Methods to Evaluate Cost/Technical Risk and Opportunity Decisions for Security Assurance in Design

Thomas McDermott Jr.
Co-Principal Investigators:
Dr. Cody Fleming
This research addresses research needs defined by the Office of the Under Secretary of Defense for Research and Engineering (OUSD/R&E), Strategic Technology Protection and Exploitation (STPE) Division. The proposal closely aligns with the OUSD/R&E's Digital Engineering (DE) Strategy and the Cyber Resilient Weapon Systems (CRWS) initiative. It extends ongoing Systems Engineering Research Center (SERC) research in Security Engineering to address a gap in current systems engineering methods and tools: the lack of cost assessment in cyber resilience system trades.
This research has two primary goals. The first is to derive a set of methods for combined safety/security analysis that captures the rigor of existing safety assurance processes. The second is to define appropriate metrics, particularly cost estimating relationships, that can support the necessary trades and decision-making processes. The research will leverage the approaches and methods of system safety to improve security systems engineering in response to DoD Instruction DoDI 5000.02, Enclosure 14, Section 1b, "Design for Cyber Threat Environments" [Reed and McEvilley, 2018]. The sponsor seeks to optimize system performance with respect to the combined aspects of safety and security given cost, schedule, and performance constraints. The safety community's processes for analyzing and then removing, reducing, or accepting vulnerabilities and their associated risk within these constraints should also inform the selection of security countermeasures within the systems engineering process. The research will begin and remain rooted in existing safety assurance methods, but it will need to diverge where the cybersecurity threat environment demands it: safety analysis largely addresses unintentional faults and hazards, whereas security analysis must account for an intelligent adversary who deliberately seeks out and exploits weaknesses. The research will determine the additional concepts, methods and tools, evidence, and metrics needed to address these threats in a mission resilience context. It must define an effective process and appropriate quantifiable metrics so that cost, schedule, and performance trades are made with rigor and are supported by evidence.
Trusted Systems (TS) is one of the four primary focus areas in the SERC's research strategy. The focus area is further divided into two programs, Systemic Security and Systemic Assurance. This proposal addresses both programs, with a stronger focus on Systemic Security.
BACKGROUND: Digital Engineering is seeing increased application in the conception, design, integration, and verification and validation (V&V) of mission-critical systems. The CRWS initiative is developing engineering design, implementation, and assessment standards and procedures to minimize system vulnerabilities. Because system-level vulnerabilities cannot be completely eliminated, it may be necessary to conduct a mission-level analysis to evaluate the impact on the operational mission of a cyber-attack against the known system vulnerabilities. However, the relationships between mission-level resilience and the design of the subsystems are still poorly understood. In the development of systems-of-systems today, one must account for the costs of interwoven layers of security from the mission level down to the network and mission system architecture levels. The costs of mission cyber resilience are often simplified when evaluating risk to the weapon system, but adding security, together with the need to account for the impacts of loss of data, information, function, capability, and process (the risk), increases both design costs and recurring production costs in hardware and software systems.

In addition, most military systems have interrelated security and safety concerns. Metrics are needed to assess the quality of different requirements and design solutions based on safety and security risks in the presence of a determined cyber-attack. System methods are needed that trade requirements and design decisions based on the evaluation of hazard/risk (loss of equipment or property, damage to the environment, death, injury, and occupational illness), cost, and an understanding of the threat, which in turn requires timely, accurate, credible, and relevant threat information. In particular, the dependencies between cybersecurity and system safety are poorly understood. We must strive to leverage system safety methods and tools to address relevant cybersecurity needs.
In the cybersecurity domain, traditional assurance processes are inadequate, and research is needed on new metrics, methods, and tools for hazard mitigation.