
The New Old Discipline of Cyber Security

Thomas A. Fuhrman Senior Vice President, Booz Allen Hamilton, Herndon, VA, USA

Abstract - Although cyber security engineering is an established and diverse engineering field, it is not widely understood, and is under-applied in practice. The large and growing need to secure IT networks has been the primary driver across society in developing the cyber security workforce from high school through college and in the continuing education programs of industry and professional societies. However, this emphasis on building the workforce skills for securing IT networks neglects the distinct technical skills needed to secure complex systems other than traditional IT systems. This paper focuses on the urgent need for the discipline of cyber security engineering and its relevance to these complex systems, using mis-use case analysis as an example of methods that can be employed.

Keywords: security engineering, systems engineering, cyber, mis-use case, tradeoff analysis

1 Introduction

The growing recognition of the threat that hackers pose to IT networks and the enterprise data that they hold and process has attracted a great number of professionals to the field of cyber security. This workforce is widely deployed against the difficult task of protecting IT systems and software, corporate network infrastructures, and network resources (e.g., “clouds”). Because this challenge requires a wide range of different skills, the cyber security workforce is highly diverse. Professional cyber security practitioners range from entry-level analysts to experienced System Security with multiple professional certifications. Managers often view this set of specialists as the cyber “experts” in the organization, to be brought in when problems occur on the network, sometimes without regard to their particular expertise. Assigning people with the right skill levels to the right positions is uneven in both government and industry. [1, 2, 3]

Compounding the cyber security challenge is that there are not enough cyber security professionals in the workforce. Many reports describe how the nation is critically short of people with these skills. [4, 5] Since the late-1990s, the U.S. government has made a concerted effort to increase the size and depth of this workforce by establishing numerous programs aimed at increasing the pipeline of qualified cyber security professionals. Cybersecurity scholarship programs have been set up across the civil agencies and within the Department of Defense. Additionally, the National Security Agency (NSA) and the Department of Homeland Security jointly sponsor a program to designate schools whose curriculums meet certain standards as Centers of Academic Excellence in Education. Yet while these and other programs are making progress in increasing the cyber workforce, the demand continues to outpace supply.

The body of knowledge for cyber security today is unquestionably centered on enterprise networks and IT systems. In fact, what is striking about the qualifications and deployment of cyber security practitioners is that only a small percentage is focused beyond IT networks. This emphasis on securing traditional IT systems is not misplaced, but it is important to realize that systems other than traditional IT also have critical and often distinct cyber security needs. Those systems are the purpose-built systems that exist to perform functions in the physical world—tasks other than pure data processing. This includes a large class of systems called by names such as closed-loop systems, embedded systems, complex systems, realtime systems, realworld systems, distributed systems, and unmanned systems. Specific examples include power grids, smart cars, aircraft, air traffic management systems, manufacturing process control systems, Supervisory Control and Data Acquisition (SCADA) systems, oil drilling platforms, nuclear power plants, autonomous underwater vehicles, Unmanned Aircraft Systems (UAS), space vehicles, healthcare tools and systems including implantable medical devices, military weaponry, and a great many others. These systems are designed to perform specific functions in the physical realm rather than in cyberspace, though certainly onboard computing and external network interfaces are almost universally critical to their functions.

In the absence of an accepted all-encompassing term, the term “mission systems” is used here in referring to this class of systems.1

1 Many such mission systems, including those that are termed “critical infrastructures,” have connections to IT networks for the purpose of control and communication. In these cases, the IT network provides the automated control of the realworld system—reflecting Norbert Wiener’s original usage of the term cybernetics, from which today’s word cyber is derived. [6]

2 The Cyber Challenge for Mission Systems

The cyber challenge for mission systems today has two dimensions. First, buyers and owners of mission systems often do not have sufficient appreciation of the threats facing their systems in the cyber realm and the damage they can inflict. Second, the cyber security workforce has difficulty delivering its expertise in ways that are compatible with the main engineering effort so that the overworked adage about security being “built in, not bolted on” can be realized.

2.1 The Buyer/Owner Dimension

There have been many cases in recent years in which cyber vulnerabilities in mission systems were only discovered when they were exploited. Recent newsworthy examples include the 2011 case of the in-theater military UAS sensor system whose live streaming intelligence video was intercepted by the adversary using software downloaded from the Internet; the 2011 landing in Iran of a classified UAS, which at least one Iranian engineer claimed was achieved by cutting the command link and changing the vehicle’s GPS position; and the widespread reporting in 2010 of a sophisticated virus that targeted of the Siemens product line for managing large-scale industrial control systems used by manufacturing and utility companies. Further, a 2007 test conducted by the Idaho National Laboratory proved that the so-called “Aurora Vulnerability” in a certain class of large electric generators and turbines that serve the U.S. power grid could in fact be exploited in a way that would lead to their physical self-destruction. [7, 8, 9]

These events and others like them indicate that the cyber security community often has had too small a voice in the design decisions made in the development of mission systems. But cyber security needs have not been ignored totally, and there is widespread agreement on the general concept that cyber security engineering should be part of a broader system engineering effort. In the Department of Defense, for example, cyber security for mission systems is called out in certain areas, such as in the cyber security policy for space systems, which says that Information Assurance (IA) ‘shall be applied in a balanced manner by performing Security Engineering (ISSE) as an integral part of the space system and system engineering process to address all IA requirements in the intended operational environment.’ [10]

Similarly, the National Institute of Standards and Technology (NIST) has developed draft guidelines for securing the vastly complex and emerging Smart Grid. [11] The three-volume guidelines document describes a set of tasks for assessing cyber security issues and identifying cyber security requirements. (See Figure 1.) It also contains top-level security requirements for the smart grid and defines the logical reference model for interfaces and interactions between the organizations, buildings, individuals, systems, and devices that make up the Smart Grid domains. The amount of content alone is an indication of the magnitude of the cyber challenge in this highly complex mission system.

The cyber security engineer cannot effectively work in isolation. These tasks clearly require the cyber security engineer to work side-by-side with engineers from other disciplines and domains, especially power systems specialists in this case, and to take a broad systems view of cyber risks. For mission systems, the cyber needs to know the systems engineering process, the tools used, and the artifacts produced.

Figure 1. Smart Grid Cyber Security Engineering Tasks

One aspect of cyber security engineering that differentiates it from other engineering fields is that its focus is primarily (though not exclusively) on the potential disruption of system performance caused by the deliberate actions of human actors intent on doing harm. Designing for security is different in this way from designing against environmental effects, unreliable components, or external hazards. The unique value that the cyber expert can bring to an engineering effort is a technical understanding of the threat and an ability to identify potential vulnerabilities in the mission system that could be exploited by the threat, as well as the range of options for mitigating the risk posed by the threat.

Figure 2 shows some of the threat vectors that mission systems need to address. Additionally, cyber security considerations can lead to requirements for implementing special features such as a command disable function or anti-tamper technologies to guard against compromise and reverse engineering if the system is physically exploited.

- Exploitation of vulnerabilities in embedded mission platform software and firmware (e.g., Operational Flight Program) and its development and maintenance
- Exploitation of vulnerabilities of on-platform operating systems
- Exploits against the attack surface of the connected network
- Data protocol exploitation
- Insiders (both witting and unwitting)
- External interfaces/communications links
- Portable media (e.g., CDs, USB devices)
- Local “plug-in” devices (e.g., peripherals, special purpose probes, sensors, test and diagnostic tools)
- Supply chain

Figure 2. Example Cyber Threat Vectors Affecting Mission Systems

2.2 The Workforce Dimension

The workforce challenge for the cyber security of mission systems is particularly difficult. Not only are there too few cyber security professionals in total, but only a minority of those in the workforce today have the engineering training and credentials to credibly engage in the engineering process. It is still somewhat unusual to find a cyber professional with experience in mission systems engineering, and who is able to blend with an engineering team to develop meaningful requirements and operate in the trade space through which the design is evolved.

These tasks would challenge many cyber specialists today because systems engineering methods differ in important respects from the way cyber security services are typically delivered. The structure within which IT security specialists operate is the well-thought-out Risk Management Framework (RMF) described in Special Publication 800-53 of the National Institute of Standards and Technology (NIST). The framework helps the specialist define required levels of assurance, select the appropriate security controls from a comprehensive catalog, assess that the controls are implemented correctly, support a formal decision by a designated owner to authorize operation, and then continuously monitor the security of the system throughout its life cycle. [12]

While the RMF and controls catalog form an essential foundation, more is expected of the cyber security engineer. First, the systems engineering environment expects a more interdisciplinary focus and even more engineering creativity than the RMF structure fosters. For systems of any appreciable complexity, inevitably there are competing operational and technical considerations. One of the key tools of engineering for complex systems is the formal tradeoff study to examine alternatives and make design choices. Tradeoff studies, while common in the engineering of mission systems, are not normally used in the development of IT networks, and cyber security specialists are not usually expected to have this skill. Cybersecurity needs to be part of the tradespace. Advocates recognize that more formalization of the cyber security engineering career field, patterned on the features of established engineering fields, will take time. [2, 3]

Among the most mature of the efforts to advance the systems engineering approach to cyber security is the Systems Security Engineering—Capability Maturity Model (SSE-CMM) standard. Codified as an International Organization for Standardization (ISO) standard (ISO/IEC 21827:2008), SSE-CMM describes the security engineering processes that organizations need to ensure good security engineering. The standard provides a reference model for system security engineering throughout the entire system life cycle and the entire organization, including interaction with other disciplines and with other organizations. It is designed to be congruent with the Systems Engineering process. [13]

3 A Synthesis of Disciplines

Systems Engineering is inherently interdisciplinary. As such it provides an overarching framework in which multiple disciplines can productively operate and integrate towards a common design goal. Figure 3 summarizes some of the key features of Systems Engineering.

Systems Engineering is an interdisciplinary approach that focuses on defining customer needs and required functionality early in the development cycle, documenting requirements, then proceeding with design synthesis and system validation while considering the complete problem:

- Operations
- Performance
- Test
- Manufacturing
- Cost & Schedule
- Training & Support
- Disposal

Systems Engineering integrates all the disciplines and specialty groups into a team effort forming a structured development process that proceeds from concept to production to operation. Systems Engineering considers both the business and the technical needs of all customers with the goal of providing a quality product that meets the user needs.

Source: International Council on Systems Engineering

Figure 3. What is Systems Engineering?

Cyber Security Engineering has strong affinity with two other disciplines found in this environment—System Safety Engineering and . These disciplines have long histories and active professional communities. All three are oriented towards managing throughout the full system life cycle, and integrate very well into the overarching System Engineering framework. All three operate generally in the realm of nonfunctional requirements, with the goal of making the design inherently resistant to failures. In practice, many of the tools (such as Risk Assessment) used within these disciplines are very similar to each other. They also have in common the fact that the non-functional requirements that emerge from safety, cyber security, or reliability concerns may be in tension with the performance objectives that the system is being designed to meet—and therefore may be overlooked or overcome by the pressure to deliver performance. Figure 4 shows a Venn diagram indicating the relationship among cyber security, safety, and reliability components. [14, 15, 16, 17, 18]

Figure 4. Convergence of Disciplines Within the Systems Engineering Framework

Good examples of the integration of these disciplines are found in two government agencies: the mission assurance program of NASA and the surety programs of the Department of Energy. Both explicitly seek to integrate safety, security, reliability, and quality across the system life cycle and have proven records of success. [19] Table 1 summarizes some of the key features and fundamental methods of Systems Engineering, Reliability Engineering, System , and Cyber Security Engineering.

Table 1. Summary of Four Systems Engineering Disciplines

Systems Engineering

Background:
- Interdisciplinary by design
- International Council on Systems Engineering (INCOSE) develops and disseminates best practices for successful systems.
- Publishes the Systems Engineering Handbook and maintains the Systems Engineering Body of Knowledge
- Certification programs [14]

Fundamental Methods:
- Program integration and management tools
- Use Case Analysis
- Design Trade-off Analysis (Figures of Merit/Evaluation Measures)
- Life Cycle management tools

Reliability Engineering

Background:
- Emerged in the 1950s
- Relationship to Surety Engineering and NASA Mission Assurance [15]
- Industry-recognized Certified Reliability Engineer (CRE) and Certified Reliability Professional certifications through American Society for Quality (ASQ) [16]
- IEEE Reliability Society provides numerous professional development opportunities [17]

Fundamental Methods:
- Statistical modeling
- Reliability (Physics of Failure)
- Failure Modes and Effects Analysis
- Fault Tree Analysis

System Safety Engineering

Background:
- International System Safety Society fosters the application of systems engineering and systems management to the process of hazard, safety, and risk analysis [18]
- Certification programs
- Safety of software as a special area of focus

Fundamental Methods:
- Qualitative Analysis to anticipate failure potential during the design phase
- Hazard, Safety, and Risk analyses (qualitative and quantitative)
- Designing ways to contain failures

Cyber Security Engineering

Background:
- Major industry-recognized certifications through (ISC)2, SANS, ISACA, and other organizations
- System Security Engineering Capability Maturity Model (ISO/IEC 21827:2008) model for organizations [13]

Fundamental Methods:
- Mis-Use Case Analysis
- Threat Identification and Characterization
- Risk Management Framework and controls catalog
- Continuous management of system security throughout the life cycle

4 Cyber Security in the Tradespace: An Example

“Use case” analysis is one of the tools of Systems Engineering that has particular relevance to cyber security, used for both requirements identification and in tradeoff studies over alternative solutions. A use case is a description of the employment of the target system in an operating scenario with emphasis on its functions and interactions with the external environment including human actors. It provides a structured way of thinking about how the system will be used in its operating environment that helps in defining the functional requirements.

In practice, use cases are usually expressed using the Unified Modeling Language (UML) that depicts both the actors and the process flow, facilitating information exchange and enabling the use of automated support tools. However, it can be helpful to begin by developing a top-level conceptual picture similar to the “operational view” of the Department of Defense Architecture Framework (DODAF). This can then provide a structured way of thinking about the problem to illuminate needs, enable creative cross-disciplinary discussion, and produce insights into the cyber security and other non-functional requirements. It can be a pre-cursor to the UML Use Case Diagrams.

A tool that is particularly suited to the cyber security engineering challenge is “mis-use case” analysis. Initially developed in the 1990s, the mis-use case turns the use case around by focusing on what a malicious actor could do to disrupt, subvert, or negate the performance of the system. The top-level operational view can also be used for the mis-use case. These insights can later be developed into UML diagrams as well, ultimately leading to additional system requirements. [20, 21]

Both analyses—use case and mis-use case—can help with the trade studies through which the design evolves in addition to their role in requirements definition.

An example of the use case and mis-use case operational views is shown in Figures 5 and 6. These figures depict a notional case in the Air Traffic Management System: the pre-takeoff preparation of the aircraft, filing of the flight plan, and the ground operations associated with starting the engines and taxiing. Coordination with the air traffic management facilities of the Federal Aviation Administration (FAA) is a necessity, as are programming the onboard navigation , getting from the airline operations center, and obtaining taxi clearance from the control tower. These process steps are accomplished by people at a wide range of locations and facilities.2 The operational view of the use case and its associated misuse case allow all members of the systems engineering team to work together from a common starting point.

2 This scenario is for illustration only. In reality, most of the requirements of today’s Air Traffic Management System are already known and specified by standards and regulatory requirements of the FAA and other agencies. Nonetheless, specific implementation details would typically still need to be decided as part of the system engineering effort, and a regular review of mis-use cases is advisable as threats change.

Figure 5. Operational View of a Pre-Takeoff Use Case (Air Traffic Management)

Examination of the mis-use case should involve every component and link within the system, and every relevant threat vector with the goal of illuminating the cyber security challenges. These results should be brought forward for further consideration and analysis.

In the example shown in Figure 6, possible cyber challenges suggested by the operational view include interception of mission data by intruding into the communication links in the system; exploitation of the insider leading to compromise of access controls or other critical security controls; penetration of the ground-based networks that communicate and process critical system data; and malicious exploitation of vulnerabilities in the supply chain of the avionics equipment. These insights are just the start of the process, and a full use/mis-use case analysis using accepted systems engineering tools should be the next step.

Figure 6. Operational View of a Pre-Takeoff Mis-Use Case (Air Traffic Management)

5 Summary and Prescription

Although the intellectual groundwork for cyber security engineering for mission systems is solidly in place, the degree of true engagement by cyber security engineers still falls short of what it should be. Evidence indicates that acquiring organizations do not have a clear picture of the value proposition of the cyber security engineer, and, frankly, there are not enough qualified cyber security engineers to meet the needs even if the value proposition were recognized. If cyber security specialists are to have an impact on mission systems, they must have the skills to engage in the system engineering process as franchised members, not as dabblers. This will be difficult to achieve as the cyber community is already struggling to develop the workforce to address the more obvious needs of securing networks and IT systems.

More emphasis is therefore needed on the specific challenge of cyber security engineering for mission systems through existing university programs, U.S. government cyber scholarship initiatives, and professional certification programs.

Cyber security specialists themselves need to be part of the solution. They should strive to learn the practices of systems engineering, encourage their organizations to embrace SSE-CMM, and work hard at their own professional development. They should learn and internalize the unique value that the cyber security engineering community can bring to the systems engineering arena. And they should gain experience in the use of systems engineering tools.

Lastly, the similarities and strong overlaps among Cyber Security Engineering, System Safety Engineering, and Reliability Engineering should prompt those professional communities to work together in an effort to find greater synergy in the systems engineering environment. The professional societies and associations that represent these stakeholders should join together under the auspices of the International Council on Systems Engineering (INCOSE) to tackle this together to enhance the profession and produce mission systems with better performance in any environment—normal, abnormal, or hostile.

6 References

[1] Cyber IN-security: Strengthening the Federal Cyber security Workforce; Partnership for Public Service and Booz Allen Hamilton, July 2009.

[2] Brian Dutcher. “Determining the Role of the IA/Security Engineer,” SANS Institute; InfoSec Reading Room. March 15, 2010, http://www.sans.org/reading_room/whitepapers/assurance/determining-role-ia-security-engineer_33508.

[3] Robert Ayoub. The 2011 (ISC)2 Global Workforce Study, Frost & Sullivan Market Survey Sponsored by (ISC)2, 2011.

[4] Karen Evans and Franklin Reeder. “Human Capital Crisis in Cybersecurity Technical Proficiency Matters,” A Report of the CSIS Commission on Cybersecurity for the 44th Presidency, Center for Strategic and International Studies, November 2010.

[5] Eric Beidel and Stew Magnuson. “Government, Military Face Severe Shortage Of Cybersecurity Experts”, National Defense (National Defense Industrial Association), August 2011, http://www.nationaldefensemagazine.org/archive/2011/August/Pages/Government,MilitaryFaceSevereShortageOfCybersecurityExperts.aspx.

[6] Norbert Wiener. Cybernetics: or Control and Communication in the Animal and the Machine, The Massachusetts Institute of Technology, Cambridge, MA, 1948 and 1961.

[7] Peter Neumann. Moderator, Risks Digest, http://catless.ncl.ac.uk/Risks.

[8] Robert McMillan. “Virus targeted at Siemens industrial control systems”, IDG News Service, July 17, 2010. http://www.networkworld.com/news/2010/071710-new-virus-targets-industrial.html.

[9] Brent Kesler. “The Vulnerability of Nuclear Facilities to Cyber Attack,” Strategic Insights, Vol. 10, Issue 1, pp. 15 – 25, Spring 2011.

[10] DoD Directive 8581.1. “Information Assurance (IA) Policy for Space Systems Used by the Department of Defense,” June 21, 2005.

[11] The Smart Grid Interoperability Panel – Cyber Security Working Group. Guidelines for Smart Grid Cyber Security, NISTIR 7628, August 2010.

[12] NIST Special Publication 800-53 Revision 3. “Recommended Security Controls for Federal Information Systems and Organizations,” National Institute of Standards and Technology, Gaithersburg, MD.

[13] ISO/IEC 21827:2008. Systems Security Engineering—Capability Maturity Model®.

[14] International Council on Systems Engineering (INCOSE). http://www.incose.org

[15] NASA Office of Safety and Mission Assurance. http://www.hq.nasa.gov/office/codeq/.

[16] American Society for Quality. Certified Reliability Engineer, http://prdweb.asq.org/certification/control/reliability-engineer/index.

[17] IEEE Reliability Society. http://rs.ieee.org/.

[18] The International System Safety Society. http://www.system-safety.org/.

[19] Nancy Leveson. “White Paper on Approaches to Safety Engineering.” Nancy Leveson’s Home Page at MIT, April 23, 2003; http://sunnyday.mit.edu/caib/concepts.pdf.

[20] Guttorm Sindre and Andreas Opdahl. Eliciting Security Requirements by Misuse Cases, Proceedings of TOOLS Pacific 2000, pp. 120-131, 20-23 November 2000, IEEE Computer Society Press.

[21] Ian Alexander. “Use/Misuse Case Analysis Elicits Non-Functional Requirements,” Computing & Journal, Volume 14, Issue 1, pp. 40 – 45, Feb. 2003.