Safeguarding Critical Infrastructure: NIST Releases Draft


A city in daylight represents systems that the profile covers, such as our energy, transportation and finance infrastructure. Nearby, in darkness, a dish antenna broadcasting a signal to several satellites represents what lies beyond the scope of the profile, including ground or space based source signal generators and providers.

Credit:
B. Hayes/NIST

NIST’s new cybersecurity profile is designed to help mitigate risks to systems that use positioning, navigation and timing (PNT) data, including systems that underpin modern finance, transportation, energy and other critical infrastructure. While its scope does not include ground- or space-based PNT source signal generators and providers (such as satellites), the profile still covers a wide swath of technologies.

Taking another step toward strengthening the nation’s critical infrastructure, the National Institute of Standards and Technology (NIST) has drafted guidelines for applying its Cybersecurity Framework to critical technologies such as the Global Positioning System (GPS) that use positioning, navigation and timing (PNT) data. Part of a larger NIST effort to implement a recent Executive Order to safeguard systems that rely on PNT data, these cybersecurity guidelines accompany recent NIST efforts to provide and test a resilient timekeeping signal that is independent of GPS.

Formally titled the Cybersecurity Profile for the Responsible Use of Positioning, Navigation and Timing (PNT) Services (NISTIR 8323), the new guidelines are designed to help mitigate cybersecurity risks that endanger systems important to national and economic security, including those that underpin modern finance, transportation, energy and additional economic sectors. The agency is requesting public comment on the draft by Nov. 23, 2020.

The draft profile is part of NIST’s response to the Feb. 12, 2020, Executive Order 13905, Strengthening National Resilience Through Responsible Use of Positioning, Navigation, and Timing Services. Earlier this year, NIST sought public input regarding the general use of PNT data. 

Do you know what PNT stands for? There are billions of devices around the world that rely on these services, and our economy depends on them. Learn how it affects you in this explainer video. For more information, go to www.nist.gov/pnt.

The PNT profile will join the growing list of profiles created to help apply the NIST Cybersecurity Framework to particular economic sectors, such as manufacturing, the power grid and the maritime industry. The scope of the profile includes any system, network or other asset that uses PNT services, including systems that receive and rebroadcast PNT data.

While its scope does not include ground- or space-based source PNT signal generators and providers (such as satellites), the profile still covers a wide swath of technologies. Partly for this reason, NIST’s Jim McCarthy said that it is intended to be a foundational set of guidelines that PNT users can customize. 

“The profile is meant to help a broad set of users address their cybersecurity needs,” said McCarthy, one of the draft’s authors. “Rather than focus on a single economic sector, we designed it to apply to all users of PNT. Agencies and companies can tailor it to their needs based on their particular cybersecurity risk and other sector-specific factors.” 

As directed by the Executive Order, the profile can help organizations accomplish four tasks: 

  • Identify systems that use PNT data, and/or that propagate this data based on a source signal.
  • Identify PNT data sources, such as a GPS signal.
  • Detect disturbance to and manipulation of systems that use PNT services.
  • Manage the risks that come with responsible use of these PNT services.  

“Our premise is that there are organizations that may not realize they are using PNT data, or know how they are using it,” McCarthy said. “Part of our goal is to help them make these connections so they can protect their operations more effectively.”

The Executive Order also delegates to the Department of Commerce the critical task of providing a source of Coordinated Universal Time (UTC) that is independent of GPS. To this end, NIST also recently conducted initial tests of a special calibration service for companies, utilities or other organizations that wish to receive NIST’s version of the global time standard, UTC(NIST), through commercial fiber-optic cable. The service aims to provide a time reference directly traceable to UTC(NIST) with an accuracy of 1 microsecond — good enough for telecom networks, the power grid and financial markets, and thereby boosting the resilience of accurate time distribution and the infrastructure sectors and subsectors that use timing services. 

The initial link is a collaboration between NIST and OPNT, a commercial time-service provider based in Amsterdam, the Netherlands. While the work was led by researchers at NIST’s Boulder, Colorado, campus, the dedicated optical fiber connects the reference time scale at NIST headquarters in Gaithersburg, Maryland, to a facility in McLean, Virginia, that will ultimately serve as the hub for East Coast distribution of timing data. 

OPNT has extended the initial fiber link to…



Source link