NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
NIST Special Publication 800-160, Volume 2
Developing Cyber Resilient Systems
A Systems Security Engineering Approach
The Current Landscape…
Today's systems are very brittle, rely on a one-dimensional protection strategy of penetration resistance, and are highly susceptible to devastating cyber-attacks.
The adversaries are relentless.
Exfiltrate information.
Preposition malicious code.
Bring down capability.
Create deception.
Defense Science Board Reports
§ Resilient Military Systems and the Advanced Cyber Threat
§ Cyber Supply Chain
§ Cyber Deterrence
Defending cyberspace in 2020 and beyond.
The Objective…
Expand the cyber aperture to a multi-dimensional protection strategy that includes developing damage limiting system architectures and cyber resilient systems.
A New Paradigm…
Cyber resilient systems operate more like the human body than a traditional finite state computing machine.
Cyber Resiliency Engineering
An emerging specialty systems engineering discipline, applied in conjunction with resilience
engineering and systems security engineering to develop survivable, trustworthy systems.
Cyber Resiliency.
The ability to anticipate, withstand, recover from, and adapt to adverse conditions,
stresses, attacks, or compromises on systems that use or are enabled by cyber resources.
Cyber resiliency relationships with other specialty engineering disciplines.
Reliability
Fault Tolerance
Privacy
Security
Safety
Resilience and Survivability
Reducing susceptibility to cyber threats requires a multidimensional strategy.
System
• First Dimension: Harden the target
• Second Dimension: Limit damage to the target
• Third Dimension: Make the target resilient
Cyber Resiliency and Security in the System Life Cycle.
§ Business or mission analysis
§ Stakeholder needs and requirements definition
§ System requirements definition
§ Architecture definition
§ Design definition
§ System analysis
§ Implementation
§ Integration
§ Verification
§ Transition
§ Validation
§ Operation
§ Maintenance
§ Disposal
ISO/IEC/IEEE 15288:2015, Systems and software engineering — System life cycle processes
NIST SP 800-160 Volume 1
Cyber Resiliency Constructs…
• Goals
• Objectives
• Sub-Objectives
• Techniques
• Approaches
• Strategic Design Principles
• Structural Design Principles
Updated Definitions
SP 800-160 Volume 2
Bridging Two Communities…
Systems Security Engineering
Risk Management Framework
Relationship Among Cyber Resiliency Constructs…
[Figure: linkage of constructs captured in a series of tables. Axis labels: Why, What, How; Programmatic.]
• RISK MANAGEMENT STRATEGY: Organizational Level, Mission/Business Process Level, System Level
• GOALS: Anticipate, Withstand, Recover, Adapt
• OBJECTIVES: Understand, Prevent/Avoid, Prepare, Continue, Constrain, Reconstitute, Transform, Re-architect. Can be further decomposed into sub-objectives and capabilities.
• STRATEGIC DESIGN PRINCIPLES
• STRUCTURAL DESIGN PRINCIPLES
• TECHNIQUES
• APPROACHES
• CYBER RESILIENCY SOLUTION
Arrow labels:
– Inform selection and prioritization
– Interpret, determine priorities of, and define strategies for achieving
– Selection, prioritization, and application informed by programmatic, operational, and technical considerations, including threat considerations.
Coverage Analysis
• Provides a mapping of the NSA/CSS Technical Cyber Threat Framework (NTCTF) against the cyber resiliency techniques and approaches.
– Each of the 21 NTCTF adversary objectives is mapped against each of the 48 cyber resiliency approaches.
– Illustrates how cyber resiliency techniques and approaches can affect threat events using the NTCTF.
– Mapping identifies which, if any, of 15 effects on the adversary are applicable.
Sample Coverage Analysis
Use Cases
• Provides several cyber resiliency use cases.
– Self-driving car
– Enterprise IT
– Campus micro-grid
• Discusses representative situations in which cyber resiliency is considered by systems security engineering.
• Shows how cyber resiliency concepts and constructs can be interpreted and applied to that situation.
• Illustrates how cyber resiliency solutions can be defined or how specific solutions can be applied.
Real World Example: Ukraine Power Grid Attack
For each step of attack, identifies potential cyber
resiliency mitigations and representative
technologies.
NIST Special Publication 800-160, Volume 2
Developing Cyber Resilient Systems
A Systems Security Engineering Approach
Final Public Draft
Comment Period: September 4 through November 1
Comments to: [email protected]
100 Bureau Drive, Mailstop 7770
Gaithersburg, MD USA 20899-7770
Email: [email protected]
301.651.5083
LinkedIn: www.linkedin.com/in/ronrossecure
Twitter: @ronrossecure
Web: csrc.nist.gov
Comments: [email protected]