The Black Book: A Starter Guide to Systems Security Engineering for Acquisition

Bradley Doohan (Australia); Steve Sterling, Mark Jennings, Frederic Painchaud, LCol Yves Turcotte, LCdr Marc Lanouette (Canada); Paul Caseley, Gerard Talbert and Edward Bush (United Kingdom); and, Melinda Reed, Dana Franz, Jean-Paul LeSaint, Glenda Turner (United States).

TTCP Document DOC-JSA/TP4-1-2016
Defence Research and Development Canada
Reference Document DRDC-RDDC-2016-D061
October 2016

© Her Majesty the Queen in Right of Canada, as represented by the Minister of National Defence, 2016

Abstract

This booklet is an introduction to systems security engineering management concepts, terms and activities and supports the TTCP four national strategic drivers: Interoperability; Affordability; Effective Decision Making; and Agility (flexible adaptable systems). It is intended to help systems engineers within TTCP Nations and defense contractor personnel understand how security issues affect their role within the systems acquisition process. The contents of this booklet are intended for information purposes only and must therefore not be used as the basis for any contract or instruction to contractors.

Résumé (translated from French)

This booklet is an introduction to the concepts, terms and management activities of systems security engineering, and supports the four TTCP national strategic drivers: interoperability, affordability, effective decision making and agility (adaptable and flexible systems). This document is intended to help systems engineers within the TTCP member nations and defence contractor personnel understand how security issues affect their role within the systems acquisition process. The contents of this booklet were written for information purposes only; they must therefore not be used as the basis for any contract or instructions to contractors.

The Technical Cooperation Program
Australia - Canada - New Zealand - United Kingdom - United States of America

TTCP DOCUMENT
11 October 2016
DOC-JSA/TP4-1-2016

This document contains Information authorized under the auspices of The Technical Cooperation Program (TTCP) for unlimited release and distribution.

BACKGROUND

Defense acquisitions organisations need to give systems security engineering a high priority due to increased dependence on commercial components in mission critical systems, the fast pace of change in information systems and the emerging cyber threats to military systems and systems of systems. This dependency is being driven by a number of factors such as globalisation in the supply chain and the transition of cost-effective manufacturing from traditional first world environments.

This report is a product of The Technical Cooperation Program, Joint Systems Analysis group, Technical Panel 4, Systems Engineering for Defense Modernization, Systems Security Engineering work-stream.

PURPOSE

This booklet is an introduction to systems security engineering management concepts, terms and activities and supports the TTCP four national strategic drivers: Interoperability; Affordability; Effective Decision Making; and Agility (flexible adaptable systems). It is intended to help systems engineers within TTCP Nations and defense contractor personnel understand how security issues affect their role within the systems acquisition process. The contents of this booklet are intended for information purposes only and must therefore not be used as the basis for any contract or instruction to contractors.
ACKNOWLEDGEMENTS

This booklet concept is based on the “Introduction to System Safety Management in the MOD” known colloquially in the UK MOD as the ‘Safety White Book’.

This ‘Black Book’ was developed and written by the Systems Security Engineering (SSE) Work Stream of The Technical Cooperation Program (TTCP) Technical Panel (TP) on Systems Engineering for Defense Modernization, and their National organizations. Panel members include David Oxenham (Chairman, United Kingdom); Mark Unewisse (Australia); Robert Burton (Canada); David Dean (United Kingdom); and Kristen Baldwin (National Leader) and Robert Gold (United States).

The SSE work stream members include Bradley Doohan (Australia); Steve Sterling, Mark Jennings, Frederic Painchaud, LCol Yves Turcotte, LCdr Marc Lanouette (Canada); Paul Caseley, Gerard Talbert and Edward Bush (United Kingdom); and, Melinda Reed, Dana Franz, Jean-Paul LeSaint, Glenda Turner (United States).

The work stream members also gratefully acknowledge the suggestions and critique from other experts within their national organizations. The combined efforts of these individuals and organizations made possible the development of this guide.

Suggestions for improvement should be sent to:
TTCP JSA TP4 SE chair
Professor David Oxenham
e-mail: [email protected]

CONTENTS

1 INTRODUCTION
1.1 What is Systems Security Engineering?
1.2 The Importance of Early Systems Security Engineering

2 INTRODUCTION TO SYSTEMS SECURITY ENGINEERING
2.1 Systems Security Engineering Perspective
2.2 Threats and Vulnerabilities
2.3 Systems Security Engineering Risk
2.4 How Much Systems Security Engineering is Enough?
2.5 Systems Security Engineering Protection Scheme

3 SECURITY/LEGAL RESPONSIBILITIES

4 SECURITY COMPETENCE AND CULTURE
4.1 Systems Security Engineering Competence
4.2 The Culture of Systems Security

5 OVERSIGHT OF SYSTEMS SECURITY ENGINEERING
5.1 Who Builds Security In? (Systems Engineers)
5.2 Pre-requisites to Successful Systems Security Engineering
5.3 Stakeholder Requirements Definition and Requirements Analysis Processes
5.4 Architectural Design Process
5.5 Verification and Validation Processes
5.6 Incident Handling and Applying the Lessons

6 SYSTEM SECURITY ENGINEERING RISK MANAGEMENT
6.1 Security Risk Management Introduction
6.2 Risk Assessment
6.3 Risk Register