cyberfmeca an adaptation of the fmeca process to cyber effects criticality determination ·...
TRANSCRIPT
![Page 1: CyberFMECA An Adaptation of the FMECA Process to Cyber Effects Criticality Determination · 2017-05-17 · Page-1 CyberFMECA An Adaptation of the FMECA Process to Cyber Effects Criticality](https://reader033.vdocument.in/reader033/viewer/2022042105/5e8371af2606e860cc05995e/html5/thumbnails/1.jpg)
Page-1
CyberFMECA
An Adaptation of the FMECA Process to
Cyber Effects Criticality Determination
19th Annual NDIA Systems Engineering Conference
24 – 27 October 2016
Roy E. Wilson, CISSP, CEH, Sec+
NAVAIR 4.5.18.3
![Page 2: CyberFMECA An Adaptation of the FMECA Process to Cyber Effects Criticality Determination · 2017-05-17 · Page-1 CyberFMECA An Adaptation of the FMECA Process to Cyber Effects Criticality](https://reader033.vdocument.in/reader033/viewer/2022042105/5e8371af2606e860cc05995e/html5/thumbnails/2.jpg)
Page-2
• Build a tool that DOD and industry can use to assess consequences
of a cyber attack on a weapon system
• Support risk based decisions for vulnerability remediation
• Repeatable
• Objective
• User friendly
• Provide results as consequence value on risk cube
• Evaluate cyber attack criticality effects on
• Integrity & Availability (mission impacts)
• Confidentiality
Objective
![Page 3: CyberFMECA An Adaptation of the FMECA Process to Cyber Effects Criticality Determination · 2017-05-17 · Page-1 CyberFMECA An Adaptation of the FMECA Process to Cyber Effects Criticality](https://reader033.vdocument.in/reader033/viewer/2022042105/5e8371af2606e860cc05995e/html5/thumbnails/3.jpg)
Page-3
• Analysis of independent single item failures
• Impact on mission success, performance, safety, and
maintainability
• Bottom-up analytical method
• Performed at either the functional or piece-part level
• Charts the probability of failure modes against the severity of their
consequences
• Highlights failure modes with relatively high probability and
severity of consequences
• Typically assumes S/W functions as programmed
• Repeatable
• Objective
• User friendly
FMEA/FMECA
![Page 4: CyberFMECA An Adaptation of the FMECA Process to Cyber Effects Criticality Determination · 2017-05-17 · Page-1 CyberFMECA An Adaptation of the FMECA Process to Cyber Effects Criticality](https://reader033.vdocument.in/reader033/viewer/2022042105/5e8371af2606e860cc05995e/html5/thumbnails/4.jpg)
Page-4
FMEA/FMECA Report Format
![Page 5: CyberFMECA An Adaptation of the FMECA Process to Cyber Effects Criticality Determination · 2017-05-17 · Page-1 CyberFMECA An Adaptation of the FMECA Process to Cyber Effects Criticality](https://reader033.vdocument.in/reader033/viewer/2022042105/5e8371af2606e860cc05995e/html5/thumbnails/5.jpg)
Page-5
CyberFMECA Genesis
FMEA
FMECA
S/W FMECA
CyberFMECA
Failure Modes and Effects
Assess Criticality
Assess Software
Assess Cyber Attack Effects
![Page 6: CyberFMECA An Adaptation of the FMECA Process to Cyber Effects Criticality Determination · 2017-05-17 · Page-1 CyberFMECA An Adaptation of the FMECA Process to Cyber Effects Criticality](https://reader033.vdocument.in/reader033/viewer/2022042105/5e8371af2606e860cc05995e/html5/thumbnails/6.jpg)
Page-6
CyberFMECA Process
System
System Decomposition
SubSystem 1 SubSystem N
CSCI 1 CSCI 2 CSCI N
SubSystem 2
![Page 7: CyberFMECA An Adaptation of the FMECA Process to Cyber Effects Criticality Determination · 2017-05-17 · Page-1 CyberFMECA An Adaptation of the FMECA Process to Cyber Effects Criticality](https://reader033.vdocument.in/reader033/viewer/2022042105/5e8371af2606e860cc05995e/html5/thumbnails/7.jpg)
Page-7
CyberFMECA Table
ID
#
CSCI
ID
Function Malfun
ction
Means
Malfun
ction
Mode
Local
Effect
Next
Level
Effect
System
Effect
Criticality
Level
Mitigation
1 CSCI
1
2 CSCI
2
N CSCI
N
![Page 8: CyberFMECA An Adaptation of the FMECA Process to Cyber Effects Criticality Determination · 2017-05-17 · Page-1 CyberFMECA An Adaptation of the FMECA Process to Cyber Effects Criticality](https://reader033.vdocument.in/reader033/viewer/2022042105/5e8371af2606e860cc05995e/html5/thumbnails/8.jpg)
Page-8
CyberFMECA Criticality Level
Criticality Level Description
5 Loss of life or aircraft
4 Loss of full mission capability
3 Loss of partial mission capability
2 Minimal loss of capability
1 No impact
Mission Criticality Level
Criticality Level Description
5 Exfiltration of TS/SAP or TS/SCI information
4 Exfiltration of TS information
3 Exfiltration of Secret information
2 Exfiltration of Confidential information
1 Exfiltration of CUI/FOUO/SBU information
Confidentiality Criticality Level
![Page 9: CyberFMECA An Adaptation of the FMECA Process to Cyber Effects Criticality Determination · 2017-05-17 · Page-1 CyberFMECA An Adaptation of the FMECA Process to Cyber Effects Criticality](https://reader033.vdocument.in/reader033/viewer/2022042105/5e8371af2606e860cc05995e/html5/thumbnails/9.jpg)
Page-9
Mission Risk
Lik
elih
ood
Consequence 1 2 3 4 5
1
2
3
4
5
M1 – Loss of aircraft due to cyber attack on CSCI #4
M2 - Total mission failure due to cyber attack on CSCI #25
M3 – Partial mission failure due to cyber attack on CSCI #14
M1
M2
M3
![Page 10: CyberFMECA An Adaptation of the FMECA Process to Cyber Effects Criticality Determination · 2017-05-17 · Page-1 CyberFMECA An Adaptation of the FMECA Process to Cyber Effects Criticality](https://reader033.vdocument.in/reader033/viewer/2022042105/5e8371af2606e860cc05995e/html5/thumbnails/10.jpg)
Page-10
Confidentiality Risk
Lik
elih
ood
Consequence 1 2 3 4 5
1
2
3
4
5
C1 – Exfiltration of TS/SAR data due to cyber attack on CSCI #15
C2 - Exfiltration of Confidential data due to cyber attack on CSCI #20
C3 – Exfiltration of Secret data due to cyber attack on CSCI #11
C1
C2
C3
![Page 11: CyberFMECA An Adaptation of the FMECA Process to Cyber Effects Criticality Determination · 2017-05-17 · Page-1 CyberFMECA An Adaptation of the FMECA Process to Cyber Effects Criticality](https://reader033.vdocument.in/reader033/viewer/2022042105/5e8371af2606e860cc05995e/html5/thumbnails/11.jpg)
Page-11
• Based upon proven FMEA and FMECA processes
• Repeatable, objective, and user friendly
• Output supports risk based vulnerability mitigation
• Addresses consequences in terms of mission and confidentiality
• Process supports
• Risk Management Framework system A&A, CYBERSAFE
Certification, PPP Criticality Analysis, Cyber Survivability
KPP compliance
CyberFMECA Summary
![Page 12: CyberFMECA An Adaptation of the FMECA Process to Cyber Effects Criticality Determination · 2017-05-17 · Page-1 CyberFMECA An Adaptation of the FMECA Process to Cyber Effects Criticality](https://reader033.vdocument.in/reader033/viewer/2022042105/5e8371af2606e860cc05995e/html5/thumbnails/12.jpg)
Page-12
• Successfully beta tested by government team on CMBRE
• Under assessment by the CITAG
• Joint Industry, USAF, & USN aviation systems cybersecurity
forum
• Currently required on NAVAIR contracts with
• Boeing
• GA
• LMCO
• NGC
• Data Item Description developed
CyberFMECA Status
![Page 13: CyberFMECA An Adaptation of the FMECA Process to Cyber Effects Criticality Determination · 2017-05-17 · Page-1 CyberFMECA An Adaptation of the FMECA Process to Cyber Effects Criticality](https://reader033.vdocument.in/reader033/viewer/2022042105/5e8371af2606e860cc05995e/html5/thumbnails/13.jpg)
Page-13
Questions?
CyberFMECA
Think like a hacker!!!