Enabling FuSE Security Objectives by Leveraging Cyber Survivability Methods

Abstract

AbstractThe importance of system security continues to grow as systems become more complex, more connected, and more vulnerable. The INCOSE Vision 2035 sets goals for systems engineering (SE) as a discipline in enabling engineering solutions for a better world: “By 2035, cybersecurity will be as foundational a perspective in systems design as system performance and safety are today” (INCOSE, 2024). A key objective of the INCOSE Future of Systems Engineering (FuSE) Security Foundations Roadmap is to recognize system security as a fundamental part of the mission, integrated into the system architecture, and not “bolted‐on” as a separate subsystem or set of features in the detailed design. To achieve this, systems engineering must address system security early in the system lifecycle, during the mission analysis and concept development phase and ensure it is addressed as a functional requirement throughout the systems engineering lifecycle. System security needs must be treated as fundamental system capability.The INCOSE FuSE Security foundations roadmap identifies six (6) objectives and eleven (11) foundational concepts necessary to achieve the FuSE vision for system security (Dove, et al., 2021). Five of the objectives and five of the foundational concepts are directly related to systems acquisition and engineering lifecycle processes. The five key foundational concepts are: Stakeholder Alignment, Security as a Capability, Security as a Functional Requirement, Loss Driven Engineering and Modeled Trustworthiness.The Operational Test and Evaluation (OT&E) community has extensive cyber assessment and execution processes mandated through numerous Department of Defense (DoD) and individual service policies, directives and guidebooks. This paper studies several of the cybersecurity assessment and process guidebooks, analyzing the processes and methods to identify areas where systems engineering should be responsible, and which SE activities and outputs are needed to enable the requirements of each guidebook.This paper examines six OT&E cyber security guidebooks, and the methods and processes they describe to achieve system security in relation to the five foundation concepts. In addition to their test and evaluation processes, each describes systems engineering processes, activities and outputs that could be used to form the initial foundation of a system security technical process.While the original INCOSE vision statement uses the term “cybersecurity,” the FuSE Security initiative is adopting the term “system security” to emphasize that this is a system engineering responsibility as opposed to software engineering or information technology task. As a result, the analysis of the cybersecurity guidebooks will be in the context of “system security.”