Rethinking Our View of System Security
The Urgent Need for More Cyber Linebackers
We have the best cyberdefenders in the world. So let’s give them a world-class “cyber defense” to match. As we watch the latest fallout from the recent SolarWinds attack with Team USA up against Team Nation-State, it occurred to me that we may need to modify our defensive strategy a bit, and more important, give Team USA a full defensive unit for a change. In previous articles [1] [2], I discussed the importance of systems security engineering and how the adversaries use subversion to penetrate our best defenses and roam freely inside our systems and networks. They are successful because they are smart, patient, play the long game, and often understand our systems better than we do. Our defenses are focused mostly on cyber-hygiene activities that include the implementation of the technical safeguards available in commercial products and the employment of management and operational safeguards by the enterprise. Enterprises also scan and monitor their systems in an attempt to detect anomalous events and respond accordingly. These types of activities can be characterized as “above the waterline” efforts—that is, safeguarding measures that consumers can control. Let’s call these defenders our “defensive front line.” This part of our defense, in most cases, works pretty well. But…
Houston, We Have a Problem
Well, Houston, we actually have two problems. The first problem is that we are employing a one-dimensional protection strategy that relies on cyber-hygiene but fails to adequately address the security architecture and design issues “below the waterline” where the hardware, firmware, and software components come together to provide a system capability. It’s really a physics problem. Our systems are overly complex, and that one-dimensional protection strategy makes it very difficult to manage and reduce such complexity. System complexity equates to “attack surface,” or the parts of our systems that we expose to the adversary. Complexity has additional issues—when operators cannot understand the system, they fail to be a part of the warning system when things go awry. Complexity also makes analyzing systems for vulnerabilities, trustworthiness, and assurance more difficult—whether for security or other purposes. Moreover, for systems we have an opportunity to evolve over time, complexity makes evolving those systems for stronger security—or even maintaining the current state—harder. Relying solely on a “stop ‘em at the system boundary” strategy does not help organizations limit the damage adversaries can do when the inevitable breach occurs—and even more important, ensure their systems are resilient. The absence of a systems security engineering approach in consumer and development organizations is like running a defense in football without linebackers and safeties. Once the adversaries get through your front line, it’s game over.
The second problem is that the traditional definition of a “system” is no longer operative or relevant—and that affects our current cybersecurity approach of “perimeter defense.” The world has evolved into a complex assemblage of interconnected systems with hundreds and thousands of hardware, software, and firmware components (a.k.a. system elements) and a multitiered supply chain that provides a never-ending source of new products, services, and technologies. Today’s concerns regarding losses from cyber-attacks on systems include four basic asset classes—system capability, human and material, technology (US technical advantages), and data and information [3]. And the reality is that, in many cases, the system is wherever your data is processed or stored. Our future success in the cyber defense realm may depend on rethinking this traditional view of a system and expanding that view to an “eco-system” or “systems-of-systems” perspective with a multidimensional protection strategy. This is where a systems security engineering perspective is critical to bringing a “strategic” versus a “tactical” view of system protection.
It's Time to Bring in the Security Engineers
The engineering view of a system is both broad and narrow. Systems security engineers can work with mission and business owners to ensure the system is “securable” from day zero or “secure by design.” They look at the needs of the enterprise, the system components required to achieve the mission and business objectives, how the system components will interact with each other, how information will flow through the system, system extensibility, integration and interoperability with other essential capabilities, dependencies on and interactions with external systems (including suppliers in the supply chain), and potential single points of failure. The systems security engineers go “below the waterline” to develop a security architecture for the “system-of-interest,” which has many component parts as shown in the graphic below from NIST Special Publication 800-160, Volume 1.
What's Under the Hood?
The parts in the “eco-system” include:
- System-of-interest or the “system” that is the focus of the systems engineering effort, designed to achieve one or more stated purposes (e.g., general and special-purpose information systems; financial, transportation, manufacturing, banking, healthcare, and merchandising transaction systems; industrial control systems; space systems; weapons systems; command, control, and communication systems; social networking systems; medical and IoT devices)
- System elements that make up the system-of-interest (e.g., hardware, software, firmware, data, facilities, materials, personnel, processes, and procedures)
- Enabling systems within the environment of operation that provide direct support to the system-of-interest (e.g., modeling, simulation, and design tools; test scenario generators and test harnesses; training system and tools; documentation; software and firmware compilers; hardware design tools, and fabrication and manufacturing systems)
- Other systems within the environment of operation that interact with the system-of-interest (e.g., a global positioning system space vehicle interacting with a GPS receiver system; network management systems; human resource systems; payroll systems)
- Enabling systems external to the enterprise that provide direct support to the system-of-interest (e.g., supplier systems, supply chain partner systems, contractor systems)
Locking Down the System and Early Detection
Working with all of the system stakeholders, systems security engineers employ the appropriate security design concepts and engineering practices to deliver a system that is both defensible and resilient. The engineering objectives are two-fold: (1) make a successful attack difficult, and (2) detect an attack when it is underway. If an attack is possible but difficult, the cost to the adversary increases—and sometimes dramatically. This may deter the adversary and when combined with the "damage limitation" component of a multi-dimensional protection strategy, reduce the adversary’s return on investment. Detecting an attack when it is underway rather than after the fact (i.e., post-forensics), enables a real-time organizational response. A real-time detection capability may deter an attack—because for many adversaries, stealth is critical.
The Secret Sauce
During the systems engineering process, security engineers conduct extensive “systems analyses” to examine the effects of both known threats and threats that could emerge (i.e., the unexpected threats). The war gaming and “what if” scenarios allow the security engineers to “think like the adversaries” and secure the functions of the system—making security, like safety, an inherent property of the system. The security engineers are working “below the waterline” to minimize the attack surface, eliminate the dependency on the trust of one system element to serve another element (i.e., employ zero trust concepts), limit system functionality to only essential functions (i.e., implement the concept of least functionality), minimize privileges for system users and administrators (i.e., employ the concept of least privilege), and ensure logical and physical component isolation.
To return to the football analogy, the security engineers are like the linebackers and defensive safeties who “back stop” the defensive front line, providing a defense that can stop the runners when they break those initial tackles. The security engineers employ disciplined and structured engineering concepts and processes to help stop attacks, limit the damage of those attacks when they occur, and ensure the system is sufficiently secure to carry out its essential missions and business operations—making the system “resilient.”
Security Engineering—Good for Me, Good for You, Good for Everyone
Employing state-of-the-art practices in systems security engineering is important in every part of the eco-system. This includes enterprises that are conducting day-to-day business and suppliers in the supply chain who are providing key components for the systems supporting those businesses. Protection of commercial product development processes in the supply chain and trusted distribution are every bit as important as protecting the systems on the front lines supporting mission essential operations. Adversaries look for weaknesses in the eco-system and ways to target and scale their attacks to receive the maximum return on their investment.
It is important that systems are designed securely from day zero to meet mission and business needs, so adversaries don't go around your designed infrastructure and introduce additional risk. That said, maybe it’s time to rethink our defensive cybersecurity strategy and bring in some linebackers and defensive backs to help strengthen our front line defenders. Good defenses can stop the running game. Very good defenses can stop the running game and the passing game. Championship defenses can stop the running game, the passing game, and the unexpected plays that the other team may throw at them. What does your defense look like?
[1] Ross, R., "The Mysterious Disappearance of Systems Security Engineering."
[2] Ross, R., "The Adversaries Live in the Cracks."
[3] McEvilley, M., MITRE Public Release Case 20-2768, Defense Industrial Association 23rd Annual Systems and Mission Engineering Conference, "Design Principles for Weapon Systems Engineering," November 10-13, 2020.
A special note of thanks to Mark Winstead, Keyaan Williams, Victoria Pillitteri, Tony Cole, Michael McEvilley, and Greg Touhill, long-time cybersecurity and SSE colleagues, who graciously reviewed and provided sage advice for this article.
Thank you & so important: “Relying solely on a “stop ‘em at the system boundary” strategy does not help organizations limit the damage adversaries can do when the inevitable breach occurs—and even more important, ensure their systems are resilient”?? As Ron Ross well notes, cyber hygiene is just a foundation. Our rapidly evolving world of disaggregated & ephemeral environments means that security needs to follow the workload and be deep, fast and fully automatic. Kudos to NIST for working toward this in latest 800-53 controls.
API Security = data security in transit and modern AppSec
Thanks for the thoughtful share Ron! This read reinforces our thesis as a company and the paradigm we are trying to perpetuate in engineering / Security. You can't protect what you don't understand or see and these highly distributed, modern apps are not trivial to map and understand. Also, I come from the world of proper futbol and so I think the position of "stopper" substitutes in nicely here (although the football analogy is more crisp and apt). ;) Happy (almost) new year!
I still commonly see fundamentally bad security architecture practices. I think I'll compile them and make them fit my next article.
Experienced Board Leader | Senior Executive | Cybersecurity & Technology Leader | Professor | Practitioner | Author | Speaker
Ron Ross, well done (again!). Thanks for showcasing the essential and, perhaps, existential, need to rethink our view of security. The status quo is not delivering results that are effective, efficient, and secure. As always, thank you for your thoughtful and insightful recommendations for a better future ahead.
Product Cybersecurity Expert | Engineering | Speaking | Leadership | Mentoring | Safety-critical Cyber-physical Systems
People are spending so much time chasing after money and the high that comes from moving fast and breaking things that they ignore the security / safety implications. The chickens always come home to roost.