Special Feature

Systems Security Engineering: A Critical Discipline of Systems Engineering
Kristen Baldwin, kristen.baldwin@incose.org
INCOSE INSIGHT, July 2009, Volume 12 No. 2, pages 11-13

In order to adequately address the comprehensive set of threats to its acquisition programs, the United States Department of Defense (DoD) must include systems security engineering as a critical element of systems engineering. Security specialties have emerged over time as responses to new threats and risks; for example, specialties include information security to protect information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction; physical and personnel security to protect information and other valuable assets physically stored within facilities and installations; and communications and network security to protect electronic information in transit over networks. Security has now become a system-level risk. Twenty years ago, systems were relatively stand-alone, software was critical but not prevailing, and the supply base was known and traceable. Prime contractors build today’s complex, software-controlled, highly networked systems by integrating hundreds of suppliers and commercial-off-the-shelf (COTS) components, whose origin and level of integrity are difficult to ascertain. Security vulnerabilities now exist beyond the mitigations that information assurance controls typically provide. They present themselves in embedded software and hardware components and in system-of-systems architecture designs. The discipline of systems security engineering provides an important mechanism for the engineering team to assess and mitigate the vulnerabilities of the system and subsystems. We must grow and resource this discipline and capability.

Call to Attention

For the past several years, the Department of Defense has organized initiatives to focus on security, culminating in 2007 when the Deputy Secretary of Defense declared that the department must “stop the bleeding,” referring to the threat of network attacks on DoD and industry. We had turned the corner from strategy and planning and moved solidly into implementation.

The journey began in earnest in 2005, when the Office of the Secretary of Defense (OSD) chartered the DoD Software Assurance Tiger Team to focus on the threat of malicious software tampering. Concern had been growing as the production of software had become a global capability. In parallel, the department established a Globalization Task Force, and the Defense Science Board issued two reports recounting the threat, one on microchip supply and one on software. One of the reports summarized the problem in this way:

    The Department of Defense faces a difficult quandary in its software purchases in applying intelligent risk management, trading off the attractive economics of COTS and of custom code written offshore against the risks of encountering malware that could seriously jeopardize future defense missions. The current system designs, assurance methodologies, acquisition procedures, and knowledge of adversarial capabilities and intentions are inadequate to the magnitude of the threat. (Defense Science Board 2007)

A System Assurance Strategy

Upon studying the solution space, the Tiger Team issued a DoD Concept of Operations (CONOPS) for system assurance. The team recognized what others had highlighted: that although software is integral to system performance and presents opportunities for tampering, DoD programs must also account for vulnerabilities in the system hardware, firmware, and integration. The team defined system assurance as a measurable attribute of a system:

    System assurance is the justified confidence that the system functions as intended and is free of exploitable vulnerabilities, either intentionally or unintentionally designed or inserted as part of the system at any time during the life cycle. (NDIA System Assurance Committee 2008)

The DoD System Assurance Concept of Operations consists of five areas in which to address risk: prioritization (focusing on what is most critical for protection), supplier assurance (better understanding supply chain risk), engineering-in-depth (designing systems with security in mind), industry (gaining industry buy-in to build secure systems), and technology (researching investments to advance our capability to detect vulnerabilities and combat the threat).

The Tiger Team concluded that systems engineering was the core mechanism for implementing the CONOPS. Systems engineering underlies the DoD lifecycle acquisition process, and systems security engineering is a natural means for implementing the CONOPS areas. The following example shows the central importance of systems engineering in the security enterprise. Imagine that the DoD deems a certain system to be critical based upon the potential impact of its loss of integrity or availability on mission success. In addition, a complex weapons platform involves numerous sub-tier suppliers. The government systems engineering team identifies and documents critical information, technology, and components requiring protection. As the engineers develop the system architecture, they perform make-or-buy risk tradeoff analyses for critical components, choosing in-house fabrication where the architecture and design cannot offer enough protection and making commercial purchases where the risk and design allow. The contract references security standards, and systems engineers allocate security requirements to components. Government and supplier engineering teams design, prototype, and evaluate critical components for vulnerabilities, mindful of the security of the integrated system. During and through the end of the engineering design phase, the DoD program manager brings in DoD scientists and engineers to apply techniques to address security requirements, such as anti-tamper features, and to evaluate security using emerging tools and techniques. The program manager then develops and implements plans for secure deployment and sustainment operations, and fields the capability to the warfighter.

State of the Practice

The U.S. Naval Air Systems Command defines systems security engineering in MIL-HDBK-1785 (1995) as “an element of systems engineering that applies scientific and engineering principles to identify security vulnerabilities and minimize or contain risks associated with these vulnerabilities. It uses mathematical, physical, and related scientific disciplines, and the principles and methods of engineering design and analysis to specify, predict, and evaluate the vulnerability of the system to security threats.” Despite this definition and foundation, security is not consistently recognized as a key subdiscipline of systems engineering and therefore is not consistently implemented as part of the systems engineering team’s design, trade, and risk considerations.

There appear to be several reasons why systems security engineering is not routinely a focus in the systems engineering processes used by systems engineering teams in defense and industry. Security is more often associated with information technology and software, as opposed to major weapons systems or their hardware components. This perception has led to gaps in systems science and engineering principles for this discipline, and in guidance and tools for non-information technology solutions. Furthermore, there has been inconsistent identification and enforcement of security as a key system requirement.

The association of security with information systems and software is most likely a result of the current urgent focus and demand for information system security engineers to combat the cyber threat. In industry and government, information system security engineers (ISSEs) are in high demand as the National Security Agency and other organizations combat the emerging cyber threat to information systems. Information systems security engineering is “an engineering process that captures and refines information protection requirements and ensures their integration into IT acquisition processes through purposeful security design or configuration” (U.S. Department of Defense 2003).

Academic engineering departments do not generally include security as a part of their systems engineering curricula, but this is changing: several universities, including Southern Methodist University, now offer degrees in systems security engineering that are associated with the computer science and engineering departments, and several colleges now offer Bachelor of Science degrees in software engineering with a security focus.

It is important for the systems engineering community to understand that information and computer security are but two of the key subdisciplines of systems security engineering. As the DoD Tiger Team concluded, these elements cannot be the sole focus to ensure system security. The standard ISO/IEC 21827: Information Technology – Systems Security Engineering – Capability Maturity Model [SSE-CMM®] identifies the following list of subdisciplines:

    • Operations security
    • Information security
    • Network security
    • Physical security
    • Personnel security
    • Administrative security
    • Communications security
    • Emanation security
    • Computer security

Looking through this list and the associated definitions, it is hard to place the engineering activities that would fully embody the System Assurance CONOPS, or the example implementation that we envision for a complex weapon system.

The Defense Department’s Response and the Way Ahead

In response to a demand for more practical guidance for system security, the National Defense Industrial Association formed a System Assurance Committee in 2006 with the charter to expand the definition of system assurance and clarify its relationship to other important disciplines (e.g., reliability, information assurance). The committee produced and published the guidebook Engineering for System Assurance in fall 2008.

The guide provides two perspectives for systems security engineering. First, it provides an explanation of how criticality analysis and security engineering are integral to the technical and management processes of systems engineering as defined in ISO/IEC 15288: Systems and Software Engineering – System Life Cycle Processes. It is hoped that this recognition of security relationships with these processes will lead to the maturing of guidance for systems engineering teams faced with security as a design requirement. The second perspective detailed in the guide is the overlay of security throughout the life cycle. It is critical for program and systems engineering teams to address security requirements while the largest possible trade space exists, and to ensure the technical maturity of the security solution throughout the acquisition life cycle. We expect that this understanding will also help us with setting and enforcing measures for security.

The publication of this guide is a first step toward motivating the community to adopt systems security engineering as a recognized consideration in systems engineering. Our next steps include updating the content of guidance with experience from pilots and applications. We must also further investigate systems security engineering methods and techniques. One area needing particular attention is verification and validation. We must develop ways to measure and evaluate security, considering component criticality and maturity. There is also a need for tools and techniques to support design for security, such as methods for decomposing systems to identify critical components, architectural approaches to neutralize threats, and ways to optimize life cycle security costs.

Department of Defense policies revised and signed in 2008 reaffirm the requirement to instill protection into our acquisition programs. DoD Instruction 5200.39: Critical Program Information (CPI) Protection within the Department of Defense (2008) is the overarching protection policy that sets forth the requirement to protect “critical program information,” which it defines as “elements or components of an RDA [Research, Development, and Acquisition] program that, if compromised, could cause significant degradation in mission effectiveness; shorten the expected combat-effective life of the system; reduce technological advantage; significantly alter program direction; or enable an adversary to defeat, counter, copy, or reverse engineer the technology or capability.” Critical program information also includes “information about applications, capabilities, processes, and end-items; elements or components critical to a military system or network mission effectiveness,” and “technology that would reduce the US technological advantage if it came under foreign control.”

In the DoD’s Instruction 5000.02: Operation of the Defense Acquisition System, the department requires RDA programs to identify critical program information early in the lifecycle as part of a program’s technology development strategy, and requires a program manager to prepare a program protection plan for approval by the milestone decision authority prior to initiation of engineering and manufacturing. The department is now in the process of updating associated guidance, techniques, and tools to assist program teams with these responsibilities.

As described by the defense department, systems security engineering plays an important role in ensuring that our systems function as intended and are free of exploitable vulnerabilities. This threat is challenging and different in kind from the traditional kinetic and capability overmatch threats, or even from nontraditional threats seen in present contingency operations. This information-age threat challenges the engineering community to treat security as a consideration in the risk and design trade space. Given this situation, INCOSE’s decision to charter a working group on systems security engineering is timely and responsive. This decision shows that the international systems engineering community recognizes the importance of security as a key practice in systems engineering. Our community can meet these challenges in several ways: augmenting existing guidance with detailed processes and tools for our engineering teams; defining core competencies for systems security engineering, and evaluating university curricula against them; setting standards and best practices for key issues such as “How much security is enough?”; and assisting program management and resourcing communities to understand the cost and benefit of designing assured, secure systems. As threats evolve, so must our advancements in the field of systems security engineering.

References

Defense Science Board. 2007. Report of the Defense Science Board task force on mission impact of foreign influence on DoD software. Washington, DC: Department of Defense. http://www.acq.osd.mil/dsb/reports/2007-09-Mission_Impact_of_Foreign_Influence_on_DoD_Software.pdf.

U.S. Department of Defense. 2003. Department of Defense Instruction 8500.2: Information assurance (IA) implementation. Washington, DC: Department of Defense.

———. 2008. Department of Defense Instruction 5000.02: Operation of the defense acquisition system. Washington, DC: Department of Defense. http://www.dtic.mil/whs/directives/corres/pdf/500002p.pdf.

———. 2008. Department of Defense Instruction 5200.39: Critical program information (CPI) protection within the Department of Defense. Washington, DC: Department of Defense. www.dtic.mil/whs/directives/corres/pdf/520039p.pdf.

ISO and IEC (International Organisation for Standardisation and International Electrotechnical Commission). 2002. ISO/IEC 21827: Information technology – systems security engineering – capability maturity model [SSE-CMM®].

———. 2008. ISO/IEC 15288: Systems and software engineering – system life cycle processes.

U.S. Naval Air Systems Command. 1995. MIL-HDBK-1785: System security engineering program management requirements. Washington, DC: Naval Air Systems Command.

National Defense Industrial Association (NDIA) System Assurance Committee. 2008. Engineering for system assurance. Arlington, VA: NDIA. www.acq.osd.mil/sse/pg/guidance.html.
Article Extract Reprinted with Permission of INCOSE
INSIGHT, July 2009, Vol 12 Issue 2

Special Feature: The Interplay of Architecture, Security, and Systems Engineering

    There was a time when architects thought about security … and perimeter defense was sufficient. Systems architects must reclaim the practice. Today, all systems are prey.
President’s Corner

STEMming the Coming Crisis in Technical Capabilities
Pat Hale, patrick.hale@incose.org
INCOSE INSIGHT, July 2009, page 3

As those of you who regularly read the “President’s Corner” in INSIGHT know, I usually write about matters directly related to our profession of systems engineering or to our organization and its future. I depart from this pattern in this issue to discuss a matter that may gradually, but profoundly, become of critical interest to both our profession and our organization: education in science, technology, engineering, and mathematics (STEM).

Many of you know that my “day job” is running a graduate professional program at MIT, concerned with systems design, management, and systems thinking. One of the great joys and opportunities in this job is continually interacting with very bright, professionally experienced students in the program. By virtue of my job as their academic advisor, I have the responsibility of reviewing all program theses to ensure that they meet the goals of the program that I direct. The program requires that “theses must address a topic or topics which contain significant elements of technical and managerial challenges relevant to current industry challenges.” I always enjoy learning about new fields and approaches to solving these relevant industry problems, but one recent thesis in particular captured my attention and provoked a new sense of urgency regarding a problem INCOSE has become increasingly aware of in the past few years, and a problem that profoundly impacts our future professional well-being: the STEM education system.

In his recently completed master’s thesis, Dan Sturtevant (who is now pursuing his doctorate in MIT’s Engineering Systems Division) used system dynamics modeling to explore underlying causes (and potential remedies) of the decline in STEM subjects and degrees, particularly engineering degrees, among students under 18 (termed “K–12” in the U.S. for “Kindergarten through twelfth grade,” roughly equivalent to ages 5 through 18). Dan drew his data primarily from the U.S., but compared and related it to non-U.S. data as well. Dan has given me his permission to quote extensively and reproduce data from his thesis in order to illustrate the import and extent of this phenomenon, and I hope to convince you, our members, that this challenge is worth a considerable amount of your attention and energies to create an environment where our “raw material” for systems engineers is nurtured and sustained.

Dan introduces his thesis with this troubling description of the current state of engineering education (Sturtevant 2008, 16):

    The percentage of students earning bachelor’s degrees in engineering is almost half what it was in 1985. This decline has occurred despite the fact that wages for engineering graduates are higher than those of any other degree-type. Unemployment for scientists and engineers has just hit a record low. What is being studied in this thesis is an apparent contradiction: people decreasingly willing to go into a field in which wages are extremely strong. On its surface, this situation appears to fly in the face of the law of supply and demand.

The situation is especially bad because a decrease in science and engineering jobs leads to a decrease in the whole state of the economy (Sturtevant 2008, 17):

    According to the recent report jointly published by the [U.S.] National Academy of Sciences, National Academy