Systems Security Engineering: An Updated Paradigm
INCOSE Enchantment Chapter
November 8, 2006
John W. Wirsbinski

Today’s Experiment

The purpose of the model is not to fit the data, but to sharpen the questions.

Outline

• What is Systems Security Engineering (SSE)

• The Dilemma

• Relationship with Systems Engineering

• Future Planning

The Defenders’ Dilemma…

[Figure: Threats, Resources and Assets pulling against each other; protection measures (Guns, Guards, Gates & Technologies) against Emergent Technologies and Emergent Design Basis Threats, including technologies]

…a complex, dynamic resource allocation problem

What is Security

• Security is defined as freedom from danger or risk
– Focus is on malevolent dangers
– Benefits for natural and accidental dangers are considered, but are not the primary focus

What is SSE

An element of system engineering that applies scientific and engineering principles to identify security vulnerabilities and minimize or contain risks associated with these vulnerabilities. It uses mathematical, physical, and related scientific disciplines, and the principles and methods of engineering design and analysis to specify, predict, and evaluate the vulnerability of the system to security threats. [1]

[1] Handbook for Systems Security Engineering Program Management Requirements, Department of Defense, Editor. 1995, Headquarters Air Force Systems Command, Office of the Chief of Security Police.

Systems Security Engineering Management

An element of program management that ensures system security tasks are completed. These tasks include developing security requirements and objectives; planning, organizing, identifying, and controlling the efforts that help achieve maximum security and survivability of the system during its life cycle; and interfacing with other program elements to make sure security functions are effectively integrated into the total system engineering effort. [2]

[2] Handbook for Systems Security Engineering Program Management Requirements, Department of Defense, Editor. 1995, Headquarters Air Force Systems Command, Office of the Chief of Security Police.

Purpose of SSE?

• Provide a systems-engineered solution for asset protection investments

• Protect Assets
– Prevent Undesirable Events
– Prevent Undesirable Consequences
– Mitigate Undesirable Consequences
– Disaster Recovery

• Facilitate Operations

• Meet Regulatory Requirements

SSE Applications

• Apply SE to the security problem

• Apply SE to integrate protection measures into non-security projects

SSE Responsibilities

• Threat Assessment

• Consequence Assessment

• Vulnerability Assessment

• Systems Analysis and Design

• Bridge Between SE and Security Disciplines

Threat Assessment

• Two Types of Threat Assessment

• Threat Characterization

• Threat Quantification

Two Types of Threat Assessment

• Evaluation of a spanning set of threats relevant to an organization or asset

• Evaluation of one or more specific threats

Threat Characterization

• Real Threat

• Perceived Threat

• Management Threat
– Acceptable risk
– Acceptable cost
– Acceptable operational impact
– Examples
• Design Basis Threat
• Postulated Threat

Characterization Continued

• Capability
– Skills
– Equipment
– Knowledge
– Organizational skills

Characterization Continued

• Motivation
– Desired End State
• Tactical: mission objective
• Strategic: purpose of the mission
– Level of commitment
• Willing to die?
• Willing to kill?
– World view that supports committing the undesirable event
– Triggering events

Threat Quantification

• Likelihood

• Frequency

Vulnerability Assessment

• Characterize system vulnerabilities
– Components
– System
– Skills needed
– Equipment needed
– Knowledge needed

• Map vulnerabilities to the management threat

Consequence Assessment

• Asset definition

• Definition of the undesirable events

• Consequence definition

• Consequence rating/ranking
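The threat characterization (capability: skills, equipment, knowledge), the vulnerability characterization (skills, equipment and knowledge needed), the mapping of vulnerabilities to the management threat, and the consequence rating can be tied together in one small model. The following is an added example written for this page; it is not code from the presentation or from any SSE handbook. The data classes, the "capability covers every need" rule for exploitability, the likelihood-times-consequence score, and all sample threats, vulnerabilities and ratings are constructed assumptions for illustration.

```python
from dataclasses import dataclass

# Constructed data model (assumption): a threat is characterized by the capability it
# brings (skills, equipment, knowledge) and quantified by a likelihood of an attempt.
@dataclass(frozen=True)
class Threat:
    name: str
    skills: frozenset
    equipment: frozenset
    knowledge: frozenset
    likelihood: float  # assumed annual likelihood of an attempt (threat quantification)

# A vulnerability is characterized by the component it lives in, the capability an
# adversary needs to exploit it, and the undesirable event it enables.
@dataclass(frozen=True)
class Vulnerability:
    name: str
    component: str
    skills_needed: frozenset
    equipment_needed: frozenset
    knowledge_needed: frozenset
    undesirable_event: str

# Consequence definition and rating: constructed scale, 1 = minor .. 5 = severe.
CONSEQUENCE_RATING = {
    "unauthorized entry": 2,
    "theft of material": 4,
    "sabotage of process": 5,
}


def can_exploit(threat: Threat, vuln: Vulnerability) -> bool:
    """Assumed rule: a threat can exploit a vulnerability only if its capability
    covers every skill, piece of equipment and item of knowledge the vulnerability needs."""
    return (vuln.skills_needed <= threat.skills
            and vuln.equipment_needed <= threat.equipment
            and vuln.knowledge_needed <= threat.knowledge)


def map_to_threat(threat: Threat, vulns):
    """Map vulnerabilities to a (management) threat: keep the ones it can exploit."""
    return [v for v in vulns if can_exploit(threat, v)]


def rank_risks(threat: Threat, vulns):
    """Rank the in-scope vulnerabilities by likelihood x consequence, highest first."""
    scored = [(v.name, round(threat.likelihood * CONSEQUENCE_RATING[v.undesirable_event], 3))
              for v in map_to_threat(threat, vulns)]
    return sorted(scored, key=lambda item: item[1], reverse=True)


def accepted_by_management(real_threat: Threat, management_threat: Threat, vulns):
    """Vulnerabilities the real (or perceived) threat could exploit that fall outside the
    management threat, e.g. the design basis threat: the residual that management has
    implicitly accepted by choosing that threat definition."""
    in_real = set(map_to_threat(real_threat, vulns))
    in_mgmt = set(map_to_threat(management_threat, vulns))
    return sorted(v.name for v in in_real - in_mgmt)


# Constructed sample data: a design basis threat chosen by management and a richer
# "real threat" estimate that also brings control-protocol knowledge.
DBT = Threat("design basis threat",
             frozenset({"lock defeat", "network intrusion"}),
             frozenset({"hand tools", "laptop"}),
             frozenset({"site layout"}),
             0.1)
REAL = Threat("real threat (intelligence estimate)",
              frozenset({"lock defeat", "network intrusion", "insider collusion"}),
              frozenset({"hand tools", "laptop"}),
              frozenset({"site layout", "control protocol"}),
              0.05)

VULNS = [
    Vulnerability("V1", "perimeter door", frozenset({"lock defeat"}), frozenset({"hand tools"}),
                  frozenset({"site layout"}), "unauthorized entry"),
    Vulnerability("V2", "storage vault", frozenset({"lock defeat"}), frozenset({"hand tools"}),
                  frozenset({"site layout"}), "theft of material"),
    Vulnerability("V3", "process controller", frozenset({"network intrusion"}), frozenset({"laptop"}),
                  frozenset({"control protocol"}), "sabotage of process"),
]

if __name__ == "__main__":
    print("ranked against DBT:", rank_risks(DBT, VULNS))
    print("outside DBT but within real threat:", accepted_by_management(REAL, DBT, VULNS))
```

Running it ranks V2 (theft) above V1 (entry) for the design basis threat and reports V3 as exploitable by the real threat but not by the design basis threat: that gap is exactly the "acceptable risk" decision embedded in the management threat, and making it explicit is what the mapping step is for.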

System Analysis & Design

Traditional Methods
• Blast Effects
• Performance Testing
– Systems
– Subsystem
– Component
• Red Teams
• Balance
• Defense in Depth
• Fault Trees

New Methods
• Complexity Theory
• Agile Security
• Network Theory
• Risk Management
• Soft Systems Methodology

The Bridge

[Figure: SSE as the bridge between the Enterprise (including Systems Engineering) and Security Engineering]

Security Disciplines

• PhysSec
• COMPUSEC / Information Systems Security
• COMSEC
• INFOSEC
• OPSEC
• ProdSec
• KeySEC
• TSCM
• Counter-intelligence
• Psyops
• Insider Protection
• Anti-terrorism
• Counter-terrorism
• Business Continuity and Disaster Recovery

PhysSec

• Intrusion Detection

• Contraband Detection

• AC&D

• Access Delay

• Access Control

• Response

• Investigations

COMPUSEC / Information Systems Security

• Cryptography

• Access Control

• Application Security

• Information Security and Risk Management

• Legal, Regulations, Compliance and Investigations

• Security Architecture and Design

• Telecommunications and Network Security

• System Administration

• Audit and Monitoring

• Data Communications

• Malicious Code / Malware

Path Forward

• The Goal: SSE Working Group

• Possible Starting Points
– MIL-HDBK-1785
– This Presentation

• Next Steps
– Identify Volunteers
– January 2007, INCOSE IW

The difference between 'involvement' and 'commitment' is like an eggs-and-ham breakfast: the chicken was 'involved' but the pig was 'committed'.

Questions / Discussion