NIST Cyber-Resiliency Framework Extended to Include Critical Infrastructure Controls

The National Institute of Standards and Technology (NIST) has published an update to its cyber-resiliency engineering framework that advocates building resilient IT systems that can withstand a modern attack by limiting the damage an attacker can cause.

Cyber-resiliency engineering combines specialty systems engineering, systems security engineering, and resilience engineering to architect, design, develop, implement, maintain, and sustain the trustworthiness of systems. The point of cyber-resiliency engineering is to develop “survivable, trustworthy secure systems” that can anticipate, withstand, recover from, and adapt to adverse conditions and attacks, NIST says. Being cyber-resilient can help organizations reduce the risks of security incidents because the potential damage – the blast radius – is contained.

Cyber-resiliency assumes the attacker has already gained access to a system or will gain access to the system at some point; the framework depends on that assumption. In "Developing Cyber-Resilient Systems: A Systems Security Engineering Approach" (SP 800-160 Vol. 2 Rev. 1), published Dec. 9, NIST outlines a series of tools, techniques, and approaches enterprise defenders can deploy to counter attacks by building resiliency, and they can be applied to both older systems already deployed or new ones being built from scratch.

The original framework helped organizations understand and apply cyber-resiliency to traditional IT systems. This update expands the focus of the original framework and includes new sections on operational technology and how cyber-resiliency approaches and controls can be used to counter adversarial attacks on industrial control systems.

The assessment is meant to be a starting point and can be tailored to meet the individual needs of the organization, which can select, adapt, and use some or all of the objectives, techniques, approaches, and design principles outlined in the framework and apply them as needed. Organizations can see how effective their implemented controls are and determine the strengths and weaknesses of their systems.

The framework is also designed to be used in conjunction with the MITRE ATT&CK framework. The update creates a single threat taxonomy based on the framework for organizations to use.

Finally, the updated framework is aligned to be consistent with NIST’s catalog for "Security and Privacy Controls for Information Systems and Organizations" (SP 800-53, Revision 5).