Frameworks to Guide Cyber Security Solution Application on a Systems Engineering Basis
Source: Barry M. Horowitz
Barry M. Horowitz
University of Virginia
February, 2010
1. Problem Definition
There is a need to make the requirement explicit, and to conduct the research needed, for developing requirements, solutions and evaluations related to cyber security. Systems engineering is built upon the principle of achieving the best value from a system through the integration of policy, process and technology. For a significant system, satisfying many different objectives creates competition for the resources that yield enhancements in the various dimensions (e.g., improvements in reliability compete with improvements in sustainability and security). A systems engineering team is expected to reconcile how to trade off performance across those objectives so as to achieve the best overall system within a specified scope of budget and time. Critical to engaging in trade-off assessments regarding cyber security is the ability to confidently evaluate the contributions of alternative security solutions in a manner that can be used to make choices.
Currently there is no recognized framework for the systems engineering community to use as a basis for valuing cyber security. Our goal is to establish one or more systems engineering frameworks that give systems engineers an understanding of cyber security that will help them reconcile the desired level of a system's security on a value basis tied to overall system objectives, and that provide the basis for evaluating the added security offered by potential system security solutions.
A framework would not be limited to applying component-level point solutions for added security; it would also support systems engineers in adding new classes of system-level solutions. A systems engineering framework for cyber security is required to provide guidelines for system-of-system security solutions and for the new dependencies that such solutions introduce. The framework must provide feasible activities that enable systems engineers to define, manage and budget the work that relates to system-of-system solutions. Security frameworks also have the potential to introduce a class of solutions that help systems engineers develop system architectures that are more receptive to adding new security capabilities and features, reducing the time and cost of integration through anticipatory system designs.
For example, consider the parallel situation of system reliability. Systems engineers must deal with the reliability of the entire system as well as the reliability of individual components or sub-systems. They decide which sub-systems should be most reliable, how to combine components to gain added reliability, and how much reliability is warranted for the various parts of a system. The same should be true for security. As a result, different systems will seek different levels of security, and correspondingly their security sub-systems will not have the same qualities. In certain situations a higher-quality security sub-system may therefore be judged insufficient for the enterprise system it supports, while a lower-quality security sub-system is judged more than sufficient for the enterprise system it supports.
It is important to note that while NIST documents (NIST 800-53 and NIST 800-37 rev1) have recognized certain of the needs discussed above, the systems engineering community does not have an accepted framework for acting on these needs.
1.1 Defense in Depth
The most pervasive system-oriented security framework referred to in current practice is "Defense in Depth" (1). This approach recognizes that defense must be achieved through people, technology and operations, and that it must be achieved for the networks, enclave boundaries, computing environments and supporting infrastructures that together comprise a system. However, defense in depth has in practice been treated as an approach for defending the periphery of an organization using layers of control around categories of assets, as opposed to defending high-value system functions that are achieved through application-specific integrations across the networks, enclaves, computing environments and infrastructures of a system. A systems engineering framework could refine the defense in depth strategy to focus on more surgically defined defense needs, and support solutions that seek to assure specific system functions rather than system assets.
The remainder of this paper reviews prior and ongoing efforts related to systems engineering frameworks for cyber security. Section 2 discusses in more detail the factors surrounding the need for a systems engineering framework for cyber security. Section 3 discusses a set of systemic security issues that a framework would support and how they differ from the best practice guidelines that already exist. Section 4 provides some initial ideas regarding the content of a research program that would support the development of a systems engineering framework for cyber security.
Comments to: Barry Horowitz (bh8e@cms.mail.virginia.edu)
2. The Need for a Systems Engineering Framework for Cyber Security
It is generally recognized that perimeter security is the mainstay of the current cyber security solution space, bringing both important values and serious limitations (2). The system-oriented values of perimeter security solutions include:
• They support a policy of minimal interference with the development of applications, which are usually driven by time-to-market pressures that lead designers and developers to avoid the well-known delays that more integrated security solutions can introduce.
• They can be added as the need is perceived more readily than more
integrated security solutions. They also avoid the design issues of
system complexity that more integrated solutions would need to face.
• Although a limited resource, an experienced and capable set of engineers is available to draw upon when applying perimeter solutions. In addition, documents such as the text "Security Engineering" (3) are available to transition experience to the next generation of security engineers.
• They have been commercialized and commoditized, so that the costs and support structures for the solutions have achieved a level of economy of scale that other, more application-specific solutions might not offer. The support structure includes industry-based assessment of successful attacks and rapid patching support.
• They include administrative methods and training as part of the
solutions that can be readily adopted by system owners and operators.
• They are supported by standardized sets of best practices.
As a result the systems community has been able to respond to perceived risks and threats
as they arise, by adding perimeter security solutions on a responsive basis.
While this focus on perimeter security has provided many advantages, it also brings with
it disadvantages that have become more and more significant over time. These
disadvantages include:
• Systems are frequently not designed to account for the actual cyber
attack risks that are inherent in their functional and technical designs.
For example, embedded software is becoming a more and more
important element of physical systems so as to permit remote control
through networks; controls that may become accessible to cyber
attackers.
• The use of customized application specific solutions has not been an
important aspect of cyber security solution space, greatly reducing the
toolsets that can potentially address cyber attack risk reduction.
• The cyber security workforce (e.g., designers, operators, administrators) frequently does not know enough about the "business" risks of the systems that its security components support, and the people who know the "business" risks frequently lack the detailed technical knowledge about solutions. This regularly leads to misallocated risk reduction.
• The commercially available perimeter solutions are well known to
cyber attackers, so that the community of attackers can reuse their
solutions across the base of systems that use common products. In the
most perverse cases, cyber attackers can participate in the supply
chains that produce the off-the-shelf software or hardware that is
depended upon to be secure.
• Systems are not designed to anticipate possible new security threats and solutions, resulting in more difficulty than necessary in integrating new solutions as they emerge.
• As the threats and the rate of successful cyber attacks continue to grow, systems are typically not designed to withstand attacks through solutions related to system architecture and system-of-systems architectures.
The disadvantages presented above are likely to become much more important over time.
There are three principal reasons:
• The nature of the threats has been transitioning from being dominated
by individuals initiating attacks to organized cyber attack criminal
groups and nation-state sponsored attack groups. This has increased
both the level of investment and the sophistication of exploits that are
available to attackers.
• Defensive efforts are at a disadvantage relative to offensive activities, since defenses must consider protecting against all credible system attacks that could create important consequences (the defender's dilemma), while offenders are at liberty to pick and choose the specific attacks they wish to launch (the attacker's advantage). This asymmetry puts a premium on selectively deciding on investments in security solutions.
• The information technology industry is moving toward more and more
integrated technology in efforts to reduce hardware costs,
administration costs, data management costs, and communications
costs. In addition, these technology advances provide the opportunity
for third party organizations to provide infrastructure for computing as
a service. Cloud computing serves as a major initiative that is related
to achieving these new efficiencies (4). This integration results in
greater concentration of computational functions, which in turn can
result in new and greater risks related to cyber attacks.
The perimeter defense situation described above points to the fact that current security
solutions are most frequently developed through a responsive engineering approach that
can be characterized as bolt-on, starting with the components and working to get the most
security that they have to offer on an as needed basis. The premise for this paper is that:
• the limitations of a responsive approach,
• important trends in the threat,
• trends toward increased integration in information systems,
• the availability of system architectural solutions, and
• the opportunity for customized application-specific solutions,
taken together, are sufficient to warrant the use of a complementary, holistic, risk-based
systems engineering approach; an approach that develops strategies regarding cyber
security in the broadest sense, starting from the time a new system is developed and
continuing through its entire life cycle.
While significant attention has been paid to best practices for dealing with the bolt-on
portion of engineering security solutions, the systems engineering community has yet to
develop a corresponding framework that enables a more holistic approach for addressing
cyber security. The information security community recognizes the critical need for
common practices (5) that can be continuously improved, highlighting the need for
ultimately developing a commonly used systems engineering framework for cyber
security. The desired framework should provide the basis for the systems engineering
community to integrate information assurance and cyber security as regularized functions
in the broad scope of their overall efforts, dealt with in a comparable manner as systems
engineers are expected to treat other system attributes, such as reliability, maintainability,
availability, supportability and so on.
3. Solution Criteria
While it is generally recognized that the system value achieved through investment in
information security is risk reduction, the capability to evaluate risks is elusive. Risk is
determined by evaluating the consequences and likelihoods of undesirable events (6) in
the context of a system’s overall objectives. Risk reduction occurs through solutions that
result in reductions in consequences and reductions in likelihoods. With regard to cyber
security, it has proven to be very difficult to develop confident evaluations of likelihoods
of attacks, as well as to forecast reductions in likelihood that would result from
implementation of particular solutions. This recognized difficulty creates a barrier
relative to the stimulation of cyber security investment in a regularized manner
comparable to other system attributes, such as reliability. Based on a recent survey and
analysis of a variety of modeling efforts related to the value of cyber security solutions
(7), the assumptions used in models have proven to be far from realistic, and the same
assumptions have been reused across a variety of disparate models. This shortfall
becomes a critical research need for developing a value-based framework that can
systematically trace solutions to value creation.
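As an added illustration (not from the paper), the following Python sketch puts the risk definition above into the trade-off form a systems engineer would use: each candidate solution is scored by the reduction in expected loss (sum of likelihood times consequence over undesirable events) that it buys per unit of cost, and the ranking is then re-run under alternative likelihood assumptions. Every event, probability, loss figure, cost and solution effect below is constructed for the example; the point is that the preferred solution can flip when an unreliable likelihood estimate moves within its plausible range.

```python
"""
Added illustration (not from the paper): value-based comparison of candidate
security solutions using risk = sum over undesirable events of
likelihood x consequence, and a check of how sensitive the resulting ranking
is to the likelihood assumptions.  All event names, probabilities, losses,
costs and solution effects are constructed for the example.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Event:
    name: str
    likelihood: float   # assumed annual probability of the undesirable event
    consequence: float  # assumed loss if it occurs, in currency units


@dataclass(frozen=True)
class Solution:
    name: str
    cost: float
    # per-event multipliers (1.0 = no effect); a factor of 0.2 leaves 20% of the
    # original likelihood or consequence for that event
    likelihood_factor: dict = field(default_factory=dict)
    consequence_factor: dict = field(default_factory=dict)


def expected_loss(events, solution=None, likelihood_overrides=None):
    """Annual expected loss, optionally with a solution applied and with some
    event likelihoods replaced by alternative assumptions."""
    overrides = likelihood_overrides or {}
    total = 0.0
    for ev in events:
        p = overrides.get(ev.name, ev.likelihood)
        c = ev.consequence
        if solution is not None:
            p *= solution.likelihood_factor.get(ev.name, 1.0)
            c *= solution.consequence_factor.get(ev.name, 1.0)
        total += p * c
    return total


def value_per_cost(events, solution, likelihood_overrides=None):
    """Risk reduction bought per unit of spend: the figure a systems engineer
    can set beside reliability or other investments in a trade-off."""
    baseline = expected_loss(events, None, likelihood_overrides)
    residual = expected_loss(events, solution, likelihood_overrides)
    return (baseline - residual) / solution.cost


def rank(events, solutions, likelihood_overrides=None):
    """Solution names, best value per cost first."""
    scored = [(value_per_cost(events, s, likelihood_overrides), s.name) for s in solutions]
    return [name for _, name in sorted(scored, reverse=True)]


def preferred_under(events, solutions, event_name, candidate_likelihoods):
    """Map each alternative likelihood for one event to the top-ranked solution.
    More than one distinct value means the choice hinges on an assumption
    that, as the paper notes, cannot be estimated with confidence."""
    return {p: rank(events, solutions, {event_name: p})[0] for p in candidate_likelihoods}


# Constructed scenario: three undesirable events for a remotely controlled
# physical system and two candidate investments (all numbers hypothetical).
EVENTS = [
    Event("remote-control hijack", likelihood=0.02, consequence=5_000_000),
    Event("data-feed corruption", likelihood=0.10, consequence=400_000),
    Event("perimeter breach", likelihood=0.30, consequence=150_000),
]

SOLUTIONS = [
    # bolt-on: cuts breach likelihood, slightly reduces corruption likelihood
    Solution("perimeter upgrade", cost=60_000,
             likelihood_factor={"perimeter breach": 0.2, "data-feed corruption": 0.8}),
    # application-specific: limits the damage an attack can do once inside
    Solution("integrity cross-check", cost=90_000,
             consequence_factor={"data-feed corruption": 0.1, "remote-control hijack": 0.5}),
]

if __name__ == "__main__":
    print("baseline expected loss:", expected_loss(EVENTS))
    print("ranking under stated likelihoods:", rank(EVENTS, SOLUTIONS))
    print("preferred solution vs. assumed hijack likelihood:",
          preferred_under(EVENTS, SOLUTIONS, "remote-control hijack", [0.002, 0.01, 0.02, 0.05]))
```

With the constructed numbers the integrity cross-check wins at the stated hijack likelihood of 0.02, but the perimeter upgrade wins if that likelihood is really nearer 0.01; the break-even sits at about 0.012, well inside the range over which such a probability is typically guessed. That is the shortfall the survey in (7) points at, and it is why a value-based framework has to carry the likelihood assumptions alongside the ranking rather than behind it.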
This situation is confounded by the broad scope of large systems and the corresponding
dependence upon distributed computing. The scope and complexity of a large system
creates difficulties in identifying and understanding the full set of risks that exist. This
circumstance demands that systems engineering teams significantly rely upon many other
system team members (operators, maintainers, component designers, security specialists,
etc.) to identify and rank all of the potential risks that relate to cyber attacks. This
situation has served to stimulate research on the application of collaborative computing
technology to support large scale risk assessments related to cyber attacks (8) and the use
of collaborative risk assessments that include participants who are oriented to defense, as
well as participants who are oriented to the offensive side of cyber attacks (9). While
these collaborative risk analysis efforts have been experimented with in workshop
settings (10), they have not been put to use in actual applications. This situation leads to
the observation that a systems engineering framework for cyber security will likely be
dependent on the development of scalable support tools to support risk identification and
ranking.
With regard to existing work on system engineering frameworks for cyber security, no
existing research could be identified that addresses this need. A search of system
engineering company web sites serves to identify a wide range of system engineering
services that companies provide ( e.g., vulnerability assessments, enterprise level
architectural designs, system wide penetration testing), but no integrated framework
could be found for a value-based approach to cyber security. However, there are a
number of best practice frameworks that have been standardized through recognized
standards organizations. They have permitted the development of standardized best
practices for adopting, supporting, administering, auditing and maintaining solutions
(11,12,13,14,15). Together these standards of practice provide experience-tested
approaches regarding both what to do and how to do it, once a security solution is
adopted. However they do not provide the framework for system engineers to use in
addressing security within the context of the full set of system needs.
As a result, we conclude that research will be needed to define and scope out a new
systems engineering framework.
4. Next Steps
A research effort related to development of a systems engineering framework for cyber
security will require postulating a set of specific systems engineering activities that would
be desirable for achieving enhanced security. In order to “prime the pump” five areas of
activity that a systems engineering framework could include are described below, with
indications of the nature of supporting research that would be required to develop the
framework.
4.1 System-of-System Solutions
Earlier in this paper the application of system-of-system solutions focused on security
was suggested. This class of solutions can provide resiliency features, redundant
capabilities, and cross referencing and continuity checking for information integrity
assurance. Many other system-of-system solutions are possible. For example, in large
scale enterprise systems, dependencies between systems that are owned and operated by
different organizations can be critical. For example, the Air Force requires ground target
surveillance information from the Army in order to support air strikes on relevant ground
targets. Correspondingly, the security capabilities of the Army’s sensor systems are of
great importance to the Air Force. A system-of-systems approach must be taken to assure
that these values are recognized and that appropriate security investments are made. A
similar situation exists in commercial supply chain management systems, where the
security of the integrated supply chain system is dependent upon the individual security
provided by each supplier’s system. In such situations it is possible to imagine situations
where the resource limitations of a particular supplier impact the overall security of a
supply chain that the resource-limited supplier is a member of.
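The "cross referencing and continuity checking for information integrity assurance" mentioned above can be made concrete. The following Python code is an added example, not from the paper, and the scenario is hypothetical: one organization's sensor system supplies target position reports to another, the consumer also holds a second, independent feed for the same target, and it checks (a) that each feed is physically continuous and (b) that the two feeds agree. All track data is constructed for the example, and the speed limit and tolerance are assumed values.

```python
"""
Added illustration (not from the paper): cross-referencing and continuity
checking as an integrity check on a shared surveillance feed.  All track data
below is constructed; max_speed and tolerance are assumed values.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Fix:
    t: float   # seconds
    x: float   # metres, east
    y: float   # metres, north


def continuity_violations(track, max_speed):
    """Timestamps at which a feed implies movement faster than max_speed (m/s)
    since its previous report.  A replayed or edited report tends to break
    the physical continuity that a real target must obey."""
    bad = []
    for prev, cur in zip(track, track[1:]):
        dt = cur.t - prev.t
        if dt <= 0:
            bad.append(cur.t)          # out-of-order or duplicate timestamp
            continue
        speed = math.hypot(cur.x - prev.x, cur.y - prev.y) / dt
        if speed > max_speed:
            bad.append(cur.t)
    return bad


def _interpolate(track, t):
    """Linear position estimate from a track at time t, or None outside its span."""
    for a, b in zip(track, track[1:]):
        if a.t <= t <= b.t:
            f = 0.0 if b.t == a.t else (t - a.t) / (b.t - a.t)
            return a.x + f * (b.x - a.x), a.y + f * (b.y - a.y)
    return None


def cross_reference_disagreements(primary, secondary, tolerance):
    """Timestamps at which two independent feeds for the same target disagree
    by more than tolerance metres.  The secondary feed is interpolated to the
    primary's timestamps, so the two feeds need not be synchronised."""
    bad = []
    for fix in primary:
        est = _interpolate(secondary, fix.t)
        if est is None:
            continue   # no independent evidence at this time; not a disagreement
        if math.hypot(fix.x - est[0], fix.y - est[1]) > tolerance:
            bad.append(fix.t)
    return bad


def integrity_report(primary, secondary, max_speed, tolerance):
    """Timestamps the consumer should not act on.  Either check alone can be
    evaded: a crude jump is caught by continuity, a slow, plausible offset is
    caught only by the independent source, so a report is trusted only when it
    passes both."""
    flagged = set(continuity_violations(primary, max_speed))
    flagged |= set(cross_reference_disagreements(primary, secondary, tolerance))
    return sorted(flagged)


# Constructed data: a target moving east at 20 m/s.  The primary feed has two
# manipulations injected: an abrupt 900 m jump north at t=30 that is gone again
# by t=40, and, from t=50 on, a 150 m eastward offset that stays within
# plausible speeds.  The secondary feed is independent, coarser and noisy.
PRIMARY = [
    Fix(0.0, 0.0, 0.0), Fix(10.0, 200.0, 0.0), Fix(20.0, 400.0, 0.0),
    Fix(30.0, 600.0, 900.0),                    # crude jump
    Fix(40.0, 800.0, 0.0),
    Fix(50.0, 1150.0, 0.0), Fix(60.0, 1350.0, 0.0),   # subtle offset
]
SECONDARY = [
    Fix(0.0, 0.0, 5.0), Fix(15.0, 300.0, -4.0), Fix(30.0, 600.0, 6.0),
    Fix(45.0, 900.0, -3.0), Fix(60.0, 1200.0, 4.0),
]
MAX_SPEED = 60.0    # m/s, assumed physical limit for this target class
TOLERANCE = 50.0    # metres, assumed combined sensor error budget

if __name__ == "__main__":
    print("continuity:", continuity_violations(PRIMARY, MAX_SPEED))
    print("cross-reference:", cross_reference_disagreements(PRIMARY, SECONDARY, TOLERANCE))
    print("do not act on:", integrity_report(PRIMARY, SECONDARY, MAX_SPEED, TOLERANCE))
```

The design point for the system-of-systems case is that the consuming organization can obtain this assurance without any change to the supplier's system: the check lives on the consumer side and depends only on having a second, independently sourced feed, which is itself an architectural decision to be budgeted for.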
A research effort to identify important categories of system-of-system solutions and
issues that arise when implementing such solutions is needed to support development of
the desired security framework.
4.2 Integration of Multiple Security Solutions
Similar to the best practice standards used for enhancing cyber security, the systems
engineering framework could potentially be used to assure full consideration and analysis
of a broad range of solution categories that can be used for reducing categorized risks.
The framework could include analytical models for estimating the security associated
with defense in depth or other integrated configurations of point defense. Consideration
could be given to the framework including high level descriptions of custom solutions
that have been put to use in other system developments.
Recognizing the potential relationships between the various best practice standards and
the future framework, consideration could be given to developing techniques for
explicitly calling out in the framework the best practices for system engineered designs
developed through the framework. This could result in a system engineered view of the
overall security system that supports the overall system values being considered.
4.3 Integration Opportunities with Active Defense
For a variety of reasons, the communities that engage in traditional defensive security
activities are separate from those that are engaged in active defense. This practice of
separation comes at a cost in terms of systems engineering opportunities, and with the
increased threat, this practice might well be worth modifying. Research on the values of
expanding the integration of traditional and active defense efforts could potentially serve
to illuminate important system engineering solution opportunities. Some examples of
potential opportunity areas for system level solutions are presented below:
• Use of US active defense research efforts as a basis for forecasting potential new
areas of adversarial threats, so that systems can be designed to be rapidly expanded to
incorporate potential responses should such threats actually emerge.
• Development of approaches for rapid response to new threats that use rapid operational prototyping, including system integration, so that US active defense development efforts can anticipate how quickly adversaries could respond to them. These efforts can, in part, be guided by active defense researchers, who can help to forecast threats and to gauge the ability of adversaries to respond to our own active measures.
• Systems can be designed to provide confusion to adversaries that could impact
decisions about attacks. For example, it is possible to design systems for continuous
dynamic reconfiguration, so as to confuse adversaries about the relationships between
system functions and the underlying hardware and software configuration. The ability
and significance of confusion tactics can be evaluated by members of the active
defense community, who can then contribute to the design of more effective
confusion tactics.
• Systems can be designed to measure normal component utilizations (e.g., CPU
utilization, memory access rates) as a function of user demands. With such embedded
measurement capability, irregular utilizations may be used to recognize certain types
of attacks. The active defense community can serve to help system designers to gauge
the limitations of such approaches.
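The last bullet above describes a detector that can be built from a system's own counters, and the following Python code is an added example of it, not code from the paper. A baseline relates a component's utilization to the user demand placed on it (a least-squares line over normal operation); later samples whose utilization departs from what that relation predicts by more than k standard deviations of the baseline residual are flagged. All telemetry is constructed for the example, and the threshold k is an assumed value.

```python
"""
Added illustration (not from the paper): flagging irregular utilisation by
comparing it with the utilisation a demand-based baseline predicts.  The
telemetry below is constructed; a real system would record these samples
from its own counters.
"""
import math


def fit_baseline(samples):
    """Least-squares line util ~= a + b*demand over (demand, util) pairs, plus
    the residual standard deviation that sets the anomaly threshold."""
    n = len(samples)
    if n < 3:
        raise ValueError("need at least three baseline samples")
    mean_d = sum(d for d, _ in samples) / n
    mean_u = sum(u for _, u in samples) / n
    sxx = sum((d - mean_d) ** 2 for d, _ in samples)
    if sxx == 0:
        raise ValueError("baseline must span more than one demand level")
    sxy = sum((d - mean_d) * (u - mean_u) for d, u in samples)
    b = sxy / sxx
    a = mean_u - b * mean_d
    resid = [u - (a + b * d) for d, u in samples]
    sigma = math.sqrt(sum(r * r for r in resid) / (n - 2))
    return a, b, sigma


def flag_irregular(samples, baseline, k=3.0):
    """Indices of samples whose utilisation is more than k sigma from the
    baseline prediction for their demand level (k is an assumed setting)."""
    a, b, sigma = baseline
    return [i for i, (d, u) in enumerate(samples)
            if abs(u - (a + b * d)) > k * sigma]


# Constructed baseline: (requests per second, CPU percent) during normal
# operation, roughly util = 5 + 0.5 * demand with small measurement noise.
BASELINE = [
    (10, 10.2), (20, 15.1), (40, 24.8), (60, 35.3),
    (80, 44.7), (100, 55.2), (120, 65.0), (150, 79.9),
]

# Constructed samples from later operation:
#   0: normal load
#   1: CPU busy far beyond what 25 req/s explains (e.g. an unauthorised task)
#   2: normal load
#   3: idle front end yet a third of the CPU in use
#   4: heavy but demand-proportional load: a flood of requests that look
#      legitimate raises demand itself, so this detector does not see it;
#      that is the kind of limitation the active defense community can help
#      designers gauge
MONITORED = [(30, 20.3), (25, 62.0), (90, 49.8), (0, 30.0), (160, 85.0)]

if __name__ == "__main__":
    a, b, sigma = fit_baseline(BASELINE)
    print(f"baseline: util = {a:.2f} + {b:.3f} * demand, sigma = {sigma:.3f}")
    print("irregular sample indices:", flag_irregular(MONITORED, (a, b, sigma)))
```

Two practical cautions follow from the code rather than from the bullet. The baseline has to be captured while the system is known to be clean, otherwise an attack present during baselining becomes "normal"; and because the detector only sees utilization that is out of proportion to demand, an adversary who drives both together (sample 4) passes unnoticed, so this check complements rather than replaces the other defenses discussed above.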
References
1. National Security Agency, "Defense in Depth", http://www.nsa.gov/ia/_files/support/defenseindepth.pdf
2. Wulf, W., Jones, A., "Reflections on Cyber Security", Science Magazine, Vol 326, November 2009
3. Anderson, Ross J., "Security Engineering", John Wiley and Sons, Second Edition, 2008
4. Knorr, E., Gruman, G., "What Cloud Computing Really Means", InfoWorld, 2009
5. Murray, William H., Schou, Corey D., Maconachy, W. Vic, "Professionalizing the Practice of Information Security", Proceedings of the 11th Colloquium for Information Systems Security Education, Boston University, June, 2007
6. Haimes, Y.Y., "Risk Modeling, Assessment, and Management", John Wiley and Sons, Inc., Third Edition, 2009
7. Rue, R., Pfleeger, S.L., "Making the Best Use of Cyber Security Economic Models", IEEE Security and Privacy, Vol 7, No. 4, July, 2009
8. Horowitz, B.M., Crawford, J., "Application of Collaborative Risk Analysis to Cyber Security Investment Decisions", Financial Services Technology Consortium Innovation Journal, Vol 2(1), 2007
9. Haimes, Y.Y., Horowitz, B.M., "Modeling Adaptive Two-Player Hierarchical Holographic Modeling Game for Counterterrorism Intelligence Analysis", Journal of Homeland Security and Emergency Management, 1 (3), pp. 1-21, 2004
10. Crawford, J., Crowther, K., Horowitz, B.M., Lambert, J., "An Example Collaborative Exercise for Decision Making in Investment in Cyber Security", Workshop on Economics of Securing the Information Infrastructure, Washington, D.C., October 2006, http://www.sercuarc.org
11. Information Security Forum (ISF), "The Standard of Good Practice for Information Security", 2007
12. Information Technology Governance Institute (ITGI), "Control Objectives for Information and Related Technologies version 4.1 (CoBIT v4.1)", 2007
13. International Standards Organization, "International Information Security Management Standard ISO 27001", 2009
14. International Standards Organization, "International Information Security Code of Practice ISO 27002", 2009
15. National Institute of Standards and Technology, Information Security Handbook, December, 2006
