NIST Releases Draft Cybersecurity Guidance
October 23, 2020 | NISTEstimated reading time: 4 minutes
Taking another step toward strengthening the nation’s critical infrastructure, the National Institute of Standards and Technology (NIST) has drafted guidelines for applying its Cybersecurity Framework to critical technologies such as the Global Positioning System (GPS) that use positioning, navigation and timing (PNT) data. Part of a larger NIST effort to implement a recent Executive Order to safeguard systems that rely on PNT data, these cybersecurity guidelines accompany recent NIST efforts to provide and test a resilient timekeeping signal that is independent of GPS.
Formally titled the Cybersecurity Profile for the Responsible Use of Positioning, Navigation and Timing (PNT) Services (NISTIR 8323), the new guidelines are designed to help mitigate cybersecurity risks that endanger systems important to national and economic security, including those that underpin modern finance, transportation, energy and additional economic sectors. The agency is requesting public comment on the draft by Nov. 23, 2020.
The draft profile is part of NIST’s response to the Feb. 12, 2020, Executive Order 13905, Strengthening National Resilience Through Responsible Use of Positioning, Navigation, and Timing Services. Earlier this year, NIST sought public input regarding the general use of PNT data.
The PNT profile will join the growing list of profiles created to help apply the NIST Cybersecurity Framework to particular economic sectors, such as manufacturing, the power grid and the maritime industry. The scope of the profile includes any system, network or other asset that uses PNT services, including systems that receive and rebroadcast PNT data.
While its scope does not include ground- or space-based source PNT signal generators and providers (such as satellites), the profile still covers a wide swath of technologies. Partly for this reason, NIST’s Jim McCarthy said that it is intended to be a foundational set of guidelines that PNT users can customize.
“The profile is meant to help a broad set of users address their cybersecurity needs,” said McCarthy, one of the draft’s authors. “Rather than focus on a single economic sector, we designed it to apply to all users of PNT. Agencies and companies can tailor it to their needs based on their particular cybersecurity risk and other sector-specific factors.”
As directed by the Executive Order, the profile can help organizations accomplish four tasks:
- Identify systems that use PNT data, and/or that propagate this data based on a source signal.
- Identify PNT data sources, such as a GPS signal.
- Detect disturbance to and manipulation of systems that use PNT services.
- Manage the risks that come with responsible use of these PNT services.
“Our premise is that there are organizations that may not realize they are using PNT data, or know how they are using it,” McCarthy said. “Part of our goal is to help them make these connections so they can protect their operations more effectively.”
The Executive Order also delegates to the Department of Commerce the critical task of providing a source of Coordinated Universal Time (UTC) that is independent of GPS. To this end, NIST also recently conducted initial tests of a special calibration service for companies, utilities or other organizations that wish to receive NIST’s version of the global time standard, UTC(NIST), through commercial fiber-optic cable. The service aims to provide a time reference directly traceable to UTC(NIST) with an accuracy of 1 microsecond — good enough for telecom networks, the power grid and financial markets, and thereby boosting the resilience of accurate time distribution and the infrastructure sectors and subsectors that use timing services.
The initial link is a collaboration between NIST and OPNT, a commercial time-service provider based in Amsterdam, the Netherlands. While the work was led by researchers at NIST’s Boulder, Colorado, campus, the dedicated optical fiber connects the reference time scale at NIST headquarters in Gaithersburg, Maryland, to a facility in McLean, Virginia, that will ultimately serve as the hub for East Coast distribution of timing data.
OPNT has extended the initial fiber link to Atlanta, Georgia, about 800 kilometers from McLean. Preliminary data suggest that this link will be able to support the requirements of the Executive Order. NIST and OPNT have also begun a study of a West Coast link that will provide similar fiber-based time service to San Jose, California, and other locations in Silicon Valley from the NIST time scale in Boulder, Colorado.
Any extensive disruption to GPS signals would be highly disruptive to critical infrastructure in the United States, as would the sort of spoofing and manipulation of timing data that the PNT profile is designed to mitigate. As technologies that depend on trustworthy location and timing data grow more commonplace — such as interconnected Internet of Things devices and automated transportation — identifying and protecting these systems and data from cyber threats will only grow in importance.
“The ultimate goals are to identify systems that use PNT data and to detect disturbances to it,” McCarthy said. “Doing so can help mitigate the risk of misuse of PNT data affecting our critical infrastructure, public health and national security.”
Suggested Items
Koh Young Showcases Award-winning Inspection Solutions at SMTconnect with SmartRep in Hall 4A.225
04/25/2024 | Koh Young TechnologyKoh Young Technology, the industry leader in True 3D measurement-based inspection solutions, will showcase an array of award-winning inspection and measurement solutions at SMTconnect alongside its sales partner, SmartRep, in booth 4A.225 at NürnbergMesse from June 11-13, 2023. The following offers a glimpse into what Koh Young will present at the tradeshow:
Book Excerpt: The Printed Circuit Assembler’s Guide to... Factory Analytics
04/24/2024 | I-Connect007 Editorial TeamIn our fast-changing, deeply competitive, and margin-tight industry, factory analytics can be the key to unlocking untapped improvements to guarantee a thriving business. On top of that, electronics manufacturers are facing a tremendous burden to do more with less. If you don't already have a copy of this book, what follows is an excerpt from the introduction chapter of 'The Printed Circuit Assembler’s Guide to... Factory Analytics: Unlocking Efficiency Through Data Insights' to whet your appetite.
Real Time with... IPC APEX EXPO 2024: Industrial Quality Solutions from Zeiss
04/23/2024 | Real Time with...IPC APEX EXPOEditor Nolan Johnson and Herminso Gomez of Zeiss Group discuss the company's industrial quality solutions, with a focus on X-ray technology. Zeiss provides a range of microscopy options and Herminso highlights the advantages of X-ray technology for aerospace, medical, and consumer electronics sectors.
Altair Acquires Cambridge Semantics, Powering Next-Generation Enterprise Data Fabrics and Generative AI
04/22/2024 | AltairAltair a global leader in computational intelligence, acquired Cambridge Semantics, a modern data fabric provider and creator of one of the industry’s leading analytical graph databases.
I-Connect007 Editor’s Choice: Five Must-Reads for the Week
04/19/2024 | Marcy LaRont, PCB007 MagazineFor my must-read picks of the week, I’m highlighting Parker Capers, a young professional seeking employment, solid counsel from Dan Beaulieu on what your post-show plan should look like, more information and insight on “chiplets” and the need for secure data transfer standards from columnist Preeya Kuray, as well as Matt Stevenson’s design for reality wisdom. It’s a reminder to download one of our newest books (there are several) you don't want to miss if you are an assembler.