The updated guidance provides goals and practical implementation advice, giving organizations a place to start with their cyber-resiliency efforts.

We’re living in a time of unprecedented connectivity. Nearly everything you can think of is already, or will soon be, connected to networks and the internet. Some metrics put the broader IoT ecosystem at over 12 billion devices. At the same time, we are living in a digitally driven economy. Sources such as the World Economic Forum project that digital platforms will soon account for nearly 60% of global GDP. While all this connectivity is great, it isn’t without its perils.

Digitally connected systems are vulnerable to myriad cybersecurity threats. High-profile security incidents in 2021 included open-source security breaches, alarming vulnerabilities in hyperscale cloud platforms, and more ransomware attacks. It isn’t a matter of if an incident will occur, but when, and how systems will both respond to and recover from it.

That is why resilience is the name of the game when it comes to modern IT-enabled systems. To build on that, NIST has released an updated publication of 800-160 v2, “Developing Cyber-Resilient Systems: A Systems Security Engineering Approach”. The goal is to apply resilience and systems security engineering to develop survivable, trustworthy systems. Here are some of the document’s core concepts and fundamental takeaways.

Four fundamental cyber resiliency goals

The guidance is structured around a cyber resilience framework with goals and objectives. By implementing defined cyber resiliency practices, organizations produce solutions that meet both stakeholder expectations and the goals of the framework. The framework also accounts for applying its concepts beyond individual systems, to business functions, organizations, and even entire industrial sectors. The publication lays out four fundamental cyber resiliency goals: anticipate, withstand, recover, and adapt.
This logical flow of goals emphasizes that it isn’t enough to anticipate or withstand adversarial activities against systems; organizations must ultimately improve resiliency by modifying processes, practices, and technologies.

One can’t read these goals without thinking of Nassim Taleb’s book Antifragile, which states: “Antifragility is beyond resilience or robustness. The resilient resists shocks and stays the same; the antifragile gets better.” Following the goals laid out by NIST, systems would not only resist and recover from shock, but would iterate and ultimately become even more trustworthy as a result.

Cyber resiliency objectives

In pursuit of the cyber resiliency goals, the publication defines specific objectives: prevent, prepare, continue, constrain, and transform. Collectively, these objectives aim to prevent attacks and incidents from occurring, continue mission and organizational functions when they do happen, limit the damage, and ultimately restore operations and functionality as quickly as possible. Building on that, the goal is to enable critical business functions to handle adversity effectively, be flexible, and, most importantly, be sustainable.

Cyber resiliency techniques and properties

NIST defines many techniques and properties in the cyber resiliency framework. Some are aligned with being agile, adaptive, and responsive. Others are aligned with concepts such as deception, non-persistence, and segmentation, which strive both to mislead adversarial actors and to ensure systems can sustain operations through malicious actions while still delivering on organizational business objectives.

As shown in the image below, there is a symbiotic relationship among the components of a comprehensive cyber resiliency solution. All are tied to supporting a defined risk management strategy that cuts across systems, business processes, and the organization.
[Figure: components of a comprehensive cyber resiliency solution. Source: National Institute of Standards and Technology (NIST)]

Cyber resiliency in practice

The guidance goes on to discuss cyber resiliency in practice. It does so by helping organizations develop a tailorable set of resilience concepts, constructs, and practices that can be applied. NIST recognizes that different system types, such as IoT, cyber-physical systems, and enterprise IT, all have unique requirements and therefore demand a unique approach.

There’s also a recognition that while cyber resilience techniques can be complementary, they can also be contradictory. For example, segmentation and non-persistence can make monitoring and awareness more difficult. This emphasizes the need for professional practitioner discretion in deciding which techniques to apply, based on system and organizational requirements.

Much of what the NIST guidance describes may seem novel, and in some cases may warrant additional process, practice, and technology investments. However, much of what is being proposed can build on existing organizational cybersecurity investments. Most organizations of substantial size and scope likely already have investments in areas such as incident response, monitoring, and logging. These investments can be leveraged to complement cyber-resilient practices. Building cyber-resilient systems is an iterative process. It involves establishing a baseline, analyzing existing systems and processes, identifying gaps, and providing recommendations to help drive further organizational and mission improvements.

Where to begin with cyber resiliency?

Again, we’re living in an increasingly connected society driven by a digital economy. Almost all organizations are becoming technology companies, even if they don’t realize it.
Those failing to leverage technology to help drive competitive advantage in their respective markets and domains may cease to exist. That said, these same systems are constantly under a barrage of dynamic threats from threat actors. This reality requires not just using technology but building cyber-resilient systems able to prevent, withstand, and ideally transform in the face of adversity.

Practitioners looking to get started can take a few key steps:

Focus on the mission and business functions. Digital systems are often wielded to support critical business functions. What are those functions, how might their loss affect the organization, and why are they of interest to an adversary?

Change is the only constant. The business will constantly change technologies, processes, and objectives. Cybersecurity practitioners must also be flexible and dynamic while applying fundamental cyber resiliency concepts to ensure business continuity and sustainability.

Assume a compromise, breach, or incident will occur, and likely already has. The idea of a system being infallible is impractical. Adversaries only need to be right once. Begin asking yourself and your team: how do we ensure that when this does occur, it isn’t so devastating that business and organizational operations grind to a halt? How do we architect our systems in a fashion that allows us not only to absorb challenges, malicious activities, and resistance, but to thrive in the face of them?