NIST cybersecurity profile designed to safeguard critical infrastructure

The National Institute of Standards and Technology (NIST) has drafted guidelines for applying its Cybersecurity Framework to critical technologies such as GPS that use positioning, navigation and timing (PNT) data. Part of a larger NIST effort to safeguard systems that rely on PNT data, these cybersecurity guidelines accompany NIST efforts to provide and test a resilient timekeeping signal that is independent of GPS.

Formally titled the “Cybersecurity Profile for the Responsible Use of Positioning, Navigation and Timing (PNT) Services (NISTIR 8323),” the new guidelines are designed to help mitigate cybersecurity risks that endanger systems important to national and economic security, including those that underpin modern finance, transportation, energy and additional economic sectors.

The draft profile is part of NIST’s response to the Feb. 12, 2020, Executive Order on PNT. In early 2020, NIST sought public input regarding the general use of PNT data. The PNT profile will join the growing list of profiles created to help apply the NIST Cybersecurity Framework to particular economic sectors, such as manufacturing, the power grid and the maritime industry. The scope of the profile includes any system, network or other asset that uses PNT services, including systems that receive and rebroadcast PNT data.

While its scope does not include ground- or space-based source PNT signal generators and providers (such as satellites), the profile still covers a wide swath of technologies. Partly for this reason, NIST’s Jim McCarthy said that it is intended to be a foundational set of guidelines that PNT users can customize.

“The profile is meant to help a broad set of users address their cybersecurity needs,” said McCarthy, one of the draft’s authors. “Rather than focus on a single economic sector, we designed it to apply to all users of PNT. Agencies and companies can tailor it to their needs based on their particular cybersecurity risk and other sector-specific factors.”

As directed by the Executive Order, the profile can help organizations accomplish four tasks:

• identify systems that use PNT data, and/or that propagate this data based on a source signal
• identify PNT data sources, such as a GPS signal
• detect disturbance to and manipulation of systems that use PNT services
• manage the risks that come with responsible use of these PNT services

“Our premise is that there are organizations that may not realize they are using PNT data, or know how they are using it,” McCarthy said. “Part of our goal is to help them make these connections so they can protect their operations more effectively.”

The Executive Order also delegates to the Department of Commerce the critical task of providing a source of Coordinated Universal Time (UTC) that is independent of GPS. To this end, NIST also recently conducted initial tests of a special calibration service for companies, utilities or other organizations that wish to receive NIST’s version of the global time standard, UTC(NIST), through commercial fiber-optic cable.

The service aims to provide a time reference directly traceable to UTC(NIST) with an accuracy of 1 microsecond — good enough for telecom networks, the power grid and financial markets, and thereby boosting the resilience of accurate time distribution and the infrastructure sectors and subsectors that use timing services.

The initial link is a collaboration between NIST and OPNT, a commercial time-service provider based in Amsterdam, the Netherlands. While the work was led by researchers at NIST’s Boulder, Colorado, campus, the dedicated optical fiber connects the reference time scale at NIST headquarters in Gaithersburg, Maryland, to a facility in McLean, Virginia, that will ultimately serve as the hub for East Coast distribution of timing data.

OPNT has extended the initial fiber link to Atlanta, Georgia, about 800 kilometers from McLean. Preliminary data suggest that this link will be able to support the requirements of the Executive Order.