Environ Syst Decis (2015) 35:291–300 DOI 10.1007/s10669-015-9540-y
Systems engineering framework for cyber physical security and resilience
Daniel DiMase • Zachary A. Collier • Kenneth Heffner • Igor Linkov
Published online: 8 February 2015 © Springer Science+Business Media New York (outside the USA) 2015
Abstract As our infrastructure, economy, and national defense increasingly rely upon cyberspace and information technology, the security of the systems that support these functions becomes more critical. Recent proclamations from the White House, Department of Defense, and elsewhere have called for increased resilience in our cyber capabilities. The growth of cyber threats extends well beyond the traditional areas of security managed by Information Technology software. The new cyber threats are introduced through vulnerabilities in infrastructures and industries supporting IT capital and operations. These vulnerabilities drive establishment of the area of cyber physical systems security. Cyber physical systems security integrates security into a wide range of interdependent computing systems and adjacent systems architectures. However, the concept of cyber physical system security is poorly understood, and the approach to manage vulnerabilities is fragmented. As cyber physical systems security is better understood, it will require a risk management framework that includes an integrated approach across physical, information, cognitive, and social domains to ensure resilience. The expanse of the threat environment will require a systems engineering approach to ensure wider, collaborative resiliency. Approaching cyber physical system security through the lens of resilience will enable the application of both integrated and targeted security measures and policies that ensure the continued functionality of critical services provided by our cyber infrastructure.

Keywords Information security · Product life cycle management · Risk analysis · Systems engineering · System-level design

D. DiMase · K. Heffner: Honeywell Aerospace, Phoenix, AZ, USA
Z. A. Collier · I. Linkov (corresponding author): US Army Engineer Research and Development Center, Vicksburg, MS, USA; e-mail: [email protected]
1 Introduction

Cyber security risks are prevalent in today’s information age, and new cyber incidents appear regularly in the news. In fact, many people may have been directly affected by cyber incidents. Most notably, as much as one-third of the population of the United States was impacted by the recent cyber attack on the retail store Target (Wallace 2014). In this situation, hackers attacked the system with credentials stolen from a Target vendor (Finkle 2014). The type of attack that impacted Target and its consumers is but one example of the numerous methods by which cyber attacks may be carried out. While the mega-breaches, like Target, grab the national headlines, smaller breaches are still costly, averaging $5.4 million in 2012, and the average cost of data theft in the United States in 2012 was $188 per customer account (Ponemon Institute 2013). There has been a significant increase in attacks on cyber physical systems (CPS) as evidenced through public information. The average American company fielded a total of 16,856 attacks in 2013 (Grossman 2014). Industry data breaches and cyber attacks increased in 2014 by 23.9 % compared with 2013, to 761 reported breaches exposing 83,176,279 records (Identity Theft Resource Center 2015). McAfee (2014) estimates that the annual cost to the global economy from cybercrime is more than $400 billion and could be as much as $575 billion. In the United States alone, the report
indicates a 0.64 % impact on 2013 GDP, equating to $108B. The study of how employment varies with export growth suggests that the losses from cybercrime could cost as many as 200,000 American jobs, roughly a third of 1 % decrease in employment for the US (McAfee 2014). For the Target breach, analysts are forecasting $1 billion in losses; since the breach was discovered, the company has incurred $88 million in breach-related expenses, according to its filings (Perlroth and Harris 2014). The 2014 attack on Sony created tension among nation states and resulted in the United States imposing economic sanctions on North Korea. The scale of the attack is egregious because of the amount of personally identifiable information stolen per victim: payroll, bank account numbers, social security numbers, confidential emails and communications, and medical history for over 47,000 individuals (Identity Theft Resource Center 2015). The consequences of the information leaked in this attack are ongoing. Cyber warfare from North Korea highlights how a technologically limited nation state can strategically use hacking against a technology-rich nation through identified vulnerabilities. These cyber attacks are costly to consumers as well as to the nation. More importantly, our nation’s critical infrastructure depends on information technology and communication systems, as well as on the supply chains that support them (Lambert et al. 2013). Consider the importance of the power grid in providing electricity for our nation. Almost all critical infrastructure supporting modern life depends on the power grid, yet it is disturbingly vulnerable. A study published by West Point’s Network Science Center discusses how hackers can cause blackouts by targeting a handful of small substations that are often overlooked and poorly defended; the result can be a cascading failure affecting millions of customers (Shakarian et al. 2014). Ezell et al. (2001) used event trees and fault trees to quantify the risks to water utilities, another vulnerable critical infrastructure asset. Not only are cyber attacks costly, but attackers are also notoriously adaptive: they learn the defenses and concept of operations of the host system and, more importantly, the adjacent systems whose weaknesses expose the host system and its Information Technology (IT) security. The dispersed attack vectors and the patience that characterize effective cyber crime and espionage render traditional IT security insufficient and ineffective. These security concerns have prompted attention from the government, leading to calls for enhanced cyber security such as Executive Order 13636, ‘‘Improving Critical Infrastructure Cybersecurity’’ (EO 13636 2013). This Executive Order mandates the development of risk-based standards for identifying and protecting critical infrastructure assets from cyber risks. The 2012 National Defense
Authorization Act (NDAA) similarly calls for a ‘‘risk-based approach’’ to secure the electronics hardware supply chain from counterfeit parts (NDAA 2011). Counterfeit parts also pose a significant security risk (Collier et al. 2014a; Sood et al. 2011; Pecht and Tiku 2006). The common thread among these calls for enhanced security is that they are driven by risk. The traditional approach to risk assessment defines risk by a triplet: what can go wrong, how likely it is to happen, and what the consequences are if it happens (Kaplan and Garrick 1981). While this framework has been useful for many applications, it becomes difficult to apply to cyber risks (Collier et al. 2014b; Linkov et al. 2014a). Traditional risk assessment approaches tend to break down when it is difficult to clearly identify the threats, assess vulnerabilities, and quantify consequences (Cox Jr. 2008; Frick 2012). Cyber threats cannot be clearly identified and quantified through historical measures because of the rapidly changing threat environment. Moreover, cyber security risk management is extremely difficult to implement, since cyber systems exist within and between multiple physical, information, cognitive, and social domains (Linkov et al. 2013a, b) and depend on a number of areas of concern in these domains. Assessing cyber vulnerabilities can be daunting and depends on where one draws the boundaries. Cyber system vulnerabilities include software, hardware, firmware, adjacent systems in the network, the energy supplies that power it, the supply chains that provide materials to produce it, and the users who interface with it. Consequences affect both users and society. Economic sectors dependent upon the sustainment of these systems can be quite broad and tightly interconnected, increasing the likelihood of cascading impacts (Kelic et al. 2013; Rinaldi et al. 2001).
These deep uncertainties necessitate a holistic, systems engineering approach to cyber physical systems security (CPSS) (Karvetski and Lambert 2012). Cyber vulnerability grows with industrial advancements in systems network integration, high performance computing, and software. The threat is further exacerbated by rapid advances in the microelectronics manufacturing technology used by the computer, communications, and IT industries that do not incorporate cyber security measures. The host system is no longer vertically integrated by one organization and is reliant on the global supply chain. Organizations often experience complications when trying to control or maintain CPSS as they outsource procurement, manufacturing, services, and intellectual property and lose the associated visibility and control. At today’s fast pace, technological advances themselves become weapons in the cyber attacker’s arsenal because of the unintended vulnerabilities introduced when complex hardware, software, and firmware are integrated. It is therefore increasingly difficult to align an organization’s
internal risk assessment, risk management, and risk communication processes to meet the evolving threat landscape without a coordinated approach to business process modeling, priority setting, and decision making (Teng et al. 2012, 2013). Before risks can successfully be assessed and managed, it is necessary to clearly understand the cyber landscape. In particular, we propose to define the concept of CPSS through a systems engineering perspective and provide a framework for understanding the interconnections and relationships between the many necessary areas of concern, especially for critical infrastructure sectors. A construct is needed to address the risks and build resiliency into the electronic systems that drive our economy and support our way of life. To close the gap between the CPS security baseline assessment and the CPS systems engineering design process, a CPS security systems engineering perspective (SEP) is offered for consideration. In its final implementation, the proposed SEP approach should yield a CPSS that meets the operational system requirements of the User and the systems provider, including cyber security. These requirements include secure data flow, compliance with regulatory policies, and resiliency against cyber attacks.
2 Cyber physical systems security framework

2.1 Definitions and areas of concern

CPS used within critical infrastructure need a cyber security framework with common terms to assess risk and ensure resiliency (Ames et al. 2011). Systems engineering provides a process for designing the CPSS framework. The CPSS systems engineering framework uses a hierarchical approach from traditional systems engineering for capturing and designing in accordance with User requirements. The framework will also use a design scorecard approach to measure the CPSS residual risk (Patil et al. 2013). CPS are defined as electronics systems that operate as a single, self-contained device, or within an interconnected network providing shared operations. An added distinction of this CPS definition is a requirement affecting a tangible output through command and control electronics embedded in the device or distributed across network nodes (NERC 2009). Figure 1 illustrates a notional CPS network. Some industries provide guidance that parses the electronic perimeter of a CPS to cover the internal functional portion of the system (represented by the dashed line in Fig. 1) and allows other established standards to address external communications (NERC 2009). Industry guidance (e.g., NERC 2009) has flexibility for compressing the CPS electronics security barrier to a smaller collection of defined critical assets, or expanding coverage to external routers identified as critical assets. A CPS can be expected to communicate and conduct transactions with other electronics systems that include cloud resources, wireless systems, and other CPS. Each external CPS will need its own CPSS that is capable of preserving the integrity of the original internal CPS electronics perimeter. A system assessment should address the entire notional CPS network. These systems are complex, with 10 areas of concern that need to be addressed to ensure robust, resilient systems security (Fig. 2).

Fig. 1 Notional network CPS
[Figure: the ten areas of concern arranged around Cyber-Physical Security: Electronic & Physical Security; Information Assurance & Data Security; Asset Management & Access Control; Life Cycle & DMSMS; Anti-Counterfeit & SCRM; Software Assurance & Application Security; Prognostics, Forensics & Recovery Plans; Track & Trace; Anti-Malicious & Anti-Tamper; Information Sharing & Reporting. Cross-cutting capabilities: Risk Assessment and Management; Risk-Informed Decision Making; Training; Education and Outreach.]

Fig. 2 Cyber physical systems security framework
1. Electronic and physical security: Addresses the insider threat through physical, technical, and administrative controls, including system privileges (Olzak 2013). It incorporates measures designed to deny unauthorized access to facilities, equipment, and resources, and to protect personnel and property from damage or harm (e.g., espionage, theft, or terrorist attacks) (US Department of Army 2001). It also includes the protection resulting from measures designed to deny unauthorized individuals information derived from the interception and analysis of non-communications electromagnetic radiation (Committee on National Security Systems 2010).
2. Information assurance (IA) and data security: Measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and nonrepudiation. IA ensures protection of data from unauthorized (accidental or intentional) modification, destruction, or disclosure (Committee on National Security Systems 2010). Information assurance is the trust that information presented by the system is accurate and properly represented; its measure of the level of acceptable risk depends on the criticality of the system’s mission (Longstaff and Haimes 2002). This area provides processes and systems that assure the confidentiality, integrity, and authentication of information and that manage the risks related to the use, processing, storage, and transmission of information. Protections apply to data in transit, in both the physical (spectrum) and electronic domains, as well as to data at rest in various types of physical (document control) and electronic storage facilities.
3. Asset management and access control: Manages critical assets in the system that could introduce vulnerability through a functional role in the CPS operating environment where interaction with the CPS is required. It provides systems for an inventory of critical assets, maintained through monitored access using verification credentials. This includes management of information relevant to the operation of the asset (e.g., software revision, firmware revision) and the process of granting or denying specific requests (1) to obtain and use information and related information processing services and (2) to enter specific physical facilities (Committee on National Security Systems 2010).
4. Life cycle and diminishing manufacturing sources and material shortages (DMSMS): Provides sustainment processes for assets in a CPS threatened by the loss or impending loss of manufacturers of items, or of suppliers of the items, services, or raw materials necessary to sustain availability of the asset. This includes updating the asset to address the latest vulnerabilities and ensuring hardware and software configuration and functionality (e.g., patching software and updating firmware, or repairing or replacing broken hardware).
5. Anti-counterfeit and supply chain risk management (SCRM): Maintains the systems and processes that protect the CPS from counterfeit parts and supply chain vulnerabilities. It mitigates the risk that material is not authentic and that suppliers produce or use products that introduce vulnerabilities into the host CPS. Counterfeit parts include components that have been intentionally or maliciously modified from their intended design to enable a disruption in performance or an unauthorized function, and which can be introduced anywhere in the supply chain. Supply chain risk management ensures pedigree back to the original manufacturer and adequate controls against counterfeiting. It is unique with respect to the anti-tamper, anti-malicious, and track and trace CPS constructs.
6. Software assurance and application security: The level of confidence that software is free from vulnerabilities, whether intentionally designed into the software or accidentally inserted at any time during its life cycle, and that the software functions in the intended manner (Committee on National Security Systems 2010). It also provides controls that limit source code access to authorized individuals. Its controls flow down to applications and the underlying system, where vulnerabilities are enabled through flaws in the design, development, deployment, upgrade, or maintenance of the application.
7. Forensics, prognostics, and recovery plans: Provides processes and tools for gathering CPS operations data for use in the examination and analysis of cyber incidents, thereby characterizing the CPS operational cyber security baseline. The baseline provides the basis for tools used in forensics (internal to the CPS), prognostics, and recovery plans (including resiliency). An adjacency provision for external forensics serves the cooperative effort with other industrial CPS organizations and government agencies responsible for pursuing the root cause of an attack vector external to the CPS operating environment.
8. Track and trace: Provides the internal and network-based processes and tools for determining current and past locations, and the logistics security controls that prevent the introduction of malicious content into CPS software and hardware.
9. Anti-malicious and anti-tamper: A systems engineering process that addresses CPS vulnerability to tampered hardware or malware introduced through reverse engineering. It provides tools and processes for the integration and assessment of protective technology features in the CPS electronics that mitigate the impact and consequences of reverse engineering attacks, which could include an attacker’s assessment of vulnerabilities in an otherwise unprotected CPS.
10. Information sharing and reporting: Provides tools and shared database resources for reporting and rapidly exchanging cyber attack events and mitigation measures, to minimize the breadth of an attack’s impact across the CPS network. Addresses the communications plan and information sharing necessary to report a cyber incident and prevent an issue from recurring.

Since each of these areas of concern is so broad and has its own governing bodies, policy, and guidance, we have included them in our SEP to provide a cohesive construct for addressing the problem. In addition, a number of cross-cutting capabilities are necessary in our construct to fully address CPS security, such as risk assessment and management, risk-informed decision making, training, and education and outreach.
2.2 Operational, functional, and architectural requirements

Identification of critical assets and areas of concern only partially completes the requisite list of CPS attack targets. The approach to CPS security analysis also requires investigation of the flow of sensitive data and critical command/control functions within an organization specific to affecting the expected CPS tangible output (Teng et al. 2012, 2013). Using the CPS critical assets and command/control functions, an assessment baseline should be made that concurrently achieves system security in accordance with vulnerability analysis and systems engineering
requirements. There is no formal process for conducting the assessment baseline, which leaves a key gap in establishing resilient CPSS for the current and future cyber threat environment. To address the gap, the CPSS SEP uses three tiers of systems engineering design requirements: operational, functional, and architectural. The operational requirements define what the customer wants from the CPS in a User-defined operational environment, including CPSS sustainability (can the company support it?), policies, guidance, and regulatory requirements. The exit artifacts include the high-level requirements for the CPS and CPSS (Fig. 3). The functional level provides the systems engineering requirements that will enable what the customer wants in the operational environment, including vulnerability analysis and how the system will perform (Fig. 4). The architectural requirements provide the physical layout and model of the assemblies and components that enable the functional-level system performance (Fig. 5). The SEP for CPS security also includes analysis of the system operating environment, defined by the operational, functional, and architectural systems engineering elements the system needs to generate the tangible output for the user(s). The CPS operating environment influences the functional requirements provided in the CPS security framework shown in Fig. 2. CPS security depends on compliance with the guidance governing each of the CPS areas of concern for the CPS component(s) and the interfaces connecting the CPS notional network. At each level, the CPSS systems engineering approach yields important artifacts for overcoming the challenge of managing the threat environment for a large CPS with a wide area of coverage. The prospective CPS systems engineering approach leads to the security measures needed to defend CPS critical assets and command and control functions. The process does this by delivering documentation, modeling, and a path to CPSS traceability, inspectability, and sustainment management throughout the life cycle of the CPS.

Fig. 3 Flowchart for CPS-CPSS operational requirements
Fig. 4 Flowchart for CPS-CPSS functional requirements
Fig. 5 Flowchart for CPS-CPSS architectural requirements

Understanding the tangible output of the host CPS and the concept of operations to produce and sustain that output is critical to designing the optimum CPS security solution. The concept of operations produced under the operating environment describes the numerous external factors relevant to where and how the CPS must perform while maintaining the output of the system. Using large power grids as an example, physical environmental concerns, equipment wear, load capacity, and human factors all contribute to forming the grid. From the aspect of the CPS provider, this is the environment in which the CPS operates and in which it must generate the CPS output for purchase and use by the User. To sustain the CPS output, the CPS provider should develop a risk assessment for sustaining the CPS output as part of the final design. A resilient CPS security design must incorporate the CPS operational requirements to ensure that the system can survive in the operational environment while minimizing security risk.
Another contribution to the CPS security risk analysis is determining the range of emergent attack vectors and vulnerabilities possible in the CPS operating environment (Lambert et al. 2006). It is here that gaps in CPS security exist, as there is little compliance guidance available for an integrated CPS network. The problem is compounded by the uniqueness of each CPS network system design and the interdependencies with the systems attached to the network being evaluated. To address the gaps in compliance guidance, a baseline vulnerability assessment should be completed. In the assessment, attack vectors could be overlaid onto the CPSS framework to identify gaps in the operating environment that enable security vulnerabilities. The systems engineering process that includes the assessment will assist in prioritizing resources to close the gaps.

2.3 Scorecard tool

Having the appropriate metrics, or key performance indicators, is necessary for the successful management of any enterprise (Seager et al. 2007; Williamson 2006), in this case with the goal of gauging the vulnerability of the CPS design. A modified six sigma decision tool can be applied to generate a CPSS design scorecard. The CPSS scorecard evaluates the areas of concern throughout the CPS systems engineering process. Further, the tool provides the CPS User with a highly flexible means to develop and assess the effectiveness of the CPSS in mitigating the risk of attack vectors on the host CPS critical assets and command/control functions. A notional representation of the final CPSS scorecard for the CPSS baseline assessment is shown in Fig. 6. The tool produces visual data and metrics that allow the analyst to quickly identify weaknesses in the CPSS. In Fig. 6, the
low general performance (red) of CPSS at the operational level could suggest that the User’s company infrastructure is underperforming or may be incapable of executing the CPSS implementation plan. The summary assessment also shows marginal weakness in protecting critical assets A and C; here, an improvement by the CPSS User in the internal performance of CPSS operations could lead to a better CPSS score. Figure 6 also shows very weak CPSS performance in the components protecting critical asset A. The summary scorecard should be produced under the operational requirements tier of a CPSS design effort. It should be updated at milestones tied to the functional and architectural requirements tiers and at implementation. As the CPS continues to perform year over year, the assessment should be conducted on a predetermined schedule. The tool also allows for immediate assessment of the impact of a new CPS attack vector that emerges at any point in the CPS life cycle, thereby building CPSS resiliency into the CPS design. The data used in the CPS summary assessment scorecard derive from scorecards representing more detailed evaluation of the CPSS design, one for each systems engineering tier (Fig. 7). The CPS operational tier tool assesses the CPSS areas of concern in the User’s operating environment; process features, such as control of a manufacturing line or test station, would be assessed for vulnerability to remote insertion of malware. The functional tier assessment tool would examine hardware assemblies used or produced in the CPS network. Finally, the architectural tier assessment would evaluate microchips throughout the CPS supply chain life cycle. The inputs to the CPSS baseline assessment tool are the weighting factors, the feature scores, and the minimum expectations. The tool will need common criteria guidelines achieved through industry and government collaboration. The CPSS assessment tool is but one of the notional concepts supporting the introduction of this systems engineering perspective to CPSS.

Fig. 6 Notional CPSS summary scorecard

[Figure: three notional tier scorecards, one per requirements tier. In each, the rows are the ten CPS areas of concern (Information Sharing and Reporting; Electronic and Physical Security; Information Assurance and Data Security; Software Assurance and Application Security; Asset Management and Access Control; Anti-Counterfeit and SCRM; Life Cycle and DMSMS; Anti-Malicious and Anti-Tamper; Track and Trace; Prognostics, Forensics and Recovery Plans), followed by Totals and Weighted Totals rows. The columns are the tier’s features plus Weighting Factors, Actual CPSS Score, and Minimum Required Score. Operational Requirements - Internal Processes Threats: process features such as process controls, inspection points, functional test, environmental test, ..., other. Functional Requirements - Assembly Threats: assembly features such as discrete devices, PWB, interconnect, motherboard, interphase devices, software and firmware, ..., other. Architectural Requirements Threats: architectural features such as distributor, OEM, storage, incoming inspection, ....]

Fig. 7 Notional CPSS tier scorecards
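The tier scorecard and its roll-up can be made concrete in code. The following Python is an added example written for this page, not the authors' tool (the paper shows only the sheet layout of Fig. 6 and Fig. 7). It models one tier sheet with the ten areas of concern as rows and a tier's features as columns, computes the Totals and Weighted Totals rows, reports every cell that falls below its area's minimum required score, rolls the sheet up to a single tier score with a red/amber/green band for the summary scorecard, and re-scores the sheet when a new attack vector is identified so the before/after impact can be compared. The feature names, all scores, weights and minimums, the 0 to 10 scale, the colour thresholds, the `apply_attack_vector` method and the aggregation rules (mean over features for the Actual CPSS Score, weight-normalised mean for Weighted Totals) are assumptions made for the example.

```python
"""Notional CPSS tier scorecard and roll-up (added example; not the authors' tool).

Rows are the ten CPS areas of concern, columns are the tier's features, each
area carries a weighting factor and a minimum required score, and the sheet
ends in Totals and Weighted Totals rows, following the layout of Fig. 7.
All numbers, names and aggregation rules below are assumptions for the example.
"""
from __future__ import annotations

from dataclasses import dataclass

AREAS = (
    "Electronic and physical security",
    "Information assurance and data security",
    "Asset management and access control",
    "Life cycle and DMSMS",
    "Anti-counterfeit and SCRM",
    "Software assurance and application security",
    "Prognostics, forensics and recovery plans",
    "Track and trace",
    "Anti-malicious and anti-tamper",
    "Information sharing and reporting",
)


@dataclass
class TierScorecard:
    """One Fig. 7 sheet: a requirements tier scored per area of concern and feature."""

    tier: str
    features: tuple[str, ...]              # column headings, e.g. assembly features
    weight: dict[str, float]               # weighting factor per area of concern
    minimum: dict[str, float]              # minimum required score per area (0-10 scale assumed)
    score: dict[tuple[str, str], float]    # (area, feature) -> actual score, 0-10

    def area_score(self, area: str) -> float:
        """'Actual CPSS Score' column: mean of the area's row (assumed rule)."""
        row = [self.score[(area, f)] for f in self.features]
        return sum(row) / len(row)

    def totals(self) -> dict[str, float]:
        """'Totals' row: unweighted mean of each feature column."""
        return {f: sum(self.score[(a, f)] for a in AREAS) / len(AREAS) for f in self.features}

    def weighted_totals(self) -> dict[str, float]:
        """'Weighted Totals' row: weight-normalised mean of each feature column."""
        wsum = sum(self.weight[a] for a in AREAS)
        return {f: sum(self.weight[a] * self.score[(a, f)] for a in AREAS) / wsum
                for f in self.features}

    def tier_score(self) -> float:
        """Single value passed up to the summary scorecard: weighted mean of area scores."""
        wsum = sum(self.weight[a] for a in AREAS)
        return sum(self.weight[a] * self.area_score(a) for a in AREAS) / wsum

    def gaps(self) -> list[tuple[str, str, float, float]]:
        """Every cell below its area's minimum: (area, feature, actual, minimum)."""
        return [(a, f, self.score[(a, f)], self.minimum[a])
                for a in AREAS for f in self.features
                if self.score[(a, f)] < self.minimum[a]]

    def apply_attack_vector(self, rescored: dict[tuple[str, str], float]) -> TierScorecard:
        """Return a new sheet with the cells a newly identified attack vector degrades
        re-scored; the original sheet is left untouched for before/after comparison."""
        return TierScorecard(self.tier, self.features, self.weight, self.minimum,
                             {**self.score, **rescored})


def rating(value: float, red_below: float = 5.0, amber_below: float = 7.5) -> str:
    """Colour band shown on the summary scorecard (thresholds assumed for the example)."""
    if value < red_below:
        return "red"
    return "amber" if value < amber_below else "green"


def example_functional_sheet() -> TierScorecard:
    """Constructed 'Functional Requirements - Assembly Threats' sheet with three features."""
    features = ("Discrete devices", "PWB", "Software & firmware")
    weight = {a: 1.0 for a in AREAS}
    weight["Anti-counterfeit and SCRM"] = 2.0          # supply chain areas weighted up
    weight["Anti-malicious and anti-tamper"] = 2.0
    minimum = {a: 6.0 for a in AREAS}
    minimum["Software assurance and application security"] = 8.0
    score = {(a, f): 8.0 for a in AREAS for f in features}            # default: adequate
    score[("Anti-counterfeit and SCRM", "Discrete devices")] = 4.0    # parts lack pedigree
    score[("Track and trace", "Discrete devices")] = 5.0              # no chain of custody
    score[("Software assurance and application security", "Software & firmware")] = 7.0
    return TierScorecard("functional", features, weight, minimum, score)


# Constructed scenario: a new attack vector against the firmware update path.
FIRMWARE_ATTACK_VECTOR = {
    ("Software assurance and application security", "Software & firmware"): 3.0,
    ("Anti-malicious and anti-tamper", "Software & firmware"): 2.0,
}


if __name__ == "__main__":
    sheet = example_functional_sheet()
    print(f"{sheet.tier} tier score: {sheet.tier_score():.2f} ({rating(sheet.tier_score())})")
    for col, val in sheet.weighted_totals().items():
        print(f"  weighted total, {col}: {val:.2f}")
    for area, feat, actual, needed in sheet.gaps():
        print(f"  GAP {area} / {feat}: {actual:.1f} < {needed:.1f}")
    after = sheet.apply_attack_vector(FIRMWARE_ATTACK_VECTOR)
    print(f"after new attack vector: {after.tier_score():.2f} ({rating(after.tier_score())})")
```

Running the module prints the tier score, the weighted total per feature column and the list of cells below their minimum, then the recomputed score after the constructed firmware attack vector, which drops the tier from green to amber under the assumed thresholds: the kind of immediate re-assessment the text describes. A real sheet would replace the constructed numbers with scores agreed under the common criteria the authors call for, and the summary scorecard would combine tier scores with per-critical-asset scores in the same way.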
3 The path to resilience

As we assess the current state of preparedness for CPSS, the lexicon of terms and the SEP enable stakeholders to holistically assess the health status of all areas of concern. As we overlay the attack vectors, defense mechanisms, and technologies that counter attacks, we can create a roadmap that assesses the current state of the art and identifies the gaps that introduce vulnerabilities. This will help prioritize
our resources to build the future state needed in resilient systems. This could be applied to a piece part all the way up to a system level. While the CPSS SEP theoretically addresses threats associated with CPS, the construct needs further development to be effective. Each of the areas of concern in our construct is currently managed in its own silo, with standards, governing bodies, policies, and guidance documents geared specifically to a single area of concern. In addition, many of the specific standards, policies, and guidance we have identified to address each area of concern are sector specific (e.g., energy, retail, banking, defense). A holistic approach that interweaves measures to address each area of concern identified in the CPSS SEP framework is needed.
The approach should include measures to ensure that resilience is built into the framework. However, to ensure resilience, it is necessary first to accurately define and measure it. The National Academy of Sciences (NAS) defines resilience as ‘‘The ability to prepare and plan for, absorb, recover from, or more successfully adapt to actual or potential adverse events’’ (NAS 2012). In addition, insights from research in the field of Command and Control reveal that CPS can be thought of as spanning four domains: physical, information, cognitive, and social (Alberts 2002, 2011). Implicit in the concept of resilience, as opposed to the related concept of risk, is that resilience considers both known and unknown threats, focuses on a critical system function, and is explicitly time dependent (Park et al. 2012; Linkov et al. 2014b). Based on these principles, Linkov et al. (2013a, b) developed an approach to generate resilience metrics for systems. This approach couples the four actions described by NAS (plan/prepare, absorb, recover, adapt) with the four domains to create a 4 × 4 matrix. Each cell in the so-called Resilience Matrix can be populated with metrics that describe the system’s overall ability to show resilience within each domain, and the cells can be integrated using decision analytic techniques (Collier and Linkov 2014). Metrics have been generated using this approach for cybersecurity (Linkov et al. 2013b) and energy systems (Roege et al. 2014). Moreover, CPSS currently lacks empirical data regarding risk, and where such data exist, they are often difficult to acquire given their sensitive and/or proprietary nature. Challenges include difficulty in quantifying the threat, vulnerability, and consequence. There is high uncertainty and variability associated with dynamic, emerging threats from persistent cyber criminals and state actors. There is also a disconnect between traditional risk assessment and risk management.
Thus, in the absence of the empirical data with which a traditional probabilistic risk assessment could be performed, a semi-quantitative method offers a way to fill data gaps with subject matter expertise. The semi-quantitative framework could be used to assess the health and well-being of a system's CPS with the help of our SEP. As we assess the current state of preparedness for CPSS, the lexicon of terms defined by the SEP and the construct enables stakeholders to holistically assess the health status of all areas of concern. Standardization is needed to codify the CPSS framework and to provide requirements and guidance for implementation. A standard can be created that incorporates industry best practice and guidelines from the many policies and standards that currently address the areas of concern in silos and within specific industry sectors. The standard should be written from the perspective of applying to any sector needing CPSS.
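As an added worked example (not code from the paper or its authors), the following Python builds the 4 × 4 Resilience Matrix described above and scores it semi-quantitatively from subject matter expert (SME) judgement, as the text suggests for the case where empirical risk data are missing. The stage and domain labels are the paper's; the 1 to 5 ordinal scale, the additive aggregation within and across cells, the threshold used to flag gaps, and every metric name and score are assumptions constructed for illustration only.

```python
"""Added example: a 4 x 4 Resilience Matrix scored from SME judgement.

Rows are the four NAS resilience stages, columns the four Alberts domains.
Each cell holds one or more metrics, each carrying an SME ordinal score
1..5 (1 = poor, 5 = strong).  Cell, row, column and overall scores are
simple additive aggregates chosen for illustration; the paper leaves the
integration step to decision analytic techniques and does not prescribe
this one.  Every metric name and score below is a constructed example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

STAGES = ("plan/prepare", "absorb", "recover", "adapt")       # NAS 2012
DOMAINS = ("physical", "information", "cognitive", "social")  # Alberts 2002
SCORE_MIN, SCORE_MAX = 1, 5                                   # assumed SME scale

Cell = Tuple[str, str]


@dataclass
class Metric:
    """One metric in a cell, with the SME's ordinal score (validated)."""
    name: str
    score: int

    def __post_init__(self) -> None:
        if not SCORE_MIN <= self.score <= SCORE_MAX:
            raise ValueError(f"{self.name}: score {self.score} outside {SCORE_MIN}..{SCORE_MAX}")


@dataclass
class ResilienceMatrix:
    cells: Dict[Cell, List[Metric]] = field(default_factory=dict)

    def add(self, stage: str, domain: str, metric: Metric) -> None:
        if stage not in STAGES or domain not in DOMAINS:
            raise KeyError(f"unknown cell ({stage}, {domain})")
        self.cells.setdefault((stage, domain), []).append(metric)

    def cell_score(self, stage: str, domain: str) -> Optional[float]:
        """Mean SME score of the cell rescaled to 0..1; None if the cell is empty."""
        metrics = self.cells.get((stage, domain))
        if not metrics:
            return None
        mean = sum(m.score for m in metrics) / len(metrics)
        return (mean - SCORE_MIN) / (SCORE_MAX - SCORE_MIN)

    def _mean(self, cells: List[Cell]) -> Optional[float]:
        scores = [s for s in (self.cell_score(*c) for c in cells) if s is not None]
        return sum(scores) / len(scores) if scores else None

    def stage_scores(self) -> Dict[str, Optional[float]]:
        """Row aggregates: how well each resilience stage is covered across domains."""
        return {s: self._mean([(s, d) for d in DOMAINS]) for s in STAGES}

    def domain_scores(self) -> Dict[str, Optional[float]]:
        """Column aggregates: resilience within each domain across all stages."""
        return {d: self._mean([(s, d) for s in STAGES]) for d in DOMAINS}

    def overall(self, weights: Optional[Dict[Cell, float]] = None) -> float:
        """Weighted additive aggregate over populated cells (equal weights by default)."""
        weights = weights or {}
        num = den = 0.0
        for s in STAGES:
            for d in DOMAINS:
                score = self.cell_score(s, d)
                if score is None:
                    continue
                w = weights.get((s, d), 1.0)
                num += w * score
                den += w
        return num / den if den else 0.0

    def gaps(self, threshold: float = 0.5) -> List[Tuple[str, str, Optional[float]]]:
        """Cells that are unassessed (None) or score below threshold, in matrix order."""
        out = []
        for s in STAGES:
            for d in DOMAINS:
                score = self.cell_score(s, d)
                if score is None or score < threshold:
                    out.append((s, d, score))
        return out


def build_example() -> ResilienceMatrix:
    """Populate the matrix for a notional CPS with constructed SME scores."""
    m = ResilienceMatrix()
    rows = [
        ("plan/prepare", "physical", "Spares stocked for critical controllers", 4),
        ("plan/prepare", "physical", "Physical access control on control cabinets", 3),
        ("plan/prepare", "information", "Control network segmented from IT", 2),
        ("plan/prepare", "cognitive", "Operators trained on cyber incident playbooks", 3),
        ("plan/prepare", "social", "Security clauses in supplier agreements", 2),
        ("absorb", "physical", "Redundant power and comms for controllers", 4),
        ("absorb", "information", "Intrusion detection covers control traffic", 1),
        ("absorb", "cognitive", "Manual fallback procedures known to staff", 3),
        ("absorb", "social", "Mutual-aid agreements with peer operators", 3),
        ("recover", "physical", "Time to replace a compromised controller", 3),
        ("recover", "information", "Tested backups of controller configurations", 5),
        ("recover", "cognitive", "Post-incident decision authority defined", 4),
        # ("recover", "social") is deliberately left unpopulated: an unassessed cell
        ("adapt", "physical", "Incident findings fed back into design", 2),
        ("adapt", "information", "Threat intelligence integrated into monitoring", 2),
        ("adapt", "cognitive", "Lessons-learned reviews held after incidents", 4),
        ("adapt", "social", "Participation in sector information sharing", 3),
    ]
    for stage, domain, name, score in rows:
        m.add(stage, domain, Metric(name, score))
    return m


if __name__ == "__main__":
    m = build_example()
    for s in STAGES:
        row = []
        for d in DOMAINS:
            sc = m.cell_score(s, d)
            row.append(f"{d}={'--' if sc is None else f'{sc:.2f}'}")
        print(f"{s:13s}", "  ".join(row))
    print("overall:", round(m.overall(), 3))
    for stage, domain, score in m.gaps():
        print("gap:", stage, domain, "unassessed" if score is None else f"{score:.2f}")
```

The gap list is the practical output: an unassessed cell is reported alongside weak cells rather than silently dropped, because a cell with no metric is itself a finding about the assessment, not evidence that the system is resilient there. Replacing the equal cell weights with stakeholder-elicited weights is the point at which a decision analytic integration method would enter.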
4 Conclusions

CPS security is a new and growing field. It must take into consideration the persistent, dynamic threat to critical applications and critical infrastructure. Cyber adversaries are evolving: as we develop better ways to detect and avoid problems, the adversaries develop better ways to evade detection and penetrate systems. As we develop solutions to address the risk of cyber physical system security, we will need to incorporate the systems-based view that interweaves the various areas of concern in a construct that is robust and resilient. When we think about the problem, we will need to identify where we have weaknesses and gaps in policy, services, and technologies across all the areas of concern as we formulate solutions for a more robust, resilient system that protects our critical infrastructure. Taking a systems engineering based view of CPS security is the first step toward this goal.

Cyber physical system security is a multi-scale issue, starting at the piece part level and extending to the assemblies and subsystems included in the notional CPS network. A separate effort, within the Society of Automotive Engineers G-19A Test Laboratory Standards, addresses electronic piece part vulnerabilities; the part vulnerabilities identified there should be addressed in the architectural tier evaluation.

In summary, the framework described in this paper could be used to assess the well-being of CPS security with the help of our SEP. As we develop the lexicon of terms specific to CPS security and standardize the practice, the SEP will enable stakeholders to holistically assess the health status of all areas of concern. In addition, the approach could assist in prioritizing our resources to build more resilient systems.

Acknowledgments Permission was granted by the USACE Chief of Engineers to publish this material. The views and opinions expressed in this paper are those of the individual authors and not those of the US Army or other sponsor organizations.
References

Alberts DS (2002) Information age transformation: getting to a 21st century military. DOD Command and Control Research Program, Washington
Alberts DS (2011) The agility advantage: a survival guide for complex enterprises and endeavors. DOD Command and Control Research Program, Washington
Ames AL, Glass RJ, Brown TJ, Linebarger JM, Beyeler WE, Finley PD, Moore TW (2011) Complex adaptive system of systems (CASoS) engineering framework. SAND 2011–8793. Sandia National Laboratory, Albuquerque
Collier ZA, Linkov I (2014) Decision making for resilience within the context of network centric operations. Presented at 19th International Command and Control Research and Technology Symposium, Alexandria, VA, USA, 16–19 June 2014
Collier ZA, Walters S, DiMase D, Keisler JM, Linkov I (2014a) A semi-quantitative risk assessment standard for counterfeit electronics detection. SAE Int J Aerosp 7(1):171–181
Collier ZA, DiMase D, Walters S, Tehranipoor M, Lambert JH, Linkov I (2014b) Cybersecurity standards: managing risk and creating resilience. Computer 47(9):70–76
Committee on National Security Systems (2010) National Information Assurance (IA) Glossary. Instruction Number 4009. Committee on National Security Systems, Fort George G. Meade, MD
Cox LA Jr (2008) Some limitations of “risk = threat × vulnerability × consequence” for risk analysis of terrorist attacks. Risk Anal 28:1749–1761
Executive Order No 13636 (2013) 78 Federal Register 11739–11744, 19 Feb 2013
Ezell BC, Haimes YY, Lambert JH (2001) Risks of cyber attack to water utility supervisory control and data acquisition systems. Mil Oper Res 6(2):23–33
Finkle J (2014) Target says criminals attacked with credentials stolen from vendor. Reuters, originally published 29 Jan 2014. http://www.reuters.com/article/2014/01/29/us-target-cyberattack-idUSBREA0S25Z20140129
Frick DE (2012) The fallacy of quantifying risk. Def AT&L 228:18–21
Grossman L (2014) World war zero: how hackers fight to steal your secrets. Time magazine, originally published 10 June 2014. http://time.com/2972317/world-war-zero-how-hackers-fight-to-steal-your-secrets/
Identity Theft Resource Center (2015) Identity theft resource center breach report hits record high in 2014. http://www.idtheftcenter.org/ITRC-Surveys-Studies/2014databreaches.html
Kaplan S, Garrick BJ (1981) On the quantitative definition of risk. Risk Anal 1(1):11–27
Karvetski CW, Lambert JH (2012) Evaluating deep uncertainties in strategic priority-setting with an application to facility energy investments. Syst Eng 15(4):483–493
Kelic A, Collier ZA, Brown C, Beyeler WE, Outkin AV, Vargas VN, Ehlen MA, Judson C, Zaidi A, Leung B, Linkov I (2013) Decision framework for evaluating the macroeconomic risks and policy impacts of cyber attacks. Environ Syst Decis 33(4):544–560
Lambert JH, Jennings RA, Joshi NN (2006) Integration of risk identification to business process models. Syst Eng 9(3):187–198
Lambert JH, Keisler JM, Wheeler WE, Collier ZA, Linkov I (2013) Multiscale approach to the security of hardware supply chains for energy systems. Environ Syst Decis 33(3):326–334
Linkov I, Eisenberg DA, Bates ME, Chang D, Convertino M, Allen JH, Flynn SE, Seager TP (2013a) Measurable resilience for actionable policy. Environ Sci Technol 47(18):10108–10110
Linkov I, Eisenberg DA, Plourde K, Seager TP, Allen J, Kott A (2013b) Resilience metrics for cyber systems. Environ Syst Decis 33(4):471–476
Linkov I, Anklam E, Collier ZA, DiMase D, Renn O (2014a) Risk-based standards: integrating top-down and bottom-up approaches. Environ Syst Decis 34(1):134–137
Linkov I, Bridges T, Creutzig F, Decker J, Fox-Lent C, Kröger W, Lambert JH, Levermann A, Montreuil B, Nathwani J, Nyer R, Renn O, Scharte B, Scheffler A, Schreurs M, Thiel-Clemen T (2014b) Changing the resilience paradigm. Nature Clim Change 4:407–409
Longstaff T, Haimes Y (2002) A holistic roadmap for survivable infrastructure systems. IEEE Trans Syst Man Cybern A Syst Hum 32(2):260–268
McAfee (2014) Net losses: estimating the global cost of cybercrime. http://www.mcafee.com/us/resources/reports/rp-economic-impact-cybercrime2.pdf
National Academy of Sciences (2012) Disaster resilience: a national imperative. National Academies Press, Washington
National Defense Authorization Act for Fiscal Year 2012 (2011) Public Law No. 112-81, 125 Stat. 1298
NERC (2009) Cyber security—electronic security perimeter(s). NERC Standard CIP-005-3
Olzak T (2013) Insider threats: implementing the right controls. TechRepublic, originally published 21 Feb 2013. http://www.techrepublic.com/blog/it-security/insider-threats-implementing-the-right-controls/
Park J, Seager TP, Rao PSC, Convertino M, Linkov I (2012) Integrating risk and resilience approaches to catastrophe management in engineering systems. Risk Anal 33(3):356–367
Patil VS, Andhale SR, Paul ID (2013) A review of DFSS: methodology, implementation and future research. Int J Innov Eng Technol 2(1):369–375
Pecht M, Tiku S (2006) Bogus: electronic manufacturing and consumers confront a rising tide of counterfeit electronics. IEEE Spectr 43(5):37–46
Perlroth N, Harris EA (2014) Cyberattack insurance a challenge for business. New York Times, originally published 8 June 2014. http://www.nytimes.com/2014/06/09/business/cyberattack-insurance-a-challenge-for-business.html
Ponemon Institute (2013) 2013 Cost of data breach study: global analysis. Ponemon Institute, Traverse City
Rinaldi S, Peerenboom J, Kelly T (2001) Identifying, understanding, and analyzing critical infrastructure interdependencies. IEEE Control Syst Mag 21(6):11–25
Roege PE, Collier ZA, Mancillas J, McDonagh JA, Linkov I (2014) Metrics for energy resilience. Energy Policy 72(1):249–256
Seager TP, Satterstrom FK, Linkov I, Tuler SP, Kay R (2007) Typological review of environmental performance metrics (with illustrative examples for oil spill response). Integr Environ Assess Manag 3(3):310–321
Shakarian P, Lei H, Lindelauf R (2014) Power grid defense against malicious cascading failure. Presented at 13th International Conference on Autonomous Agents and Multiagent Systems, Paris, France, 5–9 May 2014. arXiv:1401.1086
Sood B, Das D, Pecht M (2011) Screening for counterfeit electronic parts. J Mater Sci 22(10):1511–1522
Teng K, Thekdi SA, Lambert JH (2012) Identification and evaluation of priorities in the business process of a risk or safety organization. Reliab Eng Syst Saf 99:74–86
Teng K, Thekdi SA, Lambert JH (2013) Risk and safety program performance evaluation and business process modeling. IEEE Trans Syst Man Cybern A 42(6):1504–1513
United States Department of the Army (2001) Field manual 3-19.30: physical security. United States Department of the Army, Washington
Wallace G (2014) Target and Neiman Marcus hacks: the latest. CNN Money, originally published 13 Jan 2014. http://money.cnn.com/2014/01/13/news/target-neiman-marcus-hack/
Williamson RM (2006) What gets measured gets done: are you measuring what really matters? Strategic Work Systems Inc., Columbus