
Webinar – NIST SP 800-53 & Securing the Airwaves


Wireless devices are no longer just an accessory to the enterprise — they’re embedded in our operations, facilities, and critical systems. From IoT sensors to personal hotspots, these devices often operate outside traditional network monitoring, creating blind spots that attackers can exploit.

In this special session, former NIST Fellow Ron Ross — one of the nation’s most influential cybersecurity leaders and the principal architect of the NIST Risk Management Framework — will discuss NIST SP 800-53 guidance and how it can help organizations improve security in wireless and IoT environments. Joining him is Brett Walkenhorst, CTO of Bastille Networks, whose pioneering work in RF detection has given organizations new tools to identify and respond to hidden threats.

Attendees will learn what NIST SP 800-53 covers, how it connects to broader risk management and compliance efforts, and why securing the airwaves is now essential to protecting both IT and OT systems. The discussion will include practical examples of how rogue cellular, Wi-Fi, Bluetooth, and other RF activity can be detected and mitigated — and how that evidence can be incorporated into continuous monitoring and audit processes.

Whether you’re responsible for compliance, security architecture, incident response, or operational technology, you’ll leave with actionable steps to close RF blind spots and align with NIST best practices.

What you’ll learn

  • Key takeaways from NIST SP 800-53 and why it matters now
  • How wireless and IoT devices create unseen risk in your environment
  • Practical methods for detecting and managing RF threats
  • How to align RF security with compliance and continuous monitoring

Who should attend

CISOs, ISSOs, security architects, security engineers, compliance teams, OT security leaders, procurement/acquisition officials, and anyone responsible for protecting sensitive facilities.

Speakers

Brett Walkenhorst

Ron Ross

Full Transcript

Thank you so much for joining our Bastille webinar today on NIST SP 800-53, Securing the Airwaves. So who is who in our webinar? We have Brett Walkenhorst, our CTO.

He’s former director of the software defined radio lab at Georgia Tech and works closely with all our government enterprise customers. He’s probably visited many of the customers who are on this webinar today.

We’re extremely lucky to be joined by Ron Ross. Ron Ross is a former fellow of the National Institute of Standards and Technology, NIST, and one of the nation’s leading voices in cybersecurity and risk management. As a retired US Army officer, he’s received numerous awards, including the induction to the National Cyber Security Hall of Fame.

He’s also one of the principal architects behind many of the NIST standards, and we’re very happy to have him today to go over all the details and to answer questions at the end. So thank you so much for your attendance. We’ll ask a number of polls during this event. We’ll also answer your questions. And now over to you, Brett.

Thanks, Justin.

I’m happy to be joined by Ron today. I think, we’re going to have a really good discussion about NIST 800-53. To start things off though, I’m going to try to frame the discussion with a little bit of a motivation on why we care about wireless, to try to help people understand why this is a real risk area.

And then we’re going to have Ron dive into 800-53, talk about some of the families of controls and dig into some of the details of those, specifically as they’re related to wireless communications. And then I will end the discussion by talking a bit about how we can implement defensive measures that help us to meet some of those controls. And then we’ll have some discussion at the end.

So, the wireless threat. In general, we have a lot of devices that speak wireless protocols all around us all of the time. And they’re constantly transmitting information that comes in the form of electromagnetic radiation that’s sent out of the antennas that are connected to these devices.

And this number’s in the tens of billions worldwide. So devices that can speak one or more of these wireless protocols, they are just literally everywhere. And those numbers, of course, continue to grow– whether those be cell phones, which are ubiquitous, laptops, peripherals, wearables, medical devices, IoT. There’s just tons of stuff.

And the signals themselves coming from those wireless devices are also propagating all over the place. The challenge with electromagnetic radiation, especially at these lower frequencies where these communications protocols live– the challenge is that it’s difficult to stop them from propagating.

So you can be in a building. And this is both the blessing and the curse of these technologies, is that they can reach their intended destination. But they also go pretty much everywhere else. So they decay as they propagate, but they pretty much go everywhere in all directions.

So what I’m trying to say here is that these signals that are traveling at the speed of light are accessible to anyone within earshot.

And they penetrate physical objects, ignoring all of our physical security mechanisms that we use to keep people out. Those signals tend to sail right through. So that’s one issue associated with wireless. It’s literally everywhere, the devices and the signals they send.


So, the wireless threat. First of all, it’s important to note that the existence of wireless is often invisible to us. And one way that we think about this is when we’re looking at the way that data flows in our networks and various endpoints and what they have access to, we often don’t account for the wireless element.

We hopefully are accounting for the logical connections when endpoints are communicating to servers via Wi-Fi. But there is more going on than just those authorized devices speaking Wi-Fi. And there’s more than just the Wi-Fi protocol.

So here to note is an example of a very simplistic network diagram. But the truth of the matter is that even if we’ve mapped this out properly, there’s always a lot more going on in our space. And that can include equipment that gets installed without the knowledge of IT, shadow IT equipment, industrial control systems, personal devices, peripherals, wearables.

A lot of this stuff comes into our space and has some ability to connect to network resources or at the very least, offers a potential mechanism for data transfer outside of authorized mechanisms. So there’s no monitoring, in general, for a lot of this stuff. We don’t have tools, in general, for looking at the wireless emissions.

And yet they are an important part of our environment and pose risk. They represent an attack surface for bad actors who would like access to our data and/or want to leverage those mechanisms for surveillance, espionage and whatnot.

So the wireless that we don’t pay attention to, that we don’t often think about as part of our networks and part of our environments is literally all around us. There are tens of billions of wireless-enabled devices in the world today.

We’re literally swimming in these devices. And the signals that they are sending are also all around us. So these signals come in the form of electromagnetic radiation that travels at the speed of light.

And the challenge with the signals at these frequencies where these communication protocols live is that they go everywhere, which is both good and bad. We want them to go everywhere. I want to be able to connect to a cell tower from my phone when I’m inside of a building. But of course, that means that those same signals are going in all other directions. And anyone within earshot who has the capability to do so can listen in on those signals.

Now for the most part, a lot of these protocols– not all of them, but a lot of them are protected by some level of encryption. So that’s good news. But the point of this is because these signals are able to travel so far, so fast and in all directions, it opens up our risk. And it creates this very broad attack surface that can be accessed from very far away.

So the fact that these are everywhere and they can penetrate physical objects is of concern. These waves will travel at the speed of light and bypass all of our physical security mechanisms, meaning both the devices and the signals are all around us.

And as I’ve mentioned before, they are invisible to us. We don’t see them with our eyes. We can see a very narrow slice of electromagnetic radiation in what we call the visible light spectrum. But other than that, all of that radiation is– we’re blind to it as humans.

And so we require some help from electronic systems that are able to convert those waves into electrical signals that can then be represented in some fashion. And at the bottom of this slide are some examples of how we would go about representing that information. In a very coarse way, we can use instruments like spectrum analyzers to get insight into power distribution versus frequency and time.

But we probably need more than that. We need more visibility than just a rough understanding of, hey, at this frequency, there’s something going on. We need to understand what’s going on, who’s talking to whom and what their behavior is. And are they a threat? And are they behaving properly? Are they authorized? Are they not?

So that’s the insight that we generally lack that I’ll talk a bit about later on in this presentation. But in general, the signals are everywhere. They are invisible to us. And they are built on protocols that are vulnerable to exploitation.

This chart just illustrates the exponential growth that we have seen in recent years in terms of CVEs that have been published, that are associated with these wireless protocols. And let me just spell that out as listed here in the legend on the plot.

We have things like cellular, 4G and 5G, Wi-Fi of all different flavors. Bluetooth Classic and Bluetooth Low Energy, in this plot, have been lumped together, but they are different protocols. Zigbee and other IoT protocols have a related fashion.

And so you can see this growth just based on what white hat researchers have been able to discover about the vulnerabilities that exist in the protocols, whether they be specifications or vendor implementations of them.

And that growth is concerning, simply because what we know about is only ever the tip of the iceberg. And so this growth is simply an indicator that this threat– maybe I should say this attack surface encompassing all of these wireless protocols is more and more prone to attack and represents an increasing risk over time that we need to be paying attention to.

And there are plenty of examples that we could give of things that have been compromised using these wireless protocols. But in the interest of time, what I’m going to do is leave that here at a high level so that we can spend some time talking about the protocols.

But just to give you a flavor for a couple of these, some examples of attacks in the news have been evil twin attacks. There were some agents that were apprehended in Western Europe, in the Netherlands, who were busy conducting wireless attacks on a non-government organization.

The back of their rental car is shown depicted in the upper right here, where we have all this equipment that’s being used to conduct those attacks. This is not a one-time event, but it’s an example of something where people were on the ground conducting wireless attacks.

But an interesting trend has been in place here where instead of getting on the ground in person in order to conduct an attack from whatever reasonable distance might be necessary to conduct such an attack, a couple of years ago, there was an incident in the news where some attackers had mounted equipment onto a drone, flew that drone onto the roof of a building that was their target in the financial services industry, and they were able to launch an evil twin attack from that location, penetrating the network and moving around and doing some things before they were eventually caught. And then the equipment was later discovered on the rooftop.

So this is an interesting evolution, where the attackers are removing themselves from the scene of the crime, but putting equipment forward. These use COTS equipment that’s readily available for a couple hundred dollars.

And again, we’re seeing this evolution in attack that leads to– just recently, Volexity reported an incident that they had been investigating for a while, where attackers took the next logical step and simply leveraged the existence of opportunistic wireless devices in the vicinity of their target.

So rather than being physically present and rather than putting hardware forward, they simply exploited hardware that was already there. These tens of billions of devices that we’re swimming in, these are all potential access points for attackers to either launch an attack to pivot or in some form or fashion, leverage the wireless protocols to conduct an attack.

And in this case, what happened was they were attacking a specific organization. And when they failed to penetrate it directly through public-facing services on the internet, what they chose to do was attack neighboring organizations, navigate their networks, discover dual-homed devices that allowed them to take over one or more Wi-Fi network interface cards.

And then they were able to use those devices to connect to the Wi-Fi network of their target organization to penetrate the network and continue from there. So they were able to do this with multiple organizations. So they had some robustness in their entry into their primary target.

But again, this points to an interesting evolution where wireless is everywhere. All of it is potentially accessible to an attacker. And we need to be more aware of the wireless in our domains.

Another example of something that’s concerning would be in a data center, having someone fire up a hotspot that would connect to a client that’s in the rack. And then you can exfiltrate data over the cellular to the cloud wherever you want. We have seen this in a customer’s organization. And outside of dedicated wireless monitoring tools, that thing is invisible to us. We’re not paying attention to hotspots that could be exfiltrating sensitive data.

Lots of threats are out there. Again, in the interest of time, I’m not going to go into a lot of detail on these. But the impacts can be severe– data compromise, data manipulation, denial of service, many of the things that you might expect from any attack. All of these are potential impacts of a wireless-based attack.

And consequences run the gamut, from lost revenue, brand impact, loss of partner/customer faith. And if you’re in the business of protecting government information, of course, another consequence could be loss of life.

So we need to be very aware of the potential for wireless to compromise the integrity of our data.

So with that as an overview, let me turn it over to Ron to discuss a bit about 800-53. Ron, over to you.

Great. Thanks very much, Brett. I really appreciate it. I’m going to ask you to advance my slides, if you would be so kind to do so.

Absolutely.

The whole wireless issue has been of great interest to me personally, and especially when I was at NIST for the past 28 years. We’re going to talk a little bit today about the overarching protection strategy for organizations.

Brett did a great job of outlining the threats, the wireless potential vulnerabilities that almost every organization has today. Because we love the technology. We have innovative technology that is unprecedented in our history. And it’s very affordable to use. And we use a lot of it.

And with that, as Brett talked about, we have an increasing complexity of systems. There are literally trillions of lines of code, billions of devices. Everything is connected ubiquitously across these great networks, from wide area networks to local area networks and everything in between.

So when you’re looking at this from a cybersecurity perspective, complexity equals attack surface. And so we have this ongoing problem of– it’s kind of we love the technology. We use a lot of it. And yet that complexity brings us this increased attack surface.

So the number 1 objective is to try to manage and reduce that attack surface. And that’s really what we’re going to talk about today. I’m going to go through a little bit of, very briefly, the history of 800-53 and what’s in the document.

So organizations use 800-53 both in the public and the private sector. The public sector uses 800-53 because it’s mandated by the Federal Information Security Modernization Act. That goes back to 2003.

It’s mandated by OMB policy. A-130 is the circular that sets the cybersecurity policy for the federal government.

And then of course, you’re seeing 800-53 moving out into the private sector, contractors who either operate systems on behalf of the federal government, or they’re under contract. So you can see that a lot with the 800-171 and the CUI protection initiatives, the DOD’s CMMC initiative. All of that is an outgrowth of 800-53.

And so the problem is very wide. And as Brett was talking about, this is not just a potential national security issue. It’s also an economic security issue. Because if you look at this slide, all the threats that are out there today for organizations, everything from natural disasters to software errors of omission and commission– now, system failures, the technology can fail at almost any time.

And then of course, we have the last category, which we’re going to focus on today, is cyber attacks from hostile adversaries. And make no mistake about it, the adversaries that we’re up against today include nation state-level adversaries, which they’re highly skilled.

They have almost unlimited resources. They’re very targeted in their attacks.

And so we’re looking at that threat space with our eyes wide open. And we’re saying, what do our organizations look like? What does our attack surface look like? And what things can we do to build a good security program that’s going to address a lot of the things I’m going to talk about in the next few slides. Next slide, please.

So this slide is almost unnecessary to talk about today. But the adversaries, when they do attack systems, they have lots of different motivations for doing so. A lot of times, they want to exfiltrate data. It can be state secrets, national security information.

It could be intellectual property– design documentation, next-generation innovations from our great companies across the country.

It’s a very, very large problem. We lose billions of dollars every year in intellectual property. And that hurts both the national security of the United States, but also the economic security as well. And those two things are very closely tied together.

The other thing that we worry about a lot– and this is another concern of having unmanaged wireless devices– is the adversaries, once they get access to your system, can pre-position malicious code.

This is a big concern both within the federal government and also in the 16 sectors of the critical infrastructure, which include our financial services sector, the defense sector, the energy sector, first responders. You can go all the way across the 16 sectors. They all have the same problem of complex systems and this ever-expanding attack surface.

We’re also concerned about that potential for malicious code to be triggered at the time of the adversary’s choosing, not of our choosing.

And that can bring down mission capability. And that could be a very significant thing for the warfighters. And don’t forget, the warfighters now are not just on the front lines. Their supply chain goes very deep across the public and the private sectors.

And then the last element is relatively new. It’s been around for maybe three or four or five years, probably longer than that. But it’s been accentuated with the creation of deception campaigns by adversaries. And we see that on social media and other things. Next slide, please.

So the system conceptually is very simple to look at. We use this graphic from one of our special publications, 800-160 volume 1. And it’s a caricature of a system. Every system is characterized by that triangle, the system of interest. That could be a weapon system, a financial system, a PLC in an energy grid situation.

But those systems are composed of hundreds and thousands of system elements.

I call this the great stack, from applications to middleware, down to operating systems and integrated circuits and everything in between. And then you have the enabling systems, systems that help you do your mission or conduct your mission operations. And then, of course, there are other systems that you’re connected to.

So you can see where the wireless problem becomes very, very important because we’re connected to a lot of things. And wireless capability, wireless technologies gives both the good guys and the bad guys access to critical pieces of the system– both to do the mission, support the mission, and to subvert the mission.

So we talk about all of these hundreds and thousands of components. And of course, as Brett said, many of those components today are wireless because that’s the way the technology is moving. And one of the things that is consistent across our concerns, both for wireless and for non-wireless components, is the attack surface, whatever you have in your inventory– whether it’s the hardware, the software or the firmware components.

All of those have to come under some kind of management, understanding what components you have, how they’re composed within the system, what the system capability is and then understanding the threat space.

And Brett talked about the NIST vulnerability database. The known vulnerabilities are a problem in and of themselves. Those are the things we know about. But one of the big dangers, and this is really emphasized by the wireless technology, is the unknown part of the attack surface– the part of the attack surface that you are not managing.

And what that means is there are literally– there’s the opportunity for hundreds of components coming into your space that are not managed. Many times, they’re not even known. And that’s a free pass for the adversary.

So the question is, how do we make sure we get a handle on all these components? So we know they’re in the inventory. We’re actively managing them. And that’s where we have to rely on policies, procedures and technologies.

And that’s something that gets lost. We think the technology can handle all of our problems. But technology is the thing that is the foundation. But it has to be supported by good policies and procedures.

And the NIST standards and guidelines, all those controls in 800-53 transcend all three of those spaces– policies, procedures, and technologies. Next slide, please.

So one of the documents that you may or may not be familiar with, if you– a lot of people are familiar with 800-53. Those are the actual controls, the safeguards, the countermeasures that NIST has defined over the past 20 years or longer.

But the Risk Management Framework is a document whose NIST number is Special Publication 800-37. And this is just a framework that helps organizations understand the value of their mission and their data and their systems, and then gives them a very disciplined and structured process to go through to make sure you select the right controls in 800-53.

And as you’re going to see, as we go through our presentation today, there are probably a couple of thousand controls and control enhancements in this 800-53. Organizations never need all of those controls.

But the challenge is picking the right controls that can help you protect your organization’s missions– whether that’s financial, transportation, electric, first responders, or space, or the war fighters. It’s all the same thing, making sure that you bring enough protection to your systems to protect the mission. And that’s a full stop after that statement.

So the framework allows you to understand the value of the mission and the business operations. It then allows you to pick whatever controls are necessary to afford you adequate protection. There’s a step to make sure those controls are implemented correctly, operating as intended and producing the desired effect with regard to supporting whatever your security policy might be. And that’s going to be different for every organization.

There’s also a step to assess those controls, to make sure that they’re doing what you think they’re supposed to do. And then the step called authorization, that’s a federal government term– authorization to operate. What it really means is very simple.

A senior leader looks at the system in their mission. They look at what their security teams have done to help protect the system and the mission. And then whatever residual vulnerabilities remain– there will always be residual vulnerabilities because that attack surface is broad.

We like to think that we can protect every inch of it, but we can’t. There are mitigations that we can bring to the fight, but security controls have costs. There’s cost, schedule, and performance issues with every organization.

So the authorization official, the senior leader, has to make a credible risk-based decision. And then of course, once he or she makes that decision, either go or no go, they either go back and provide additional protections or they go into operations.

And that’s where every organization has to be at the end of the day. They’ve got to operate, supporting the stockholders, the shareholders or the warfighters, whoever that constituency might be. This framework is just your– it’s like a scaffolding, if you will, around the NIST 800-53 to make sure you do the right thing. Next slide, please.

So if you think of the 800-37, the risk management framework is like the car. And then under the hood of the car is the engine. And this is the engine of the safeguards and countermeasures that we call 800-53.

It’s literally a catalog of 1,000 or– actually, it’s probably 2,000 if you count the enhancements of security and privacy controls. And they’re arrayed across 20 families, everything from access control to supply chain. Everything is structured. They’re labeled.

They’re accessible. The catalog of controls are what you’re drawing from as you build your system security plan.

And again, we’re not going to go through all the details of 800-53. The purpose of this webinar today is to focus on those control families and the controls that are really targeted at the wireless threat.

And NIST spends lots of time on controls and these families. And we’re going to see it as we go through the next several slides. We’re going to focus on, I think, maybe five, six or seven families. And we’re going to give you a taste of the kinds of controls that you want to look at to help you build your programs and really address this wireless threat. So with that, let’s go to the next slide.

These are the eight families that I just picked out that seem to be most targeted at the wireless threat. Now the good news is that most of these families, when you’re building a security plan in general for your organization, you’re not just concerned about the wireless threat. You’re concerned about the entire organization.

And there are 20 families. So you’re going to probably have these eight families in a general security plan. And you may even have some of the controls that I’m going to go over in a few minutes here that are already in your security plan.

But what I’d like you to focus on is the wireless problem today. And we’re going to talk about how each of these families really supports the wireless threat, and what you can do to make sure you understand those controls.

And again, we’re talking in fairly high levels of generality today. But what I want to point out– and I’ve got some pointers at the end of my part of the presentation to give you some links to critical resources.

So the point today is to just understand where the resources are. And then you can go out to the NIST website. You can look at every control. And the good news is that many of those controls have entire NIST special publications that you can recommend to your security staff. And they can help you implement whatever security program that you’re trying to build. So with that, let’s go to the first family.

Access control is the heart of everything, when you talk about the attack surface and the ability of adversaries to gain access to your system. If you think about how we’ve done cybersecurity for the past 40 years, it’s really been a one-dimensional protection strategy.

And the reason I’m bringing this up is because Brett was talking about adversaries. Some of these are advanced persistent threats. They get access to your system through– we call it the low-hanging fruit. And once they get access to your system through some very simple exploits, in many cases, or a system adjacent to yours that is connected to your system, then they move on to what we call the transitive attack. They move laterally through the system.

So we’ve defined a new, multi-dimension protection strategy at NIST. The publication that I referred to earlier is our system security engineering publication. It’s SP 800-160. And while that’s not the focus of this talk today, I bring that publication up because going forward in the future, the things we’re talking about today, we’re trying to make sure that we have penetration resistance.

In other words, if we– our first desire is to stop the bad guys at the front door, so they don’t get into the house or into our systems. And that’s where the focus has been for the past 40 years.

But we know through literally, at least two or three decades of empirical data that even when we do everything right and all these controls are implemented properly, the adversary sometimes can get to the 10% of those systems where even though they’re well-protected with controls and cyber hygiene, it’s an architectural engineering issue.

We call that below the waterline. In fact, I use the term above the waterline and below the waterline to characterize how most organizations view security. Most of the COTS products that we buy and we implement in our organizations, they have a lot of safeguards and countermeasures built into them, hopefully. But there are still things you can do from an architecture and engineering perspective. And that’s where the wireless problem is really below the waterline.

And so we try to describe a second dimension called damage limitation. How do you keep the adversary from moving laterally within your system? And we have a lot of different technologies through segmentation, microsegmentation to address those issues. We can also use virtualization and microvirtualization, making sure that your components can be refreshed as fast as possible.

So this multi-dimensional protection strategy or what Brett was referring to– that lateral movement, the transitive movement– that has been the source of many very, very high-profile cyber attacks.

But the idea is deploying good security controls at the frontend during the penetration resistance part of that problem space. That can really go a long way, so you don’t have to worry about that transitive movement. Now, yes, it could happen. But when you implement controls effectively, you really take a lot of that attack surface away from the adversary.

So just diving into the ones in the access control family, we’re always concerned about remote access in general. And of course, wireless access gives us even greater concerns. Remote access has to be monitored and controlled.

Through all access control, we’d like to use two-factor authentication if possible. That’s the passwords and then supplemented with some kind of a token mechanism or a biometric. But confidentiality and integrity protection of the access control process is really, really important, especially for remote because they’re coming in from outside of your protected boundary, in many cases.

We have an enhancement called managed access control points. Again, this talks to the attack surface. How many points can an adversary actually get into your system, if those points are not managed in some way?

And that really talks to the wireless problem. A lot of those wireless devices are not managed access control points. They’re off the radar. And it’s like if you’re trying to fight a war without night vision capability today, it’s next to impossible. That’s what makes our war fighters so lethal is because they have the night vision capability.

So understanding the wireless problem and having technology that allows you to understand where those wireless components are and bring them into the management spectrum, that really gives you the equivalent of night vision capability.

Now the other thing is the access control for mobile devices continues to be a big deal, with smartphones and tablets. Basically, these computers have gotten incredibly powerful in small form factor now. And you put the wireless component within those small-form-factor devices, and you can see this is a growing problem, as Brett showed with that slide, with the number of vulnerabilities growing almost exponentially over the past several years. Next slide, please.

Going from access control, the other one–

this is more of the same technical. We have our controls that are management-related, operational-related, and technical-related. And access control and system and information integrity are two of the technical families of controls.

And this is really one of the most important because once your system is in operation and you’ve actually applied the controls, it’s really critical that you monitor your system all the time. Because one thing we know for sure is that systems change every day.

New people arrive. New applications are deployed. You bring in new components, whether it’s a network device or a new application. The system is constantly changing. And whenever you perturb what was a known security state previously, after you built that security plan, you implemented the plan and you’re up and operating, now the challenge is that change over time.

And so there’s lots of technology available to monitor inbound and outbound communications traffic. We talked about the adversary liking to get the low-hanging fruit–

getting a foothold within the system and then making sure that you monitor all the suspicious events that might go on after the system is in operation.

And so this entire system monitoring control and all of those enhancements listed there in the light blue are ways to dig deeper into the system so that monitoring can go on both broadly and deeply within the system.

Ron, can I just interrupt for a second to observe that that’s a really interesting insight about the need for monitoring, based on the fact that systems evolve over time. Things come and go, configurations change, whatever.

I guess, I’m not as much of an expert on the wired side of security. But I would say from a wireless security perspective, this is so true. It is like a configuration change on steroids because devices are constantly on the move.

Physically, they’re moving around the facility. And we see this huge influx of devices at the beginning of a workday and this exodus of all these devices at the end of a workday. And sometimes over lunch, we see a change in the behavior.

So this is huge in the wireless world. And I think it’s not maybe widely appreciated, just how dynamic everything is from a wireless perspective. So I just wanted to highlight that because I really appreciate your insight–

I totally agree with that, Brett. And that’s why you see SI-4(14), the Wireless Intrusion Detection, that–

and what you said is exactly true. In the NIST catalog, we have literally hundreds of controls that deal with the wireless problem. It may not say wireless in the control name, but you can see the application of all of these enhancements to the wireless threat, in general.

And so the dynamic nature of the way our systems are today and the complexity of those systems, those two things alone really make the threat space as dangerous as I’ve ever seen in my 35 years of doing cybersecurity.

So it’s not something that we have to run away from. We have to understand the problem first. And that’s really the purpose of the webinar, is to bring the problem to the forefront. Because you can’t solve a complex and challenging problem if you first–

unless you recognize it and then being able to look clear-eyed at the problem and then to have a game plan in place.

And that’s part of what I’m trying to do with the NIST standards and guidelines and the controls, is to give people a place to go, to start to solve a problem that they may either know about and haven’t addressed yet, or they know about it and they’ve tried to address it. But I’m hoping that with the intro that you talked about today and some of the technology that we have employed today on the wireless side, it really gives people a pause to rethink this problem.

And make sure if you’ve done your wireless protection, go back and look at it again after you’ve seen this presentation. And take a second look at it because sometimes, we overlook things. And the technology changes. And there’s a whole lot of reasons why that change is happening every day. The change is not inherently bad.

In fact, I would argue that change is part of the way that we have to operate today because that’s just the way the organizations do business. So we have to be able to embrace the change and protect our systems and manage the risk.

There is no such thing as a fully secure system. It’s about understanding your risk, mitigating to the extent that you can afford to and then being eyes wide open on what the residual vulnerabilities are that you choose not to address, and have a rationale for why that’s the case. Next slide, please.

Well, this is the heart, again. We talked about everything in the access control, but managing attack surface and reducing the attack surface–

there’s CM-07, which is what I’d love to highlight. This is a control that I believe is one of the most important controls in the whole catalog. And it affects wireless a lot.

Least functionality says of all the things you can bring into your system, only bring in those functions–

ports, protocol, services, technologies, applications and connections that are mission-essential. And by the way, this is the hardest control for people to address because the technology is so compelling. It’s so innovative. And we embrace it.

We love it. We bring it in.

And sometimes we just don’t want to admit that all the stuff we’re bringing in, even though it’s cool and we love to play around with it, and maybe even it supports our mission, our business functions–

but we have to look at every one of those components and make this critical decision. Because any time you increase the attack surface without a good reason, you’re going to have to work harder to defend that attack surface.

And then the other one that goes along with that is whenever you identify all of your components, every one of those components on the technology side has the ability for some level of configuration settings. Secure configuration settings are critical to making sure that those components are locked down.

And you manage the privileges, for example: who can access the system? What components are in play, not just for people accessing, but individual device authentication and configuration control and management?

Because these devices now–

and this is especially true for AI and the AI agent technology that is now coming at us like a steamroller. All of those AI applications and those agents are roaming around. And there’s going to be a wireless connection to all of that as well.

So system component inventory, CM-08, goes without saying. A good inventory, an effective inventory, an accurate inventory goes a long way toward helping you manage what could be a very difficult and challenging problem. Next slide, please.

Well, we talked about monitoring. One of the steps, as you recall in that Risk Management Framework process, is called continuous monitoring. And that goes directly to Brett’s comment about this dynamic aspect of our organizations and our technology and our people and everything that we have to deal with.

So when we’re talking about monitoring, we’re really monitoring the changes that are taking place. And how much has it changed our understanding of what we did previously to protect the organization and the system?

So risk monitoring and looking at trends. We know a lot about the threat space today. We know a lot about the adversary. We know a lot about the specific cyber attacks. But if you can’t monitor the attack surface that you end up with after you reduce it, it’s really going to be very difficult to keep track in that second dimension that we call damage limitation.

Because those high-end adversaries will, at some point, get in. And the ability for you to slow them down, increase their work factor, maybe stop them once they’re inside the system at various points as you define your different security domains–

and then how are you going to handle those incidents that are going to happen?

That’s the thing, that most people think that contingency plans and incident response plans–

yeah, they’re important. They’re paperwork exercises. But those two things are critical because once that cyber attack happens, you are literally on adrenaline and autopilot. You have to have a well-defined incident response plan.

Incident handling has to be addressed. That’s part of the policies and procedures aspect that supplement the technologies that our industry produces to help us defend these systems.

So all of those things, the trend analysis–

we have literally some of the best threat data, both public and private sector, that’s available to all of our organizations today. So you take that threat data, and you marry it up with those security controls that we’re talking about today. And just that alone in managing your attack surface will go extremely far toward having an organization that is adequately protected for operating in today’s modern technology and our modern business operations. Next slide.

The last couple of families are–

we talked a little bit about this already–

risk assessment. Before you go through, and when you manage your attack surface and you’re getting a handle on your inventory, a risk assessment is always a necessary thing to do because risk management–

we talk about, what are the components of a risk assessment?

We talk about threats, vulnerabilities, impact if the threats exploit the vulnerability. And what does that do? It causes mission or business impact. And there’s a likelihood that that can happen. I would say today that that likelihood component for almost every organization is 100%.

If you’re operating in today’s modern world of these great systems of the high capability and advanced technologies, and you’re in the business cycle, whether you’re producing technology or you’re using the technology, that life cycle and that business cycle is incredibly short.

And look at some of those really impactful attacks that happened about a year or two ago, where a development organization is making a small change to a device or a software, a component. And it’s pushed out to all of its customers.

These attacks happen in literally the speed of light. And when you patch a system and you send it out to customers, it happens again extremely rapidly. So this damage can take place very, very rapidly.

And that’s another reason why getting ahead of this problem through risk assessments and managing risk to the mission and the business operations of your organization, risk management is always a localized type of decision based on what you’re doing. And it goes across the entire spectrum.

Risk tolerance is an individual organizational decision.

And that’s why going through a disciplined and structured process, having the resources available to set up a good security plan, doing a good risk assessment, being able to monitor vulnerabilities that you currently have based on your legacy systems or the ones that you may be developing through zero-day exploits, where zero-day vulnerabilities sometimes just show up because your attack surface was not monitored or you–

it was unknown. And so that’s where the RA family of controls come in with respect to the wireless threat. Next slide, please.

Well, the key takeaways, I think, we’ve talked about this.

From what Brett talked about, it’s the wireless technology, in general. And what I’ve tried to give you today are the notion of how serious the nation state-level threats are. And nation states can be looked at attacking national security or economic security. They’re both tied together, two sides of the same coin.

And I think, maybe the argument that wireless components bring a whole new level of concern into our infrastructure. We need wireless. It helps us become more productive. And we love the technology. It gives us great new capabilities.

But in order to be able to use that technology safely and effectively, we need to have policies, procedures, and technologies working together to make sure we can identify those components and bring them under control–

good management, whether that’s configuration control or configuration management of changes to the software, hardware components.

And all of that has to be done in a dynamic environment because as Brett was talking about, everything is changing. Every day, you come to work. Things look a little bit different. So with that, I think, we can roll into my last slide or two. I think, I just have a couple of final points.

Here are the resources that NIST has. The Risk Management Framework, the NIST 800-37, is downloadable in a PDF format. I do want to point out that the NIST security and privacy controls now are being managed online in something called the Cybersecurity and Privacy Reference Tool.

When you go to that link, you can find every security control that we talked about today in this presentation. You can also find all of the assessment procedures for every one of those controls. And NIST now, to be able to update their security controls rapidly–

because as that threat space changes, NIST can’t put out updates every three or four or five years, like they used to.

Now they’re updating these controls almost in near real time or real time. You’ve seen over the past two or three months, they have these intermediate updates. And so before they go to revision 6, which may be in the next year or so, they have all these interim updates which are going to make sure that you have the latest and greatest security and privacy controls to include those for wireless, as those threats may evolve. And NIST addresses those with new wireless controls or controls that are related to the wireless threat. So with that, I think, that’s my time, Brett. And I’ll turn it back over to you.

Ron, thank you. That was fantastic. I want to just sit here and talk with you about some of the points that I’ve made notes about.

Good.

Well, maybe we can do that for just a minute. But also, I need to make sure that I wrap this up and give the audience a sense of how to implement these controls.

I loved your comments about complexity. I think, we’ve talked about this before, you and I. But complexity breeds vulnerability, I think, is the essence of what we’ve discussed.

And one thing I came to realize recently was that complexity can give us the illusion of security simply because there are so many layers to our systems that it becomes in essence, an exercise in security through obscurity, which of course never works very well.

So I think it can provide us with a sense of, well, everything is OK, until something breaks. And then we realize just how insecure things were because although the complexity gave us this illusion, it actually made things worse.

Anyway, so I remember, you were talking about that early on in the discussion. And I just wanted to see if you had any thoughts on that.

No, I totally agree with that. Complexity is the adversary’s friend, full stop.

This whole notion of protection by obscurity, the adversaries understand our systems better than we do. And that complexity, the one thing that I’ve learned is that yes, it gives us the capability that the systems provide and the innovation.

But we can do a lot to maintain that innovation and that system capability, either the system as a whole or the individual components. But unless and until we manage complexity, reducing risk complexity, the adversary will always win.

And so I think, that’s the message today, is that with wireless technology–

and there’s a lot of this thing. I look at AI as being the same type of a problem. It’s invisible. People just install these AI applications, and they’re taking data in from everywhere.

They’re spitting stuff out the other end. All these agents are running wild. Then you got the wireless components that are there with the new small form factor components.

It’s a nightmare. And it’s not always pleasant to want to reduce that attack source because it goes against our, hey, let’s go out there and do everything we can and push the envelope. But pushing the envelope is one thing. But when the adversary can bring down the envelope, that’s the real problem. And we’re trying to get a handle on that. It’s not an easy decision. And I do think that it’s going to take us a while to get to where we get good at attack surface reduction.

Yeah, that makes sense.

I wanted to hear your thoughts too on–

I heard a couple of things that you mentioned, above the waterline, below the waterline. And you mentioned that wireless for many of us is below the waterline. It sounds like maybe it shouldn’t be.

But you also talked about wireless visibility as being almost like a superpower. If we have night vision goggles, that gives us that distinct advantage on the battlefield. Wireless visibility sounds like it could be a night vision experience for the security professional.

And I wondered, do these two thoughts go together in your mind? And should we be considering that what is below the waterline should maybe be above the waterline? Or I’m not sure if I’ve got the analogy reversed. But what are your thoughts on that?

No, I think, it’s right. I use that analogy because above the waterline usually in my view, characterizes what organizations can do–

what they typically do when they build their security plans. To be honest, organizations don’t have a lot of ability to affect commercial products. If there are security safeguards and countermeasures built into the products, good for industry. They should be doing that.

A lot of them do that, and we take advantage of that.

But when you’re doing a security control assessment, most of our security control assessors, they don’t have the ability to go below the waterline. And for example, at NSA in the old days, they would do these common criteria and Orange Book evaluations, where you look at the design documentation of the actual component or the system that’s going through the evaluation.

So you can at most, when you’re an assessor, do a blackbox test. You give it a stimulus, and you expect the response. If you don’t get it, the control fails. But white and gray box testing goes below the waterline where you actually understand, how was that component built?

Did they use secure coding techniques? Is it a memory safe programming language? So all the things that are out of our control are below the waterline.

Now, wireless is a capability that goes above the waterline and below the waterline. When I talked about that, I’m really thinking about bringing in all these components from the commercial space.

And they end up being part of your system. And you’re just not managing those. So that, in some sense, is below the waterline.

And I use the analogy of night vision because I want to have–

I need technology to help me understand when I’ve missed those things. It may have been intentional. I may be accepting the risk, but my experience says a lot of those instances are things that just fly below the radar. They’re not being managed.

They’re not part of your understanding of what you have and why it’s critical.

When you talked about the drone technology and getting close to that physical perimeter, which is, part of our defense in depth is the physical access controls around–

we call those the guards, guns and gates around facilities.

The wireless is going everywhere, as you stated. And so with drone technology, you want to get close to where those signals are, and then being able to exploit those. We’ve got to think the next generation through this problem because all that new technology is right up on top of us right now.

Good. Well, Ron, thank you. This has been fantastic. I know we’re not done, but I just wanted to thank you again. Your insights on this publication are incredibly helpful, and hopefully the audience would agree.

So let me jump into defensive measures because we want to talk a bit about how we can begin to bring visibility to this domain, that we’ve hopefully motivated the risks associated with them and we’ve drilled down to 800-53 and the controls that impact our understanding of the wireless world.

So let’s start to bring visibility. And how do we do that? Well, at Bastille, what we do is we create sensors that are based on software-defined radio architectures that allow us to scan the RF spectrum continuously and detect, identify and localize individual wireless emissions.

So what we’re doing is we’re scanning all these frequencies that these terrestrial communications protocols operate on. And I mentioned it before, but I’ll just highlight again–

cellular, Bluetooth Classic, Bluetooth Low Energy, Wi-Fi, Zigbee, et cetera.

All these protocols, we want to detect the packets that are flying around.

And then we want to extract metadata from those packets. And we do that by decoding the headers of those packets, just whatever information is sent in the clear. And this gives us a rich understanding of the device’s identity, its capabilities, its connectivity, who it’s talking to and what the nature of its behavior is in a lot of different aspects.

And then we’re going to use these sensors to cooperatively localize those emissions in space. So now we have spatial information where you can see a depiction of a UI in the center of this slide, where icons are located on a floor plan indicative of where the system has localized those emissions to be.

So we have space. We have time. We have behavior. And the metadata that we extract runs the gamut from manufacturer, device ID, frequency of operation, what access point it’s talking to, what networks it’s connected to in the past, what cellular carrier it has–

all kinds of data like this, and again, enhanced with both spatial and temporal information as well.

So this is multi-dimensional data set now. It’s available to us. Once we have cracked this nut of bringing visibility to the wireless environment, now we can identify devices and do some sort of inventory associated with what’s within our space.

And we can begin to analyze this multi-dimensional data set to understand what is going on that might be of concern, that might be threatening in some sense–

whether that be behavior that could be indicative of some compromise in terms of access, or an ongoing attack vector, or maybe some behavior that indicates some device is acting in a way that might create a denial of service condition, or whatever it might be.

We have now access to all of this data where we can overlay it with analytics and begin to bring insight into this domain and highlight where people should pay attention and what they should investigate to mitigate threats.

The sensors are very broadband.

They operate with some intensive processing capabilities to manage all of this massive amount of data. As I mentioned, there’s a lot of wireless around us. We have more than our fair share in the US. If you’re coming to us from a developed country, you probably have more than your fair share.

So we have a lot of stuff to process. And it is a bit mind-boggling once you begin to put monitoring in place, just how much is going on in your environment. So it requires a fair bit of processing. We have, again, an architecture that allows us to change the behavior of the radios themselves to modify our ability to handle protocols as they evolve and other kinds of processing enhancements.

Most importantly for a lot of our customers is that these sensors are 100% RF-passive, meaning they don’t transmit anything. They’re not corrupting the airwaves. They’re not complicating things for your environment and for many secure environments.

The idea is that if you’re not transmitting, then you’re not creating additional risks. We don’t want these to be an extension of the wireless attack surface. So we mitigate that so that secure computing customers don’t have to worry about that.

There’s some other nice features that I won’t go into. But just suffice it to say, there’s a lot of great technology behind this that has taken a long time to develop, things like enabling comprehensive cellular detection so that we can use all of the cellular packet types–

not just maybe control packets like ratchets, but also any data traffic to allow us to detect, locate individual emissions so that we’re looking at a comprehensive view of all of the cellular activity.

It turns out that’s a challenging thing to do. We’ve cracked that nut. And similarly, we’ve been able to crack the nut of identifying and locating individual Bluetooth devices when they’re paired. And the reason that’s interesting is that Bluetooth, once it connects to another device, that device then starts hopping in frequency across 40 to 79 channels, depending on the protocol. And it’s difficult to make sense of all of that.

So what we’ve done is with our broadband software-defined radios, we take the vacuum-cleaner approach to the spectrum. And then we have some IP that allows us to disambiguate those communications on the backend and stitch them all together to do individual device detection and localization.

So again, a lot of work has been done to bring comprehensive visibility to this very complex attack surface.

We have a lot of integrations that we’ve built up over the years that allow us to push data to other systems and accept data from other systems to address various types of use cases–

integrations with controllers on the Wi-Fi side, for example, that allow us to gather information about authorized devices and maybe push alerts to [? NAKA ?]

device or other things.

And of course, we would like to push this data into tools like Splunk that allow us to aggregate all of the information from all of your security tools so that you have one place to go to get all of that insight, whether it be just asset identification or ongoing monitoring, and alert management. So all those integrations are really useful.

Thank you for your time. If you stuck with us this far, I hope you’ve enjoyed this conversation as much as I have. Ron, this has been really insightful for me to talk through some of these controls. And I think, we may have some time for some questions. So I’ll turn it back to Justin to manage that.

Thank you so much, Brett. We do have a few questions. Interest in wireless control updates to NIST SP 800-53. What has changed/improved?

What I was referring to earlier, that link that I provided on one of the earlier slides. If you just Google NIST, N-I-S-T, space, C-P-R-T–

it stands for the Cybersecurity Reference tool. That will give you the real-time updates to all of the NIST controls. They’re doing those in almost–

not daily, but they’re very frequent.

Now any time that there’s a new threat that comes out, whether it’s wireless or whatever the threat might be, NIST will propose a new control or control enhancement. And they will vet that publicly to make sure that the entire community has a chance to look at that control that they built before it goes live on the website.

And so when you go to that website today, you’ll see the latest controls. They’re not updating–

it used to take two or three years for a NIST publication to go through the update cycle, but now you’re seeing interim updates when they’re needed. So it’s like a dynamic way of producing standards and guidelines that’s needed today.

Thank you, Ron. Someone else working in one of the defense areas asks a question. What are the primary risks and specific exceptions necessary for wireless in SCI environment?

Well, if you’re in a safe environment, that’s going to be a local decision. I mean, it’s a huge risk, the wireless threat for SCI. So you’re talking about Sensitive Compartmented Information, the highest level of nation state-level secrets in that SCI.

So are there exceptions? Possibly, but that’s going to be a local decision, a risk management decision by the organization that owns and operates that SCI.

There’s a whole website, the Committee on National Security Systems, that dictates a lot of the cybersecurity policies and things for the National Security community. So that’s why I would recommend that you go to take a look at that.

But let me just chime in on the risks. So the risks are many. But the first things that come to mind include any device that has a microphone or a camera can be surreptitiously used to extract audio or video information that could be of a national security interest.

Typically, less of a concern would be network penetration, unless you are a bad actor, a malicious actor who is intentionally introducing forbidden devices. And that could include–

there have been examples actually, where people have been charged for introducing cell phones into secure spaces and then using those phones to take pictures of classified information and exfiltrate them wirelessly right out of the building. So that can be a concern.

And then of course, if you introduce media into a system, you can potentially extract information that way as well. So the risks are many. And as Ron said, it’s really up to each organization to determine what devices they will authorize. But then I would just point out that whether authorized or not, without having some visibility, you’re just hoping that the policy is being followed. So that’s where wireless monitoring really comes into play.

Brett, another question, perhaps for yourself, what are the best RF mitigation practices while traveling in or near adversarial territories?

Depending on the territory, you might consider burner devices. And as far as wireless security best practices, really, because of what I mentioned before that these signals, you can’t control where they go–

they really will go pretty much everywhere.

If you don’t want to be observed in whatever it is that you’re doing, the best security is simply to shut down those interfaces. Don’t allow the device to transmit. And that is pretty straightforward on a lot of platforms, but it’s surprisingly challenging to do on a phone. You have to make sure you go in and disable every interface.

And sometimes, like on an iPhone, just the Command Center, I think it’s called, is not sufficient to shut everything down. So depending on how concerned you’re feeling, if you’re really worried, I would say just go in and shut down all those interfaces because they’re constantly beaconing out information. And if you’re worried about surveillance, then maybe you just don’t want to face that.

That’s the questions we have for today. Thank you both very much. Look forward to holding more sessions with Ron and with Brett.

Thanks, Justin. Thanks, Ron.

Thank you.
