What does the assurance case approach deliver for critical information infrastructure protection in cybersecurity?

Abstract

This paper describes how the Assurance Case Approach (ACA) was applied for Cyber Security and Critical National Infrastructure resilience, using for a single asset an individual Assurance Case (AC), and for system-of-systems clustering a `Mesh' case concept. Despite its common use in the Safety domain, the ACA concept had not been applied to a dynamic situation. It allowed for Cases to be clustered using a `Mesh' Case to summarise a particular ecosystem/environment. This ACA is defined using basic elements of an assurance case ie Claim, argument and evidence - often associated with a legal analogy. Using the case study research method [27], the main methodology as stated in the paper combined the organisational learning cycle [1] with the 6-step based process based on a GSN [16] and CAE [2] notational hybrid for the construction of an argument structure. This was implemented with a CII asset, and further pilotted to demonstrate the ACA for other CII nodes [13]. The clustering using the `Mesh' cases closely aligns with Interdependency Analysis for the UK interconnected system-of-systems. Further work is required to expand the `Mesh' case principle for the 21st century information-centric ecosystem to provide a continual resilience work process framework, which eventually must include real-time inputs. (6 pages)