Observations from a Workshop
This last week was the 14th CRWS Workshop - CRWS historically meaning Cyber Resilient Weapon Systems but as it has evolved that is no longer accurate. Several other gov't bodies and their supporting Federally Funded Research and Development Centers (FFRDC) and other contractors are involved. In fact, National Aeronautics and Space Administration (NASA) had a large control of the program this time. Expect the 15th to be renamed.
While this was something MITRE hosted and did a lot of leg work for on behalf of a sponsor: Unless otherwise stated, all views expressed are mine and don’t necessarily reflect those of my employer or MITRE sponsors.
Coming off the week, three quick observations - many reinforcing past articles
Behavior
It is about the behaviors - what is the system intended to do and the behaviors to do and in doing that.
Security, resilience, survivability, safety, etc - you can talk in theory about them but the bottom line is the behaviors you expect to accomplish a purpose or mission and the behaviors you expect in accomplishing (do no harm to users, etc.).
Thanks to William "Dollar" Young for bringing that up early in the workshop and pounding on it.
Missions
Not "mission" but "missions".
I think this may have been strictly from some sidebars I had.
领英推荐
A system has a purpose, a role, in a mission. But most systems it is really about multiple missions - in national defense, a naval aircraft carrier and its crew will have multiple missions over the life time. Sacrificing the carrier and/or too many of its crew for a single mission is detrimental to future missions and an overall mission
And there is consideration for others' missions a system needs to respect. A system's actions may compromise others missions, or a system may rely on sensitive resources from a partner that if compromised may not harm the immediate mission the system is within but may harm the partner's missions.
The Buck has to stop with Systems Engineering
A 2013 INCOSE Insight had a theme talking to the security buck stops with systems engineering. I've written in this newsletter on related topics. This week reinforced it.
But the nature and culture evolved - things "cyber" tend to be with "helicopter SMEs" - they hover, land briefly, and move on (note - generality here - yes all kinds of exceptions).
By its nature, things "systems engineering" tend to hang around. They are tied to not only the system, but usually the mission - they have months if not years knowing not just the system and what can cause loss of purpose (its fragilities) and mission, but knowing what matters to stakeholders through their engagements. Delegating security is to be derelict in duties.
Thoughts, reactions, comments?
Thinking systems, designing systems
1 个月Aren't the "Behavior" and "Missions" intrinsically linked? As for missionS, I fully support that. Furthermore, it illustrates that a system may be used in different missions than originally intended, and this would require re-evaluation/design of security aspects. Context is king.
Value creation = f(People, Training, Process, Tool, Data). I think in systems and future effects, applying competencies @ INCOSE & Cummins Inc.
1 个月Mark W. I wonder if the IT ‘Product-centric’ concept where year over year persistence in teams is sustained (versus funding projects and completing them ) aligns well with supporting missions in your context here especially as threats, technologies, and other systems vary over time… my guess is yes.
Defending high value targets against disruptive cyber attacks - SABSA TOGAF CEH GCED GRTP ISO27k ISO22k EnCase CISM CGEIT Lean MoR
1 个月Would you agree that the right steps of the Risk Management Framework (RMF) to know the expected behaviors of a system are at least two: 1) categorize asset, by knowing the inherent impact the asset can cause if used or misused (loss magnitude and depth) 2) tailor controls, right after a threat model for the system is done and a list of proposed controls are to be applied.
Cybersecurity Manager | Information System Security Engineer | Systems Engineering
1 个月Thanks for the post, Now I will have to go look for the guide , I am so busy with RMF , is that the latest version and where can I download it?
CISSP, INCOSE CSEP, PMI-ACP, Senior Systems Engineer at NATO Airborne Early Warning & Control Force - E-3A Component
1 个月DoD Engineering Guide (v2.0 / October 2023) talks about "Mission measures and metrics" - as they are the means to assess the end-state or goals of a given mission. It elaborates the well-known MOS/MOE/MOP based approach in there.. A question would be, how best to model "loss" (wrt systems security) within that "measurement" perspective that's mentioned in that document.