The Mysterious Disappearance of Systems Security Engineering
A National Blindspot with Potential Adverse Consequences
I recently downloaded a copy of the Aspen Cybersecurity Group Report and read all of the content with great anticipation. Much to my surprise, I noticed a conspicuous absence of references to systems security engineering as part of the report’s recommendations. This prompted me to go back and look at variety of previous reports and grand strategies from cybersecurity commissions, advisory committees, and Blue-Ribbon panels. A couple of the more notable ones I reviewed included the Cyberspace Solarium Commission Report and the NSTAC Report to the President on a Cybersecurity Moonshot. Once again, references to systems security engineering are totally absent from these reports as well. The foundational engineering principles, concepts, and processes that form the bedrock for trustworthy, secure, and resilient systems are nowhere to be found in the recommendations. I started thinking about why these omissions are important and whether it is possible that we have a national “blind spot” in our attempts to safeguard the systems that are critical to protecting our economic and national security interests. Here are a few observations that will hopefully add to the national conversation on this important topic.
The Stakeholders
There are many stakeholder perspectives when addressing the topic of system security. These include the “developers” who build the systems, the “consumers” who acquire and use the systems, the “sustainers” who operate and maintain the systems, and the “regulators” who enforce the policies and requirements for the systems. Each of these stakeholders has specific needs, equities, and priorities; solving complex security problems requires an understanding and appreciation of the various stakeholder perspectives and approaches. Let's take a closer look at a few of these stakeholders.
Tactical and Reactive Security from Consumers and Regulators
Consumers and regulators spend a significant amount of time, effort, and resources on cybersecurity compliance (a.k.a., cyber hygiene). This is largely a “tactical” approach to the problem and addresses security from the perspective of ensuring the confidentiality, integrity, and availability of information processed, stored, and transmitted by organizational systems. It typically involves continuous monitoring of an ever-expanding universe of cyber threats and vulnerabilities, implementing ever-increasing numbers of software patches, and managing a mountain of security incident and event information that can overwhelm the most capable organizations. The security toolbox in this realm includes a variety of frameworks, controls, and assessment procedures to demonstrate compliance and manage cybersecurity risk. This view of cybersecurity is long standing, has provided significant value historically, and is an important component in a well-rounded protection strategy for organizations. However, while necessary, a cybersecurity compliance and risk management approach—largely “reactive” in nature—is not sufficient for the types of protections we need for the systems and system components that are part of the United States critical infrastructure—systems that are ongoing targets of sophisticated adversaries and the advanced persistent threat.
Strategic and Proactive Security from Developers
In contrast to consumers and regulators, many system developers employ a “strategic” and “proactive” approach to security—viewing security as a “system property” and achieving system security through the application of rigorous security design principles, development models, security architectures, and disciplined and structured systems engineering processes. Systems engineers must address complex cyber-physical systems that collectively include trillions of lines of code, billions of devices, and ubiquitous connectivity across ever-expanding networks. These systems could include weapons systems supporting the Defense Department, industrial control systems supporting the manufacturing, transportation, or energy sectors, or medical technology supporting the healthcare sector.
Working in the world of systems engineers and addressing security issues requires a totally different mindset. Systems are designed to provide specific capabilities for stakeholders to be able to conduct organizational missions and business functions. Such systems must be engineered to protect all the assets that stakeholders value. The needs, equities, and priorities to achieve security as a fundamental property of the system must be based on sound engineering principles akin to how systems engineering addresses safety considerations.
Engineering involves making informed trades and decisions—which demand the application of rigorous systems analysis methods based on the cyber-physical characteristics of systems, not the nature of the adversarial threat. Systems engineering is about proactive, assured control of the intended behaviors and outcomes of system functions. Achieving security is an intentional by-product of the systems engineering process and not something that can be treated as an afterthought and therefore, either “added in” or “bolted on.” These systems engineering concepts are codified in NIST Special Publication 800-160, Volume 1.
Why It Matters
The danger for organizations focusing primarily on security compliance—and failing to recognize the importance of systems engineering—is an assumption that everything in the underlying system is built to “appropriate” engineering standards or best practices. If that assumption turns out to be false, then the organization’s security efforts centered around compliance and risk management are constructed on a weak and flawed foundation. Best case, this can give organizations a false sense of security. Worst case, it can result in a system failure—either from a successful cyber-attack or from weaknesses in a poorly engineered system—resulting in potentially severe or catastrophic adverse impacts for organizations and the nation.
Conclusion
So, what is the bottom line from these observations? The systems engineering view of security is rather invisible in many of the strategic reports on cybersecurity and cyber resiliency—a potentially serious “blind spot” in our long-term, strategic national planning efforts. It is important that we have confidence in the systems we acquire and use—including the engineering processes, development models, and approaches used to build those systems. A renewed focus on systems and security engineering as central components in any future recommendations in these types of reports will go a long way toward helping to ensure our cybersecurity compliance and risk management expectations are aligned with the engineering activities forming the basis of secure systems. And, at the end of the day, every “moonshot” including a “cyber moonshot” requires sound engineering.
A special note of thanks to Mark Winstead, Michael McEvilley, Keyaan Williams, and Tony Cole, long-time cybersecurity and SSE colleagues, who graciously reviewed and provided sage advice for this article.
Adjunct Professor of Cybersecurity at Collin College
1 年Ron: Perhaps one of the missing parts is that many look at cybersecurity and view from the vantage point of IT Security or enterprise cybersecurity. In my career I have seen a stark contrast from the world of system’s security engineering involved in DoD or Intelligence Community systems, not their infrastructure but the weapon systems or other systems used in operations or intelligence production. The world of IT Security or Enterprise Cybersecurity is not the world of systems security engineering much less systems engineering. Again, this is my perspective working over the years in those communities. Moreover, IT security is a subset of Cybersecurity. Truth be told I’m an old dinosaur that clings to the world of information security. So, where do we stand! Perhaps it’s a matter of point of view, or could it be that there are two at least two distinct worlds of Cybersecurity, the one of securing the enterprise and the other of developing specialized systems supporting different communities, such as the DoD, Intel and others. Again this is just a view shaped over many years in both communities. Again
Cybersecurity Executive / Board Advisor / Fractional CTO
1 年Excellent article.? Very accurate content, very valuable advice.
Curious about systems' interconnectedness, emergence, and impact
1 年Beautifully articulated Ron Ross ,?We live in a world where first-to-market engineering pressures take higher precedence; hence application of "system view of security" is short-sighted to just defending against threats rather than working to support the assurance of business functions/values those same threats would seek to target continuously. Thanks to Patrick Simon for articulating the ground reality with Product engineering vs systems engineering. Like Mark W. mentioned on the other article, the ambiguous definition of Cyber?is the crux of the problem. Because the actual value of Cyber in assuring the business value to the customer is lost in the proliferated market for reactive threat hunting-based conversations/technologies.? #systemsengineering #securebydesign #cyberresiliency #securityengineering
CTO and Co-Founder at SSEng Group Inc. and president of PGD Enterprise Inc.
3 年As security consultant primarily to the defence industry in Canada I agree with your point of the absence of Systems Security Engineering (SSE) and the proactive integration of security within the systems engineering (SE) processes. I also agree it is a reluctance to move away from a compliance 'bolt on' approach to a proactive integration throughout approach. I see this equally a failure of knowledge and competency in primarily SE and certainly SSE. In one of our largest programs it has been staggering to see the lack of "systems" think and the dearth of knowledgeable and experienced Systems Engineers and critical SE insight even though 160 seamlessly aligns to 15288:2015. What is more surprising is the entrenchment into "solution ing" rather than SE. A huge population of persons unwilling to follow the standards. Hopefully a determination of fundamental SE and SSE knowledge and experience will help as we have found that is the critical element to gaining acceptance to standards based development. Trying to move persons, both acquirer and supplier, into standards based contracting is proving to be hard due to the entrenched ignorance of standards for SE and SSE - this despite the DND Defence policy Initiative #87 - "Protect critical military networks and equipment from cyber attack by establishing a new Cyber Mission Assurance Program that will incorporate cyber security requirements into the procurement process." Using modern standards, particularly NIST SP 800-160 vol 1, it should be easy to create a program to risk manage the integration of cybersecurity from Need/requirements generation, Architectures, Designs and to then manage the product realization, systems integration with a systems and cybersecurity risk framework to give progressive management for the cost effective and efficient integration of adequate security to achieve operationally manageable cyber mission assurance and resilience throughout the platforms lifecycle.