The New Old Discipline of Cyber Security Engineering

Thomas A. Fuhrman
Senior Vice President, Booz Allen Hamilton, Herndon, VA, USA

Abstract - Although cyber security engineering is an established and diverse engineering field, it is not widely understood, and is under-applied in practice. The large and growing need to secure IT networks has been the primary driver across society in developing the cyber security workforce from high school through college and in the continuing education programs of industry and professional societies. However, this emphasis on building the workforce skills for securing IT networks neglects the distinct technical skills needed to secure complex systems other than traditional IT systems. This paper focuses on the urgent need for the discipline of cyber security engineering and its relevance to these complex systems, using mis-use case analysis as an example of systems engineering methods that can be employed.

Keywords: security engineering, systems engineering, cyber, mis-use case, tradeoff analysis

1 Introduction

The growing recognition of the threat that hackers pose to IT networks and the enterprise data that they hold and process has attracted a great number of professionals to the field of cyber security. This workforce is widely deployed against the difficult task of protecting IT systems and software, corporate network infrastructures, and network resources (e.g., “clouds”). Because this challenge requires a wide range of different skills, the cyber security workforce is highly diverse. Professional cyber security practitioners range from entry-level analysts to experienced System Security Engineers with multiple professional certifications. Managers often view this set of specialists as the cyber “experts” in the organization, to be brought in when problems occur on the network, sometimes without regard to their particular expertise. Assigning people with the right skill levels to the right positions is uneven in both government and industry. [1, 2, 3]

Compounding the cyber security challenge is that there are not enough cyber security professionals in the workforce. Many reports describe how the nation is critically short of people with these skills. [4, 5] Since the late 1990s, the U.S. government has made a concerted effort to increase the size and depth of this workforce by establishing numerous programs aimed at increasing the pipeline of qualified cyber security professionals. Cybersecurity scholarship programs have been set up across the civil agencies and within the Department of Defense. Additionally, the National Security Agency (NSA) and the Department of Homeland Security jointly sponsor a program to designate schools whose curriculums meet certain standards as Centers of Academic Excellence in Information Assurance Education. Yet while these and other programs are making progress in increasing the cyber workforce, the demand continues to outpace supply.

The body of knowledge for cyber security today is unquestionably centered on enterprise networks and IT systems. In fact, what is striking about the qualifications and deployment of cyber security practitioners is that only a small percentage is focused beyond IT networks. This emphasis on securing traditional IT systems is not misplaced, but it is important to realize that systems other than traditional IT also have critical and often distinct cyber security needs. Those systems are the purpose-built systems that exist to perform functions in the physical world—tasks other than pure data processing. This includes a large class of systems called by names such as closed-loop systems, embedded systems, complex systems, real-time systems, real-world systems, distributed systems, and unmanned systems. Specific examples include power grids, smart cars, aircraft, air traffic management systems, manufacturing process control systems, Supervisory Control and Data Acquisition (SCADA) systems, oil drilling platforms, nuclear power plants, autonomous underwater vehicles, Unmanned Aircraft Systems (UAS), space vehicles, healthcare tools and systems including implantable medical devices, military weaponry, and a great many others. These systems are designed to perform specific functions in the physical realm rather than in cyberspace, though certainly onboard computing and external network interfaces are almost universally critical to their functions. In the absence of an accepted all-encompassing term, the term “mission systems” is used here in referring to this class of systems.¹

¹ Many such mission systems, including those that are termed “critical infrastructures,” have connections to IT networks for the purpose of control and communication. In these cases, the IT network provides the automated control of the real-world system—reflecting Norbert Wiener’s original usage of the term cybernetics, from which today’s word cyber is derived. [6]

2 The Cyber Challenge for Mission Systems

The cyber challenge for mission systems today has two dimensions. First, buyers and owners of mission systems often do not have sufficient appreciation of the threats facing their systems in the cyber realm and the damage they can inflict. Second, the cyber security workforce has difficulty delivering its expertise in ways that are compatible with the main engineering effort so that the overworked adage about security being “built in, not bolted on” can be realized.

2.1 The Buyer/Owner Dimension

There have been many cases in recent years in which cyber vulnerabilities in mission systems were only discovered when they were exploited. Recent newsworthy examples include the 2011 case of the in-theater military UAS sensor system whose live streaming intelligence video was intercepted by the adversary using software downloaded from the Internet; the 2011 landing in Iran of a classified UAS, which at least one Iranian engineer claimed was achieved by cutting the command link and changing the vehicle’s GPS position; and the widespread reporting in 2010 of a sophisticated virus that targeted computers of the Siemens product line for managing large-scale industrial control systems used by manufacturing and utility companies. Further, a 2007 test conducted by the Idaho National Laboratory proved that the so-called “Aurora Vulnerability” in a certain class of large electric generators and turbines that serve the U.S. power grid could in fact be exploited in a way that would lead to their physical self-destruction. [7, 8, 9]

These events and others like them indicate that the cyber security community often has had too small a voice in the design decisions made in the development of mission systems. But cyber security needs have not been ignored totally, and there is widespread agreement on the general concept that cyber security engineering should be part of a broader system engineering effort. In the Department of Defense, for example, cyber security for mission systems is called out in certain areas, such as in the cyber security policy for space systems, which says that Information Assurance (IA) ‘shall be applied in a balanced manner by performing Information System Security Engineering (ISSE) as an integral part of the space system architecture and system engineering process to address all IA requirements in the intended operational environment.’ [10]

Similarly, the National Institute of Standards and Technology (NIST) has developed draft guidelines for securing the vastly complex and emerging Smart Grid. [11] The three-volume guidelines document describes a set of tasks for assessing cyber security issues and identifying cyber security requirements. (See Figure 1.) It also contains top-level security requirements for the smart grid and defines the logical reference model for interfaces and interactions between the organizations, buildings, individuals, systems, and devices that make up the Smart Grid domains. The amount of content alone is an indication of the magnitude of the cyber challenge in this highly complex mission system.

Figure 1. Smart Grid Cyber Security Engineering Tasks

The cyber security engineer cannot effectively work in isolation. These tasks clearly require the cyber security engineer to work side-by-side with engineers from other disciplines and domains, especially power systems specialists in this case, and to take a broad systems view of cyber risks. For mission systems, the cyber engineer needs to know the systems engineering process, the tools used, and the artifacts produced.

One aspect of cyber security engineering that differentiates it from other engineering fields is that its focus is primarily (though not exclusively) on the potential disruption of system performance caused by the deliberate actions of human actors intent on doing harm. Designing for security is different in this way from designing against environmental effects, unreliable components, or external hazards. The unique value that the cyber expert can bring to an engineering effort is a technical understanding of the threat and an ability to identify potential vulnerabilities in the mission system that could be exploited by the threat, as well as the range of options for mitigating the risk posed by the threat.

Figure 2 shows some of the threat vectors that mission systems need to address. Additionally, cyber security considerations can lead to requirements for implementing special features such as a command disable function or anti-tamper technologies to guard against compromise and reverse engineering if the system is physically exploited.
Figure 2. Example Cyber Threat Vectors Affecting Mission Systems

- Exploitation of vulnerabilities in embedded mission platform software and firmware (e.g., Operational Flight Program) and its development and maintenance
- Exploitation of vulnerabilities of on-platform operating systems
- Exploits against the attack surface of the connected network
- Data protocol exploitation
- Insiders (both witting and unwitting)
- External interfaces/communications links
- Portable media (e.g., CDs, USB devices)
- Local “plug-in” devices (e.g., peripherals, special purpose probes, sensors, test and diagnostic tools)
- Supply chain

2.2 The Workforce Dimension

The workforce challenge for the cyber security of mission systems is particularly difficult. Not only are there too few cyber security professionals in total, but only a minority of those in the workforce today have the engineering training and credentials to credibly engage in the engineering process. It is still somewhat unusual to find a cyber professional with experience in mission systems engineering, and who is able to blend with an engineering team to develop meaningful requirements and operate in the trade space through which the design is evolved.

These tasks would challenge many cyber specialists today because systems engineering methods differ in important respects from the way cyber security services are typically delivered. The structure within which IT security specialists operate is the well-thought-out Risk Management Framework (RMF) described in Special Publication 800-53 of the National Institute of Standards and Technology (NIST). The framework helps the specialist define required levels of assurance, select the appropriate security controls from a comprehensive catalog, assess that the controls are implemented correctly, support a formal decision by a designated owner to authorize operation, and then continuously monitor the security of the system throughout its life cycle. [12]

While the RMF and controls catalog form an essential foundation, more is expected of the cyber security engineer. First, the systems engineering environment expects a more interdisciplinary focus and even more engineering creativity than the RMF structure fosters. For systems of any appreciable complexity, inevitably there are competing operational and technical considerations. One of the key tools of engineering for complex systems is the formal tradeoff study to examine alternatives and make design choices. Tradeoff studies, while common in the engineering of mission systems, are not normally used in the development of IT networks, and cyber security specialists are not usually expected to have this skill. Cybersecurity needs to be part of the tradespace. Advocates recognize that more formalization of the cyber security engineering career field, patterned on the features of established engineering fields, will take time. [2, 3]

Among the most mature of the efforts to advance the systems engineering approach to cyber security is the Systems Security Engineering—Capability Maturity Model (SSE-CMM) standard. Codified as an International Organization for Standardization (ISO) standard (ISO/IEC 21827:2008), SSE-CMM describes the security engineering processes that organizations need to ensure good security engineering. The standard provides a reference model for system security engineering throughout the entire system life cycle and the entire organization, including interaction with other disciplines and with other organizations. It is designed to be congruent with the Systems Engineering process. [13]

3 A Synthesis of Disciplines

Systems Engineering is inherently interdisciplinary. As such it provides an overarching framework in which multiple disciplines can productively operate and integrate towards a common design goal. Figure 3 summarizes some of the key features of Systems Engineering.

Figure 3. What is Systems Engineering?

Systems Engineering is an interdisciplinary approach that focuses on defining customer needs and required functionality early in the development cycle, documenting requirements, then proceeding with design synthesis and system validation while considering the complete problem:
- Operations
- Performance
- Test
- Manufacturing
- Cost & Schedule
- Training & Support
- Disposal
Systems Engineering integrates all the disciplines and specialty groups into a team effort forming a structured development process that proceeds from concept to production to operation. Systems Engineering considers both the business and the technical needs of all customers with the goal of providing a quality product that meets the user needs.
Source: International Council on Systems Engineering

Cyber Security Engineering has strong affinity with two other disciplines found in this environment—System Safety Engineering and Reliability Engineering. These disciplines have long histories and active professional communities. All three are oriented towards managing throughout the full system life cycle, and integrate very well into the overarching System Engineering framework. All three operate generally in the realm of non-functional requirements, with the goal of making the design inherently resistant to failures. In practice, many of the tools (such as Risk Assessment) used within these disciplines are very similar to each other. They also have in common the fact that the non-functional requirements that emerge from safety, cyber security, or reliability concerns may be in tension with the performance objectives that the system is being designed to meet—and therefore may be overlooked or overcome by the pressure to deliver performance. Figure 4 shows a Venn diagram indicating the relationship among cyber security, safety, and reliability components. [14, 15, 16, 17, 18]

Figure 4. Convergence of Disciplines Within the Systems Engineering Framework

Good examples of the integration of these disciplines are found in two government agencies: the mission assurance program of NASA and the surety programs of the Department of Energy. Both explicitly seek to integrate safety, security, reliability, and quality across the system life cycle and have proven records of success. [19] Table 1 summarizes some of the key features and fundamental methods of Systems Engineering, Reliability Engineering, System Safety Engineering, and Cyber Security Engineering.

Table 1. Summary of Four Systems Engineering Disciplines

Systems Engineering
  Background:
  - Interdisciplinary by design
  - International Council on Systems Engineering (INCOSE) develops and disseminates best practices for successful systems
  - Publishes the Systems Engineering Handbook and maintains the Systems Engineering Body of Knowledge
  - Certification programs [14]
  Fundamental Methods:
  - Program integration and management tools
  - Use Case Analysis
  - Design Trade-off Analysis (Figures of Merit/Evaluation Measures)
  - Life Cycle management tools

Reliability Engineering
  Background:
  - Emerged in the 1950s
  - Relationship to Surety Engineering and NASA Mission Assurance [15]
  - Industry-recognized Certified Reliability Engineer (CRE) and Certified Reliability Professional certifications through American Society for Quality (ASQ) [16]
  - IEEE Reliability Society provides numerous professional development opportunities [17]
  Fundamental Methods:
  - Statistical modeling
  - Reliability Physics (Physics of Failure)
  - Failure Modes and Effects Analysis
  - Fault Tree Analysis

System Safety Engineering
  Background:
  - International System Safety Society fosters the application of systems engineering and systems management to the process of hazard, safety, and risk analysis [18]
  - Certification programs
  - Safety of software as a special area of focus
  Fundamental Methods:
  - Qualitative Analysis to anticipate failure potential during the design phase
  - Hazard, Safety, and Risk analyses (qualitative and quantitative)
  - Designing ways to contain failures

Cyber Security Engineering
  Background:
  - Major industry-recognized certifications through (ISC)2, SANS, ISACA, and other organizations
  - System Security Engineering Capability Maturity Model (ISO/IEC 21827:2008) model for organizations [13]
  Fundamental Methods:
  - Mis-Use Case Analysis
  - Threat Identification and Characterization
  - Risk Management Framework and controls catalog
  - Continuous management of system security throughout the life cycle

4 Cyber Security in the Tradespace: An Example

“Use case” analysis is one of the tools of Systems Engineering that has particular relevance to cyber security, used for both requirements identification and in tradeoff studies over alternative solutions. A use case is a description of the employment of the target system in an operating scenario with emphasis on its functions and interactions with the external environment including human actors. It provides
 
a structured way of thinking about how the system will be used in its operating environment that helps in defining the functional requirements.

In practice, use cases are usually expressed using the Unified Modeling Language (UML) that depicts both the actors and the process flow, facilitating information exchange and enabling the use of automated support tools. However, it can be helpful to begin by developing a top-level conceptual picture similar to the “operational view” of the Department of Defense Architecture Framework (DODAF). This can then provide a structured way of thinking about the problem to illuminate needs, enable creative cross-disciplinary discussion, and produce insights into the cyber security and other non-functional requirements. It can be a precursor to the UML Use Case Diagrams.

A tool that is particularly suited to the cyber security engineering challenge is “mis-use case” analysis. Initially developed in the 1990s, the mis-use case turns the use case around by focusing on what a malicious actor could do to disrupt, subvert, or negate the performance of the system. The top-level operational view can also be used for the mis-use case. These insights can later be developed into UML diagrams as well, ultimately leading to additional system requirements. [20, 21]

Both analyses—use case and mis-use case—can help with the trade studies through which the design evolves in addition to their role in requirements definition.

An example of the use case and mis-use case operational views is shown in Figures 5 and 6. These figures depict a notional case in the Air Traffic Management System: the pre-takeoff preparation of the aircraft, filing of the flight plan, and the ground operations associated with starting the engines and taxiing. Coordination with the air traffic management facilities of the Federal Aviation Administration (FAA) is a necessity, as are programming the onboard navigation computer, getting authorization from the airline operations center, and obtaining taxi clearance from the control tower. These process steps are accomplished by people at a wide range of locations and facilities.² The operational view of the use case and its associated mis-use case allow all members of the systems engineering team to work together from a common starting point.

² This scenario is for illustration only. In reality, most of the requirements of today’s Air Traffic Management System are already known and specified by standards and regulatory requirements of the FAA and other agencies. Nonetheless, specific implementation details would typically still need to be decided as part of the system engineering effort, and a regular review of mis-use cases is advisable as threats change.

Figure 5. Operational View of a Pre-Takeoff Use Case (Air Traffic Management)

Examination of the mis-use case should involve every component and link within the system, and every relevant threat vector with the goal of illuminating the cyber security challenges. These results should be brought forward for further consideration and analysis.

In the example shown in Figure 6, possible cyber challenges suggested by the operational view include interception of mission data by intruding into the communication links in the system; exploitation of the insider leading to compromise of access controls or other critical security controls; penetration of the ground-based networks that communicate and process critical system data; and malicious exploitation of vulnerabilities in the supply chain of the avionics equipment. These insights are just the start of the process, and a full use/mis-use case analysis using accepted systems engineering tools should be the next step.

Figure 6. Operational View of a Pre-Takeoff Mis-Use Case (Air Traffic Management)

5 Summary and Prescription

Although the intellectual groundwork for cyber security engineering for mission systems is solidly in place, the degree of true engagement by cyber security engineers still falls short of what it should be. Evidence indicates that acquiring organizations do not have a clear picture of the value proposition of the cyber security engineer, and, frankly, there are not enough qualified cyber security engineers to meet the needs even if the value proposition were recognized. If cyber security specialists are to have an impact on mission systems, they must have the skills to engage in the system engineering process as franchised members, not as dabblers. This will be difficult to achieve as the cyber community is already struggling to develop the workforce to address the more obvious needs of securing networks and IT systems.

More emphasis is therefore needed on the specific challenge of cyber security engineering for mission systems through existing university programs, U.S. government cyber scholarship initiatives, and professional certification programs.
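The mis-use case examination that Section 4 prescribes, every component and link checked against every relevant Figure 2 threat vector, worked through as an added example that is not from the paper. The system model, element names, exposure tags and the requirement text attached to each vector are constructed assumptions for the notional pre-takeoff scenario, not content taken from Figures 5 and 6.

```python
"""Mis-use case enumeration for a notional pre-takeoff scenario.

Walks every component and link of a constructed system model against the
Figure 2 threat vectors and emits candidate mis-use cases, each with a
derived non-functional requirement for the trade study.  Element names,
exposure tags and requirement text are assumptions, not the paper's figures.
"""
from dataclasses import dataclass, field

# Figure 2 threat vectors keyed by the exposure tag that makes a vector apply
# to an element; the second string is a constructed requirement stub.
THREAT_VECTORS = {
    "embedded_sw": ("Exploitation of embedded platform software/firmware",
                    "Signed software loads; integrity check at boot and at load"),
    "os": ("Exploitation of on-platform operating system",
           "Hardened OS baseline; patch process that fits the maintenance cycle"),
    "network": ("Exploits against the attack surface of the connected network",
                "Segment the ground network; expose only brokered services"),
    "protocol": ("Data protocol exploitation",
                 "Authenticate and validate every protocol message"),
    "insider": ("Insider (witting or unwitting)",
                "Two-person control and audit log for critical actions"),
    "comm_link": ("External interfaces / communications links",
                  "Encrypt and authenticate the link; detect loss and spoofing"),
    "portable_media": ("Portable media",
                       "Scan and allow-list media used to load data"),
    "plug_in": ("Local plug-in devices (probes, test and diagnostic tools)",
                "Authenticate maintenance devices; disable unused ports"),
    "supply_chain": ("Supply chain",
                     "Provenance records and acceptance testing of avionics"),
}

@dataclass
class Element:
    name: str
    kind: str                                   # "component" or "link"
    exposure: set = field(default_factory=set)  # applicable vector tags

@dataclass
class MisuseCase:
    element: str
    vector: str
    requirement: str

def enumerate_misuse_cases(elements):
    """Cross every element with every vector it is exposed to."""
    cases = []
    for el in elements:
        for tag in sorted(el.exposure):
            if tag not in THREAT_VECTORS:
                raise KeyError(f"{el.name}: unknown threat vector tag {tag!r}")
            vector, requirement = THREAT_VECTORS[tag]
            cases.append(MisuseCase(el.name, vector, f"{el.name}: {requirement}"))
    return cases

def coverage_gaps(elements):
    """Elements not yet examined against any vector: the paper asks for every
    component and link, so an empty exposure set is a finding, not a clearance."""
    return [el.name for el in elements if not el.exposure]

def requirements_by_vector(cases):
    """Group derived requirements per vector so the trade study can weigh the
    cost of mitigating each vector against the performance objectives."""
    grouped = {}
    for case in cases:
        grouped.setdefault(case.vector, []).append(case.requirement)
    return grouped

# Constructed model of the pre-takeoff scenario (names are assumptions).
PRE_TAKEOFF = [
    Element("onboard navigation computer", "component",
            {"embedded_sw", "os", "portable_media", "plug_in", "supply_chain"}),
    Element("airline operations center", "component", {"network", "insider"}),
    Element("FAA flight plan system", "component", {"network", "insider", "protocol"}),
    Element("control tower", "component", {"insider"}),
    Element("flight plan filing link", "link", {"comm_link", "protocol"}),
    Element("ops center authorization link", "link", {"comm_link"}),
    Element("taxi clearance link", "link", {"comm_link"}),
    Element("avionics maintenance laptop", "component", set()),  # not yet examined
]

if __name__ == "__main__":
    for case in enumerate_misuse_cases(PRE_TAKEOFF):
        print(f"[{case.vector}] {case.requirement}")
    print("unexamined elements:", coverage_gaps(PRE_TAKEOFF))
```

The coverage check is what turns the enumeration into the "every component and link" discipline the paper asks for: an element nobody has tagged shows up as a gap rather than silently passing.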
Cyber security specialists themselves need to be part of the solution. They should strive to learn the practices of systems engineering, encourage their organizations to embrace SSE-CMM, and work hard at their own professional development. They should learn and internalize the unique value that the cyber security engineering community can bring to the systems engineering arena. And they should gain experience in the use of systems engineering tools.

Lastly, the similarities and strong overlaps among Cyber Security Engineering, System Safety Engineering, and Reliability Engineering should prompt those professional communities to work together in an effort to find greater synergy in the systems engineering environment. The professional societies and associations that represent these stakeholders should join together under the auspices of the International Council on Systems Engineering (INCOSE) to tackle this together to enhance the profession and produce mission systems with better performance in any environment—normal, abnormal, or hostile.

6 References

[1] Cyber IN-security: Strengthening the Federal Cyber Security Workforce; Partnership for Public Service and Booz Allen Hamilton, July 2009.

[2] Brian Dutcher. “Determining the Role of the IA/Security Engineer,” SANS Institute; InfoSec Reading Room. March 15, 2010, http://www.sans.org/reading_room/whitepapers/assurance/determining-role-ia-security-engineer_33508.

[3] Robert Ayoub. The 2011 (ISC)2 Global Information Security Workforce Study, Frost & Sullivan Market Survey Sponsored by (ISC)2, 2011.

[4] Karen Evans and Franklin Reeder. “Human Capital Crisis in Cybersecurity: Technical Proficiency Matters,” A Report of the CSIS Commission on Cybersecurity for the 44th Presidency, Center for Strategic and International Studies, November 2010.

[5] Eric Beidel and Stew Magnuson. “Government, Military Face Severe Shortage Of Cybersecurity Experts,” National Defense (National Defense Industrial Association), August 2011, http://www.nationaldefensemagazine.org/archive/2011/August/Pages/Government,MilitaryFaceSevereShortageOfCybersecurityExperts.aspx.

[6] Norbert Wiener. Cybernetics: or Control and Communication in the Animal and the Machine, The Massachusetts Institute of Technology, Cambridge, MA, 1948 and 1961.

[7] Peter Neumann. Moderator, Risks Digest, http://catless.ncl.ac.uk/Risks.

[8] Robert McMillan. “Virus targeted at Siemens industrial control systems,” IDG News Service, July 17, 2010. http://www.networkworld.com/news/2010/071710-new-virus-targets-industrial.html.

[9] Brent Kesler. “The Vulnerability of Nuclear Facilities to Cyber Attack,” Strategic Insights, Vol. 10, Issue 1, pp. 15–25, Spring 2011.

[10] DoD Directive 8581.1. “Information Assurance (IA) Policy for Space Systems Used by the Department of Defense,” June 21, 2005.

[11] The Smart Grid Interoperability Panel – Cyber Security Working Group. Guidelines for Smart Grid Cyber Security, NISTIR 7628, August 2010.

[12] NIST Special Publication 800-53 Revision 3. “Recommended Security Controls for Federal Information Systems and Organizations,” National Institute of Standards and Technology, Gaithersburg, MD.

[13] ISO/IEC 21827:2008. Systems Security Engineering—Capability Maturity Model®.

[14] International Council on Systems Engineering (INCOSE). http://www.incose.org.

[15] NASA Office of Safety and Mission Assurance. http://www.hq.nasa.gov/office/codeq/.

[16] American Society for Quality. Certified Reliability Engineer, http://prdweb.asq.org/certification/control/reliability-engineer/index.

[17] IEEE Reliability Society. http://rs.ieee.org/.

[18] The International System Safety Society. http://www.system-safety.org/.

[19] Nancy Leveson. “White Paper on Approaches to Safety Engineering.” Nancy Leveson’s Home Page at MIT, April 23, 2003; http://sunnyday.mit.edu/caib/concepts.pdf.

[20] Guttorm Sindre and Andreas Opdahl. Eliciting Security Requirements by Misuse Cases, Proceedings of TOOLS Pacific 2000, pp. 120–131, 20–23 November 2000, IEEE Computer Society Press.

[21] Ian Alexander. “Use/Misuse Case Analysis Elicits Non-Functional Requirements,” Computing & Control Engineering Journal, Volume 14, Issue 1, pp. 40–45, Feb. 2003.
