, but when you do, it’s all there and it’s free.
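To make the password example concrete, here is an added illustration (editor's code, not from the article or from NIST) of what a device-credential audit in the spirit of the identification and authentication controls could look like. The specific rules it enforces (a minimum length, acceptance of long passphrases with spaces and any printable characters, a check against a list of commonly used or compromised passwords, and storage with a salted key derivation function) are my reading of SP 800-53 Rev 5 control enhancement IA-5(1), not text quoted from this article; the compromised-password list, the device inventory, and the length limits are constructed for the example.

```python
"""Added example: auditing camera and access-control device passwords against a
policy modelled on SP 800-53 Rev 5 IA-5(1). The rules, list and inventory below
are the editor's assumptions, not content from the article."""
import hashlib
import os
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for the organization's list of commonly used, expected, or
# compromised passwords. A real deployment would load a large, maintained list.
COMPROMISED_PASSWORDS = {"password", "123456", "admin", "camera1234", "welcome1"}

MIN_LENGTH = 8    # assumption: organization-defined minimum length
MAX_LENGTH = 128  # long enough to allow passphrases with spaces

# Constructed inventory: device name -> current password (for illustration only).
SAMPLE_DEVICES = {
    "lobby-cam-01": "admin",
    "dock-cam-02": "Long passphrase for dock camera 2",
    "access-ctl-01": "camera1234",
}


def check_password_policy(password: str) -> List[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if not password.isprintable():
        problems.append("contains non-printable characters")
    if password.lower() in COMPROMISED_PASSWORDS:
        problems.append("appears on the compromised/common password list")
    return problems


def audit_device_credentials(credentials: Dict[str, str]) -> Dict[str, List[str]]:
    """Run the policy check over every device and report only the ones that fail."""
    findings = {}
    for device, password in credentials.items():
        problems = check_password_policy(password)
        if problems:
            findings[device] = problems
    return findings


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Store a password as (salt, digest) using a salted key derivation function (scrypt)."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(
        password.encode("utf-8"), salt=salt, n=2**14, r=8, p=1,
        maxmem=64 * 1024 * 1024, dklen=32,
    )
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Re-derive the digest and compare in constant time."""
    _, digest = hash_password(password, salt)
    return secrets.compare_digest(digest, expected)


if __name__ == "__main__":
    for device, problems in audit_device_credentials(SAMPLE_DEVICES).items():
        print(f"{device}: {'; '.join(problems)}")
```

Running the script lists the two constructed devices whose passwords fail the policy; the storage helpers show the other half of the control, which is that even a strong password should never be kept in a form that an attacker who copies the device's configuration can reuse directly.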
While 800-53 only applies directly to federal agencies, it is safe to assume that for any organization conducting business with the U.S. government, compliance with all or at least some portion of these best practices will be required.
FIPS 140-2 and 140-3 – Security Requirements for Cryptographic Modules
NIST publishes its approved cryptographic algorithms and the requirements for the modules that implement them within its Federal Information Processing Standards (FIPS). The goal of the FIPS 140 series of documents is to ensure computer security and interoperability for U.S. government agencies and contractors. Like 800-53 above, FIPS wasn’t created in a vacuum either: it takes its best practices from many other technical groups, such as the American National Standards Institute (ANSI), the Institute of Electrical and Electronics Engineers (IEEE), and the International Organization for Standardization (ISO).
When a manufacturer says their product is FIPS certified at a certain level, you know exactly which security requirements its cryptographic module has been validated against. For example, you might hear that a network security camera is FIPS 140-2 Level 3 certified. That’s a recent version of the FIPS standard, which lays out security requirements for cryptographic modules used in a security system that protects sensitive information. (It has recently been superseded by 140-3, which is slowly being rolled out.) A camera might have a tamper-resistant integrated circuit, called a secure element, that generates and stores cryptographic keys and so protects the device from a wide range of attacks and tampering. A secure element is small, fast, and easily deployable in edge devices. Network devices that don’t conform to the FIPS requirements are simply easier to hack than their counterparts.
How Deep is This Rabbit Hole?
The pool of information publicly available through NIST and its partners is indeed enormous. Thankfully, search engines can help us narrow down the subjects we need more knowledge about.
Beyond what is mentioned above, NIST has a whole section devoted to information technology topics that cover cloud computing and virtualization cybersecurity, biometrics, and even the use of artificial intelligence (AI). Research is going on constantly, too, together with universities and other partners. In this way, it’s possible to explore the very cutting edge of how to protect systems. For example, an article came out in January exploring how AI systems can malfunction when exposed to untrustworthy data and how attackers are exploiting this issue.
You can get involved, too—NIST regularly seeks feedback on topics by submitting a Request for Information (RFI) that anyone can respond to. As of this writing, NIST was actively seeking information regarding its assignments under Presidential Executive Order 14110 on Safe, Secure, and Trustworthy Development and Use of AI.
The More You Know
We live in interesting times and, thankfully, cybersecurity best practices are readily accessible to anyone who has the time and inclination to learn how to implement them. Organizations like NIST have done almost all the homework for us. All we need to do is read and implement as required.
Will Knehr is the senior manager of information assurance and data privacy at i-PRO Americas, Inc., where he works to secure their products and networks. He has been working to secure networks since 2004, when he started his career in Cryptologic Warfare conducting cyber defense missions for the U.S. National Security Agency (NSA), Combined Maritime Forces (CMF), Department of Defense (DOD), Defense Information Systems Agency (DISA), and more, helping to defend, accredit, certify, and provide digital forensics and incident response on the United States’ most sensitive and secure networks. He also worked for Northrop Grumman supporting special projects for the NSA and DISA, building virtualized environments for malware analysis, data brokering, and managing their cybersecurity program.
He has master’s degrees in cybersecurity and business. He holds many industry-leading certifications including CISSP, PMP, CEH, CNDA, CASP, CMMC RP, and many more.