One of NIST's important roles in cybersecurity has been to understand advances in technology and provide guidance and standards to support secure use of systems and secure infrastructure protocols and practices. The growth of an emerging technology is usually promising in terms of capabilities and functionality gained, but also concerning in terms of security challenges that increase the risk organizations face by adopting these technologies. NIST strives to understand these challenges and help organizations understand what the challenges are and how they can address them in order to reduce risk. For example, NIST developed a definition of cloud computing and related terms that has been referenced by over 15,000 subsequent publications. The definition created a necessary foundation to develop cloud security standards and guidance.
Established in 2012, the National Cybersecurity Center of Excellence (NCCoE) brings together experts from industry, government, and academia to solve complex, real-world cybersecurity challenges. Using standards and best practices, the NCCoE and its collaborating partners demonstrate how to apply secure technologies to accelerate the adoption of cybersecurity and improve the security posture of businesses. Projects result in NIST Cybersecurity Practice Guides, providing detailed information on how to replicate the NCCoE's example solutions. To ensure widespread adoption of those practice guides, the NCCoE invites collaboration from the public and private sectors.
In 2014, NIST established a Federally Funded Research and Development Center (FFRDC) as the support model for the NCCoE. This FFRDC is the first sponsored by NIST and the Department of Commerce, and in September 2014 NIST awarded a contract to The MITRE Corporation. The NCCoE created a National Cybersecurity Excellence Partnership (NCEP) program where U.S. companies have pledged to provide hardware, software and expertise to support mutual efforts to advance rapid adoption of secure technologies. In addition to contributing equipment and other products to the NCCoE’s test environments, companies may designate guest researchers to work at the center, in person or remotely.
In 2015, NCCoE moved to a permanent, state-of-the-art facility to increase its collaborations and to undertake new projects. It has amplified NIST’s work in areas such as cloud security, end mobile device security, networking infrastructure security, and security and identity management for nationwide public safety. In addition, the Center has worked with several business sectors to support specific requirements in areas such as healthcare, finance, energy, and manufacturing.
In the early 2000s, some people had a general notion of what cloud computing was, but it was hard to explain the technology and its security implications, largely because the market was in flux and there was no consistency in the vocabulary.
SP 800-145, The NIST Definition of Cloud Computing (2011)
NIST’s first significant effort in support of cloud computing security was to define the concepts and models. NIST security researchers started by defining the cloud computing domain and its terminology, describing the inherent issues, and providing a common vocabulary. This helped move the debate from the idea of cloud computing to what organizations could or should do with it. NIST also proposed concepts, like hybrid clouds, that did not exist at the time but became a reality years later.
NIST published 15 draft definitions for cloud computing between 2009 and 2011, refining the definition each time based on community feedback. The impact of the final definition (NIST SP 800-145, 2011) has been profound: as of December 2021 it had been cited by over 19,000 scholarly publications [1]. The NIST definition has become the standard used by cloud security publications and those in many other areas of information technology.
In December 2015 NIST's National Cybersecurity Center of Excellence (NCCoE) published its first guidance: NISTIR 7904, Trusted Geolocation in the Cloud: Proof of Concept Implementation. This publication explains selected security challenges involving Infrastructure as a Service (IaaS) cloud computing technologies and geolocation. It then describes a proof-of-concept implementation that was designed to address those challenges. The publication provides sufficient details so that organizations can reproduce the proof of concept if desired. Since then, the Trusted Cloud program evolved and expanded on the initial features from NISTIR 7904. This resulted in an NCCoE publication, NIST SP 1800-19, Trusted Cloud: Security Practice Guide for VMware Hybrid Cloud Infrastructure as a Service (IaaS) Environments.
NIST's trusted cloud work continued at the NCCoE with a series of publications that address hardware-enabled security for trusted cloud and container platforms. The physical platform provides the initial protections to help ensure that higher-layer security controls can be trusted. The foundational publication, NISTIR 8320, Hardware-Enabled Security: Enabling a Layered Approach to Platform Security for Cloud and Edge Computing Use Cases, describes security features that can be enabled by hardware, and follow-on publications document prototype implementations.
[1] Per Google Scholar
SP 800-72, Guidelines on PDA Forensics (2004)
NISTIR 7250, Cell Phone Forensic Tools: An Overview and Analysis (2005)
SP 800-101, Guidelines on Cell Phone Forensics (2007)
NISTIR 7617, Mobile Forensic Reference Materials: A Methodology and Reification (2009)
NISTIR 7658, Guide to SIMfill Use and Development (2010)
In the beginning years of the new millennium, there were no established guidelines for handling mobile devices—personal digital assistants (PDAs) and cell phones—that hold information potentially pertaining to an incident or crime during an investigation. For example, what should be done about maintaining power? How should the overall state of the device and prevention of incoming/outgoing signals be handled? How should relevant data on the device be examined?
NIST staff conducted extensive research into PDA and cellular phone forensics. They provided general principles and technical information on preserving, acquiring, and examining digital evidence found on PDAs and cell phones. They also provided guidelines on reporting the results and an overview of forensic software tools for cellular handheld devices, reviewing their capabilities and limitations.
NIST’s work in forensics progressed to identifying and removing impediments to the practice of cell phone forensics. For example, one publication described a complete methodology for device population and documented test results from applying the methodology to assessing popular forensic tools. Also, an open source application called SIMfill and a companion set of test data that embodied the methodology for certain classes of cell phone equipment were developed.
NIST has been working since the early 2000s on protecting the security of handheld mobile devices like PDAs, tablets, and smartphones. Early NIST research led to an overview of cell phone and PDA devices in use at that time and offered insights into making informed security decisions on their treatment. It covered details about the threats and technology risks associated with the use of these devices and the safeguards available to mitigate them.
SP 800-124, Guidelines on Cell Phone and PDA Security (2008)
SP 800-124 Rev. 1, Guidelines for Managing the Security of Mobile Devices in the Enterprise (2013)
An extensive revision to the original guidelines reflected how much mobile devices and their capabilities had changed and how much security technologies had advanced in just a few years. The revision was intended to help organizations centrally manage and secure mobile devices against a variety of threats. It provided recommendations for selecting, implementing, and using centralized management technologies, and it explained the security concerns inherent in mobile device use. It encompassed both organization-provided and personally owned (bring-your-own-device) mobile devices.
SP 800-114, User's Guide to Securing External Devices for Telework and Remote Access (2007)
SP 800-111, Guide to Storage Encryption Technologies for End User Devices (2007)
SP 800-114 Rev. 1, User's Guide to Telework and Bring Your Own Device (BYOD) Security (2016)
NIST has researched telework security since the early 2000s and provided product-neutral information and recommendations. Resulting guidance has helped teleworkers secure the external devices that they use for telework, such as personally owned desktop and laptop computers, cell phones, and PDAs. These were effectively bring-your-own-device (BYOD) before the term was coined. A 2016 revision reflected changes in end user devices and in the options for securing them.
Another guide helped organizations understand storage encryption technologies for mobile devices and removable media, and it assisted in planning, implementing, and maintaining storage encryption solutions. This publication discussed important security elements of a storage encryption deployment, including cryptographic key management and authentication.
NIST's Trustworthy Networks Program has a long history of working with industry to resolve systemic vulnerabilities in existing and emerging critical network infrastructures and to advance the development of potentially disruptive technologies to improve the trustworthiness of future networks. In the late 1990s the program focused on the initial designs and Internet Engineering Task Force (IETF) standards for the Internet Protocol Security (IPsec) suite of protocols. NIST staff authored several of the first IPsec Requests for Comment (RFCs), produced reference implementations and developed interoperability test tools to expedite the development of commercial implementations.
With the publication of the first National Strategy to Secure Cyberspace in 2003, NIST aligned its program with the identified national priorities to address security and resilience issues in the internet's core routing and naming infrastructure and to advance the development and adoption of IPv6. As of 2022, the program remains aligned to current national priorities in improving the security and resilience of foundational internet protocols and fostering innovation in disruptive new technologies to improve the robustness of the internet protocol suite.
The Border Gateway Protocol (BGP) is used to exchange routing and reachability information among the tens of thousands of autonomous networks that comprise the public internet. Internet Service Providers (ISPs), cloud and content providers, and enterprises use BGP to engineer and select “best paths” to the billions of unique destinations on the internet.
SP 800-54, Border Gateway Protocol Security (2007)
SP 800-189, Resilient Interdomain Traffic Exchange: BGP Security and DDoS Mitigation (2019)
Software
BGP Secure Routing Extension (BGP-SRx): Reference Implementations and Test Tools for Emerging BGP Security and Resilience Standards
Measurement Tools
BGP, as originally designed, had no internal mechanisms to provide strong protection of the integrity, freshness, or authenticity of the messages exchanged between routers. Nor did it have any mechanisms to validate the authority of a network to announce specific address blocks, or to detect violations of routing policies that constrain the redistribution of routes over specific forms of peering relationships. As a result of these vulnerabilities, malicious attacks and accidental misconfigurations can result in network traffic being delivered to the wrong destination network. The accidental misconfigurations typically result in availability failures in which the address blocks involved become unreachable to some portion of the internet. The malicious attacks can result in a broad series of risks including the theft of data and impersonation of online services, capture or manipulation of data in transit, and subverting other internet policy and security mechanisms not adequately protected from the mis-delivery of data.
In the early 2000s, NIST, in collaboration with the Department of Homeland Security Science and Technology Directorate (DHS S&T), kicked off its Robust Interdomain Routing project (RIDR) with the goal to raise awareness of the systemic vulnerabilities in the internet’s global routing infrastructure and to work with industry to design, standardize and foster deployment of technologies to improve the security and robustness of Internet routing.
In the early years of the RIDR project, NIST focused on understanding the potential risks of attacks on the internet’s routing infrastructure and collaborating with DHS S&T to engage the internet industry in workshops aimed at developing a technology road map to design and standardize new solutions. NIST's early work included large-scale simulation modeling of focused BGP attacks and empirical analysis of several proposed BGP mitigation techniques that do not require changes to the widely deployed BGP standards.
The majority of NIST's subsequent efforts in this area focused on direct technical collaboration with the IETF and network operator communities to design, standardize and foster the deployment of new techniques to address systemic vulnerabilities. NIST staff actively contributed to the design of IETF BGP specifications for path validation extensions (e.g., RFCs 8205, 8208, 8374), route leak mitigation techniques (e.g., RFCs 7908, 9234), and DDoS mitigation (e.g., RFC 8704). As IETF standards matured, NIST developed open source reference implementations and test tools for many of these technologies. As commercial implementations emerged, NIST developed deployment and practice guides and hosted workshops to foster their adoption in commercial networks. The full history of NIST's contributions to routing security is documented here, with select key contributions noted below.
The domain name system (DNS) is another key component of the internet’s core infrastructure that is responsible for resolving names for internet systems and services (e.g., www.nist.gov) into technical information necessary to access those services (e.g., network addresses, security policies, pointers to other systems and services). Almost every instance of internet communication begins with several queries to the DNS to retrieve such information and relies on that information to be authentic and unmodified. Unfortunately, like BGP, the initial DNS protocols lacked security mechanisms necessary to prevent attacks on its services, and the DNS became a common target for attempts to hijack internet traffic and undermine other security policies and mechanisms.
These DNS vulnerabilities were also identified in the first National Strategy to Secure Cyberspace and became a second area in which NIST, in collaboration with DHS S&T, set out to design and standardize solutions. NIST initiated its High Assurance Domains project to develop technologies to address the DNS's inherent vulnerabilities and to research new technologies that could leverage a hardened DNS to address other issues in internet security and resilience.
NIST worked with the IETF community to develop standards for Domain Name System Security Extensions (DNSSEC) to protect the internet from common DNS attacks. NIST led the Internet Engineering Task Force (IETF) DNSSEC editors' team in the completion and progression of all core DNSSEC specifications (e.g., RFCs 4033, 4034, 4035), and NIST worked with industry and the Department of Homeland Security (DHS) to expedite the deployment of these new standards.
As DNSSEC standards matured, NIST initiated efforts to develop operational plans for the secure operation of .gov and subordinate domains. NIST developed a prototype of the Secure Zone Integrity Tester (SZIT), which was put online for diagnosing configuration and operation errors in operational DNSSEC-enabled servers. In 2006 NIST developed the first version of a Secure Domain Name System (DNS) Deployment Guide (NIST SP 800-81), which defined the DNS security problem space, outlined best current practices for securing DNS operations, and provided deployment guidance for DNSSEC technologies. Recommended practices for federal agencies implementing DNS security were added in a 2010 revision.
In 2007, in collaboration with DHS and SPARTA Inc., NIST set up a pilot internet domain with DNSSEC features – Secure Naming Infrastructure Pilot (SNIP). The pilot aimed to enable federal agency DNS stakeholders to understand DNSSEC and its impact on current DNS operations, and to help agency DNS administrators learn and deploy DNSSEC on their zones. NIST expanded the SNIP in 2008 to deploy and test new DNSSEC tools, implementations, and applications as they became available, and to provide a persistent, signed infrastructure for use with NIST-sponsored workshops for U.S. Government (USG) DNS administrators. NIST also assisted the U.S. General Services Administration (GSA) in successfully deploying DNSSEC on the .gov Top Level Domain (TLD) to meet the 2009 mandate from the Office of Management and Budget (OMB).
NIST worked with standards organizations to ensure that the DNSSEC specifications kept up with best security practices regarding cryptographic algorithm deployment options and cryptographic key sizes. A 2013 revision to the initial DNS deployment guidance included the new cryptographic algorithm, key lifetime, key size parameters, and updated configuration and operational guidance based on lessons learned from early deployments.
NIST also collaborated with the National Telecommunications and Information Administration (NTIA) to develop a set of requirements and testing plan for deploying DNSSEC at the root zone of the global DNS. Since the root zone is queried by every client connected to the internet, it is important to ensure the security and stability of the system when deploying any new technology, including DNSSEC. NIST assisted NTIA in successfully deploying DNSSEC at the root zone in July 2010 – a major milestone in the internet infrastructure.
NIST continues to work on topics related to DNS security and resilience and the use of trustworthy naming infrastructures to address other issues in internet infrastructure security. A 2017 NCCoE project demonstrated Domain Name System-Based Electronic Mail Security that leveraged new IETF Domain Based Authentication of Named Entities (DANE) standards, based upon DNSSEC, to distribute keying material necessary to enable opportunistic encryption between internet email services. Current NIST research in this area focuses on the use of artificial intelligence to detect forms of DNS abuse commonly used as covert command and control channels for massive botnets.
The Internet Protocol Version 6 (IPv6) is an updated version of the widely used IPv4. IPv6 was, and continues to be, developed and defined by the Internet Engineering Task Force (IETF) in a series of consensus-based standard documents. The primary motives for the development of IPv6 were to increase the number of unique IP addresses and to handle the needs of new internet applications and devices. IPv6 was designed for increased ease of network management and configuration, expandable IP header, improved mobility and security, and quality of service controls.
OMB mandated that federal agencies would incorporate IPv6 capability into their backbones (routers, gateways, etc.) by 2008. NIST actively participated in the Federal IPv6 Working Group, formed to help agencies plan and execute the transition in an interoperable and secure manner. OMB Memorandum 05-22, Transition Planning for Internet Protocol Version 6 (IPv6) (2005), directed NIST to develop the technical infrastructure (standards and testing) necessary to support wide-scale adoption of IPv6 in the U.S. Government (USG).
In response to this government-wide initiative, NIST developed the first USGv6 profile in 2008 to assist federal agencies in developing plans to acquire and deploy products that implement IPv6. The profile recommended IPv6 capabilities for common network devices, including hosts, routers, intrusion detection systems, and firewalls, and included a selection of IPv6 standards and specifications needed to meet the minimum operational requirements of most federal agencies. This helped to ensure that IPv6-enabled federal information systems were interoperable and secure, and it addressed how such systems can interoperate and coexist with IPv4 systems.
To further support and protect the USG’s acquisition and use of IPv6 technology, NIST developed the USGv6 Test Program, which became operational in 2009. This product testing program facilitated wide-scale conformance and interoperability testing of commercial IPv6 implementations in accredited laboratories that use standardized test methods.
In 2010 NIST published Guidelines for the Secure Deployment of IPv6 (NIST SP 800-119), describing and analyzing new and expanded protocols, services, and capabilities, including addressing, the Domain Name System (DNS), routing, mobility, quality of service, multihoming, and IPsec. It characterized new security threats posed by the transition to IPv6, and it provided a detailed analysis of the differences between IPv4 and IPv6, the security ramifications, and any unknown aspects. It included guidance on IPv6 deployment, including transition, integration, configuration, and testing. It also included several practical IPv6 transition scenarios.
As IPv6 technologies matured, the government issued new directives from OMB in 2010 to operationally deploy IPv6 on all USG public-facing internet services. NIST was tasked with developing the means to test and measure progress towards the milestones defined in this new initiative. In response, NIST developed online IPv6 test and measurement tools that have been widely used throughout the USG to facilitate meeting the IPv6 deployment goals for public-facing services.
Finally, in 2020, OMB issued federal guidance on IPv6 calling for the USG to complete the transition to IPv6 by 2025 with the strategic intent for the federal government to deliver its information services, operate its networks, and access the services of others using only IPv6. This memo tasked NIST with making significant updates to its profiles and testing program and with updating its security guidance to reflect the most recent IPv6 technologies. In response, in November 2020 NIST published a major revision to its USGv6 profile and testing program, providing USG agencies with more streamlined means of developing technical acquisition requirements for IPv6 technologies and of seeking product conformance and interoperability test results from third-party laboratories.
SP 800-48, Wireless Network Security: 802.11, Bluetooth and Handheld Devices (2002)
SP 800-97, Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i (2007)
SP 800-98, Guidance for Securing Radio Frequency Identification (RFID) Systems (2007)
SP 800-48 Rev. 1, Guide to Securing Legacy IEEE 802.11 Wireless Networks (2008)
SP 800-121, Guide to Bluetooth Security (2012)
SP 800-127, Guide to Security for WiMAX Technologies (2010)
SP 800-153, Guidelines for Securing Wireless Local Area Networks (WLANs) (2012)
SP 800-187, Guide to LTE Security (2017)
In 2002, NIST published guidance on wireless network security, addressing wireless local area networks (WLANs) that are based on the IEEE 802.11 standard, wireless personal area networks (WPANs) based on the Bluetooth specifications (also known as IEEE 802.15.1), and wireless handheld devices.
NIST later expanded on this work by providing a detailed explanation of next-generation 802.11 wireless security. It described the inherently flawed Wired Equivalent Privacy (WEP) and explained 802.11i’s approach to providing effective wireless security.
Around this time, wireless network usage was rapidly increasing, as was the recognition of the security issues involved. This led to a flurry of activity from NIST, including publications that:
A final publication in this area provided organizations with recommendations for improving the security configuration and monitoring of IEEE 802.11 WLANs and devices connecting to those networks.
NISTIR 8014, Considerations for Identity Management in Public Safety Mobile Networks (2015)
NISTIR 8080, Usability and Security Considerations for Public Safety Mobile Authentication (2016)
NISTIR 8135, Identifying and Categorizing Data Types for Public Safety Mobile Applications (2016)
NISTIR 8196, Security Analysis of First Responder Mobile and Wearable Devices (2018)
NISTIR 8235, Security Guidance for First Responder Mobile and Wearable Devices (Draft) (2020)
NIST SP 1800-13, Mobile Application Single Sign-On: Improving Authentication for Public Safety First Responders (2021)
Police, firefighters, paramedics, and other emergency personnel use public safety networks for coordination during emergency situations, disasters, and other incidents. States, counties, and other jurisdictions across the United States operate numerous independent public safety networks based on different communication technologies, and when public safety personnel from different jurisdictions arrive at the same incident, interoperability problems often arise. To help address this problem, NIST has been researching network interface and data security, mobile application and data isolation, identity management, and mobile application security in support of a planned nationwide public safety broadband network (NPSBN).
The National Public Safety Telecommunications Council (NPSTC) released a Public Safety Broadband High-Level Launch Requirements document, including initial cybersecurity requirements, in December 2012. Since that time, NIST and other government agencies have worked together to conduct cybersecurity research that advances security for wireless public safety communication. This work showcases the success of cross-organizational collaboration at NIST: it leverages expertise from the Computer Security and Applied Cybersecurity Divisions in the Information Technology Laboratory (ITL), which worked closely with the Public Safety Communications Research (PSCR) project in NIST's Communications Technology Lab (CTL).
NIST publications on the topic include:
In 2020, the NCCoE initiated a 5G cybersecurity project in collaboration with industry participants to show how the components of 5G architectures can securely mitigate cybersecurity risks and meet industry sectors’ compliance requirements. 5G standards have been designed to support use case–specific capabilities by way of network deployment options.
The proposed proof-of-concept solution will integrate commercial and open source products that leverage cybersecurity standards and recommended practices to showcase 5G’s robust security features, while securing its underlying infrastructure.
NCCoE's 5G Cybersecurity project is one of the only Federal Government 5G cybersecurity efforts taking a holistic approach that focuses on standards-defined security features while enabling security capabilities in the supporting infrastructure. This collaboration with industry around security for 5G networks is intended to bridge the gap between IT and Telecommunications cybersecurity capabilities. By driving technical collaboration between organizations, the project is leading to discussions that impact and alter product roadmaps to more quickly support foundational security capabilities.
In 2002, Congress passed the Help America Vote Act (HAVA) to encourage the upgrade of voting equipment across the United States. HAVA established the Election Assistance Commission (EAC) and the Technical Guidelines Development Committee (TGDC), chaired by the Director of NIST. HAVA called on NIST to provide technical support to the EAC and TGDC in efforts related to human factors, security, and laboratory accreditation. NIST supports the activities of the EAC and TGDC related to voting equipment security.
NISTIR 7551, A Threat Analysis on UOCAVA Voting Systems (2008)
NISTIR 7682, Information System Security Best Practices for UOCAVA Supporting Systems (2011)
NISTIR 7770, Security Considerations for Remote Electronic UOCAVA Voting (2011)
NISTIR 8310, Cybersecurity Framework Election Infrastructure Profile (2021)
NIST supports updates to the Voluntary Voting System Guidelines (VVSG) and the TGDC’s development of the next generation of the VVSG, focusing on enhancing auditability and developing a security architecture that addresses significant threats to voting systems without compromising usability and accessibility. In 2005, VVSG version 1.0 was adopted and then updated in 2015 (VVSG 1.1). In February 2021, the EAC approved the VVSG 2.0 guidelines, which are designed to meet future challenges, to replace decades-old voting machines, to improve the voter experience, and to provide necessary safeguards to protect the integrity of the vote. VVSG 2.0 guidelines represent the latest in industry and technology best practices and call for significant updates in many aspects of voting systems.
NIST also supports the National Voluntary Laboratory Accreditation Program (NVLAP) accreditation efforts of voting system testing laboratories.
NIST participates with the Department of Homeland Security (DHS) Election Security Initiative, as an ex officio member of the Election Infrastructure Subsector Government Coordinating Council (EIS-GCC), alongside federal, state, and local partners. NIST co-chairs the Election Cybersecurity Framework Working Group with a member of the Election Infrastructure Subsector Sector Coordinating Council (EIS-SCC). This working group's efforts include working with election officials and voting system vendors to draft an Elections Infrastructure Profile using the NIST Cybersecurity Framework. That profile, published as a draft in March 2021, can serve as a cybersecurity playbook that matches cybersecurity requirements with operational methodologies across all election processes, from voter registration through election reporting and auditing. The profile can be used by Secretaries of State and state and local election officials to identify and prioritize opportunities to improve their cybersecurity.
NIST supported the efforts of the EAC and Federal Voting Assistance Program (FVAP) of the Department of Defense to improve the voting process for citizens under the Uniformed and Overseas Citizens Absentee Voting Act (UOCAVA) by leveraging electronic technologies. This work produced publications that:
NIST worked with the TGDC’s UOCAVA Working Group to develop aspirational, high-level goals for UOCAVA voting systems and identified possible pilot voting systems for the 2012 and 2014 elections.
During the mid-2000s, interest in the smart grid increased in the United States. Smart grid technologies were expected to introduce large numbers of new, networking-capable computing devices to the electric grid in the coming years. In support of the Smart Grid Interoperability Framework section of the Energy Independence and Security Act of 2007 (EISA), NIST initiated a multi-disciplinary, cross-laboratory smart grid program.
In late 2009, NIST established the Smart Grid Interoperability Panel (SGIP) as a public/private partnership that defines requirements for essential communication protocols and other common specifications, and provides an open process for stakeholders, including NIST, to interact and accelerate standards harmonization and advance the interoperability of smart grid devices and systems. Initially, the SGIP consisted of two standing committees, the Smart Grid Architecture Committee (SGAC) and Smart Grid Testing & Certification Committee (SGTCC), and one permanent working group, the Cybersecurity Working Group (CSWG).
NISTIR 7628, Guidelines for Smart Grid Cyber Security (2010)
NISTIR 7628 Revision 1, Guidelines for Smart Grid Cybersecurity (2014)
NISTIR 7823, Advanced Metering Infrastructure Smart Meter Upgradeability Test Framework (2015)
NIST Technical Note (TN) 2051, Cybersecurity Framework Smart Grid Profile (2019)
Chaired by NIST, the CSWG had nearly 500 members who collaborated to develop guidelines for smart grid cybersecurity. Published in 2010, NISTIR 7628, Guidelines for Smart Grid Cyber Security, included security requirements, privacy recommendations, and supporting analyses to be used by strategists, designers, implementers, and operators of the smart grid as input to their risk assessment processes. The report provided a baseline that organizations could use to start developing their own cybersecurity strategies for smart grid. The report was revised in 2014 by the SGIP Smart Grid Cybersecurity Committee (SGCC), formerly known as the CSWG. These publications have achieved international recognition and use by utilities, vendors, regulators, and others.
In April 2013, the SGIP fully transitioned to a nonprofit private-public partnership organization, SGIP 2.0, Inc., supported by industry stakeholder funding as well as funding provided through a cooperative agreement with NIST. Four years later, SGIP 2.0 merged into the nonprofit organization Smart Electric Power Alliance (SEPA). Although NIST stepped down as the Chair of the SGCC in 2020, NIST continues to have an active role in SEPA and supports the smart grid community through NIST’s smart grid program, including from a cybersecurity perspective.
With the initial release of NIST’s Cybersecurity Framework in 2014, the smart grid community expressed interest in understanding the relationship the cybersecurity framework had to the cybersecurity standards and requirements of their community. As a result, NIST collaborated with the North American Electric Reliability Corporation (NERC) to develop a mapping between NIST’s Cybersecurity Framework version 1.0 and NERC Critical Infrastructure Protection (CIP) standards versions 3 and 5 in late 2014. NIST and NERC partnered again to update the mapping in 2020 to reflect updates to the NERC CIP standards and NIST Cybersecurity Framework.
NIST also used the Cybersecurity Framework’s profiling capability to develop a smart grid profile that provides cybersecurity risk management guidance to power system owners/operators. The profile prioritizes cybersecurity activities based on their effectiveness in helping power system owners/operators achieve common high-level business objectives and provides a list of considerations relevant to the challenges they experience when implementing the cybersecurity activities in infrastructures with high concentrations of distributed energy resources (DERs). Released in 2019 as NIST Technical Note 2051, the profile provided the basis for the cybersecurity chapter of the NIST Framework and Roadmap for Smart Grid Interoperability Standards, Release 4.0 (2021).
As various smart grid standards and requirements were developed (in particular, for smart meter maintenance), the community looked for ways to determine smart grid equipment conformance to the standards and requirements. To help address the conformance determination need, NIST published NISTIR 7823, Advanced Metering Infrastructure Smart Meter Upgradeability Test Framework (2015). It described conformance test requirements to determine whether smart meters and upgrade management systems conform to the functional and security requirements for the secure upgrade found in National Electrical Manufacturers Association (NEMA) SG-AMI 1-2009, Requirements for Smart Meter Upgradeability. The conformance test requirements could be used voluntarily by testers and/or test laboratories of smart meters and associated upgrade management systems.
NIST continues to support the smart grid community by participating in SEPA’s SGCC and standards development organizations. Since 2020, NIST has been participating in the effort to update IEEE 1547.3 Draft Guide for Cybersecurity of Distributed Energy Resources Interconnected with Electric Power Systems, which used the NIST Cybersecurity Framework to organize the guidance provided. During 2021, NIST supported SEPA’s Energy Internet of Things (IoT) Task Force in developing a report to provide guidance on securing home energy IoT devices (e.g., smart thermostats), citing several NIST IoT cybersecurity publications.
Operational Technology (OT) Security encompasses a broad range of programmable systems and devices that interact with the physical environment (or manage devices that interact with the physical environment). These systems and devices detect or cause a direct change through monitoring and/or control of devices, processes, and events. Examples include industrial control systems (ICS), building automation systems, transportation systems, physical access control systems, physical environment monitoring systems, and physical environment measurement systems. The document provides an overview of OT and typical system topologies, identifies typical threats and vulnerabilities for these systems, and recommends security countermeasures to mitigate the associated risks.
SP 800-82, Guide to Industrial Control Systems (ICS) Security (2011)
NISTIR 8183, Cybersecurity Framework Manufacturing Profile [CSF 1.0] (2019)
NISTIR 8183 Rev. 1, Cybersecurity Framework Manufacturing Profile [CSF 1.1] (2020)
NISTIR 8219, Securing Manufacturing Industrial Control Systems: Behavioral Anomaly Detection (2019)
OT is critical to the operation of U.S. critical infrastructures, which are often highly interconnected, mutually dependent systems. It is important to note that while federal agencies operate many of the nation’s critical infrastructures, many others are privately owned and operated. Critical infrastructures are often referred to as a “system of systems” because of the interdependencies that exist between various industrial sectors as well as interconnections between business partners.
Initially, OT had little resemblance to traditional information technology (IT) systems in that OT systems were isolated, ran proprietary control protocols, and used specialized hardware and software. As OT systems adopt IT solutions to promote corporate business systems’ connectivity and remote access capabilities, and are designed and implemented using industry-standard computers, operating systems (OSs), and network protocols, they are starting to resemble IT systems. This integration supports new IT capabilities, but it provides significantly less isolation for OT from the outside world than predecessor systems, creating a greater need to secure OT systems. The increasing use of wireless networking places OT implementations at greater risk from adversaries who are in relatively close physical proximity but do not have direct physical access to the equipment. While security solutions have been designed to deal with these issues in typical IT systems, special precautions must be taken when introducing these same solutions to OT environments. In some cases, new security solutions tailored to the OT environment are necessary.
NIST’s efforts for OT security began in the early 2000s with the formation of the NIST-led Process Control Security Requirements Forum (PCSRF), a working group comprised of representative organizations from the various sectors that make up the U.S. process control industry and the vendors that design, produce, and/or integrate components and systems for the industry. The PCSRF developed the first-ever cross-industry baseline set of security requirements for new industrial process control systems. The Common Criteria for Information Technology Security Evaluation, also known as ISO/IEC 15408, was used to document the results of this effort in the form of Common Criteria Protection Profile security specifications.
In 2004, NIST cybersecurity researchers and Manufacturing Engineering Laboratory (MEL) researchers developed guidance to secure existing SCADA and other ICS. This document, first published in 2006 as NIST SP 800-82, identified typical vulnerabilities and threats to the systems, and recommended security countermeasures to manage the associated risks. Drafts of the publication underwent expert review by the NIST-led PCSRF and ISA-99. The document has undergone several revisions since its first release.
In 2007, NIST added implementation guidance in SP 800-53 (Revision 2) for applying SP 800-53 security controls in ICS environments. Later, after the development and widespread application of the NIST Cybersecurity Framework, NIST developed a Cybersecurity Framework Manufacturing Profile (for both CSF 1.0 and CSF 1.1) that manufacturers can use as a roadmap for reducing cybersecurity risk and that is aligned with manufacturing sector goals and industry best practices. It provides a voluntary, risk-based approach for managing cybersecurity activities and reducing cyber risk to manufacturing systems. The Manufacturing Profile is meant to enhance but not replace current cybersecurity standards and industry guidelines used by manufacturers.