ICS Security Framework
Industry
News
NIST
Regulation, Standards and Compliance

NIST releases cybersecurity framework for PNT services

February 19, 2021
PNT services

The National Institute of Standards and Technology (NIST) released a cybersecurity guidance framework for positioning, navigation and timing (PNT) services. Organizations can increase their resilience through responsible use of PNT services, as the national and economic security of the U.S. is dependent on the reliable functioning of critical infrastructure, NIST said.

The agency is a part of the U.S. Department of Commerce that advances measurement science, standards and technology. Covering critical infrastructure protection for various sectors, including utilities, transportation, financial services, communications, healthcare and public health, food and agriculture, chemical and other facilities, dams, manufacturers, and emergency services, the NIST framework has been designed to address and manage cybersecurity risk in a cost-effective way based on business and organizational needs without placing additional regulatory requirements on businesses.

PNT is necessary for the functioning of the nation’s critical infrastructure. Whether for civil, commercial or military use, nearly all sectors rely on accurate PNT information to provide services, according to CISA. However, the ubiquitous use of Global Positioning Navigation (GPS) as the primary source of PNT information makes these sectors vulnerable to adversaries seeking to cause harm by disrupting or manipulating the GPS signal. When PNT is used in combination with map data and other information like weather or traffic data, it leads to GPS, the modern navigation system.

PNT services have become an invisible, but essential, utility for many critical infrastructure operations. Disruption of, or interference with, these systems have adverse effects on individuals, businesses, and the nation’s economic and national security. The existence and nature of threats to PNT services are known, with governments and organizations recognizing the need for resilient PNT equipment, which is capable of withstanding and recovering from such threats.

Responsible use of PNT services includes the deliberate, risk-informed use of PNT services, including their acquisition, integration and deployment, such that disruption or manipulation of PNT services minimally affects national security, the economy, public health, and the critical functions of the federal government.

Public and private sector entities who rely on PNT services can include owners/operators of the electrical power grid, and communication infrastructure, in addition to businesses in the transportation, agriculture, weather and emergency response sectors.

The Cybersecurity Framework (CSF) provides prioritized, flexible, risk-based, and voluntary guidance, based on existing standards, guidelines and practices, to help organizations better understand, manage and communicate cybersecurity risks. The CSF is organized by five high-level functions of Identify, Protect, Detect, Respond, and Recover. These functions provide the basis to develop guidance on cybersecurity risk management as applied to PNT services.

NIST uses the CSF to develop and issue a foundational PNT profile to help organizations identify systems dependent on PNT along with appropriate PNT sources, detect disturbances and manipulation of PNT services, and manage the risk to these systems.

NIST’s Jim McCarthy, one of the profile’s authors. said that although the profile was now finalized, NIST would continue to look for ways to keep it current. “In accordance with the Executive Order, we plan to revisit the profile every two years or as needed,” he said. “We intend to make sure it remains useful.” The framework complements federal activities required under Executive Order 13905, “Strengthening National Resilience through Responsible Use of PNT Services,” signed this month.

CISA, through the National Risk Management Center (NRMC), works with government and industry partners to strengthen the security and resiliency of the national PNT ecosystem from the risks of both intentional and unintentional threats.

The PNT profile describes the responsible uses of PNT, which have been selected for a particular system to address the potential disruption or manipulation of PNT services. It was created by using the NIST cybersecurity framework and can be used as part of a risk management program to help organizations manage risks to systems, networks, and assets that use PNT services. It is also intended to be broadly applicable and can serve as a foundation for the development of sector-specific guidance.

The PNT Profile provides a flexible framework for users of PNT to manage risks when forming and using PNT signals and data, which are susceptible to disruptions and manipulations that can be natural or manufactured.

Anna Ribeiro
Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.

A complimentary guide to the who`s who in industrial cybersecurity tech & solutions

Free Download

Related

MITRE confirms breach on NERVE network, suspected foreign nation-state actor involved
MITRE confirms breach on NERVE network, suspected foreign nation-state actor involved
Radiflow helps customers achieve NIS2 compliance, spurring growth in Europe
Radiflow, Exclusive Networks partner to elevate OT cybersecurity
MITRE plans to enhance cybersecurity in 2024 with ICS sub-techniques and multi-domain integration
MITRE plans to enhance cybersecurity in 2024 with ICS sub-techniques and multi-domain integration
New bill introduced to set up Water Risk and Resilience Organization to secure water systems from cyber threats
New bill introduced to set up Water Risk and Resilience Organization to secure water systems from cyber threats
CISA, FBI, Europol, and NCSC-NL issue joint cybersecurity advisory on Akira ransomware threats
CISA, FBI, Europol, and NCSC-NL issue joint cybersecurity advisory on Akira ransomware threats
Mandiant exposes APT44, Russia's Sandworm cyber sabotage unit, targeting global critical infrastructure
Mandiant exposes APT44, Russia’s Sandworm cyber sabotage unit, targeting global critical infrastructure
Hexagon and Dragos announce technical alliance to boost industrial cybersecurity, reduce overall OT cyber risk
Hexagon and Dragos announce technical alliance to boost industrial cybersecurity, reduce overall OT cyber risk
Armis
Armis acquires Silk Security for $150 million to enhance AI-driven cybersecurity capabilities
Nozomi discovers five vulnerabilities in AMI MegaRAC SP-X BMC, exposing OT, IOT devices to RCE attacks
Nozomi secures US$1.25 million US Air Force contract to boost DoD critical infrastructure security
Industrial Cybersecurity Buyers’ Guide 2024 navigates complex industrial landscape
Industrial Cybersecurity Buyers’ Guide 2024 navigates complex industrial landscape