Cyber Resiliency Engineering Overview of the Architectural Assessment Process

Available online at www.sciencedirect.com

ScienceDirect Procedia Computer Science 28 (2014) 838 – 847

&RQIHUHQFHRQ6\VWHPV(QJLQHHULQJ5HVHDUFK&6(5  (GV$]DG00DGQL8QLYHUVLW\RI6RXWKHUQ&DOLIRUQLD%DUU\%RHKP8QLYHUVLW\RI6RXWKHUQ&DOLIRUQLD 0LFKDHO6LHYHUV-HW3URSXOVLRQ/DERUDWRU\0DULOHH:KHDWRQ7KH$HURVSDFH&RUSRUDWLRQ 5HGRQGR%HDFK&$0DUFK



&\EHU5HVLOLHQF\(QJLQHHULQJ 2YHUYLHZRIWKH$UFKLWHFWXUDO$VVHVVPHQW3URFHVV 'HERUDK-%RGHDXD5LFKDUG'*UDXEDUWEDQG(OOHQ5/DGHUPDQF  a, b, c



The MITRE Corporation 202 Burlington Road Bedford MA 01730, USA

$EVWUDFW

0LVVLRQVEXVLQHVVIXQFWLRQVRUJDQL]DWLRQVDQGQDWLRQVDUHLQFUHDVLQJO\GHSHQGHQWRQF\EHUVSDFHZKHUHDWWDFNVDUH QR ORQJHU OLPLWHG WR VLPSOH GLVFUHWH HYHQWV VXFK DV WKH VSUHDG RI D YLUXV RU D GHQLDORIVHUYLFH DWWDFN 7KHUHIRUH DUFKLWHFWXUHDQGV\VWHPVHQJLQHHULQJPXVWDVVXPHV\VWHPVRUFRPSRQHQWVKDYHEHHQFRPSURPLVHGDQGPLVVLRQVDQG EXVLQHVVIXQFWLRQVPXVWFRQWLQXHWRRSHUDWHGHVSLWHFRPSURPLVHV$JURZLQJQXPEHURIWHFKQRORJLHVDQGDUFKLWHFWXUDO SUDFWLFHVFDQEHXVHGWRLPSURYHUHVLOLHQFHWRF\EHUWKUHDWV+RZHYHUWKHVHLPSURYHPHQWVFRPHZLWKFRVWVDVZHOODV EHQHILWV&\EHUUHVLOLHQF\DVVHVVPHQWVDUHLQWHQGHGWRLGHQWLI\ZKHUHKRZDQGZKHQF\EHUUHVLOLHQF\WHFKQLTXHVFDQ EHDSSOLHGWRLPSURYHDUFKLWHFWXUDOUHVLOLHQF\LQDFRVWHIIHFWLYHZD\  ‹7KH$XWKRUV3XEOLVKHGE\(OVHYLHU%9 © 2014 The Authors. Published by Elsevier B.V. 6HOHFWLRQDQGSHHUUHYLHZXQGHUUHVSRQVLELOLW\RIWKH8QLYHUVLW\RI6RXWKHUQ&DOLIRUQLD Selection and peer-review under responsibility of the University of Southern California. .H\ZRUGVF\EHUUHVLOLHQF\HQJLQHHULQJF\EHUUHVLOLHQF\DVVHVVPHQWDUFKLWHFWXUDODVVHVVPHQWSURFHVV





'HERUDK-%RGHDX7HOID[(PDLODGGUHVVGERGHDX#PLWUHRUJ 5LFKDUG'*UDXEDUW7HOID[(PDLODGGUHVVUGJ#PLWUHRUJ (OOHQ5/DGHUPDQ7HOID[(PDLODGGUHVVODGHUPDQ#PLWUHRUJ

1877-0509 © 2014 The Authors. Published by Elsevier B.V. Selection and peer-review under responsibility of the University of Southern California. doi:10.1016/j.procs.2014.03.100

839

Deborah J. Bodeau et al. / Procedia Computer Science 28 (2014) 838 – 847

,QWURGXFWLRQ :LWKWKHJURZLQJFDSDELOLW\H[SHUWLVHDQGLQWHQWRIDGYDQFHGF\EHUDGYHUVDULHVLWLVQRORQJHUUHDOLVWLFWRDVVXPH WKDW RQH FDQ VXFFHVVIXOO\ NHHS DOO DGYHUVDULHV RXW RI D V\VWHP LQIUDVWUXFWXUH 7KHUHIRUH DUFKLWHFWXUH DQG V\VWHPV HQJLQHHULQJPXVWEHEDVHGRQWKHDVVXPSWLRQWKDWV\VWHPVRUFRPSRQHQWVKDYHEHHQRUFDQEHFRPSURPLVHGDQGWKDW PLVVLRQV DQG EXVLQHVV IXQFWLRQV PXVW FRQWLQXH WR RSHUDWH LQ WKH SUHVHQFH RI FRPSURPLVH  &\EHU UHVLOLHQF\ DVVHVVPHQWV DUHLQWHQGHGWRLGHQWLI\ZKHUHKRZDQGZKHQF\EHUUHVLOLHQF\WHFKQLTXHVFDQEHDSSOLHGWRLPSURYH DUFKLWHFWXUDOUHVLOLHQF\DJDLQVWDGYDQFHGF\EHUWKUHDWV7KH&\EHU5HVLOLHQF\(QJLQHHULQJ)UDPHZRUNDVLOOXVWUDWHG LQ)LJXUHDQGGHVFULEHGLQPRUHGHWDLOLQWKH$SSHQGL[SURYLGHVDZD\WRXQGHUVWDQGJRDOVDQGREMHFWLYHVEDVHGRQ WKLV DVVXPSWLRQ RI FRPSURPLVH DQG WKH WHFKQLTXHV DV GHILQHG LQ 7DEOH  EHORZ  WKDW FDQ EH DSSOLHG WR LPSURYH PLVVLRQUHVLOLHQFHDJDLQVWDGYDQFHGF\EHUWKUHDWV 

 )LJXUH&\EHU5HVLOLHQF\(QJLQHHULQJ)UDPHZRUN

+RZHYHUGXHWRDYDULHW\RISROLWLFDORSHUDWLRQDOHFRQRPLFDQGWHFKQLFDO32(7 IDFWRUVLWLVQRWIHDVLEOHIRU RUJDQL]DWLRQV WR XVH DOO UHVLOLHQF\ WHFKQLTXHV RU WKH JURZLQJ VHW RI WHFKQRORJLHV WKDW LPSOHPHQW DVSHFWV RI WKH WHFKQLTXHV)RUDGHWDLOHGVXUYH\RIWHFKQRORJLHVDVZHOODVGLVFXVVLRQRI32(7IDFWRUVVHH ,WLVDOVRQRWIHDVLEOH WRDSSO\DQ\UHVLOLHQF\WHFKQLTXHSHUYDVLYHO\EHFDXVHLPSOHPHQWDWLRQVRIF\EHUUHVLOLHQF\WHFKQLTXHVYDU\LQPDWXULW\ DFURVVGLIIHUHQWDUFKLWHFWXUDOOD\HUVDQGEHFDXVHVRPHLPSOHPHQWDWLRQVDUHLQWHQGHGWREHXVHGRQO\LQVWUDWHJLFDOO\ FKRVHQORFDWLRQVLQDV\VWHPFRPPRQLQIUDVWUXFWXUHRU6\VWHPRI6\VWHPV6R6 7KXVDVWUXFWXUHGDSSURDFKWR LGHQWLI\LQJSRVVLEOHLPSURYHPHQWVLVQHHGHG7KHIROORZLQJWKUHHVWHSVDUHXVHGWRDVVHVVWKHF\EHUUHVLOLHQF\RID V\VWHPRUDUFKLWHFWXUH GHWHUPLQHWKHVFRSHRIDQGSUHSDUHIRUWKHDVVHVVPHQW DVVHVVWKHDUFKLWHFWXUHDQG  GHYHORSVSHFLILFUHFRPPHQGDWLRQV ,IWKHDSSURDFKLVDSSOLHGWRDQRSHUDWLRQDORUDVLVDUFKLWHFWXUHWKHHPSKDVLVPD\EHRQ³ORZKDQJLQJIUXLW´RU RSSRUWXQLWLHVIRUQHDUWHUPDQGKLJKOHYHUDJHLPSURYHPHQWVXVLQJDIHZF\EHUUHVLOLHQF\WHFKQLTXHV$VHWRIJHQHUDO UHFRPPHQGDWLRQVSURYLGHVDVWDUWLQJSRLQWIRULGHQWLI\LQJVXFKRSSRUWXQLWLHV,IWKHDSSURDFKLVDSSOLHGWRDQRWLRQDO RU WREH DUFKLWHFWXUH WKH DVVHVVPHQW PD\ ORRN DW WKH IXOO VHW RI F\EHU UHVLOLHQF\ WHFKQLTXHV DQG DW HQVXULQJ WKDW SRVVLEOHVROXWLRQVLQWKHPLGDQGORQJWHUPFDQEHLQWHJUDWHGLQWRWKHDUFKLWHFWXUH 'HWHUPLQHWKH6FRSHDQG3ODQIRUWKH$VVHVVPHQW 3ODQQLQJ DQ DVVHVVPHQW LQYROYHV GHWHUPLQLQJ WKH SXUSRVH DQG VFRSH RI DQ DVVHVVPHQW DQG LGHQWLI\LQJ NH\ VWDNHKROGHUVDQGVRXUFHVRILQIRUPDWLRQ 7KHSXUSRVHRIDQDVVHVVPHQWLVGHILQHGE\WKHTXHVWLRQVLWLVLQWHQGHGWRDQVZHUDQGWKHGHFLVLRQVLWLVLQWHQGHGWR VXSSRUW 7KHVH VKRXOG LQLWLDOO\ EH H[SUHVVHG LQ VWDNHKROGHU WHUPV UDWKHU WKDQ UHVLOLHQF\ WHUPV WKH\ FDQ WKHQ EH

840

Deborah J. Bodeau et al. / Procedia Computer Science 28 (2014) 838 – 847

WUDQVODWHGLQWRWKHF\EHUUHVLOLHQF\IUDPHZRUNWHUPLQRORJ\'HSHQGLQJRQWKHSXUSRVHWKHDVVHVVPHQWFDQSURGXFH TXDOLWDWLYHDVVHVVPHQWYDOXHVIRUREMHFWLYHVVXEREMHFWLYHVDQGWHFKQLTXHVRUFDQLGHQWLI\H[LVWLQJFDSDELOLWLHVIRU DFKLHYLQJREMHFWLYHVDQGVXEREMHFWLYHVDQGSRWHQWLDOLPSURYHPHQWVEDVHGRQDSSO\LQJUHOHYDQWWHFKQLTXHV 7KHVFRSHRIDF\EHUUHVLOLHQF\DUFKLWHFWXUDODVVHVVPHQWFRQVLVWVRIERWKWKHDUFKLWHFWXUHWREHDVVHVVHGLQFOXGLQJ D GHVFULSWLRQ RI WKH PLVVLRQV DQGRU EXVLQHVV SURFHVVHV ZKHQ DSSURSULDWH DQG WKH F\EHU UHVLOLHQF\ REMHFWLYHV DQG WHFKQLTXHV WR EH FRQVLGHUHG 7KH VFRSH LV DOVR GHWHUPLQHG LQ SDUW E\ WKH DUFKLWHFWXUDO OD\HUV LQFOXGHG LQ WKH DUFKLWHFWXUH)LQDOO\WKHVFRSHGHSHQGVRQZKHWKHUWKHDUFKLWHFWXUHLVDVLVRUWREH)RUDQDVLVDUFKLWHFWXUHWKH VFRSH PD\ EH OLPLWHG WR QHDUWHUP LPSURYHPHQWV HPSKDVL]LQJ HIIHFWLYH XVH RI H[LVWLQJ VHFXULW\ FDSDELOLWLHV WR DQWLFLSDWHZLWKVWDQGDQGUHFRYHUIURPDWWDFNV)RUDWREHDUFKLWHFWXUHWKHVFRSHFDQLQFOXGHZD\VWKHDUFKLWHFWXUH FDQEHGHILQHGWRHYROYHRYHUWLPHWROHYHUDJHWHFKQLTXHVWKDWDUHFXUUHQWO\EHLQJUHVHDUFKHGRUSURWRW\SHG 7KHGHWHUPLQDWLRQRIZKLFKWHFKQLTXHV WR LQFOXGH LQ WKH VFRSH LVVWURQJO\ LQIOXHQFHGE\ 32(7 FRQVLGHUDWLRQV 7DEOHSURYLGHVUHSUHVHQWDWLYHH[DPSOHVRIUHDVRQVIRUH[FOXGLQJWHFKQLTXHVIURPFRQVLGHUDWLRQRUUHVWULFWLQJVSHFLILF WHFKQLTXHVWREHFRQVLGHUHGLQGHYHORSLQJUHFRPPHQGDWLRQV 7DEOH5HSUHVHQWDWLYH5HDVRQVIRU5HVWULFWLQJ&RQVLGHUDWLRQRI&\EHU5HVLOLHQF\7HFKQLTXHV Technique

RepresentativeReasonsforRestrictingConsideration

AdaptiveResponse AnalyticMonitoring CoordinatedDefense

Liabilityconcerns(e.g.,responsesthatviolateServiceLevelAgreements(SLA),causecollateraldamage) Policyconcernsrelatedtocollecting,aggregating,andretainingdata GovernanceandConceptofOperations(CONOPS)issues(e.g.,overlappingorincompletelydefinedrolesand responsibilities,noclearresponsibilityfordefiningcybercoursesofaction) Deception Legal,regulatory,contractual,orpolicyrestrictions;Concernforreputation Diversity Policyorprogrammaticrestrictions(e.g.,organizationalcommitmenttoaspecificproductorproductsuite); LifeͲcyclecostofdevelopingoracquiring,operating,andmaintainingmultipledistinctinstances DynamicPositioning Technicallimitationsduetopolicyorprogrammaticrestrictions(e.g.,organizationalcommitmenttoaspecific productorproductsuite) DynamicRepresentation Governanceissues/informationsharingconstraintsinthecontextofSoS NonͲPersistence TechnicallimitationsthatpreventrefreshfunctionsfrommeetingQualityofServicerequirements PrivilegeRestriction GovernanceandCONOPSissues(e.g.,operationalimpetustoshareroles) Realignment Organizationalandculturalimpacts(e.g.,eliminatingfunctionsstaffareusedto,moraleofrelocatingstaff) Redundancy Costsofmaintainingmultiple,uptodateandsecureinstantiationsofdataandservices Segmentation CostandscheduleimpactsofreͲarchitecting;costofadditionalrouters,firewalls SubstantiatedIntegrity Costandscheduleimpacts Unpredictability Operationalandculturalissues(e.g.,adverseimpactonplannedactivitiesorstaffexpectations)

6WDNHKROGHUV¶QHHGVGULYHZKLFKUHVLOLHQF\WHFKQLTXHVDUHQHHGHG'LIIHUHQWVWDNHKROGHUVKDYHGLIIHUHQWQHHGVDQG SHUVSHFWLYHV,QWHUYLHZVZLWKWKHYDULRXVVWDNHKROGHUVDUHQHHGHGWRREWDLQDFRPSOHWHYLHZRIWKHLUQHHGV7DEOH LGHQWLILHVSRVVLEOHVWDNHKROGHUVDQG6XEMHFW0DWWHU([SHUWV60(V ZKRPLJKWEHLQWHUYLHZHG 7DEOH3RVVLEOH6WDNHKROGHUVDQG6XEMHFW0DWWHU([SHUWVWR,QWHUYLHZ Role MissionOwner

CyberDefender:TacticalorlineͲlevel management,operationalormidͲlevel management,andstrategicorenterpriseͲlevel management ProgramManager

IT/ICTProvider(e.g.,DatacenterManager) Architect/SystemsEngineer

InformationtoObtain Missionpriorities–whattasksaremissionͲessential,missionͲcritical,orsupportive; relativepriorityofnearͲtermvs.longͲtermmissioncapabilities.Informationusually derivedfrom requirementsandinMissionImpactAnalysisorBusinessImpactAnalysis. How–andhowwell–thearchitectureenablescyberdefenderstofulfilltheir responsibilities.(SeeAppendixAofreference2foradetailedmappingofcyber defenderactivitiestocyberresiliencyobjectivesandsubͲobjectives.) Relativeprioritiesofcyberresourcesandcyberresiliencygoalsandobjectives,based onthemissionstheprogramsupports,therelativeprioritiesofnearͲtermvs.longͲ termcapabilitiesforthosemissions,andthecriticalityofcyberresourcestothose missions. Relativeimportanceofdifferentcapabilitiesorservices. Currentandfuturearchitecture.POETconsiderations,particularlytechnical constraints.

Deborah J. Bodeau et al. / Procedia Computer Science 28 (2014) 838 – 847

841

7DEOHLGHQWLILHVSRVVLEOHVRXUFHGRFXPHQWVIRUDF\EHUUHVLOLHQF\DVVHVVPHQW7KHVRXUFHGRFXPHQWVFRQVXOWHG GHSHQGRQWKHVFRSHRIWKHDVVHVVPHQWDQGRQWKHOLIHF\FOHVWDJH 7DEOH3RVVLEOH6RXUFH'RFXPHQWV SourceDocument MissionImpactAnalysisorBusinessImpactAnalysis

ContingencyPlans(e.g.,BusinessContinuityPlansor ContinuityofOperationsPlans) Architecturedocumentation StandardOperatingProcedures(SOPs)forsystemor networkadministration,andforhandlingcomputer incidents ComputerNetworkDefenseplans,CyberCoursesof Actions(CCoA)orcyberplaybooks

Relevance Identifiesmission(orbusinessprocess)concernsandpriorities.Identifies missionͲessentialandmissionͲcriticalresources.Providesbasisforcontingency plans. Describeshowcyberresourcesandoperationalprocessesareusedtoensure mission/businesscontinuityunderstress. Describesthearchitecturesofthemission/businesssegment,SoS,common infrastructure,setofsharedservices,system,and/orcomponents. DescribeshowcyberresourcesareusedtoenforcepoliciesandmeetSLAs. Describesoperationalprocessesforrespondingtoincidents. Describesprocesses,procedures,andcyberresourcesusedinthoseprocessesfor cyberdefense.

3HUIRUPWKH$VVHVVPHQW 3HUIRUPLQJ WKH DVVHVVPHQW LQYROYHV DVVLJQLQJ TXDOLWDWLYH YDOXHV UDQJLQJ IURP YHU\ ORZ WR YHU\ KLJK ZLWK VXSSRUWLQJUDWLRQDOH7KLVVHFWLRQSURYLGHVJHQHUDOYDOXHVFDOHVWKDWFDQEHXVHGIRUDOOF\EHUUHVLOLHQF\WHFKQLTXHV )RUVRPHDVVHVVPHQWVDPRUHGHWDLOHGVHWRIGHILQLWLRQVPD\EHQHHGHG7DEOHVGHILQLQJYDOXHVIRUF\EHUUHVLOLHQF\ WHFKQLTXHVFDQEHFRQVWUXFWHGXVLQJWKHJHQHUDOVWUXFWXUHLQ6HFWLRQEHORZ 'RFXPHQWLQJ WKH UDWLRQDOH IRU WKH DVVLJQPHQW RI D YDOXH LV D FUXFLDO SDUW RI WKH DVVHVVPHQW 7KH UDWLRQDOH FDQ LGHQWLI\ LQKHUHQW DUFKLWHFWXUDO YXOQHUDELOLWLHV WR DWWDFNV E\ DGYDQFHG DGYHUVDULHV JDSV LQ WHFKQRORJLHV 623V RU &&R$V DQGRU SROLF\ RU JRYHUQDQFH LVVXHV 7KH UDWLRQDOH WKHUHIRUH SURYLGHV WKH IRXQGDWLRQ IRU GHYHORSLQJ UHFRPPHQGDWLRQV 3.1. Architecture Flexibility or Capability )RUDQ\DUFKLWHFWXUHDQDVVHVVPHQWFDQGHWHUPLQHKRZIOH[LEOHRUFDSDEOHWKHDUFKLWHFWXUHLVZLWKUHVSHFWWRWKH LQFRUSRUDWLRQDQGHIIHFWLYHDSSOLFDWLRQRIDUHVLOLHQF\WHFKQLTXH7DEOHSURYLGHVDVFDOHRIUHODWLYHIOH[LELOLW\DVD IXQFWLRQRIDUFKLWHFWXUDOWUDLWV 7DEOH'HILQLWLRQVRI/HYHOIRU)OH[LELOLW\ Level

Components,Technology,andProcesstoImplementResiliency

IntegrationofAdditionalTechnologyor Componentsastheybecomeavailable

VeryHigh

Explicitlyintegratesastrategicset;hasmechanismstoassess effectiveness Explicitlyincludes Accommodatesorincludes Doesnotpreclude Precludes

Explicitlyprovidesflexibility

High Medium Low VeryLow

Someflexibility Someflexibility Limitedflexibility Severelylimited

 )RUHDFKRIWKHUHVLOLHQF\WHFKQLTXHVWKHGLIIHUHQFHVEHWZHHQWKHVHOHYHOVDUHGHVFULEHGLQWHUPVRIWHFKQLTXH VSHFLILFIDFWRUV7KHVHGLIIHUHQWLDWLQJIDFWRUVDUHLGHQWLILHGDVLQ7DEOH  

842

Deborah J. Bodeau et al. / Procedia Computer Science 28 (2014) 838 – 847

7DEOH.H\'LIIHUHQWLDWRUV%HWZHHQ/HYHOVIRU&\EHU5HVLOLHQF\7HFKQLTXHV CyberResiliencyTechnique AdaptiveResponse:takeactionsin responsetoindicationsthatanattackis underwaybasedonattackcharacteristics

KeyDifferentiatorsBetweenLevels Breadth:Howmanydifferentresponsiveactionsdoesthearchitecturesupport? Depth:Athowmanyarchitecturallayerscanresponsiveactionsbetaken? Dynamism:Howquicklycanresponseactionsbetaken? Integration:Howwellareresiliencytechnologiesintegratedintoresponse?

Sensorlocations:Athowmanylocationsismonitoringperformed? AnalyticMonitoring:gatherandanalyze Sensorcoordination:Howwellcansensorcoverageandanalysisbecoordinated? dataonanongoing,coordinatedbasis,to Sensordynamism:Howquicklycansensorsberecalibrated? identifypotentialvulnerabilities,adversary Analysistimeliness:Howquicklycananalysisdatabeperformed? activities,anddamage Scope:Whatisthescopeofanalysis? Breadth:Howmanydefensivetechniquesareappliedatagivenarchitecturallayer? Depth:Athowmanyarchitecturallayersisagivendefensivetechniqueapplied? CoordinatedDefense:manageadaptively andinacoordinatedwaymultiple,distinct Internalconsistency/coordination:Howconsistentlyandwithhowmuchcoordinationare cyberdefenses,andsupportingsecuritycontrolsmanagedinagivenadministrativespanof mechanismstodefendcriticalresources control? againstadversaryactivities Externalconsistency/coordination:Howconsistentlyandwithhowmuchcoordinationare cyberdefensesmanagedacrossdifferentadministrativespansofcontrol? Deception:useobfuscationand misdirection(e.g.,disinformation)to confuseanadversary Diversity:useaheterogeneoussetof technologies(e.g.,hardware,software, firmware,protocols)anddatasourcesto minimizetheimpactofattacksandforce adversariestoattackmultipledifferent typesoftechnologies DynamicPositioning:usedistributed processinganddynamicrelocationof criticalassetsandsensors

Sophisticationofdissimulation:Howsophisticatedarethemechanisms(e.g.,encryption)? Sophisticationofsimulation:Howsophisticatedarethemechanisms(e.g.,honeynets)? Integration:Howwellaredeceptionmechanismsintegratedwithothermechanisms? Depth:Diversityprovided/supportedathowmanyarchitecturallayers? Breadth:Athowmanylocationsinthearchitectureisdiversityprovidedorsupported? Degree:Howmanyinstances/alternativesareaccommodatedwithinthearchitecturallayers? Dynamism:Howquicklycannewimplementationsbeintegratedintothesystem? Integration:Howwellisdiversityintegratedwithotherpractices? Assetpositioning:Howextensivelyisamovingtargetdefensestrategyappliedtocriticalassets?

Sensorpositioning:Howextensivelycansensorsbemoved/reassigned/reconfigured? Dynamism:Howquicklycandynamicpositioningtakeeffect? DynamicRepresentation:maintaindynamic Breadth:Howmanyaspectsareincludedinrepresentations? representationsofcomponents,systems, Timeliness:Howquickly/howoftenarerepresentationsupdated? services,missiondependencies,adversary activities,andeffectsofcyberactions DepthofnonͲpersistence:AthowmanyarchitecturallayersisnonͲpersistencesupported? NonͲPersistence:retaininformation, services,andconnectivityforalimitedtime FrequencyofnonͲpersistence:Howfrequentlyisthedata,service,orsystemrefreshed? PrivilegeRestriction:restrictprivileges Depthofprivilegerestriction:Athowmanylayersisprivilegerestrictionapplied? requiredtousecyberresources,and Breadthofprivilegerestriction:Howbroadlyornarrowlyisleastprivilegeapplied? privilegesassignedtousersandcyber Criticality:Towhatdegreeiscriticalityanalysislinkedtoleastprivilege? entities,basedonthetypeanddegreeof Coordination/consistency:Howconsistentlyareprivilegesdefinedandassigned?InaSoS,how criticalityandtrustrespectively,to wellarepoliciesandpracticescoordinated? minimizepotentialimpactofadversary activities Depthofrealignment:Athowmanylayersisrealignmentapplied? Realignment:aligncyberresourceswith coreaspectsofmission/businessfunctions, Degreeofanalysis:Howdetailedisanalysis/determinationofcoremissionfunctions? thusreducingtheattacksurface Formalizationofrealignment:Howformal/structuredare realignmentprocesses? Redundancy:maintainmultipleprotected instancesofcriticalresources(information andservices)

Breadthofredundancy:Howmanyduplicatecopiesofagivenresourceexist?Where? Depthofredundancy:Athowmanylayersisredundancyprovided? Validation:Howconsistentandindependentareduplicatecopies? Integration:Howwellisredundancyintegratedwithothertechniques?

843

Deborah J. Bodeau et al. / Procedia Computer Science 28 (2014) 838 – 847 CyberResiliencyTechnique

KeyDifferentiatorsBetweenLevels

Segmentation:separate(logicallyor physically)componentsbasedonpedigree and/orcriticality,tolimitthedamagefrom successfulexploits

Strengthofseparation:Howeffectiveistheseparation?

Depthofsegmentation:Athowmanylayersissegmentationprovided? Responsivenessofisolation:Howquicklyandeffectivelycansegmentationbeusedtoisolate cyberresourcesinlightofanattack? Depthofintegrity:Athowmanylayersisunpredictabilityapplied? SubstantiatedIntegrity:ascertainthat criticalservices,informationstores, Strengthofintegritymechanisms:Howstrongoreffectivearethesubstantiatedintegrity informationstreams,andcomponentshave mechanisms(e.g.,preventchangestodata/system,detectchanges,increasesourcesofdatato notbeencorruptedbyanadversary reduceprobabilityofchangesthatwillimpactmission)? Unpredictability:makechangesfrequently Depthofunpredictability:Athowmanylayersisunpredictabilityapplied? andrandomly Intentionalityofunpredictability:Isunpredictabilityplanned,happenstance,oracombination?

3.2. Implementation )RUQRWLRQDODUFKLWHFWXUHVWKHDVVHVVPHQWLVEDVHGRQVSHFLILFDWLRQVDQGSODQV5HJDUGOHVVRIKRZGHWDLOHGVXFK GRFXPHQWV DUH WKH\ VWLOO IRFXV RQ VRPHWKLQJ WKDW LV QRW \HW UHDO ,Q FRQWUDVW ³DVLV´ DUFKLWHFWXUHV DUH UHDOL]HG LQ RSHUDWLRQDOHQYLURQPHQWVDQGFDQEHDVVHVVHGZLWKUHJDUGVWRWKHFRPPLWPHQWWRXVLQJDUHVLOLHQF\WHFKQLTXHWKH FRPSUHKHQVLYHQHVVRI WKH LPSOHPHQWDWLRQ DQG WKH HIIHFWLYHQHVVRI WKH LPSOHPHQWDWLRQ 1RWH WKDW LPSOHPHQWDWLRQ LQFOXGHVQRWRQO\LQFOXVLRQRIWHFKQLFDOPHFKDQLVPVEXWDOVRKRZWKHSUDFWLFHLVXVHGRSHUDWLRQDOO\7DEOHSURYLGHV DJHQHUDOGHILQLWLRQRIOHYHOVRILPSOHPHQWDWLRQ 7DEOH/HYHOVRI,PSOHPHQWDWLRQ Level

Commitment

Comprehensiveness

VeryHigh InadditiontothecommitmentatHighLevel: Allspecifictechnologiesor Investment/architecturalevolutionplansincludeexpected approachesavailableareapplied futuremechanisms/capabilities High

Medium

Low VeryLow

InadditiontothecommitmentatMediumLevel: Resourcesareallocatedtotheuseofthetechnique(lifeͲ cyclecosts,LevelofEffort(LOE),training)andinvestment/ architecturalevolutionplansincludethetechnique Policiesandcontractualagreementsaccommodatesome useofthetechnique Someusesofthetechniquearerepresentedinoperations (CONOPS,SOPs,TTPs) Limitedresourcesareallocatedtotheuseofthetechnique (lifeͲcyclecosts,LOE,training) Plansexistformodifyingpoliciesandcontractual agreementstoaccommodatesomeuseofthetechnique NoplanstoaddressPOETconsiderationstoenableor facilitateuseofthetechnique

Mostspecifictechnologiesor approachesavailableareapplied

Effectiveness Effectivenessvalidatedby penetrationtesting, exercises,andmetrics tracking Effectivenessvalidatedby penetrationtestingand limitedexercises

Somespecifictechnologiesor approachesareapplied

Effectivenessvalidatedby testing

Somespecifictechnologiesor approachesareplanned Techniquesorapproachesare incidentalratherthanplanned

Effectivenesstobe validatedbytesting Effectivenessisnot evaluated

'HYHORS5HFRPPHQGDWLRQV 7KHJRDORIDQDVVHVVPHQWLVWRSURYLGHUHFRPPHQGDWLRQV7KLVVHFWLRQSURYLGHVJHQHUDOUHFRPPHQGDWLRQVWRVHUYH DVDVWDUWLQJSRLQW,VVXHVWKDWDUFKLWHFWVDQGV\VWHPVHQJLQHHUVVKRXOGWDNHLQWRFRQVLGHUDWLRQZKHQGHYHORSLQJRU DSSO\LQJUHFRPPHQGDWLRQVDUHDOVRGLVFXVVHG 7DEOHSURYLGHVJHQHUDOUHFRPPHQGDWLRQVRUHQJLQHHULQJSULQFLSOHVIRUDSSO\LQJUHVLOLHQF\WHFKQLTXHV7KHVHFDQ VHUYH DV D VWDUWLQJ SRLQW :KHQ GLIIHUHQWLDWLQJ IDFWRUV IRU UHVLOLHQF\ WHFKQLTXHV DUH DVVHVVHG PRUH VSHFLILF UHFRPPHQGDWLRQVFDQEHGHYHORSHG  

844

Deborah J. Bodeau et al. / Procedia Computer Science 28 (2014) 838 – 847

7DEOH*HQHUDO5HFRPPHQGDWLRQVIRU$SSO\LQJ&\EHU5HVLOLHQF\7HFKQLTXHV Technique

Adaptive Response

Analytic Monitoring

Coordinated Defense

Deception

GeneralRecommendations MaintainanupͲtoͲdateandconsistentcyberplaybook(setofSOPs,CCoAs,andconfigurationguides)ͲExerciseto validate Integrateautomateddecisionresponsemechanismscarefully,toavoiddestabilization Supporthumaninteractionandunderstandableuserinterfaces Exercisecautioninusingfullyautomateddynamicmechanisms CombinemonitoringandanalysisacrosssubͲsystems(e.g.,IDS,antiͲmalware,CMRS) Identifyandaddressmonitoringissuesrelatedtotransienceofothercyberresources AnalyzeandaddresstradeͲoffbetweenencryptionandmonitoring Applydefenseindepth,movingawayfroma“hardoutside,softchewycenter” CoordinateSOPs,particularlyforperformancemanagementandconfigurationmanagement,withmissionthreads CoordinatethedevelopmentofCCoAswithadministratorSOPs,acrossmultipleadministrativedomains,takinginto considerationmissionthreads,formissionsthatrelyonresourcescoveredbytheCCoAs Workoutpolicy,governance,andCONOPSissuesrelatedtoactivedeceptionpriortodefiningadeceptionarchitecture Considerthescopeofdeception(e.g.,focusedoninternalsystems,supplychain,DMZ,orexternaldatarepositoriesand servers)inarchitecturaldecisions Makeeffectiveuseofincidentaldiversity Incorporate(ratherthantrytoexpunge)diversecomponents,products,andservicesacquiredatdifferenttimesand/or bydifferentorganizations AccommodatediversityinendͲuserdevices(particularlyfor“bringyourowndevice”)

Diversity

Investintargeteddiversityforcriticalassetscarefully Communications:identifyandmaintainalternativecommunicationspaths Software:takeadvantageoforganizationͲownedmissionapplications

Dynamic Positioning

Dynamic Representation

NonͲPersistence Privilege Restriction Realignment

Redundancy

Segmentation

Substantiated Integrity Unpredictability

Information:identifyandmaintainmultiplesourcesofcriticalmissiondata Hardware:applyAntiͲTamper(AT),SupplyChainRiskManagementanddesigndiversity Useexistingtechnologiestodistributeassetsinwaysthattakeresiliencyintoaccount Ensureconsistentprotection Integratewithbackup,isolation,androllback Ensureexistenceofandthenbuildonstaticrepresentationsofcomponents,systems,servicesmissiondependenciesand adversaryactions Useexistingtoolstomaintainacurrentandrealisticrepresentation:UseContinuousMonitoringandintrusiondetection toolstorepresentsecurityposture;useperformancemonitoringandfunctionalmappingtoolstorepresentmission dependencies Coordinatewithcontingencyplanningactivities,sothatplans,CCoAs,andSOPscansupportnonͲadversarialaswellas adversarialdisruptions LeveragevirtualizationtomakeservicesnonͲpersistent Minimize“immortal”servicesandconnectionsaspartofsystemandnetworkadministratorSOPsͲTerminateunused portsandprotocols Applybestpracticeforleastprivilege,separationofduties,androleͲbasedaccesscontrol Identifycriticalresourcesandlockdowntheiruse Analyzemission/businessprocessestoidentifynonͲessentialresources PlantoseparateoroffloadnonͲessentialresources Applygoodpracticestandardsforredundancyinthecontextofcontingencyplanning Ensurecurrentpatch/configurationstatusofredundantfirmwareandsoftwareresources Ensureprotectionofallinstancesofcriticalresourcesregardlessoflocation Defineandseparateenclavesbasedonsensitivity,criticality,andtrust Employlogicalisolationmechanisms(e.g.,routers,firewalls,controlledinterfaces)toisolateenclavesandsubnets EnsureisolationofInternetfromintranet Isolateorganization’scybersecurityoperationscenter(CSOC) fromrestoforganization Applyexistingsoftwareintegrityandnetworkaddressvalidationmechanismseffectively ApplyATtocriticalhardware,firmware,andsoftwarecomponents Includeunpredictablechangesthataretransparenttomission/businessprocessusersindayͲtoͲdayoperations

Deborah J. Bodeau et al. / Procedia Computer Science 28 (2014) 838 – 847

845

4.1. Additional Considerations $GRSWLRQDQGHIIHFWLYHXVHRIDF\EHUUHVLOLHQF\WHFKQLTXHHQWDLOVDGGUHVVLQJDYDULHW\RIFKDOOHQJHVWKDWFDQEH IUDPHGLQ32(7WHUPV6HH$SSHQGL[(RI $QRWKHUFRQVLGHUDWLRQLVWKHPDWXULW\RIWKHUHVLOLHQF\WHFKQLTXH1RWDOOUHVLOLHQFHWHFKQLTXHVDUHDWWKHVDPHOHYHO RIPDWXULW\DQGXVDJH7HFKQLTXHVVXFKDV3ULYLOHJH5HVWULFWLRQ5HGXQGDQF\6HJPHQWDWLRQDQG$QDO\WLF0RQLWRULQJ LQFOXGHHOHPHQWVWKDWDUHLQFRPPRQSUDFWLFHWRGD\$WWKHRWKHUH[WUHPHWHFKQLTXHVVXFKDV$GDSWLYH5HVSRQVH 'HFHSWLRQ'LYHUVLW\5HDOLJQPHQWDQG8QSUHGLFWDELOLW\DUHUDUHO\DSSOLHGLQFXUUHQWSUDFWLFH6HH$SSHQGL['DQG $SSHQGL[)RI :KHQ D WHFKQRORJ\ VXSSRUWV F\EHU UHVLOLHQF\ LW LV LPSRUWDQW WR FRQVLGHU KRZ HIIHFWLYHO\ LW LV XVHG WR SURYLGH UHVLOLHQF\)RUH[DPSOHYLUWXDOL]DWLRQFDQEHDQHIIHFWLYHPHDQVRIVXSSRUWLQJ1RQ3HUVLVWHQFH'LYHUVLW\$GDSWLYH 5HVSRQVH'\QDPLF3RVLWLRQLQJDQG6HJPHQWDWLRQVWUDWHJLHV7KHXVHRIYLUWXDOL]DWLRQLVJURZLQJEXWWKDWGRHVQRW PHDQWKDWVLPSO\LQFOXGLQJYLUWXDOL]DWLRQWHFKQRORJ\LQDQDUFKLWHFWXUHPDNHVWKHDUFKLWHFWXUHPRUHUHVLOLHQW0RVW XVHV RI YLUWXDOL]DWLRQ DUH LQWHQGHG WR LPSURYH SHUIRUPDQFH DQG KDYH OLWWOH RU QR UHOHYDQFH WR UHVLOLHQF\ DJDLQVW DGYDQFHGF\EHUWKUHDWV :KLOH WKH WUHQG WRZDUG XVLQJ GDWD FHQWHUV WR KRVW PLVVLRQEXVLQHVV DSSOLFDWLRQV LV ODUJHO\ GULYHQ E\ FRVW GDWD FHQWHUV FDQ SURYLGH LQFUHDVHG UHVLOLHQF\ OHYHUDJLQJ YLUWXDOL]DWLRQ DQG FORXG FRPSXWLQJ LQIUDVWUXFWXUHV &\EHU UHVLOLHQF\WHFKQLTXHVDSSO\GLIIHUHQWO\WRGLIIHUHQWFODVVHVRIUHVRXUFHVLQGDWDFHQWHUV6HJPHQWDWLRQWHFKQLTXHVWR FUHDWHVHSDUDWHHQFODYHVIRUGLIIHUHQWFODVVHVRIUHVRXUFHVDUHKLJKO\DSSOLFDEOHWRGDWDFHQWHUFORXGHQYLURQPHQWV,W LVLPSRUWDQWWRORRNDWWKHLPSOHPHQWDWLRQWRVHHKRZLWVXSSRUWVRUOLPLWVF\EHUUHVLOLHQF\ &RQFOXVLRQ &\EHUUHVLOLHQF\LVDUHODWLYHO\QHZFRQFHSWDQGHQJLQHHULQJSULQFLSOHVIRUF\EHUUHVLOLHQF\DUHHPHUJLQJ)RU PRUHLQIRUPDWLRQVHHWKH5HSRUWVRIWKHQGDQGUG$QQXDO6HFXUHDQG5HVLOLHQW&\EHU$UFKLWHFWXUHV:RUNVKRS  7KHUHFRPPHQGDWLRQVGHYHORSHGIURPDQDUFKLWHFWXUDODVVHVVPHQWRIF\EHUUHVLOLHQF\PXVWEHPHDQLQJIXODQGIHDVLEOH ZLWKLQ WKH FRQVWUDLQWV RI WKH SROLWLFDO RSHUDWLRQDO HFRQRPLF DQG WHFKQLFDO IDFWRUV WKDW DSSO\ 7KH DUFKLWHFWXUDO UHVLOLHQF\DVVHVVPHQWSURFHVVVXPPDUL]HGLQWKLVZKLWHSDSHUDQGGHVFULEHGLQPRUHGHWDLOLQUHIHUHQFHLVGHVLJQHG WREHDGDSWDEOHVRWKDWRQO\WKHPRVWUHOHYDQWDVSHFWVRIF\EHUUHVLOLHQF\DUHFRQVLGHUHG7KHSURFHVV±OLNHWKH&\EHU 5HVLOLHQF\ (QJLQHHULQJ )UDPHZRUN ± LV DOVR GHVLJQHG WR EH H[WHQVLEOH WR DFFRPPRGDWH QHZ F\EHU UHVLOLHQF\ WHFKQRORJLHVDQGSULQFLSOHVDVWKH\DUHGHYHORSHGDQGSURYHQ $SSHQGL[$&\EHU5HVLOLHQF\(QJLQHHULQJ)UDPHZRUN 7KLV DSSHQGL[ SURYLGHV EDFNJURXQG RQ WKH &\EHU 5HVLOLHQF\ (QJLQHHULQJ )UDPHZRUN ZKLFK FDQ EH XVHG WR VWUXFWXUHDQDO\VLVGXULQJDQDVVHVVPHQW7KHIUDPHZRUNZDVGHULYHGIURPIUDPHZRUNVDQGRQWRORJLHVLQDYDULHW\RI UHODWHGHQJLQHHULQJGLVFLSOLQHVLQFOXGLQJUHVLOLHQFHHQJLQHHULQJV\VWHPUHVLOLHQFHLQFULWLFDOLQIUDVWUXFWXUHVHFWRUV QHWZRUN UHVLOLHQFH  VXUYLYDELOLW\  GHSHQGDELOLW\  DQG F\EHUVHFXULW\  7KH IUDPHZRUN RUJDQL]HV WKH F\EHU UHVLOLHQF\GRPDLQLQWRDVHWRIJRDOVREMHFWLYHVDQGWHFKQLTXHV*RDOVDUHKLJKOHYHOVWDWHPHQWVRILQWHQGHGRXWFRPHV 2EMHFWLYHVDUHPRUHVSHFLILFVWDWHPHQWVRILQWHQGHGRXWFRPHVH[SUHVVHGVRDVWRIDFLOLWDWHDVVHVVPHQW &\EHU UHVLOLHQF\ WHFKQLTXHV DUH WHFKQLFDO RSHUDWLRQDO RU JRYHUQDQFH DSSURDFKHV WR DFKLHYLQJ F\EHU UHVLOLHQF\ REMHFWLYHV7KHVHWHFKQLTXHVDUHVHOHFWLYHO\DSSOLHGWRDUFKLWHFWXUHVRUWRWKHGHVLJQRIPLVVLRQEXVLQHVVIXQFWLRQVDQG WKHF\EHUUHVRXUFHVWKDWVXSSRUWWKHPWRDFKLHYHF\EHUUHVLOLHQF\REMHFWLYHV7DEOHLGHQWLILHVHQDEOLQJWHFKQLTXHV IRUWKHREMHFWLYHVDQGWRDLGXQGHUVWDQGLQJPRUHVSHFLILFVXEREMHFWLYHV   

846

Deborah J. Bodeau et al. / Procedia Computer Science 28 (2014) 838 – 847

7DEOH&\EHU5HVLOLHQF\2EMHFWLYHVDQG6XE2EMHFWLYHV(QDEOHGE\7HFKQLTXHV Objective Understand:maintainuseful representationsofmission/business cyberdependencies,andofthestatusof cyberresourceswithrespecttopossible adversaryactivities 

SubͲObjective Understandadversaries

Techniques AnalyticMonitoring Deception Understandmissionorbusinessfunctiondependenciesoncyber DynamicRepresentation resourcesand Realignment Understandthefunctionaldependenciesamongcyberresources CoordinatedDefense PrivilegeRestriction Understandthestatusofresourceswithrespecttoadversary AdaptiveResponse activities AnalyticMonitoring DynamicPositioning DynamicRepresentation SubstantiatedIntegrity Prepare:maintainasetofrealisticcyber Createandmaintaincybercoursesofaction CoordinatedDefense CoordinatedDefense coursesofactionthataddresspredicted Maintainresourcestoaccomplishaboveactions Validatetherealismofcybercoursesofaction CoordinatedDefense oranticipatedcyberattacks DynamicRepresentation Prevent:precludesuccessfulexecution Hardenresourcesbasedonadversarycapabilities CoordinatedDefense Deception ofanattackonasetofcyberresources Deflectadversaryactions Dissuade/deteradversariesbyincreasingtheadversary’scosts Diversity PrivilegeRestriction Segmentation Unpredictability Dissuade/deteradversariesbyincreasingtheadversary’srisks AnalyticMonitoring Deception Deterattacksbylimitingtheadversary’sbenefits Deception NonͲPersistence Continue:maximizethedurationand Maintainfunctioning AdaptiveResponse Diversity viabilityofessentialmission/business CoordinatedDefense functionsduringanattack Ensurethatfunctioningiscorrect SubstantiatedIntegrity Extendthesurfaceanadversarymustattacktobesuccessful PrivilegeRestriction NonͲPersistence Unpredictability Constrain:limitdamagefroman Isolateresourcestoprecludeorlimitadversaryaccess Segmentation Moveresourcestoprecludeadversaryaccess DynamicPositioning adversary’sattacks Realignment Changeorremoveresourcestolimitorprecludeadversaryaccess NonͲPersistence PrivilegeRestriction AdaptiveResponse Reconstitute:redeploycyberresources Maintaindeployable/redeployableresources Redundancy Restorefunctionality AdaptiveResponse toprovidemission/business CoordinatedDefense functionalityafterasuccessfulattack Validatefunctionality SubstantiatedIntegrity Transform:changebehaviorinresponse Identifyunnecessarydependencies Realignment Adaptsystemsandmission/businessprocessestomitigaterisks Realignment topriororpredictedadversaryattacks ReͲArchitect:modifyarchitecturesfor AddresspredictedlongͲtermchangesinadversarycapabilities, Supporting improvedresiliency intent,and/ortargeting ApplycyberresiliencypracticescostͲeffectively Supporting Incorporateemergingtechnologies Supporting

 &\EHU UHVLOLHQF\ WHFKQLTXHV FDQ EH DSSOLHG DW GLIIHUHQW GRPDLQV OD\HUV LQ D QRWLRQDO OD\HUHG DUFKLWHFWXUH  DV LQGLFDWHGLQ7DEOH(IIHFWLYHDSSOLFDWLRQRIF\EHUUHVLOLHQF\WHFKQLTXHVWRGLIIHUHQWOD\HUVOHYHUDJHVDSSURDFKHVIURP WKHEURDGHUGLVFLSOLQHVRIIDXOWWROHUDQWFRPSXWLQJQHWZRUNUHVLOLHQFHDQGV\VWHPUHVLOLHQFHXVLQJUHGXQGDQF\IRU EDFNXSIDLORYHUDQGUHFRYHU\  

Deborah J. Bodeau et al. / Procedia Computer Science 28 (2014) 838 – 847

847

7DEOH$SSOLFDWLRQ'RPDLQVIRU&\EHU5HVLOLHQF\7HFKQLTXHV ApplicationDomain/Layerwithexamples Hardware/firmware(e.g.,FPGA,MPSoC,processors,embeddedfirmware) Networking/communications(e.g.,Communicationsmedia,networkingprotocols)

RelatedResilienceApproaches FaultͲtoleranthardware Networkresilience,especiallyusingredundancy

System/networkcomponent(e.g.,Firewalls,servers,thinͲclients)

FaultͲtolerantdesign

Operatingsystem(e.g.,GeneralͲpurposeOS,RealTimeOS)

FaultͲtolerantdesign

Cloud,virtualization,and/ormiddlewareinfrastructure(e.g.,VMM,hypervisor,SOA infrastructure/sharedservices)

FaultͲtolerantdesign;middlewareforpredictable andloadͲbalancedservice

Mission/businessfunctionapplication/service(e.g.,TailoredDBMS,workflowmanagement software;specializedmissionapplications)

FaultͲtolerantdesign

Software(e.g.,Softwarerunningonsystem/networkcomponents(includingOS,cloud, virtualization,middleware,DBMSs,applications,services)) Informationstreams/feeds(e.g.,RSSfeeds,Twitter,instantmessaging/chat,videofeeds)

FaultͲtolerantdesign

Systems(e.g.,Integratedsetsoftheforegoing,withinasingleadministrativeormanagement spanofcontrol.)

Systemresilienceusingredundancyforbackup, failover,andrestore

SystemsͲofͲsystems(e.g.,setsofsystemsundermultiplespansofcontrol,whichinteroperate tosupportagivenmissionorsetofmissions.)

Systemresilienceusingredundancyforbackup, failover,andrestore;networkresilienceusing redundancyforalternatecommunicationspaths

Networkresilience,especiallyusingredundancy

 5HIHUHQFHV  'R''HIHQVH6FLHQFH%RDUG7DVN)RUFH5HSRUW5HVLOLHQW0LOLWDU\6\VWHPVDQGWKH$GYDQFHG&\EHU7KUHDW-DQXDU\>2QOLQH@ $YDLODEOHKWWSZZZDFTRVGPLOGVEUHSRUWV5HVLOLHQW0LOLWDU\6\VWHPV&\EHU7KUHDWSGI  %RGHDX'*UDXEDUW5&\EHU5HVLOLHQF\$VVHVVPHQW(QDEOLQJ$UFKLWHFWXUDO,PSURYHPHQW7KH0,75(&RUSRUDWLRQ>2QOLQH@ $YDLODEOHKWWSZZZPLWUHRUJVLWHVGHIDXOWILOHVSGIBSGI  %RGHDX'*UDXEDUW5&\EHU5HVLOLHQF\(QJLQHHULQJ)UDPHZRUN7KH0,75(&RUSRUDWLRQ>2QOLQH@$YDLODEOH KWWSZZZPLWUHRUJVLWHVGHIDXOWILOHVSGIBSGI  7KH0,75(&RUSRUDWLRQHG 6HFRQG6HFXUHDQG5HVLOLHQW&\EHU$UFKLWHFWXUHV:RUNVKRS7KH0,75(&RUSRUDWLRQ'HFHPEHU >2QOLQH@KWWSVUHJLVWHUGHYPLWUHRUJVUBUHVLOLHQF\BZRUNVKRSBUHSRUWSGI  0F4XDLG0$OLFHD&(+HLQERFNHO:%RGHDX'*UDXEDUW57KLUG6HFXUHDQG5HVLOLHQW&\EHU$UFKLWHFWXUHV:RUNVKRS7KH0,75( &RUSRUDWLRQ'HFHPEHU>2QOLQH@KWWSZZZPLWUHRUJVLWHVGHIDXOWILOHVSXEOLFDWLRQVSGI  0DGQL$0-DFNVRQ67RZDUGVD&RQFHSWXDO)UDPHZRUNIRU5HVLOLHQFH(QJLQHHULQJIEEE Systems Journal9RO1R-XQH  0DGQL$0'HVLJQLQJIRU5HVLOLHQFHVOISTI Lecture Notes on Advanced Topics in Systems Engineering  ,1&26(5HVLOLHQW6\VWHPV:RUNLQJ*URXS>2QOLQH@0D\KWWSZZZLQFRVHRUJSUDFWLFHWHFKDFWLYLWLHVZJUVZJ  5H6,675HVLOLHQFHIRU6XUYLYDELOLW\LQ,676XPPDU\>2QOLQH@KWWSZZZUHVLVWQRHRUJ'2&5H6,67B6XPPDU\SGI 5H6,675HVLOLHQFHRQWRORJ\ILQDO>2QOLQH@'HFHPEHUKWWSZZZUHVLVWQRHRUJ3XEOLFDWLRQV'HOLYHUDEOHV' 5HVLOLHQFHB2QWRORJ\B)LQDOSGI 5LFKDUGV0*5RVV$0+DVWLQJV'(5KRGHV'+(PSLULFDO9DOLGDWLRQRI'HVLJQ3ULQFLSOHVIRU6XUYLYDEOH6\VWHP$UFKLWHFWXUH,Q Proceedings of the 2nd Annual IEEE Systems Conference0RQWUHDO4XHEHF&DQDGD ,),3:*RQ'HSHQGDEOH&RPSXWLQJDQG)DXOW7ROHUDQFH>2QOLQH@)HEUXDU\KWWSZZZGHSHQGDELOLW\RUJZJ $YL]LHQLV$/DSULH-&/DQGZHKU&%DVLF&RQFHSWVDQG7D[RQRP\RI'HSHQGDEOHDQG6HFXUH&RPSXWLQJ. IEEE Transactions on Dependable and Secure Computing-DQXDU\0DUFK9RO