SEATTLE—The US National Institute of Standards and Technology (NIST) has recently issued two draft reports on cybersecurity issues of interest to industrial IoT users, and is seeking industry comment before making their final revisions. One report describes the proposed manufacturing profile for NIST's Cybersecurity Framework. The other addresses cryptography standards and practices for resource-constrained processors.
Recognizing that the national and economic security of the United States depends on the reliable functioning of critical infrastructure, NIST created in 2014 a voluntary Cybersecurity Framework, which is a compendium of industry standards and best practices to help organizations manage cybersecurity risks. Created through collaboration between government and the private sector, the Framework helps guide cybersecurity activities and encourages organizations to consider cybersecurity risks as part of their risk management processes. Profiles, a key element of the Framework, help an organization align its cybersecurity activities with its business requirements, risk tolerances, and resources. A profile is intended both to help identify opportunities for improving cybersecurity as well as providing a touchstone to compare against in order to prioritize process improvement activities.
While organizations are encouraged to develop their own custom profiles, NIST-issued profiles can serve as a roadmap for that effort in specific industry sectors. The recently-released draft Manufacturing Profile focuses on the desired cybersecurity outcomes for manufacturing systems and provides an approach for achieving those outcomes. It defines specific cybersecurity activities and outcomes for the protection of the manufacturing system, its components, facility, and environment.
The report, issued in early September, is not yet finalized. NIST seeks additional input from the manufacturing industry on the draft profile to help refine it further before publication. Control engineers, system administrators, line- and senior-level managers, and researchers are all encouraged to review the document and return comments to email@example.com (Subject: "Draft CSF Manufacturing Profile"). The deadline for receiving comments is November 4, 2016.
The second cybersecurity report, DRAFT NISTIR 8114 -- Report on Lightweight Cryptography, outlines NIST's effort to develop a strategy for the standardization of lightweight cryptographic primitives such as block ciphers, hash functions, and message authentication codes. Such primitives can help developers achieve a better balance between security, performance, and resource requirements in specific resource-constrained environments than the more general-purpose conventional cryptographic standards.
The draft report first defines the kinds of target devices the lightweight cryptography standards aim to serve, and describes the performance metrics for evaluating alternatives. It then describes the types of primitives available, lists the NIST-approved implementation of these primitives, and summarizes the existing industry standards for lightweight cryptography. Following this overview of lightweight cryptography, the report discusses how NIST seeks to arrive at its standard.
Rather than using the kind of competitive proposal and evaluation method it employed in setting the AES block cipher and SHA-3 hash function standards, NIST has adopted an open call for proposals to standardize algorithms. In addition, NIST is seeking information to help it define application profiles. It will then use these profiles as the basis of its call for proposals, which will request proposals that offer good solutions for the specified profiles.
To help develop these profiles, NIST asks lightweight cryptography stakeholders a series of questions in the draft report. Questions include:
- What is the application?
- Are any cryptographic algorithms currently used by the application?
- If so, which algorithms and what motivated the choice for them?
A total of 18, multi-part questions are listed in the draft report to support the identification and categorization of profiles that NIST will develop. Stakeholders need to provide their answers before October 1, 2016 to ensure consideration. NIST will then hold a Lightweight Cryptography Workshop on October 17-18, 2016 to discuss the profiles as well as compare tools and methods.
—Rich Quinnell covers industrial control for EE Times. Contact him at firstname.lastname@example.org,