National Institute of Standards and Technology releases Applying the Cybersecurity Framework for the Responsible Use of Positioning, Navigation and Timing (PNT) Services (NISTIR 8323)
July 1, 2022
The US President’s Executive Order (EO) 13905, Strengthening National Resilience Through Responsible Use of Positioning, Navigation, and Timing Services, issued on February 12, 2020, has had a significant impact on government agencies working to institute standards that improve cybersecurity and privacy more broadly.
The Executive Order specifically stated that “the widespread adoption of PNT services means disruption or manipulation of these services could adversely affect U.S. national and economic security. To strengthen national resilience, the Federal Government must foster the responsible use of PNT services by critical infrastructure owners and operators.” The Order called for the profile to be reviewed every two years, or on an as-needed basis, and updated as necessary.
Positioning, navigation and timing (PNT) services are not a single system. For most users the primary source is GPS, a US-owned utility consisting of three segments: the space segment, the control segment, and the user segment. The U.S. Space Force (previously the U.S. Air Force) develops, maintains, and operates the space and control segments. The user segment is the population of receivers and everything downstream of them; that is where disruption or manipulation is felt, and it is the part the profile’s guidance to users of PNT addresses.
The PNT Profile is designed to be used as part of a risk management program in order to help organizations manage risks to systems, networks, and assets that use PNT services. It is not intended to serve as a solution or compliance checklist that would guarantee the responsible use of PNT services.
The abstract provides:
The national and economic security of the United States (US) is dependent upon the reliable functioning of critical infrastructure. Positioning, Navigation and Timing (PNT) services are widely deployed throughout the critical infrastructure. A disruption or manipulation of PNT services would have adverse impacts on much of the nation’s critical infrastructure. In a government wide effort to mitigate these impacts, Executive Order (EO) 13905, Strengthening National Resilience Through Responsible Use of Positioning, Navigation and Timing Services was issued on February 12, 2020. The National Institute of Standards and Technology (NIST) as part of the Department of Commerce (DoC), produced this PNT Profile in response to Sec. 4 Implementation (a), as detailed in the EO. The PNT Profile was created by using the NIST Cybersecurity Framework and can be used as part of a risk management program to help organizations manage cybersecurity risks to systems, networks, and assets that use PNT services, and is intended to be broadly applicable across all sectors. NIST acknowledges the tremendous efforts being undertaken by individual entities to address the responsible use of PNT services in their particular sectors and also encourages the development of sector specific guidance should more granular or specific risk management efforts be required. The PNT Profile can serve as a foundation for the development of sector specific guidance as well. This PNT Profile provides a flexible framework for users of PNT to manage risks when forming and using PNT signals and data, which are susceptible to natural and man-made, both intentional and unintentional, disruptions and manipulations.
The released document comes in at a hefty 115 pages.
Some interesting matters to note from the Foundational PNT Profile:
- the PNT Profile supports and is informed by cybersecurity risk management processes.
- the PNT Profile provides a flexible approach for users of PNT to manage risks when forming and using PNT signals and data regardless of the source of the risk. It also provides a starting point from which organizations can customise their approach to manage risk to their PNT services and data.
- the Cybersecurity Framework consists of three main components:
- the Framework Core provides a catalog of desired cybersecurity activities and outcomes. It guides organizations in managing and reducing their cybersecurity risks in a way that complements an organization’s existing cybersecurity and risk management processes.
- the Framework Implementation Tiers provide context for how an organization views cybersecurity risk management. The Tiers help organizations understand whether they have a functioning and repeatable cybersecurity risk management process and the extent to which cybersecurity risk management is integrated with broader organizational risk management decisions.
- the Framework Profiles are customized to the outcomes of the Core to align with an organization’s requirements. Profiles are primarily used to identify and prioritize opportunities for improving cybersecurity at an organization.
- the 5 concurrent functions of the Framework Core are:
- Identify – Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities. The activities in the Identify Function are foundational to the effective use of the Cybersecurity Framework, enabling an organization to focus and prioritize its efforts in a manner consistent with its risk management strategy and business needs. The objectives are:
- Identify the business or operational environment and organization’s purpose;
- Identify all assets, including applications dependent on PNT data;
- Identify sources and infrastructure that provide PNT information; and
- Identify the vulnerabilities, threats, and impacts should the threat be realized in order to assess the risk.
- Protect – Develop and implement the appropriate safeguards to ensure the delivery of critical infrastructure services. The objectives are:
- Protect the systems that form, transmit, and use PNT data to support the needed level of integrity, availability, and confidentiality based on application needs.
- Protect the deployment and use of PNT services through adherence to cybersecurity principles, including understanding the baseline characteristics and application tolerances of the PNT sources, data, and any contextual information; providing sufficient resources; managing the systems development life cycle (SDLC); and deploying needed training, authorizations, and access control.
- Should a threat be realized, protect users and applications that are dependent on PNT data by enabling them to maintain a sufficient level of operations through verified response and recovery plans.
- Protect organizations that rely on PNT services and data with respect to business and operational needs.
- Detect – Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event. This enables the timely discovery of PNT cybersecurity events. The objectives are:
- Enabling detection through monitoring and consistency checking; and
- Establishing a process for deploying and handling detected anomalies and events.
- Respond – Develop and implement the appropriate activities to take action regarding a detected cybersecurity event. These activities support the ability to contain the impact of a potential PNT cybersecurity event. The objectives are:
- Contain PNT events using a verified response procedure;
- Communicate the occurrence and impact of the event on PNT data to PNT data users, applications, and stakeholders;
- Develop processes to respond to and mitigate new known or anticipated threats or vulnerabilities; and
- Evolve response strategies and plans based on lessons learned.
- Recover – Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event. These activities support timely recovery to normal operations to reduce the impact of a PNT cybersecurity event. The objectives are:
- Restore systems dependent upon PNT services to a proper working state using a verified recovery procedure;
- Communicate the recovery activities and status of the PNT services to PNT data users, applications, and stakeholders; and
- Evolve recovery strategies and plans based on lessons learned.
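The Protect objective above asks an organization to know the baseline characteristics and application tolerances of its PNT sources, and the Detect objective asks for monitoring and consistency checking against them. What that looks like in practice is a checker that compares each fix against an independent reference and against physical plausibility. The following is an added example written for this post, not code from NISTIR 8323 or from NIST. It assumes a receiver that reports per-fix GNSS time, position, satellite count and mean C/N0, and a host with an independent holdover clock (an oscillator or an NTP-disciplined clock that is not itself steered by the same receiver). The `Fix`, `Tolerances`, `check_fix` and `check_stream` names, the threshold values, and the sample fixes at the bottom are all constructed for illustration.

```python
"""Consistency checks over a stream of PNT fixes.

Added example (not NIST's code). It assumes the receiver exposes per-fix GNSS
time, position, satellite count and mean C/N0, and that the host has an
independent holdover clock to compare against. The fixes at the bottom are
constructed sample data.
"""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_M = 6_371_000.0


@dataclass
class Fix:
    gnss_time: float   # seconds, as reported by the GNSS receiver
    local_time: float  # seconds, from the host's independent holdover clock (assumed)
    lat: float         # degrees
    lon: float         # degrees
    num_sats: int      # satellites used in the solution
    cn0_db: float      # mean carrier-to-noise density ratio reported by the receiver


@dataclass
class Tolerances:
    """Application tolerances; the values are illustrative, not from the profile."""
    max_clock_offset_s: float = 0.5   # GNSS time vs holdover clock
    max_speed_mps: float = 60.0       # fastest movement the platform can physically make
    min_sats: int = 4                 # fewer than this and the fix is unreliable
    max_cn0_db: float = 50.0          # implausibly strong signal, typical of a simulator


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two points given in degrees."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * asin(sqrt(a))


def check_fix(prev, cur, tol):
    """Return the list of consistency violations for `cur`, given the previous fix."""
    anomalies = []
    # 1. Reported GNSS time must agree with the independent holdover clock.
    if abs(cur.gnss_time - cur.local_time) > tol.max_clock_offset_s:
        anomalies.append("clock_offset")
    if prev is not None:
        dt = cur.gnss_time - prev.gnss_time
        # 2. GNSS time must advance monotonically between fixes.
        if dt <= 0:
            anomalies.append("time_regression")
        else:
            # 3. The speed implied by consecutive positions must be physically possible.
            dist = haversine_m(prev.lat, prev.lon, cur.lat, cur.lon)
            if dist / dt > tol.max_speed_mps:
                anomalies.append("implausible_velocity")
    # 4. Solution quality indicators must stay inside the baseline envelope.
    if cur.num_sats < tol.min_sats:
        anomalies.append("insufficient_satellites")
    if cur.cn0_db > tol.max_cn0_db:
        anomalies.append("cn0_too_high")
    return anomalies


def check_stream(fixes, tol=Tolerances()):
    """Run check_fix over a sequence; returns one anomaly list per fix, in order."""
    report = []
    prev = None
    for cur in fixes:
        report.append(check_fix(prev, cur, tol))
        prev = cur
    return report


# Constructed sample stream: two clean fixes, then a position jump, a time jump,
# a degraded/simulator-like fix, and a fix whose GNSS time runs backwards.
SAMPLE_FIXES = [
    Fix(1000.0, 1000.05, 38.8977, -77.0365, 9, 42.0),
    Fix(1001.0, 1001.05, 38.8978, -77.0365, 9, 42.0),   # ~11 m in 1 s: fine
    Fix(1002.0, 1002.05, 38.9500, -77.0365, 9, 42.0),   # ~5.8 km in 1 s: position jump
    Fix(1010.0, 1003.05, 38.9501, -77.0365, 9, 42.0),   # GNSS time ~7 s ahead of holdover clock
    Fix(1011.0, 1004.05, 38.9502, -77.0365, 3, 51.0),   # still offset, too few sats, hot signal
    Fix(1005.0, 1005.05, 38.9502, -77.0365, 9, 42.0),   # GNSS time went backwards
]

if __name__ == "__main__":
    for i, anomalies in enumerate(check_stream(SAMPLE_FIXES)):
        print(i, anomalies or "ok")
```

Each anomaly maps onto a Respond or Recover action rather than ending at a log line: a `clock_offset` or `time_regression` should make dependent systems fall back to holdover time, an `implausible_velocity` should hold the last trusted position and raise an alert, and the tolerances themselves are what the Protect objective calls the baseline characteristics, so they belong in configuration that is reviewed, not hard-coded constants.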