ITL Newsletter for September - October 2018

From agriculture, to manufacturing, to our homes, to healthcare, and beyond, technology is advancing towards ‘smart’ and ‘smarter’ systems. Generally speaking, ‘smart’ technology refers to numerous sensory devices working together through larger infrastructures. Rapid advances in computer science, software engineering, systems engineering, networking, sensing, communication, and artificial intelligence are not only evolving – they are also converging.

Historically, there has been little in the way of formal, analytic, or even descriptive information about the building blocks that govern the operation, trustworthiness, and life cycle of Internet of Things (IoT). A composability model and vocabulary that defines principles common to most, if not all networks of things, is needed to address the question: "What is the science, if any, underlying IoT?" NIST Special Publication (SP) 800-183, Networks of ‘Things,’ offers an underlying and foundational science to IoT that is based on a belief that IoT involves sensing, computing, communication, and actuation.

Aerial drones might someday deliver online purchases to your home. But in some prisons, drone delivery is already a thing. Drones have been spotted flying drugs, cell phones and other contraband over prison walls, and in several cases, drug traffickers have used drones to ferry narcotics across the border. (Picture credit: Shutterstock)

If those drones are captured, investigators will try to extract data from them that might point to a suspect. But there are many types of drones, each with its own quirks, and that can make data extraction tricky. It would help if investigators could instantly conjure another drone of the same type to practice on first, and while that may not be possible, they can now do the next best thing: download a “forensic image” of that type of drone.

Organizations worldwide stand to lose an estimated $9 billion in 2018 to employees clicking on phishing emails. We hear about new phishing attacks regularly from the news and from our friends. So why DO so many people still click? NIST research has uncovered one reason, and the findings could help CIOs mount a better defense. (Picture credit: Shutterstock)

This summer ITL hosted 28 undergraduate students from 21 colleges and universities in the annual SURF program. Students conducted research in cybersecurity, biometrics, mathematics, statistics, software, and information access. Students concluded the program by giving a scientific talk on their research.

Kevin Stine, Chief

The Applied Cybersecurity Division (ACD)—one of seven technical divisions in NIST’s Information Technology Laboratory—implements practical cybersecurity and privacy through outreach and effective application of standards and best practices necessary for the U.S. to adopt cybersecurity capabilities. (Picture credit: NIST)

ACD is known for: establishing cybersecurity standards and guidelines in an open, transparent, and collaborative way; cybersecurity testing and measurement (from developing test suites and methods to validating cryptographic modules); and applied cybersecurity—which applies NIST’s research, standards, and testing and measurement work.

Congratulations to the following ITL Award winners:

The Outstanding Contribution, for contributions to design, analysis, standards, prototyping, and measurement of new technologies to improve the Robustness of Internet Inter-Domain Routing: Oliver Borchert, Lilia Hannachi, Okhee Kim, Kyehwan Lee, Doug Montgomery, and Kotikalapudi Sriram.

The Outstanding Administrator, for improving the visibility of ITL’s cybersecurity program to diverse stakeholders with new and innovative communications approaches: Kristina Rigopoulos

The Outstanding Technology Transfer, for enabling widespread use of micromagnetic modeling to enhance U.S. innovation in research and product development: Michael Donahue and Donald Porter

The Outstanding Standards Document, for design and specification of the BGPsec protocol and leading the publication of the International Standard “BGPsec Protocol Specification,” IETF RFC 8205: Kotikalapudi Sriram and Doug Montgomery

The Outstanding Journal Publication, for outstanding scholarship in the journal paper “Estimating yield-strain via deformation-recovery simulations”: Paul N. Patrone, Samuel Tucker, and Andrew Dienstfrey

The Outstanding Associate, for his dedication and outstanding contribution to the Cloud Program, Internet of Things (IoT) Program, the ITL Platform for Network Innovation (PNI) and many more: Charif Mahmoudi

The Outstanding Conference Proceedings, for their outstanding work that resulted in a high-quality conference proceedings paper accepted for presentation and publication at a highly selective conference: NDN-Trace: A Path Tracing Utility for Named Data Networking, Proceedings of the 4th ACM Conference on Information-Centric Networking, Berlin, Germany, September 26-28, 2017: Siham Khoussi, Davide Pesavento, Lotfi Benmohamed, and Abdella Battou

The ITL Diversity Award, for serving as a tireless advocate of diversity and inclusion of under-represented groups in science, technology, engineering and mathematics: Fern Hunt

Bootstrap method versus analytical approach for estimating uncertainty of measure in ROC analysis on large datasets (NISTIR 8218)
The nonparametric two-sample bootstrap is employed to estimate uncertainties of statistics of interest in receiver operating characteristic (ROC) analysis on large datasets with/without data dependency due to multiple use of the same subjects in many disciplines, based on our studies of bootstrap variability. On the other hand, it would seem that the analytical method might be used for the same purpose. However, comparing these two methods, the differences are noteworthy. (1) The bootstrap method takes account of how genuine scores and impostor scores are distributed, which is associated with how the matching system works; but the analytical method does not. (2) If datasets involve data dependency, the bootstrap method can take it into account; but the analytical method cannot. (3) The covariance term that occurred in the speaker recognition evaluations while estimating the standard error of the measure can be taken into account intrinsically by the bootstrap method; but it is very hard to estimate analytically. (4) The analytical method generally underestimates the uncertainties of statistics of interest; but the bootstrap method estimates them more conservatively. To demonstrate these observations, the data used in this article were generated from a variety of sources: speaker recognition evaluations, biometrics evaluations, simulated data with normal distributions, and simulated data with nonparametric distributions.
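The following is an added illustration of the two-sample bootstrap this abstract describes; it is example code written for this page, not code from NISTIR 8218. Genuine and impostor scores are resampled separately with replacement, the ROC statistic is recomputed on each replicate, and the spread of the replicates gives the standard error and a percentile interval. For comparison, the Hanley-McNeil formula supplies an analytic standard error for AUC that depends only on the AUC value and the two sample sizes, which is the sense in which an analytic method does not take the shape of the genuine and impostor score distributions into account. The scores are constructed from two Gaussians with a fixed seed; the sample sizes, replicate count, and the choice of AUC and TPR-at-fixed-FPR as the statistics are assumptions. Subject-level dependency and the covariance term mentioned in the abstract are not modelled here.

```python
"""Two-sample bootstrap versus an analytic formula for the uncertainty of a ROC
statistic. Added example with constructed data; not code from NISTIR 8218."""
import bisect
import math
import random
from typing import Callable, Dict, List, Sequence, Tuple

Stat = Callable[[Sequence[float], Sequence[float]], float]


def auc(genuine: Sequence[float], impostor: Sequence[float]) -> float:
    """Empirical AUC = P(genuine score > impostor score); ties count one half."""
    imp = sorted(impostor)
    wins = 0.0
    for g in genuine:
        below = bisect.bisect_left(imp, g)       # impostors strictly below g
        not_above = bisect.bisect_right(imp, g)  # ... plus those tied with g
        wins += below + 0.5 * (not_above - below)
    return wins / (len(genuine) * len(imp))


def tpr_at_fpr(genuine: Sequence[float], impostor: Sequence[float], fpr: float) -> float:
    """True match rate at the threshold that admits at most `fpr` of the impostors."""
    imp = sorted(impostor, reverse=True)
    allowed = int(fpr * len(imp) + 1e-9)  # impostors permitted above the threshold
    # Threshold is the next-highest impostor score; a match needs a score strictly above it.
    thr = imp[allowed] if allowed < len(imp) else -math.inf
    return sum(1 for g in genuine if g > thr) / len(genuine)


def two_sample_bootstrap(genuine: Sequence[float], impostor: Sequence[float],
                         stat: Stat, n_boot: int = 300, seed: int = 0) -> Dict[str, float]:
    """Resample genuine and impostor scores independently (with replacement),
    recompute `stat` on each replicate, and summarise the replicate spread."""
    rng = random.Random(seed)
    estimate = stat(genuine, impostor)
    reps: List[float] = []
    for _ in range(n_boot):
        g_star = rng.choices(genuine, k=len(genuine))
        i_star = rng.choices(impostor, k=len(impostor))
        reps.append(stat(g_star, i_star))
    mean = sum(reps) / n_boot
    se = math.sqrt(sum((r - mean) ** 2 for r in reps) / (n_boot - 1))
    reps.sort()
    return {
        "estimate": estimate,
        "se": se,
        "ci_low": reps[int(0.025 * n_boot)],
        "ci_high": reps[min(n_boot - 1, int(0.975 * n_boot))],
    }


def hanley_mcneil_se(a: float, n_genuine: int, n_impostor: int) -> float:
    """Analytic standard error of AUC (Hanley & McNeil, 1982). It uses only the
    AUC value and the two sample sizes, not the score distributions themselves."""
    q1 = a / (2.0 - a)
    q2 = 2.0 * a * a / (1.0 + a)
    var = (a * (1.0 - a) + (n_genuine - 1) * (q1 - a * a)
           + (n_impostor - 1) * (q2 - a * a)) / (n_genuine * n_impostor)
    return math.sqrt(max(var, 0.0))


def constructed_scores(n: int = 100, seed: int = 7) -> Tuple[List[float], List[float]]:
    """Constructed matcher scores (assumption): genuine ~ N(1.5, 1), impostor ~ N(0, 1)."""
    rng = random.Random(seed)
    genuine = [rng.gauss(1.5, 1.0) for _ in range(n)]
    impostor = [rng.gauss(0.0, 1.0) for _ in range(n)]
    return genuine, impostor


def compare_methods(n_boot: int = 300, seed: int = 0) -> Dict[str, float]:
    """Bootstrap SE and analytic SE for the AUC of the constructed scores."""
    genuine, impostor = constructed_scores()
    result = two_sample_bootstrap(genuine, impostor, auc, n_boot, seed)
    result["analytic_se"] = hanley_mcneil_se(result["estimate"], len(genuine), len(impostor))
    return result


if __name__ == "__main__":
    r = compare_methods()
    print(f"AUC = {r['estimate']:.4f}")
    print(f"bootstrap SE = {r['se']:.4f}, 95% percentile CI = [{r['ci_low']:.4f}, {r['ci_high']:.4f}]")
    print(f"Hanley-McNeil SE = {r['analytic_se']:.4f}")
    g, i = constructed_scores()
    at_1pct = two_sample_bootstrap(g, i, lambda a, b: tpr_at_fpr(a, b, 0.01))
    print(f"TPR at FPR 1% = {at_1pct['estimate']:.3f} (bootstrap SE {at_1pct['se']:.3f})")
```

Because the bootstrap only needs a function from (genuine, impostor) scores to a number, the same loop serves AUC, TPR at a fixed FPR, or any other ROC statistic, whereas a closed-form standard error has to be derived separately for each one.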

Guidance for Evaluating Contactless Fingerprint Acquisition Devices (NIST Special Publication 500-305)
This document details efforts undertaken by the National Institute of Standards and Technology (NIST) to develop measurements and a protocol for the evaluation of contactless (touchless) fingerprint acquisition devices. Contactless fingerprint capture differs fundamentally from legacy contact fingerprinting methods and poses novel problems for image quality evaluation and challenges relative to interoperability with contact fingerprints that populate large repositories maintained by law enforcement and Federal Government organizations. For contact acquisition, the fingerprint impression is a first-order transfer of the 3D friction ridge structure to the recording surface. The third dimension of the curved finger surface is effectively removed by pressure against the planar recording surface. The 3D topography of the ridges and furrows is transferred with low ambiguity to the recording surface as dark ridges (points of contact) and lighter furrows (lesser or no contact). Contactless images by comparison, in most cases, are third-order renderings of an original photographic representation, itself a 2D optical projection of the 3D structure of the finger. The appearance of this projection is subject to variability as low- or moderately-controlled lighting interacts with the 3D geometry of the finger, the friction ridge structure superimposed on the finger, and the geometry of the presentation of the finger to the contactless device. The photograph must then be subjected to various image processing methods to infer the ridge structure for rendering as a fingerprint similar in appearance to legacy contact captures. The rendering process is the source of numerous errors relative to contact captures. Despite problems with image quality, this early study finds contactless fingerprints of the devices examined to be usable in some applications, with qualifications, including one-to-many matching against small databases.

Guidelines for the Use of PIV Credentials in Facility Access (NIST Special Publication 800-116rev1)
This document provides best practice guidelines for integrating the PIV Card with the physical access control systems (PACS) that authenticate the cardholders in federal facilities. Specifically, this document recommends a risk-based approach for selecting appropriate PIV authentication mechanisms to manage physical access to federal government facilities and assets.

Identity and Access Management for Electric Utilities (NIST Special Publication 1800-2)
To protect power generation, transmission, and distribution, energy companies need to control physical and logical access to their resources, including buildings, equipment, information technology (IT), and operational technology (OT). They must authenticate authorized individuals to the devices and facilities to which they are giving access rights with a high degree of certainty. In addition, they need to enforce access control policies (e.g., allow, deny, inquire further) consistently, uniformly, and quickly across all their resources. This project resulted from direct dialog among NCCoE staff and members of the electricity subsector, mainly from electric power companies and those who provide equipment and/or services to them. The goal of this project is to demonstrate a converged, standards-based technical approach that unifies identity and access management (IdAM) functions across OT networks, physical access control systems (PACS), and IT systems. These networks often operate independently, which can result in identity and access information disparity, increased costs, inefficiencies, and loss of capacity and service delivery capability. This guide describes our collaborative efforts with technology providers and electric utility stakeholders to address the security challenges energy providers face in the core function of IdAM. It offers a technical approach to meeting the challenge and incorporates a business value mind-set by identifying the strategic considerations involved in implementing new technologies. This NIST Cybersecurity Practice Guide provides a modular, open, end-to-end example solution that can be tailored and implemented by energy providers of varying sizes and sophistication. It shows energy providers how we met the challenge using open source and commercially available tools and technologies that are consistent with cybersecurity standards.

NIST Big Data Interoperability Framework: Vol. 1, Definitions, Revision 1 (NIST Special Publication 1500-1r1)
Big Data is a term used to describe the large amount of data in the networked, digitized, sensor-laden, information-driven world. The growth of data is outpacing scientific and technological advances in data analytics. Opportunities exist with Big Data to address the volume, velocity, and variety of data through new scalable architectures. To advance progress in Big Data, the NIST Big Data Public Working Group (NBD-PWG) is working to develop consensus on important, fundamental concepts related to Big Data. The results are reported in the NIST Big Data Interoperability Framework (NBDIF) series of volumes. This volume, Volume 1, contains a definition of Big Data and related terms necessary to lay the groundwork for discussions surrounding Big Data.

NIST Special Database 301: Nail to Nail Fingerprint Challenge Dry Run (NIST Technical Note 2002)
In April 2017, the Intelligence Advanced Research Projects Activity (IARPA) held a dry run for the data collection portion of its Nail to Nail (N2N) Fingerprint Challenge. This data collection event was designed to ensure that the real data collection event held in September 2017 would be successful. To this end, real biometric data from unhabituated individuals needed to be collected. The National Institute of Standards and Technology (NIST), on behalf of IARPA, has released a dataset of the biometric images obtained during the N2N Fingerprint Challenge dry run data collection. The image distribution, entitled Special Database 301 (SD 301), can be freely downloaded from the NIST website.

Securing Wireless Infusion Pumps in Healthcare Delivery Organizations (NIST Special Publication 1800-8)
Medical devices, such as infusion pumps, were once standalone instruments that interacted only with the patient or medical provider. However, today's medical devices connect to a variety of healthcare systems, networks, and other tools within a healthcare delivery organization (HDO). Connecting devices to point-of-care medication systems and electronic health records can improve healthcare delivery processes; however, increasing connectivity capabilities also creates cybersecurity risks. Potential threats include unauthorized access to patient health information, changes to prescribed drug doses, and interference with a pump's function.

Shape Analysis, Lebesgue Integration and Absolute Continuity Connections (NISTIR 8217)
As shape analysis of the form presented in Srivastava and Klassen's textbook Functional and Shape Data Analysis is intricately related to Lebesgue integration and absolute continuity, it is advantageous to have a good grasp of the latter two notions. Accordingly, in these notes we review basic concepts and results about Lebesgue integration and absolute continuity. In particular, we review fundamental results connecting them to each other and to the kind of shape analysis, or more generally, functional data analysis presented in the aforementioned textbook, in the process shedding light on important aspects of all three notions. Many well-known results, especially most results about Lebesgue integration and some results about absolute continuity, are presented without proofs. However, a good number of results about absolute continuity and most results about functional data and shape analysis are presented with proofs. Actually, most missing proofs can be found in Royden’s Real Analysis and Rudin’s Principles of Mathematical Analysis, as it is on these textbooks and Srivastava and Klassen's textbook that a good portion of these notes are based. However, if the proof of a result does not appear in the aforementioned textbooks, nor in some other known publication, or if all by itself it could be of value to the reader, an effort has been made to present it accordingly.

Voices of First Responders – Identifying Public Safety Communication Problems (NISTIR 8216)
The public safety community is in the process of transitioning from the use of land mobile radios to a technology ecosystem including a variety of broadband data sharing platforms. Successful deployment and adoption of new communication technology relies on efficient and effective user interfaces based on a clear understanding of first responder needs, requirements and contexts of use. The project employs a two-phased data collection approach for an in-depth look at the population of first responders, along with their work environment, their tasks, and their communication needs. This report documents the data collection of Phase 1 and the first iteration of data analysis. Phase 1, the qualitative component, focuses on interviews with approximately 240 first responders (law enforcement, fire fighters, emergency medical services, communications/dispatch) across the country. Results include: approximately 90 user needs and requirements expressed by first responders; five categories of technology opportunities; six principles for technology development; and the role of trust in usage of communication technology.

Named Data Networking Community Meeting 2018

Controlled Unclassified Information Security Requirements Workshop

Safeguarding Health Information: Building Assurance through HIPAA Security - 2018
