The National Institute of Standards and Technology (NIST) continues to offer timely and relevant information for companies to consider when addressing cyber-risks in an ever-changing landscape.

On February 2, 2021, NIST published an alert outlining tools it has developed to assist companies “to help defend against state-sponsored hackers.” According to its press release, nation-state actors, also known as “advanced persistent threats” (APTs), are targeting governmental agencies as well as private industry and academia in order to steal “sensitive but unclassified information,” known as “controlled unclassified information” (CUI), that the government relies on “to carry out a wide range of missions using information systems.” Therefore, the “protection of sensitive federal information that resides in nonfederal systems…is of paramount importance, as it can directly impact the federal government’s ability to carry out its operations.”

Following the Chinese government’s 2018 hack of a third-party contractor of the United States Navy in which, according to the Washington Post, the Chinese government “stole a large amount of highly sensitive data on undersea warfare,” NIST developed and published its draft Special Publication SP 800-172 to assist in protecting CUI against APT.

After public comment, the final publication of SP 800-172 Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST SP 800-171 was released this week for private companies, industry and academia to adopt NIST-developed tools that provide “additional recommendations for handling CUI in situations where that information runs a higher than usual risk of exposure. CUI includes a wide variety of information types, from individuals’ names or Social Security numbers to critical defense information.”

According to NIST, “implementing the cyber safeguards in SP 800-172 will help system owners protect what state-level hackers have considered to be particularly high-value targets: sensitive information about people, technologies, innovation and intellectual property the revelation of which could compromise our economy and national security.”

NIST provides help to all of us in defending against cyber-attacks. NIST says, “The adversaries are bringing their ‘A-game’ in these cyberattacks 24 hours a day, 7 days a week…You can start making sure the damage is minimized if you use SP 800-172’s cyber safeguards.”

Take a look at the tools and consider using them to enhance the security of your high-risk data.

There is a new federal IoT law, H.R. 1668, the IoT Cybersecurity Improvement Act of 2020, that recently passed the House and Senate and was signed by the President on December 4. The bill had 26 co-sponsors, representing Democrats and Republicans almost equally, and enjoyed bipartisan support in an era that has not seen much of that lately.

What does the new IoT law do? The law establishes minimum security requirements for IoT devices owned or controlled by the federal government. Specifically, this new law:

  • Requires the National Institute of Standards and Technology (NIST) to issue standards and guidelines for the use of IoT devices owned or controlled by federal agencies;
  • Directs NIST to consider relevant standards, guidelines and best practices developed by the private sector, agencies, and public-private partnerships;
  • Directs the Office of Management and Budget (OMB) to issue guidelines for each agency that are consistent with the NIST recommendations, including updating the Federal Acquisition Regulation;
  • Directs NIST to work with cybersecurity researchers, industry experts, and the Department of Homeland Security (DHS) to publish guidelines on security vulnerabilities relating to information systems owned or controlled by an agency (including IoT devices owned or controlled by an agency) and the resolution of such security vulnerabilities;
  • Requires any IoT devices purchased by the federal government to comply with the NIST standards and guidelines; and
  • Requires contractor compliance with the NIST standards and regulations and agencies to make a determination of such compliance before awarding a contract to procure or obtain an IoT device from a contractor.

The text of the new law can be found here. The importance of this new law cannot be overstated from a cybersecurity standpoint. IoT vulnerabilities are a well-known cyber threat that often open the door to data breaches or denial-of-service attacks. The question is whether this new federal law will have a broader impact on consumer IoT devices. Right now, the answer is no, since the law is designed to apply only to devices owned or controlled by the federal government. But the hope is that, by increasing cybersecurity for IoT devices owned or controlled by the federal government, manufacturers of such devices will use the same secure technology and standards in the development of consumer IoT devices.

To assist utilities with assessing and responding to cyber risks, the Federal Energy Regulatory Commission (FERC) and the North American Electric Reliability Corporation (NERC) recently issued a report on best practices to respond to and recover from cybersecurity incidents in the utility industry.

Like other industries, the utility industry is at high risk for cyber-attacks by bad actors or nation-states. Following the cyber-attack against a pipeline earlier this year, FERC and NERC issued the guidance based upon the National Institute of Standards and Technology (NIST) cybersecurity incident response lifecycle: preparation; detection and analysis; containment, eradication and recovery; and post-incident activity.

According to the report, an incident response plan should give the personnel responsible for incident response well-defined roles so they can respond quickly and effectively, and it should include personnel with the appropriate skills and support to respond to, mitigate, contain and learn from a cyber incident. The guidance is helpful in outlining the elements of an Incident Response Plan and providing suggestions on how to develop and implement one, which is crucial for utilities to continue operating in the event of an attack.

In addition to attacks by bad actors and nation-states, the utility and energy industries are also at risk of attacks that come through vendors. Therefore, in addition to developing and implementing an incident response plan, a vendor management plan can assist utilities and oil and gas companies in assessing and managing the risk of a cyber-attack through vendors.

The Department of Energy’s Office of Energy Efficiency and Renewable Energy (EERE) recently announced a multi-year plan to accelerate cybersecurity research and development in the renewable energy, manufacturing, buildings and transportation sectors. According to EERE, “Cyber threats targeting EERE technologies present an immediate risk to the integrity and availability of energy infrastructure and other systems critical to the nation’s economy, security and well-being.”

These efforts are designed to assess and prevent cyber incidents against critical infrastructure and to respond to and mitigate the effects of a cyber incident in these industries, which would have a serious and potentially devastating effect on the U.S. population.