The Bureaucracy Can't Protect You…
But Sound Systems Security Engineering Will
So here we are. Well into 2021 and it seems as if we are reliving the same stories on destructive cyber-attacks that we were talking about two decades ago, and may be talking about in two more decades without significant change. Frustration levels are high, feelings of desperation are setting in, and some folks are even resigned to their ongoing situation. Yet, we hold out hope that new players, new legislation, new executive orders, new directives, and new regulations may be just what it takes to turn around this unwelcome cyber tide.
Unfortunately, the reality on the ground has not changed. Speed, agility, innovation, and sound engineering are among the keys to defeating cyber hackers and nation-state threat actors. Adversaries don’t care about laws, executive orders, directives, or regulations. All they care about is your system—how they can get in, how they can exploit your vulnerabilities, and how they can create effects for their benefit, including stealing your data and inflicting significant damage to your organization [1]. And, there are at least six ways from Sunday you can lose to cyber adversaries: failure to simplify; failure to innovate; failure to automate; failure to modernize; failure to understand modern cyber threats; and failure to understand risk.
So What's the Game Plan?
As we wait for things to unfold at the top, it is critical to start making things happen within your organization now—beginning with a strategic shift to a systems security engineering mindset—that is, adopting a “secure-by-design” approach [2][3]. Designing, building, and improving systems to provide multidimensional protection and defense-in-depth is an aspirational objective. It requires a different way of thinking about the problem: accepting that some sophisticated attackers will occasionally break through your perimeter defenses, and engineering your systems accordingly.
A multidimensional protection strategy focuses on penetration resistance at the outset (protecting systems from the outside in), damage limiting architectures and operations (protecting systems from the inside out), and system resilience (protecting systems by anticipating, withstanding, recovering from, and adapting to adverse conditions, stresses, attacks, or compromises). That is true defense-in-depth. Great. But where’s the on ramp to the mysterious world “below the waterline” where the hardware, firmware, and software reside?
As you have probably concluded by now, there are no silver bullets, secret sauces, or shortcuts to solving this problem. You don’t have to be overwhelmed by the enormity of the infrastructure or the complexity of your systems. Systems security engineering provides an effective roadmap on how to begin the long journey that can help create organizational systems that are more secure and resilient. Common sense approaches, divide-and-conquer strategies, and an attitude that “small successes produce larger successes” provide a good starting point.
If Everything Is Important, Nothing Is Important
In a world of highly complex, interconnected systems and diverse missions and business processes, how can organizations begin the shift to an engineering mindset? Here are a few basics from NIST SP 800-160, Volume 1 to help initiate the transition:
- Conduct a criticality analysis to determine what effects or consequences are unacceptable to your organization based on the organization’s core missions or business functions. Or, alternatively, what level of asset loss is your organization willing to sustain?
- Identify the conditions that may lead to the undesirable consequences and loss of assets.
- Define the relationships and possible interactions among all systems and system components that would lead to the conditions the organization desires to avoid.
- Identify the constraints to avoid the conditions or limit the effects of those conditions if avoidance is not possible.
- Determine how to reengineer the system to avoid the conditions that may lead to the undesirable consequences and loss of assets or limit the conditions (i.e., make the system inherently robust and resilient).
- Select the mechanisms that must be employed to complement what can’t be successfully engineered out.
The systems security engineering steps described above apply to all types of systems from enterprise servers to systems constrained for size, weight, and power (e.g., avionics systems and IoT devices). The requirements, architecture, and design processes (at the heart of systems engineering) can guide and inform the transition to a more secure system—where well-defined assurance arguments can be made about the system’s overall trustworthiness. An engineering approach will help your enterprise evolve to counter changing threats and effectively manage risk—and most important, obtain the assurance necessary for mission and business success.
Zero Trust—Back to the Future
Recently, there has been a great deal of discussion about zero trust. How does zero trust fit into this strategic shift to a systems security engineering mindset? Simple. Zero trust concepts, as defined in the Forrester Report, emphasize a secure-by-design approach and building a sound security architecture so systems can be defended from the inside out as well as from the outside in [4][5]. This reinforces the second dimension of system protection that focuses on limiting the damage adversaries can do once they have penetrated the initial system boundary—by impeding their lateral movement, increasing their work factor, reducing their time on target (through rapid refreshes of virtualized components to known secure states), and decreasing their confidence in being able to complete a successful attack. NIST SP 800-207 defines seven foundational zero trust concepts:
- All data sources and computing services are considered resources.
- All communication is secured regardless of network location.
- Access to individual enterprise resources is granted on a per-session basis.
- Access to resources is determined by dynamic policy—including the observable state of client identity, application/service, and the requesting asset—and may include other behavioral and environmental attributes.
- The enterprise monitors and measures the integrity and security posture of all owned and associated assets.
- All resource authentication and authorization are dynamic and strictly enforced before access is allowed.
- The enterprise collects as much information as possible about the current state of assets, network infrastructure and communications and uses it to improve its security posture.
The zero trust concepts described above bring together and reflect the classic security design principles in NIST SP 800-160, Volume 1, Appendix F.
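To make the tenets concrete, here is an added illustration (not code from the article or from NIST) of a toy policy decision point: every data source is a registered resource, network location confers no trust, and each access is a short-lived session granted only after dynamic evaluation of identity, role, and the requesting device's posture. Resource names, roles, thresholds and device attributes are constructed for the example.

```python
# Toy policy decision point modelled on the NIST SP 800-207 tenets quoted
# above. Names, roles and thresholds are constructed for this example.
from dataclasses import dataclass

@dataclass
class Subject:
    user: str
    mfa_verified: bool   # strong authentication required before any grant
    role: str

@dataclass
class Asset:
    device_id: str
    managed: bool              # enterprise-owned or enrolled device
    posture_checked_at: float  # time of last integrity/posture measurement
    patched: bool

POSTURE_MAX_AGE = 3600.0   # posture must have been measured within an hour
SESSION_TTL = 900.0        # each grant is per-session and expires (15 min)

# Every data source and service is a named resource with an allow-list of roles.
POLICY = {"payroll-db": {"finance"}, "wiki": {"finance", "eng"}}

def decide(subject, asset, resource, now, from_corp_net=False):
    """Return (allowed, reason). from_corp_net is deliberately ignored:
    being on the corporate network earns no trust on its own."""
    if resource not in POLICY:
        return False, "unknown resource"
    if not subject.mfa_verified:
        return False, "authentication not strong enough"
    if subject.role not in POLICY[resource]:
        return False, "role not authorized"
    if not asset.managed or not asset.patched:
        return False, "device posture failed"
    if now - asset.posture_checked_at > POSTURE_MAX_AGE:
        return False, "device posture stale"
    return True, "granted"

def open_session(subject, asset, resource, now):
    """Grant is per-session: re-evaluated on every request, never permanent."""
    ok, _reason = decide(subject, asset, resource, now)
    if not ok:
        return None
    return {"user": subject.user, "resource": resource,
            "expires": now + SESSION_TTL}

def session_valid(session, now):
    return session is not None and now < session["expires"]
```

A real enforcement point would also feed the denial reasons and posture measurements back into monitoring, which is the last tenet in the list above.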
To help jump start the zero trust transition, each system within the enterprise can be decomposed to the system component (i.e., system element) level, providing an opportunity to build new security domains component by component and introducing zero trust concepts and supporting technologies into a redesigned security architecture. This approach facilitates a strategic design and tactical implementation which allows for prioritization, allocation of resources, experimentation, and an incremental increase in trust or assurance. Having an overarching zero-trust view of the systems within the enterprise architecture and employing a “plug-and-play” strategy for all components in the "system stack" can provide a reasonable path toward modernization—demonstrating small successes and building a strong security foundation based on systems engineering and core security design principles at the heart of the multidimensional protection strategy.
Conclusion
It is important that organizations adopt a systems security engineering mindset and design robust security architectures to stop breaches whenever possible, detect adversaries when they “cross the wire” and are moving inside of your perimeter defenses, limit the damage the adversaries are able to inflict, and ensure your systems have sufficient resilience so they don't collapse at critical times. You can’t change the bureaucracy but you can reengineer your systems. Let’s get started.
[1] R. Ross, “The Adversaries Live in the Cracks”
[2] R. Ross, “Rethinking Our View of System Security”
[3] R. Ross, “The Mysterious Disappearance of Systems Security Engineering”
[4] R. Ross, “Defending Systems from the Inside Out”
[5] R. Ross, “Defending Enterprise Systems from the Inside Out: A Multidimensional Cyber Protection Strategy for the 21st Century”
A special note of thanks to Mark Winstead, Tony Cole, Victoria Pillitteri, Greg Touhill, and Keyaan Williams, long-time cybersecurity and SSE colleagues, who graciously reviewed and provided sage advice for this article.
For products and systems, security is a matter of engineering, not compliance
4 months: Still holds up remapping to the revision. As it should, as in the work that was adapted to form the new Revision's version, we (Michael McEvilley, Daryl Hild, and myself) used the original volume 1 as well as the original volume 2 + a wealth of other historically vetted sources. Ron had a hand in adapting by adjusting the work for the context and audience for the revision.
This is excellent, Ron. I really enjoy how you emphasize the value of zero trust. Thanks for sharing your insights.
CEO, WhoisXML API, Domain & IP Intelligence for enhanced Enterprise Cyber Security
3 years: "Adversaries don’t care about laws, executive orders, directives, or regulations. All they care about is your system" >> very true, and interesting ideas on defense-in-depth.
CISSP, C|EH, CSSLP, Principal Software Engineer Raytheon, Adjunct Professor UMBC
3 years: Very informative. Thank you!
Your Catalyst for Tech & Security Innovation | Transforming SMB Realities with Agile Strategies & Robust Technology | Cyber Risk = Business Risk
3 years: Thank you Ron for an excellent article. Sun Tzu teaches us the first step to winning a war is proper planning and preparation. Bureaucracy does not lead to good planning and even less preparation.