Systemic Security and the Role of Heterarchical Design in Cyber-Physical Systems
Trusted Systems Thomas McDermott Jr.
Co-Principal Investigators:
Dr. Valerie Sitterle
Background:
Defense systems in operation and in development today are increasingly cyber-physical in nature. Cyber-physical systems (CPS) combine sensors and actuators to perceive and act in the physical world with communication to enable information and data flow, and computation to drive decision making and control the physical actuation. While CPS offer the potential for tremendous new capabilities, their ‘cyber-ized’ computation and communication backbone coupled with readily available technological advances makes them vulnerable to classes of threats previously not relevant for many defense systems. Cyberattacks are now a tremendous concern for the future of military operations, which has spawned a need to intentionally design “cyber resilience” into these systems at the early stages in ways that are amenable to comparative analysis and verification within the systems engineering process.
Research is needed to advance the theory and practice of systems security design and analysis for cyber-physical systems in ways that will address security concerns at design time. Security is distinguished from the broader concept of resilience in that security focuses on protecting defense systems from sentient adversaries. Cyber systems are generally designed by initially specifying critical and other necessary functionality. The high-level functionality is decomposed into specific functional capabilities, and system requirements derive from these functional needs. The –ilities, or system qualities (SQs) of a system such as maintainability, changeability, survivability, etc. are best understood through their relation to the non-functional performance requirements. From this perspective, security is another non-functional quality. Security is assessed based on how well a given security design pattern protects the system as intended – without adversely impacting the critical functional capabilities.
With that understanding, research is needed to develop a holistic approach integrating the CPS, attack vector(s), and security implementation(s) into a unified ecosystem whereby we may evaluate how well security design choices preserve critical system functionality necessary for mission success. Further, the frameworks and methods created and matured in this effort must serve as a direct complement to existing model-based systems engineering (MBSE) processes and tools and, in turn, themselves be executable within a toolset that enables systems engineers to produce, navigate, and understand the complexity and scope of the problem. The ultimate goal is to extend system models to an assurance test framework and related system design patterns. These model extensions will enable the community to maintain explicit knowledge of vulnerabilities and corrective patterns in design models and begin to build standard libraries of test strategies reusable across different security design and evaluation efforts.