Standards group creates draft report on updating critical IT, OT infrastructure

The National Institute of Standards and Technology (NIST) has created a technical draft report designed to help organizations perform a step-by-step analysis to identify those critical parts of a system that must not fail or suffer compromises to information technology (IT) or operations technology (OT).

By Gregory Hale, ISSSource September 7, 2017

Keeping the infrastructure up to date without jeopardizing its ability to function or breaking the bank has been a challenge for nearly every organization that depends on information technology (IT) or operational technology (OT) for its principal business or mission.

That problem could soon change.

Draft guidance to help organizations get through this vexing issue has been released by the National Institute of Standards and Technology (NIST). This technical document is designed to help organizations perform a step-by-step analysis to identify those critical parts of a system that must not fail or suffer compromise if the system is to successfully support the organization’s mission.

The document, NIST Interagency Report (NISTIR) 8179, Criticality Analysis Process Model, builds on previous NIST guidance such as Special Publication (SP) 800-53 Rev. 4, SP 800-160, and SP 800-161, which emphasized the importance of identifying the critical points in a system, but did not provide a method for doing so.

"This draft report shows people how to perform a criticality analysis that’s tailored to their organization," said NIST cybersecurity expert Jon Boyens, who coauthored the report with his colleague Celia Paulsen. "Each agency will have its own situation. We are developing this for the government, but we want it to be friendly and useful for the private sector."

The draft report will have repercussions beyond federal agencies because of all the private contractors that do business with the government.

"I think guidance like this will help secure the supply chain," said John Peterson, senior program manager at the Redhorse Corporation in San Diego. "A lot of these systems are integrated, so if you have one part that’s compromised in some way, it could affect the entire system."

These risks are potentially heightened by the real-world issue of limited resources, which can vary substantially in the federal government depending on budget priorities. How can an organization maintain systems when it cannot always afford to buy the latest and greatest tools, but at times must make do with legacy technology?

"The legacy problem is notorious throughout industry," said Carol Woody, technical manager for cybersecurity engineering at the Software Engineering Institute in Pittsburgh. "All organizations are trying to keep technology costs down. It’s hard to do because they have to make choices that may not always anticipate problems ten years down the road. What the NIST authors are doing is saying, think broadly. Ask yourself why you bought something and how long it will be before it could conceivably need more capability; plan for its usable life and budget accordingly."

Paulsen said that while fundamental ideas like this were already in use in many industries, they were not always applied as they should be for information security.

"We looked at many processes and realized that people tend to view risk according to what they know best: their own goals and experiences," she said. "Existing procedures don’t always emphasize considering different, often competing, priorities or how a single component can impact various parts of an organization. With limited resources it is impossible to solve every problem, but our report will help you see the whole landscape more clearly. It will help you communicate with different parts of the organization, outside stakeholders, and supply chain partners about what’s important."

Criticality analysis is not only essential to determining high-value assets. It also shifts the traditional risk assessment focus on likelihood: from what adversaries are likely to do to what they are capable of doing. The approach also eliminates debate over "return on investment" in favor of engineering systems that are resilient.

Guidance of the sort the report offers is necessary, Boyens said, because of the nature of the supply chain: the innumerable manufacturers whose individual wares end up combined into a system, which then becomes part of an agency’s larger infrastructure.

Gregory Hale is the editor and founder of Industrial Safety and Security Source, a news and information website covering safety and security issues in the manufacturing automation sector. This content originally appeared on ISSSource. ISSSource is a CFE Media content partner. Edited by Chris Vavra, production editor, CFE Media.
