RT 204: Systemic Security and the Role of Heterarchical Design in Cyber-Physical System
Report Number: SERC-2019-TR-007
Publication Date: 2019-06-07
Project: Systemic Security and the Role of Heterarchical Design in Cyber-Physical Systems
Thomas McDermott Jr.
Background: This effort constituted Phase 1 of RT-204, Systemic Security and the Role of Heterarchical Design in Cyber-Physical Systems. Previous work, conducted in the pilot investigation of RT-180: "Research Incubator", envisioned a multi-year progression of research and associated development to support analysis of security protection strategies for cyber-physical systems (CPS). RT-180 proposed an approach based on the abstraction and subsequent simulation of dynamic processes on functional graph models. Extending RT-180 into RT-204, the ultimate goal is to produce systems engineering methods, processes, and tools that enable co-development of system models and threat attacker models to inform requirements and design of complex engineered systems, specifically CPS.
Purpose: The work performed under Phase 1 of RT-204 takes the first steps toward developing and gradually maturing a capability to define and analyze security threats and counter-threat design patterns for cyber-physical systems. The envisioned approach aims to enable the greater community to rationally compare and select security implementations (a) in the early stages of design, ‘designing in security,’ and is (b) also applicable to already designed systems where security solution are needed.
Phase 1 of RT-2014 developed the initial foundation for a holistic approach to integrating the CPS, attack vector(s), and security implementation(s) into a unified ecosystem model. The model is an abstraction of the greater system functional behavior, able to show how different types of failures may propagate through the system and what observable conditions these failures may manifest. The initial efforts of Phase 1 focused on two concurrent lines of approach: 1) methods to support generation of dynamic graph models from information extracted from existing MBSE formalisms, and 2) augmenting these structures with appropriate abstraction of functional characteristics (including from threats and protection patterns) and a means through which the dynamics associated with these structures and characteristics can be evaluated. The approach seeks to reveal how well security design choices preserve critical system functionality necessary for mission success.
Findings: A primary discovery revealed through this Phase 1 effort is need to look more deeply into how to model system functionality to develop simulations of cyber-physical systems. Several fundamental questions vital to modeling CPS in a formal MBSE sense as well as make these models amenable to a dynamic analysis of security design evaluation must be addressed. Specifically, how should a functional architecture be defined in the form of an activity diagram that brings cyber and physical function types together with threat attack patterns in a meaningful and representative way and at what level of decomposition? Maturing future work under RT-204 from this focal point will better position the research to answer the bidirectional problem of formal MBSE specification and simulation of the specified functional architecture. As part of the maturation of this work task, a pilot library for cyber-physical systems, their potential threat attack patterns, and associated security protection patterns should be specified. This would enable systems engineers to partially automate the assembly of a new meta-model from existing component libraries containing key CPS components and/or associated functions, common threat vectors and associated attack libraries, and libraries of security design patterns. Additionally, future work will still need to mature the threat characterization and modeling space. This is a monumental gap in current understanding and practice. Specifically, how can various threat types be best expressed as functional patterns themselves? Research is still needed for a consistent, repeatable way to extract relationships between threat vectors and functional assets common to cyber-physical systems.
Conclusions: RT-204 established that a functional model extracted from a formal system description, augmented with attack graphs, and a library of protective functional patterns, may provide an effective path toward earlier-stage design and analysis of security for cyber-physical systems. Further, the general approach developed in this work may serve as the basis for a repeatable, yet flexible approach. It is abstract enough to scale with increased model size, especially if the notion of a function library for CPS is established for community maturation. Dynamic simulation of an ecosystem view – comprised of the original (unprotected) cyber system, the threat functional capabilities and attack vectors revealing the critical cyber assets they will target – can provide insight concerning the health of the functional state space at a level of abstraction that should prove meaningful for design.
The framework and foundations developed in Phase 1 of RT-204 are extensible to future maturation and use with different “truths,” or views that comprise the MBSE process and practice. Together, they provide a path forward for simultaneous exploitation of MBSE, Digital Engineering, and Model-Based Design. Specifying an activity diagram view – a directed graph model of a functional architecture depicting functional elements and the resource, logical, or causal flow between them – as done in this work has tremendous implications for future practice. This approach may lead to a definition of best practices for transforming functional architectures into true, active analytical tools and not merely reference design templates.