Systems Security Rules of Engagement

Taking something from my book draft I expect to publish sometime in 2024. Changing to fit to this format and I'll also likely change the draft so in 2024 you can check how close this ends up to the book

Unless otherwise stated, all views expressed are mine and don’t necessarily reflect those of my employer or MITRE sponsors.

A principal tenet of military rules of engagement is that of graduated response. If force is necessary, it is applied as a last resort, gradually in relation to the extent of demonstrated aggression, and with only necessary force to accomplish the mission when used. [MW1]?

In designing a system for security, the opposite is needed – an ungraduated response to the potential for loss, or hazards. Borrowing from military language, the first course of action is to “kill” – eliminate the hazard. For example, rather than permit e-mail on a laptop used for maintenance and risk a phishing attack that plants malware, design maintenance systems to not require e-mail on the laptops directly interacting with operational systems.???

The second course of action is “apprehend and restrain” – control or reduce the possibility. Finally, the third course of action: If it does occur, limit the loss.

The ungraduated response approach is a practice in systems safety engineering referred to as the hierarchy of preferences for safety interventions (Saleh, Marais, & Favaro - System Safety Principles: A multidisciplinary perspective). The figure below shows the Saleh, et al hierarchy . The U.S. Department of Defense’s Standard Practice System Safety MIL-STD-882E can be seen as deriving a design order of precedence from the hierarchy[1], which has been adapted for security (NIST SP 800-160 Vol 1 Rev 1).

SecDOP

The security design order of precedence (SecDOP) provides a prioritized approach to secure design. The approach seeks to reduce design-based susceptibility, vulnerability, and other hazards and effectively control susceptibility, vulnerability, and hazards that cannot be eliminated. SecDOP identifies options (including options to be executed in operations) and lists those options in order of decreasing effectiveness in a manner paralleling the hierarchy for security interventions.

Reflecting an ungraduated response mindset, the design order prefers the pre-emptive versus the reactive, as pre-emptive is generally more effective. Pre-emptive addresses actions taken to prevent and limit loss before the event could occur, including avoiding it, while the reactive addresses actions taken to limit loss and its effects once an event has occurred. Pre-emptive recognizes the conditions where loss may occur and addresses the scenarios before loss occurs, whether in engineering (preferred) or in building in capability to respond in operations to potential loss. If loss occurs, pre-emptive actions can limit the consequences and pre-emptive planning, such as the engineering of military ships with many watertight compartments that can be sealed off in operations after being hit. The defined actions in such cases are independent of any specific knowledge of attacks or attacker objectives and are focused simply on what is possible in the system’s life cycle.

The reactive recognizes that loss will sometimes occur despite any effort to prevent it. This is often due to new, unanticipated, and otherwise unforeseen adverse consequences that occur despite best due diligence. Engineering needs to plan the enabling informed operational decision making for the system in use and a loss or loss condition occurs, proactively giving operational organizations greater capability to response when loss or failure is imminent or occurs.

Realizing mechanisms can fail and can produce unintended emergence and side effects, the prioritization is to those architectural solutions not exhibiting behavior and enabling more confident evidence-producing analysis. For example, segmentation (partitioning such as a system to subsystems) other architectural features often support avoidance and limitation of exposures, defects, weaknesses, and flaws that may constitute a vulnerability, and those limiting the propagation of loss when it does occur, and also can enable better mediated access and system control.

Still, mechanisms are still necessary for functions such as enforcing constraints on system behaviors and outcomes. When rigorously engineered, these mechanisms can be effective so long as they function as intended.

From highest priority to lowest, SecDOP is:

1.?????Eliminate hazards and limit extent of loss through design alternative creation and selection.

2.?????Optimize the ability to avoid loss and limit loss’s extent through design alteration.

3.?????Incorporate engineered features and devices to control the hazards and to control the effect of loss that does occur.

4.?????Provide visibility and feedback to external entities.

5.?????Incorporate signage, procedures, training, and proper equipment.

SecDOP should be applied iteratively as system design matures and recursively as the system is decomposed into to lower levels of detail (e.g., subsystems, components, and elements).

Applying SecDOP also considers defense-in-depth (coordinated employment of multiple design features and mechanisms to handle hazards) when a hazard cannot be eliminated.

Closing

Thoughts, comments?

With the summer coming, writing a book, and needing to prepare a tutorial for INCOSE International Symposium (#INCOSEIS) in July, I may slow this posts down to 3 times per month or every other week. Of course, I can share draft excepts from the book as well so maybe I can keep it up.

If you are going to #INCOSE IS, the tutorial is on Sunday, July 16th. Skip the beach, you don't need the sunburn (though I may spend time there on Saturday so may come in a bit pink if I'm not careful).

[1] Author’s note: I do not know if this is the origin of the safety design order of precedence, but it might be.?

?[MW1] Chairman of the Joint Chiefs of Staff Instruction (CJCSI) 3121.01B. (2005). Standing rules of engagement/standing rules for the use of force for U.S. forces.