5

Applied Cybersecurity Division

INTRODUCTION

The Applied Cybersecurity Division (ACD) of the Information Technology Laboratory (ITL) was spun out of the Computer Security Division (CSD) and established on October 1, 2015. Since the division is new, it has not previously been reviewed by a National Academies of Sciences, Engineering, and Medicine panel. The division addresses its goal of improving the management of cybersecurity and privacy risk through outreach and application of standards and best practices whose adoption is deemed necessary to strengthen U.S. cybersecurity capabilities. Central to its approach is collaboration with industry, other federal agencies, state and local agencies, academia, international organizations, and others. The division consists of three groups: the National Initiative for Cybersecurity Education (NICE); the Cybersecurity and Privacy Applications Group; and the National Cybersecurity Center of Excellence (NCCoE).

QUALITY OF THE RESEARCH

National Cybersecurity Center of Excellence

The NCCoE is central to the mission of the ACD. It was established in 2012 by NIST in partnership with the state of Maryland and Montgomery County, Maryland. The NCCoE exists as a federally funded research and development center (FFRDC) operated by the MITRE Corporation and is housed in a modern building about 60,000 square feet in size. Inside the building are about 30 laboratories, where researchers define cybersecurity issues, develop technical descriptions of problems, and engage with technology vendors that have standards-based, commercially available products that can be used as part of an example implementation. The NCCoE accesses expertise across universities through its Academic Affiliates Council.¹ Research is done to build a reference design, identify gaps in the build, and then continue to refine and harden the example implementation until there is a practical and usable reference design that addresses the cybersecurity challenge that inspired the project. The details of this completed reference design, standards mapping, laboratory implementation and more are issued in a three-volume NIST Special Publication (SP) 1800 series document.² Three projects that the NCCoE briefed to the panel were securing wireless infusion pumps, secure interdomain routing, and trusted cloud.

___________________

¹ In addition to the University of Maryland System, nine other universities from around the country are members: University of Alabama, Birmingham; University of Delaware; George Mason University; Massachusetts Institute of Technology; Purdue University; University of California, Berkeley; University of Illinois; University of Texas, Dallas; and University of Texas, San Antonio.

² The National Institute of Standards and Technology (NIST) Special Publication (SP) 1800 series documents “present practical, usable, cybersecurity solutions to the cybersecurity community. These solutions demonstrate how to apply standards-based approaches and best practices. An 1800 document can map capabilities to the

The NCCoE’s Secure Interdomain Routing project is an effort to build a standards-based solution to a significant problem: spoofing routing information to hijack (reroute) packets on the Internet. The current routing system uses BGP (Border Gateway Protocol), and this is open to attacks by way of providing false information to sites performing routing.

The team involved, including contractor personnel, has built a working proof-of-concept model showing how to add protection to BGP. The solution uses a combination of roots of trusted information and PKI (Public Key Infrastructure) to authenticate routing changes. The solution appears to be compliant with the BGP standard and is thus plug-compatible with the current system. The solution appears to be potentially cost effective and thus practical for deployment, although a formal cost-benefit analysis has not yet been done.

This effort involved participation by many major Internet service provider (ISP) organizations, thus ensuring that the model developed will be compatible with existing practice and will help to accelerate any technology transfer to implementation.

The NCCoE-Secure Interdomain Routing group appears to have a workable, standards-compliant solution to the problem it is seeking to solve. The group needs to stress test and attack its solution to determine if it is, in fact, a complete solution. The group also has an opportunity to think a bit more broadly about its approach, and what else could be incorporated to enhance security—for example, including a notification step in its solution, such that sites that are targeted by spoofing attempts (directly or indirectly) can receive an alarm and trace information would provide for a stronger defense and initial forensics. BGP is a problematic protocol, however, so there are limits to what may be achievable.

In these very early days of cloud computing, one configures a machine model with desired hardware and software characteristics and assumes through contractual and reputational mechanisms that the machine will be provisioned as advertised. The NCCoE Trusted Cloud project explores how secure or measured boot technology employing a hardware root of trust can add engineering mechanisms into this mix to further ensure that one is not building on compromised foundations. Although the core technologies have been in existence for years, they are complicated and not widely used, and so they are at some risk of disappearing from future hardware designs. The ACD properly sees this as an excellent opportunity via the SP 1800 how-to guides to make hardened cloud computing more widely accessible.

Consistent with the NCCoE’s goal to engage with vendor partners, the Trusted Cloud project included the involvement of Dell, IBM, Intel, Microsoft, RSA, VMware, and potentially other large cloud vendors not engaged during the early phase of NCCoE. It appears that the laboratory also possesses a network component that would allow the project to explore remote attestation.

Two directions for expanding the NCCoE-Trusted Cloud work could be (1) involving some security-sensitive cloud customers such as banks, to validate the benefits and hone the messaging; and (2) working with system administrators of operational large clouds to assess how the hardened individual machines can be managed at scale.

The NCCoE initiated the Securing Wireless Infusion Pump project with the goal of applying the cybersecurity framework to devise a set of specific security measures that could enable health-care delivery organizations such as hospitals to use wireless infusion pumps for drug delivery without introducing undue risks such as compromise of personal information or unauthorized modifications to drug dosage. Wireless infusion pumps are in wide use, and management of the risks they pose is important to public safety and security.

Five major vendors of wireless infusion pumps contributed resources and personnel to work with NIST and NCCoE staff to construct the guidelines. These vendors represent approximately 85 percent of the deployed equipment in the United States. In addition to their development of a standard that can be widely deployed, the companies were able to learn best practices that some are folding back into their product lines.

___________________

Cybersecurity Framework and outline steps needed for another entity or organization to recreate an example solution.” See https://www.nist.gov/itl/nist-special-publication-1800-series-general-information, accessed August 28, 2018.

After reviewing the potential vulnerabilities of wireless infusion pumps, the project selected a security solution that is based on partitioning the hospital network to prevent malicious people or malware from gaining access to an infusion pump or pump server system. The project created a publication that provides detailed guidance on how to configure and lock down a network for organizations that wish to operate wireless infusion pumps securely. The project has delivered a valuable resource for direct application by hospitals and other health-care organizations.

While the infusion pump security solution has the potential to be a valuable resource for healthcare delivery organizations, almost all security solutions can potentially be defeated by a sufficiently clever and determined adversary. Furthermore, complex solutions such as the network partitioning approach proposed for protecting infusion devices run a significant risk of being misconfigured by operators or users. The publication Securing Wireless Infusion Pumps in Healthcare Delivery Organizations³ does provide some general recommendations for mitigating and responding to residual risks. However, there is no indication in the document that those recommendations resulted from an adversarial analysis of the proposed solution. The infusion pump publication and other similar guidance documents produced by the NCCoE would benefit from such a review.

Even with the best possible adversarial security review, there will remain some risk that a solution such as that in the infusion pump document could be defeated by a clever attacker. The consequences of such an event could be embarrassing or even hazardous. This is not a reason to avoid producing such solutions—to the contrary, well thought out solutions are of especially great value in such applications. However, it would be prudent for the ITL and the ACD to consider how they would respond to a defeat scenario, technically and with communications to stakeholders, and to have a plan and assigned responsibilities ready in advance. Mature cybersecurity organizations create such response plans as a matter of course and find that they can mitigate many of the substantive and reputational consequences of dealing with such contingencies if they act quickly and consistently.

RECOMMENDATION: The ITL should consider putting together a rapid response plan of action to be invoked in the event of a real-world safety or security problem after a technology has adhered to the best practices and guidance from the NCCoE. To the extent that there is the potential for reputational damage to NIST as to the effectiveness of its best practices and guidance, the ACD should prepare in advance to proactively address issues that may arise.

RECOMMENDATION: The NCCoE should add an adversarial perspective to the solutions and guidance that are promulgated by the NCCoE laboratories. That would mean conducting an adversarial review (e.g., red-teaming) against these solutions and feeding the adversarial review results back into their process for purposes of defensive improvement. This may involve adding steps into the current NCCoE process before reference designs and documents are released from the laboratory; additional resources should be added if needed to accomplish including the additional steps.

CYBERSECURITY FRAMEWORK

The creation, enhancement, and sustainment of the NIST Cybersecurity Framework is one of the key contributions of the ACD and of the NIST cybersecurity program. The framework is mandatory for U.S. government agencies, and its adoption is proceeding across the federal government. Adoption by the private sector is voluntary, but critical infrastructure sectors—the financial sector is a key example—have chosen to adopt it, as have many individual organizations. The framework has also seen significant

___________________

³ MITRE Corporation and NIST, 2017, Securing Wireless Infusion Pumps in Healthcare Delivery Organizations, Special Publication 1800-8, https://nccoe.nist.gov/projects/use-cases/medical-devices.

international adoption, which continues to grow, leading to a level of de facto international harmonization that is a major benefit for U.S. companies that operate worldwide.

The ACD recently updated the framework in response to Executive Order 13800,⁴ and NIST has supported the framework by creating samples of framework profiles. The profiles are a critical resource for organizations that seek to adopt the framework. The ACD is showing excellent commitment to sustaining the framework and enabling its adoption.

While many people and organizations are aware of the NIST Cybersecurity Framework, the deep understanding necessary to adopt it effectively is uneven. The ACD’s creation of sample profiles will assist organizations in the task of adoption and help to prevent cases where an organization deliberately or inadvertently claims to adopt the framework without taking appropriate action to determine and manage its cybersecurity risk. Creation of sample profiles is a key activity for the division and needs to be continued and emphasized. The NIST website that is the public face of the framework provides considerable useful information, but it is challenging for an organization that is new to the framework to find a concise answer to the question “I want to adopt the framework—what steps should I take and in what order?” NIST can provide organizations with an answer to this question with a modest investment of time and effort. Such an investment will pay major dividends for the nation and cybersecurity and needs to be undertaken. There may be some additional work required to advance the practical alignment between the Cybersecurity Framework version 1.1⁵ and NIST Special Publication 800-37 on the Risk Management Framework (RMF).⁶

National Initiative for Cybersecurity Education

The field of cybersecurity and privacy has undergone rapid expansion over the last two decades. Where once a single person could master a majority of the field, the knowledge and practices needed to work in the field have multiplied and diversified so that one person can no longer cover more than a fraction. To enable conversations about hiring, training, and education, a common framework of terms was needed. NIST provided this framework through the NICE and issued it as SP 800-181.⁷

The NICE framework provides classification of practitioner duties in both broad categories and specific professional roles. It has been generally accepted within the field and is being used to map certifications’ common bodies of knowledge. It is also being used by professional organizations to map and describe elements of curricular recommendations. The recent Association for Computing Machinery (ACM)⁸/ Institute of Electrical and Electronics Engineers (IEEE)/International Federation for Information Processing (IFIP)⁹ joint curricular recommendations are undergoing mapping to the guideline. In April, the Office of Personnel Management (OPM) issued guidance on use of the NICE framework to define federal jobs in the area of cybersecurity; some private sector entities are reportedly doing the same.

The NICE group is also seeking to encourage collaboration and development of enhanced educational and training materials. This effort is relatively recent but appears to be making good progress

___________________

⁴ The White House, 2017, “Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure.”

⁵ NIST, 2018, Framework for Improving Critical Infrastructure Cybersecurity: Version 1.1., Gaithersburg, Md.

⁶ NIST, 2018, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach (Final Public Draft), Draft NIST Special Publication 800-37: Revision 2, Gaithersburg, Md.

⁷ W. Newhouse, S. Keith, B. Scribner, and G. Witte, 2017, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181, U.S. Department of Commerce, Washington, D.C.

⁸ Further information is available at the Association of Computing Machinery website at https://www.acm.org.

⁹ Further information is available at the International Federation for Information Processing website at https://www.ifip.org.

with its conferences, RAMPS project¹⁰ to encourage new educational efforts, newsletters, and other activities.

The NICE group has also developed some resources, including a website, to help show hiring needs by practice area and national location (CyberSeek). This tool shows promise for guiding hiring and encouraging further training development.

The NICE initiative is of high quality and high impact. This effort is being recognized internationally as well as nationally for filling a significant need and doing so in a detailed fashion. There is strong interaction with multiple communities—education, government, and private sector—and the work appears to be well accepted. It is being integrated into those sectors to provide a common framework and definitions. The initial framework and the CyberSeek site are well done and highly useful for their intended audiences. The group is working on defining metrics and further guidance. These will be important for maintaining a leadership role in cyberspace education and training.

Cybersecurity for the Internet of Things

As the cost of computing devices and communication continues to decrease, there is an acceleration of the movement to insert sensors and computational elements into a variety of elements in our environment—to connect “things” in a computational mass. This Internet of Things (IoT) presents new risks and challenges that are not being properly considered by all the developers and users of those “things.”

This project within the ACD is focused on providing guidance to assess and mitigate risks in this evolving environment and to coordinate stakeholders, which is a challenge, since they are distributed globally. It is a nascent effort, but it builds on existing Information Technology Library projects and expertise. An initial report, NISTIR 8200, is under development.¹¹ The project is involved in several standards activities and working groups. Its goal is to better capture and define special needs and considerations of IoT systems. This effort will be informed by other ITL efforts, including the Cybersecurity Framework.

The Cybersecurity for the Internet of Things project is a new effort in a very important topic area. The effort is too new to draw any significant conclusions, other than to note that the personnel are pursuing appropriate initial goals. The market-definition of “things” is extraordinarily broad and growing. There is potential here for the group to be overwhelmed with the magnitude and scope of the problem set. It is important that strong leadership be exercised to keep the group focused on achievable important goals, and to keep alignment with other cybersecurity efforts within ITL, particularly within the NCCoE.

Privacy Engineering

In recent years major Internet technology companies created a privacy engineering function that is distinct from security and legal concerns. Federal agencies holding data about individuals may be expected to staff that function as well. Security deals with risks from unauthorized access to data; privacy deals with risks from authorized access. Legal concerns include compliance obligations, met, for example, by clicking through terms of use and privacy policies. Engineering involves the construction of system features—for example, offering a map location timeline feature that provides an interesting activity memento but implicitly also illustrates what data are being collected. Privacy engineering is a new discipline that builds in predictability, manageability, and judicious protection of privacy, including

___________________

¹⁰ Regional Alliances and Multistakeholder Partnerships to Stimulate (RAMPS) cybersecurity education and workforce development.

¹¹ NIST, 2018, Interagency Report on Status of International Cybersecurity Standardization for the Internet of Things (IoT), NISTIR 8200 (Draft), Gaithersburg, Md.

masking and anonymization. The ACD Privacy Engineering program helps technology managers navigate these choppy waters via guidance such as NISTIR 8062, integrates the new privacy sensibilities into existing NIST SPs, and participates in collaborations, workshops, and standards bodies. The ACD has assembled talented staff with diverse perspectives that are carrying out this function with clarity and efficiency.

Identity and Access Management

The NIST Identity and Access Management project has released a new family of guidelines (NIST SPs 800-63-3¹² and 800-63A-C¹³) that focuses on digital identity. This family of guidelines represents a significant evolution from the earlier versions of SP 800-63. It takes a risk-based approach to identity standards and is compatible with modern technical approaches to identity and access management, such as new kinds of authentication tokens and pseudonymous identities. The new standard appears to be a significant improvement over its predecessors.

In addition to the content of the new standard, it is worth emphasizing the way that the ACD produced it. Two points are especially significant: (1) Rather than relying solely on drafts and calls for content, NIST also posted the drafts of the new documents on GitHub, a widely used open source software repository, and responded to comments on GitHub on a continuous basis. This process worked (the standards were produced), and it seems to have resulted in more public input, faster standard development, and a better and more widely accepted product. (2) The ACD integrated privacy engineering considerations into the development of the new standards. This is a proof point for the ACD’s commitment to make privacy engineering a real and valuable technical discipline.

As future ACD programs undertake a similar approach to publication and public comment, the ACD may need to educate some new constituencies about the benefits of this approach and how to take advantage of it.

SCIENTIFIC EXPERTISE

The ACD has built a first-rate team that focuses on the Cybersecurity Framework. The team combines a high level of cybersecurity expertise with an outstanding approach to stakeholder engagement and collaboration. The wide acceptance of the framework is ample testimony to their accomplishments in both technical cybersecurity and community engagement. Similarly, the NICE effort appears to be properly scoped and staffed. As the field continues to evolve, the NICE framework will need to continue to evolve as well, but the current personnel seem well-positioned to track and incorporate changes as they occur. The scope and nature of the Cybersecurity for the Internet of Things project is still being defined, but personnel appear to be appropriate and the team created for the new identity and access management initiative was very well suited to the task and brought significant expertise in the relevant technical and user interaction disciplines.

The NCCoE wireless infusion pump project was conducted by a team from NIST, the NCCoE FFRDC, and technical employees from infusion pump and security product developers who comprise a major fraction of the market for such products. Thus, the solution reflects significant expertise in security products and their use, and in the real-world configuration and operation of infusion pumps and related information technology (IT) systems. The expertise of this team is well suited to the project that it undertook. Similarly, the NCCoE Secure Interdomain Routing group has drawn on experienced personnel within ITL and the contractor operating the NCCoE FFRDC as well as a number of industry partners that

___________________

¹² NIST, 2017, Digital Identity Guidelines, NIST Special Publication 800-63-3, Gaithersburg, Md.

¹³ NIST, 2017, Digital Identity Guidelines: Enrollment and Identity Proofing Requirements, NIST Special Publication 800-63A, Gaithersburg, Md.

operate significant portions of the Internet. This project helps to illustrate the potential of collaborative projects directed by NIST within the NCCoE, and the expertise of the team is also well suited to perform the currently assigned tasks.

The Cybersecurity Framework project needs to focus on the educational function of ensuring that potential adopters of the framework have clear and consumable information about what they should do to get started. This will be a small investment—perhaps requiring a new skillset—that will have a major payoff.

There did not appear to be evidence that the infusion pump project team included individuals with expertise in adversarial (“red-team”) analysis of security solutions. The addition of such expertise to this and other similar NCCoE projects would provide a significant boost to product quality and credibility in the future.

In general, the scientific and technical talent was adequate for the projects and tasks that were undertaken. The research staff represented a diverse and inclusive mix of backgrounds, talent, and skills. For the research and testing conducted in the NCCoE laboratories, future research would benefit from having people with more adversarial experience in their backgrounds.

ADEQUACY OF FACILITIES, EQUIPMENT, AND HUMAN RESOURCES

The Cybersecurity Framework development effort is focused on identification and documentation of best practices and on community collaboration rather than experimentation or technical development. Based on its accomplishments, the project’s resources appear to be sufficient for their task. In particular, the project appears to have sufficient resources for travel and for convening meetings and workshops—a critical aspect of their task. Similarly, the resources available to the NICE effort appear appropriate for the efforts at hand. The personnel are well qualified for the tasks being undertaken by the group. No specialized equipment or resources appear necessary at this time.

The resources for the Cybersecurity of the Internet of Things project appear to be appropriate. There will be strong interactions with other groups within the ACD as the project matures. There are several existing projects within the NCCoE that could be considered as part of the IoT domain, and those resources and their results may be useful to this group. Specialized resources may be necessary if specific types of “things” are evaluated—for example, security and privacy of fitness trackers, autonomous vehicles, and household appliances may require either obtaining a collection of such devices or collaborating with entities that have them.

The Identity and Access Management project appears appropriately resourced for the task it undertook. The team clearly learned from experience with the previous version of SP 800-63 and from the history of the National Strategy for Trusted Identities in Cyberspace (NSTIC) project. The significant resources allocated to the NSTIC program were reallocated to the NCCoE, with the effect that the ACD has fewer resources to commit to identity and access management than in the past. However, there was no sign that the team was inadequately resourced to meet its commitments.

The NCCoE wireless infusion pumps project benefited from the participation of equipment vendors who committed both equipment and people to the project. Commitment of this level of resources indicates a high level of industry enthusiasm for NCCoE and the infusion pump project. It is likely that this level of enthusiasm will result in broad operational adaptation and adoption of the solution that resulted from the project. Similarly, the NCCoE Secure Interdomain Routing project has an experimental testbed that appears to be adequate for model development. Access to systems provided by the industry partners needs to involve testing at scale and at Internet backbone speeds and volumes.

A project of the scope and credibility of the NCCoE wireless infusion pumps security effort is likely to attract broad interest in the medical device and cybersecurity communities. The latter attraction offers the ACD the opportunity to seek adversarial analysis and feedback that will make the solution more credible and effective. Such feedback can be solicited on a voluntary basis or by implementing a targeted

“bug bounty” project to engage vulnerability researchers in security reviews. Such programs have been implemented widely in the IT industry and by some government agencies (e.g., Department of Defense).

While still relatively new, the NCCoE would benefit from greater breadth and depth in its engagement with university partners in the future. Improved university partner engagement will produce many benefits, including greater access to faculty and students who could potentially bring fresh new perspectives, approaches, and solutions to difficult technical challenges. Greater university engagement can assist in bringing additional adversarial perspectives into the NCCoE.

RECOMMENDATION: The NCCoE should examine the university affiliates program with the federally funded research and development center contractor and consider how that program could be modified to enhance engagement with the existing university affiliates and how it could be improved to broaden participation with additional universities.

DISSEMINATION OF OUTPUTS

Recognition of the Cybersecurity Framework is both industry-wide and worldwide and represents an example of a NIST project that is extremely well disseminated and recognized. While the Cybersecurity Framework is widely recognized and has already seen a high level of adoption, additional focus by the ACD on communicating the basics of the framework and how to adopt it will pay dividends in even broader adoption and even greater improvements in cybersecurity.

The NICE project is holding workshops and conferences on development of educational materials for the K-12 space, for post-secondary education, and for professional education. There is a newsletter published by the NICE office. NIST personnel from the group regularly attend and present at conferences and professional events, including, in recent months, the RSA conference and the Colloquium for Information Systems Security Education (CISSE) education conference. Considerable effort is being devoted, with great effect, to dissemination of results and interaction with the community beyond the publication of the Special Report.

The recently initiated Cybersecurity for the Internet of Things group appears to be connected with appropriate external organizations and is already in the process of developing a first document. The group has leadership with experience in dissemination of results from other projects.

The Privacy Engineering team is engaging with operators of federal information systems to prioritize privacy risks, offer solutions, and clear up confusion. Connected cars, smart cities, and ID systems are forward-looking examples. This commendable approach is a better fit for the privacy effort than laboratory experiments would be.

By using GitHub for dissemination and review of drafts, the Identity and Access Management project has introduced an innovative approach to the creation of NIST standards. The innovation extends to the publication of the identity and access management special publications as web pages rather than PDF documents. These changes will help the ACD to be seen as an organization that is operating in the world of the Internet.

Some individuals and organizations may be put off by innovations such as the use of GitHub for the dissemination of identity and access management project results. It may be appropriate for the ACD to watch for resistance or negative feedback and ensure that it is clear with stakeholders about what has and has not changed in the standards development process.

The product of the NCCoE wireless infusion pumps project is a well-structured document that includes clear explanatory text and sufficient technical detail for applying the solution. It is very usable, and the fact that many vendors participated in the creation of the solution makes it likely that the document will receive broad distribution to an interested audience. The infusion pump project is a good model for the creation of NCCoE products that are likely to be used.

The NCCoE Secure Interdomain Routing group has a plan for appropriate dissemination of the results, but the effort is not yet to a level of maturity where that is appropriate. The presence of industry

partners in the project suggests a robust technology transfer path for the results. If problems arise in NCCoE products, NIST will need to be prepared to create updates and make users of the document aware that they have been released. Software development organizations, for example, create regular updates (patches) and publicize their release. Preparing a plan for updating guidance documents and publicizing the fact that an update has been released would be very worthwhile. Advance planning will make the process go smoother and mitigate negative consequences.

The ACD, and in particular the NCCoE, would enhance its fulfillment of its practical, applied purpose of strengthening the nation’s cybersecurity posture, by proactively tracking and monitoring problems, attacks, and failures after solutions from the laboratories have been fielded. Problems will occur in the real world that were not anticipated in the laboratory. It is important that the systematic tracking of these results from the field be reported as part of the NCCoE dissemination process and fed forward into future laboratory projects.

RECOMMENDATION: The NCCoE should develop a process by which results from the field are systematically and proactively tracked and monitored after a project has been successfully transferred out of the NCCoE laboratory. The results from this proactive monitoring should then be disseminated (e.g., by the NIST Special Publications 1800 series) and appropriately incorporated into future NCCoE laboratory projects.