Aircraft cybersecurity efforts have tended to focus on either the strategic or
the tactical level without a clear connection between the two. Many excellent
engineering tools are already in widespread use, but many organizations have not
yet integrated and linked them into an overarching “campaign plan” that connects
tactical actions such as process hazard analysis, threat modeling, and
probabilistic methods to the desired strategic outcome of secure and resilient
systems. This article presents the combined systems security engineering process
(CSSEP) as a way to fill that gap.
Systems theory provides the theoretical foundation on which CSSEP is built. CSSEP
is structured as a control loop in which the engineering team is the controller
of the design process. The engineering team needs an explicit process model of
how systems should be secured, and a control algorithm that determines which
control actions should be selected. CSSEP’s process model postulates that
security is best achieved by a balance of cybersecurity, cyber resiliency,
defensibility, and recoverability, and that control is best established by
developing security constraints rather than by attempting to find every
vulnerability. CSSEP then transmits those security constraints into the design
process as requirements. The design process used in CSSEP is the prioritized
integrated cyber assessment methodology (PICAM). PICAM iterates through four
phases: mission analysis, cooperative testing, adversarial assessment, and
secure design. Feedback is then returned to the engineering team through the
probabilistic mission risk analysis (PMRA), supported by test data, to close the
control loop.
CSSEP identifies the major functions needed for effective aircraft
cybersecurity and provides a flexible framework as the “missing link” that
connects the strategic and tactical levels of aircraft cybersecurity.