CQSDI Cyber Physical System Security Panel System Security ... -...

9
CQSDI Cyber Physical System Security Panel System Security Perspective March 2019 Holly Dunlap Raytheon NDIA SSE Committee Chair [email protected] 3/31/2019 1

Transcript of CQSDI Cyber Physical System Security Panel System Security ... -...

Page 1: CQSDI Cyber Physical System Security Panel System Security ... - ASQasq.org/asd/2019/04/quality-control/cyber-physical-system-security... · CQSDI Cyber Physical System Security Panel

CQSDICyber Physical System Security Panel

System Security PerspectiveMarch 2019

Holly DunlapRaytheon

NDIA SSE Committee [email protected]

3/31/20191

Page 2: CQSDI Cyber Physical System Security Panel System Security ... - ASQasq.org/asd/2019/04/quality-control/cyber-physical-system-security... · CQSDI Cyber Physical System Security Panel

Agenda

• Observations as the NDIA SSE Committee Chair

• Where we’ve been, where we are, and where we are heading

• King for a Day

3/31/20192

Page 3: CQSDI Cyber Physical System Security Panel System Security ... - ASQasq.org/asd/2019/04/quality-control/cyber-physical-system-security... · CQSDI Cyber Physical System Security Panel

Cyber is everyone’s responsibility

3/31/20193

…. what is your responsibility?

Page 4: CQSDI Cyber Physical System Security Panel System Security ... - ASQasq.org/asd/2019/04/quality-control/cyber-physical-system-security... · CQSDI Cyber Physical System Security Panel

(e Complexity)Winter is Coming

3/31/20194

https://www.youtube.com/watch?v=GsE8EzKmuPAhttps://www.ourmovielife.com/2017/08/15/game‐thrones‐prediction‐5‐will‐wall‐fall/

Winter (Cyber) is Coming….

Pretty sure its here.

HELLO BEAUTIFUL

Page 5: CQSDI Cyber Physical System Security Panel System Security ... - ASQasq.org/asd/2019/04/quality-control/cyber-physical-system-security... · CQSDI Cyber Physical System Security Panel

Key DoD Protection Activities to Improve Cyber Resiliency

3/31/20195

What: A capability element that contributes to the warfighters’ technical advantage (CPI)

Key Protection Activity:• Anti‐Tamper• Defense Exportability Features• CPI Protection List• Acquisition Security Database

Goal: Prevent the compromise and loss of CPI

What: Mission‐critical  functions and components

Key Protection Activity:• Software Assurance• Hardware Assurance/Trusted Foundry

• Supply Chain Risk Management• Anti‐counterfeits• Joint Federated Assurance Center (JFAC)

Goal: Protect key mission components from malicious activity

What: Information about the program, system, designs, processes, capabilities and end‐items

Key Protection Activity:• Classification• Export Controls• Information Security• Joint Acquisition Protection & Exploitation Cell (JAPEC)

Goal: Ensure key system and program data is protected from adversary collection

Program Protection & Cybersecurity

InformationComponentsTechnology

Protecting Warfighting Capability Throughout the Lifecycle

DoDM 5200.01, Vol. 1‐4DoDI 5200.39 DoDI 5200.44 DoDI 5230.24

DoDM 5200.45

DoDI 5000.02, Enclosure 3 & 14 

DoDI 8510.01DoDI 8500.01

Policies, guidance and white papers are found at our initiatives site:  http://www.acq.osd.mil/se/initiatives/init_pp‐sse.html 

Cybe

r Resilien

t & Secure Weapo

n System

s Sum

mit, M

cLean, VA Ap

ril 18, 201

7En

gine

ering Cybe

r Resilien

t Weapo

n System

s, M

elinda

 Reed, DAS

D(SE)

System security engineering evaluates, integrates, and manages the risks of security specialties: hardware assurance, software assurance, anti-tamper, supply chain risk management, and cybersecurity, to provide a security perspective within the system architecture and throughout the system development lifecycle

Page 6: CQSDI Cyber Physical System Security Panel System Security ... - ASQasq.org/asd/2019/04/quality-control/cyber-physical-system-security... · CQSDI Cyber Physical System Security Panel

Trending towards convergence…

3/31/20196

Technology Information

Components

Technology Information

Components

Information

Components

Technology

Safety

Reliability Quality

20112015

+2019

Cyber Resilient & Secure Systems

Page 7: CQSDI Cyber Physical System Security Panel System Security ... - ASQasq.org/asd/2019/04/quality-control/cyber-physical-system-security... · CQSDI Cyber Physical System Security Panel

Readily Available Clear System Security Trade (Risk, Cost, Performance) Based Options

System Security Engineering King for the Day Wish…..

3/31/20197

Customer Requirement Example:  Trusted, Cyber Resilient, & Secure System

Technical Requirements

How do we get from here to here?! 

Why is this important?

Tends to be ambiguous & hard to measure, hard to prove, hard to compete for contracts….Customer Requirement Example:  Implement Risk Management Framework

Trusted, Cyber Resilient, & Secure System

Page 8: CQSDI Cyber Physical System Security Panel System Security ... - ASQasq.org/asd/2019/04/quality-control/cyber-physical-system-security... · CQSDI Cyber Physical System Security Panel

System Security Engineering King for the Day Wish…..

• Tiers of Assurance(Confidence Levels)

– Architecture– Hardware – Software– Supply Chain– Protection of Critical Program Information (CPI)

3/31/20198

• Assurance Case– Claim - Assertion to be proven

– Argument – How evidence supports the claim– Evidence – Documented proof.

Start with the high level operational Systems of Systems Concept to understand what is critical to the success of the mission

Decompose the system and identify system mission critical functions

Further decompose the system mission critical function into system mission critical components (hardware, software, firmware). 

Select components with the right risk, cost, and performance to meet the customers requirements.    

Provide an assurance case to prove the customer requirements have been met.

Page 9: CQSDI Cyber Physical System Security Panel System Security ... - ASQasq.org/asd/2019/04/quality-control/cyber-physical-system-security... · CQSDI Cyber Physical System Security Panel

Prove Why Your System Should be Trusted • Assurance cases includes the collection of things you do to increase confidence that the system and all of the integrated

components (hardware, software, firmware) will work as designed and only as intended. Some of these actions may also be considered to be countermeasures or risk mitigations.

3/31/20199

Prove the System is safe.Prove the System is reliable.Prove the System is secure.Prove the System is trustworthy.Prove the System is resilient while under attack.

Would you bet your life on it?Would you bet your family’s life on it?

– People (Expertise. Critical thinking.)– Processes (Standard operating procedures. Reducing variation. Analysis)

• Testing

– Technology• Design Features• Tools• Capabilities