NIST Publishes Security Guidance for Wireless Links, Industrial Controls

Via GCN.com -

The National Institute of Standards and Technology has released three information security documents in its 800 series of special publications; two final guidelines on information security assessment and Bluetooth security, and a draft of guidelines for security industrial control systems.

SP 800-121, Guide to Bluetooth Security, has been finalized and describes the security capabilities of Bluetooth technologies and gives recommendations on security them effectively. Bluetooth is an open standards protocol for personal area wireless networking commonly used to connect peripherals with desktop or handheld computing devices.

Much of SP 800-121 originally was included in a draft of NIST’s SP 800-48 Revision 1, Wireless Network Security for IEEE 802.11a/b/g and Bluetooth. But because of comments received on that publication, the Bluetooth material has been placed in a separate publication. This document and SP 800-48 Revision 1, which was released in July, replace the original SP 800-48, which dates to 2002.

SP 800-115, Technical Guide to Information Security Testing and Assessment, provides guidance for planning and conducting tests, analyzing findings and developing mitigation strategies for risks that are identified. The document gives an overview of key elements of security testing, with the benefits and limitations of different technical testing techniques and recommendations for their use. It replaces SP 800-42, Guidelines on Network Security Testing, which was released in 2003.

For effective testing and assessment, NIST recommends that organizations:

• Establish an information security assessment policy to identify requirements for executing assessments and provide accountability topics to address organizational requirements, roles and responsibilities, adherence to an established assessment methodology, assessment frequency and documentation requirements.
• Implement a repeatable and documented assessment methodology. This enables organizations to maximize the value of assessments while minimizing possible risks introduced by certain technical assessment techniques. Minimizing risk caused by assessment techniques requires skilled assessors, comprehensive assessment plans, logging assessor activities, performing testing off-hours and conducting tests on duplicates of production systems. Organizations need to determine the level of risk they are willing to accept for each assessment and tailor their approaches accordingly.
• Determine the objectives of each security assessment. Because no individual technique provides a comprehensive picture of an organization’s security when executed alone, organizations should use a combination of techniques. This also helps organizations to limit risk and resource usage.
• Analyze findings and develop risk mitigation techniques to address weaknesses. This includes conducting root cause analysis upon completion of an assessment to translate findings into actionable mitigation techniques.

A final draft of SP 800-82, Guide to Industrial Control Systems (ICS) Security, is being released for public comment. Its guidance includes recommendations for security Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS) and other control system configurations such as Programmable Logic Controllers.