What are the NIST security controls?
International standard organizations and governments rolled out the requirements for businesses to tackle raising issues of cybersecurity, it’s wise to choose those standards/frameworks rather than relying entirely on business experiences. There are various standards available which propose security controls to mitigate the cybersecurity issues. Choosing the appropriate standard and selecting the right set of security controls can be a daunting task as it requires a huge effort in understanding the performance needs and industry-specific security standards. This task needs to be done during the architectural phase and it gives inputs to software stakeholders like system architects, software architects, software developers and product owner who are responsible for defining and implementing the cybersecurity strategy for a system. Show The purpose of this paper is listed below:
This paper comprises four major sections:
A glossary at the end of this article provides a list of acronyms and terminology used throughout this paper. 1. Security Strategy – Process Flow Security strategy is a must for any embedded system or a component in its overall development lifecycle. Typical security strategy phases are highlighted in Figure 1 as part of conventional SDLC phases. Figure 1: Security Strategy Flow in SDLC Process. (Source: HCL Technologies) The input and output of all the security phases are shown in Table 1. Table 1: Input and Output of the Security Phases. (Source: HCL Technologies) 1.1. Threat Modelling Threat modelling or Threat risk assessment is the process of finding out threats for a given system. Threat Modelling needs to be done in all the risk areas. Refer SEI link, Wiki link for various threat modelling techniques currently practised in the industry. Selecting the appropriate threat modelling technique for a specific system is outside the scope of this paper. After threat modelling is done, it is necessary to prioritize the threats. This task is known as the Threat Risk Assessment. The common methods available for threat prioritization are DREAD and CVSS. The result of this task is the prioritization of the threats. 1.2. Identify Security Controls The guidelines to use the NIST framework and identify security controls will be elaborated in detail from section 8. These security controls are needed to mitigate the threats in the corresponding risk area. The identified security controls need to be implemented as software functionality. These software functionalities need to work together and need to be implemented as a group of software elements to achieve the required security objectives. These group of cybersecurity software elements and their inter-relationship forms the cybersecurity software architecture which is a part of software architecture. The software architecture needs to be defined in such a way to accommodate the implementation of security controls. For a family of systems, this task needs to be done while defining the reference software architecture for that family. 1.3. Design & Implement Security Controls Once the security controls are identified, it is the job of software stakeholders to design and implement them which is outside the scope of this paper. 1.4. Vulnerability/Penetration testing Vulnerability or penetration testing is the process of identifying vulnerabilities in a system. The output of this phase gives new threats or defects. The process mentioned in Figure 2 needs to be followed to manage the new threats or defects. This phase can be iterative until all the relevant security threats are mitigated. Figure 2: Management of new threats/defects (Source: HCL Technologies) 2. Identify Technology Type The essential step needed prior to choosing standard and selecting security controls is identifying the type of technology. Performance requirements as highlighted in Table 2 varies for devices belonging to different technology groups so as the security controls. Hence, the essential step before choosing a standard/framework is to identify whether the target system is information technology or operational technology or a hybrid one. 2.1. Information Technology IT focusses on electronic data processing, storing and exchanging using general-purpose computers and networking devices. 2.2. Operational Technology OT focusses on various embedded and control systems like supervisory control and data acquisition (SCADA). These are real-time systems and interacts with the surrounding environments. 2.3. Hybrid Technology – IT/OT Convergence The integration of networking, communications, automation and analytics in OT devices introduces a hybrid technology. This enables the system administrators to monitor and control the system more easily. IoT is the best example of this hybrid technology. 2.4. Comparison of IT and OT System Characteristics The outcome of following any security framework is the identification of required security controls. These security controls might be the same for the IT and OT systems. As an example, consider the risk area “Data Protection”, the security controls identified for this risk area needs cryptography in both IT and OT systems. However, the implementation of these security controls varies as per the target technology and its characteristics. Table 2 shows a comparison of the characteristics of IT and OT. Table 2 – Comparison of IT and OT system Characteristics (Source: HCL Technologies) 3. Cybersecurity Standards There are various standards and guidelines available to implement mechanisms for securing the system. It is always good to follow these guidelines and standards rather than to proceed with our own custom solution. However, the important task here is to identify the relevant standard to follow. The list below covers the majority of the standards applicable for developing information management systems: Institute of Electrical and Electronic Engineers (IEEE) – Standards for PHY/MAC & data link layer standards (layer 1 & 2) Though many standards are available, there were no guidelines available for how to use the above-mentioned standards. 4. NIST Framework & Security Controls NIST Cybersecurity Framework released by NIST is a framework of security policies and guidance for organizations to secure their systems. This framework guides the organization in improving its abilities to handle cyber-attacks. It contains an exhaustive list of cybersecurity requirements and the security controls needed to make the system secure. NIST framework uses the terms as shown in Table 3 to do this mapping. Table 3 – NIST Terms (Source: HCL Technologies) 4.1. Functions NIST framework has defined five functions. The brief overview of the five functions are listed below: Identify – Capability which enables the organization to identify what needs to be protected, such as systems, assets, data and capabilities Refer the NIST link for a detailed understanding of the NIST framework. NIST proposes various standards as informative references from which security controls can be identified for the system. 4.2. NIST Recommended Standards The NIST recommended standards and their applicability for the technology types can be seen in Table 4. Table 4 – NIST Framework – Proposed Standards (Source: HCL Technologies) The description for the above standards are listed below: CIS – Recommends the best practices, tools and benchmarks primarily focused on improving internet security 4.3. NIST Profile Organizations need to do threat modelling against all the risk areas mentioned in the NIST Framework and choose the requirements against their business goals. The selected set of security requirements is called a profile. NIST has already created the profiles for various systems as shown in Table 5. Table 5 – NIST Profiles (Source: HCL Technologies) 4.4. Domain-Specific Standards Apart from the NIST recommended standards, there are many standards available specific to the domain. Some examples of domain-specific standards are shown in Table 6. Table 6 – Examples of Domain-Specific Standards (Source: HCL Technologies) 4.5. NIST SP 800-53 – NIST Proposed Security Controls NIST has recommended its own security controls in its special publication NIST SP 800-53 which is an open publication. When domain-specific standards are not available and if the organization decides not to procure a new standard, then NIST SP 800-53 will be highly useful. This special publication has more than 350 pages and it will take more efforts to understand. This section briefly presents how to use this publication. It is highly recommended to refer NIST SP 800-53 for the details. 4.5.1. Security Control Structure The security requirements needed to mitigate the risks are known as security controls. The security controls are organized into eighteen families or risk areas as shown in Figure 3. The controls used to protect these risk areas are called baseline security controls. Figure 3: NIST 800-53 Risk Areas (Source: NIST SP 800-53 rev4) The sections present in a security control are as follows: (i) a control section; (ii) a supplemental guidance section; (iii) a control enhancements section; (iv) a references section; and (v) a priority and baseline allocation section. 4.5.1.1. Control Section The control section explains the security requirements need to be implemented by the organization or the system 4.5.1.2. Supplemental Guidance The supplemental guidance section gives additional information related to a particular security control. 4.5.1.3. Control Enhancements The security control enhancements section gives information about the security capabilities which can be applied to particular security control. 4.5.1.4. References The references section mentions the standards and guidelines related to a specific security control 4.5.1.5. Priority & Baseline Allocation The priority and baseline allocation sections show the recommended priority codes used for security control implementation. These codes can be used by the organization for sequencing the implementation of security controls. Apart from the above sections, some security controls may be embedded with assignments and selection statements which enable the organizations to customize the selected security control to meet the security requirements. A sample security control is shown in Figure 4. Figure 4: A sample security Control (Source: NIST SP 800-53 rev4) 4.5.2. Select Security Controls – Process The process to select the security controls using NIST proposed security controls is shown in Figure 5. Figure 5: NIST 800 53 – Security Control Selection Process (Source: HCL Technologies) 4.5.2.1. Security Categorization The essential step before identifying security controls for a system is to determine how critical and sensitive is the information to be processed. This process is called the security categorization. FIPS Publication 199 describes this process in detail. 4.5.2.1.1. FIPS 199 Security Categorization FIPS Publication 199 recommends doing security categorization based on the impact of security objectives like confidentiality, integrity, and availability of the system and the data to be processed. The impact has been classified as listed below: A system is considered as a low-impact system when all the security objectives are low The implementation tip given in NIST SP 800-53 is shown in Figure 6. Figure 6 – Security Categorization – Implementation Tip (Source: NIST SP 800-53 rev4) 4.5.2.2. Identify Baseline Security Controls The output of threat modelling is threats or security requirements. The security controls have been mentioned in Appendix D in NIST SP 800-53 rev4. Organizations need to identify the required controls from this catalogue based on the security categorization and the security requirements. 4.5.2.3. Tailoring Baseline Security Controls After baseline security controls are selected from Appendix D, tailoring process needs to be started. This process allows the organization to customize the security controls by modifying or adding or deleting controls to meet the system and environment-specific requirements. Below listed steps are needed in the tailoring process 4.5.2.3.1. Identify Common Controls Common controls are applicable for a family of systems controls that are inheritable by one or more organizational systems. 4.5.2.3.2. Apply Scoping Considerations This step is needed to filter the unwanted security controls from the control baselines. The list of scoping considerations NIST specifies is shown below. Control Allocation and Placement Considerations 4.5.2.3.3. Select Compensating Controls This step allows the organization to select alternate security controls when the controls mentioned in NIST SP 800-53 do not satisfy the requirements of the target system because of the type of technology, environment, cost reasons etc. 4.5.2.3.4. Assign Security Control Parameter Values Organizations assign the organization-defined values for the identified security controls. This may be useful before selecting compensating controls. This will also be useful when organizations work together and agree upon a set of security controls for a particular system. 4.5.2.3.5. Supplementing Security Control Baselines This phase strongly recommends the use of risk assessment for the target system. Risk assessments give additional security requirements which leads to identifying the needed security controls. 4.5.2.3.6. Providing Additional Information Security controls are high-level design inputs and lack implementation level details. The organization can add additional implementation level details during documentation. Additional information for one of the security controls is shown in Figure 7. Figure 7 – Additional Information (Source – NIST SP 800-53 rev4) Organizations can use tailoring guidance on top of baseline security controls to form a set of security controls for a domain or a family of systems. The final set of security controls is called overlay. Ex: NIST SP 800-82 is the overlay created for ICS or OT. 4.5.2.4. Document the Control Selection Process Organizations need to document the entire process of identifying the baseline security controls and tailoring guidance with proper rationale. This will be highly useful during the review. The high-level security control selection process is shown in Figure 8. Figure 8 – Security Control Selection Process (Source – NIST SP 800-53 rev4) 4.6 Why & When NIST Framework should be Followed? NIST Framework and the proposed security controls in NIST SP 800-53 is applicable to organizations relying on technology, whether their cybersecurity focus is primarily on IT, OT, ICS, cyber-physical systems (CPS), or connected devices more generally, including the IoT. The flow chart in Figure 9 shows when to follow the NIST Framework and how to choose the NIST proposed security controls. Figure 9 – Process to Identify Security Controls (Source: HCL Technologies) Conclusion This paper presented the security phases required in a software development lifecycle. Then explained the type of technologies and the security standards needed for the relevant technologies. When defining the security strategy for a system, it is wise to follow the process shown in Figure 9. NIST cybersecurity framework and the security controls mentioned in NIST SP 800-53 will greatly help to define and implement security strategy for a system. An excerpt from Wikipedia states that “A security framework adoption study reported that 70% of the surveyed organizations see NIST’s framework as a popular best practice for computer security”. What are the three types of security controls NIST?System-specific controls—controls that provide a security capability for a particular information system only; Common controls—controls that provide a security capability for multiple information systems; or Hybrid controls—controls that have both system-specific and common characteristics.
What are the 4 types of security controls?One of the easiest and most straightforward models for classifying controls is by type: physical, technical, or administrative, and by function: preventative, detective, and corrective.
What are the 5 domains of the NIST?5 Domains of the NIST Security Framework. The five domains in the NIST framework are the pillars support the creation of a holistic and successful cybersecurity plan. They include identify, protect, detect, respond, and recover.
How many NIST cyber security controls are there?NIST 800-53 contains 108 controls in 20 control families. NIST CSF has five core principles: Identify. Protect.
|