This is a solid piece of work. I would say though that 17 principles sound like a long list - it is difficult to remember so many items. Have there been any thoughts about how those 17 principles could be structured or grouped to ease their understanding?
Principles 1 and 2 appear to be "core" statements and not limited to cyber only, just normal engineering practices. Could they be combined? Principle 1 says basically that a systematic approach should be applied and then generally this is achieved through deployment of a management system. Principle 2 somehow seem to limit the scope of management systems to a RASCI. Can we frame principle 1 as follows? Can it be trimmed down?
"Implement an engineering management system linked to the enterprise governance framework. The management system should provide for clear accountability, authority and responsibility for secure design, operation, maintenance, and disposal of the system. It should take a whole of system whole of lifecycle approach to secure design, operation, maintenance and disposal. The whole system includes all technology, people and processes. Technology includes all hardware, firmware and software and interconnected systems; people includes human interactions, human behaviour, and skills to operate and maintain the systems; and processes includes in built controls and processes required to operate and maintain the system securely.".
I feel that principle 5 is redundant. As engineers we use a multitude of standards, practices, manuals, principles and it is impossible to do the work without appreciation of the fact that principles should be used selectively based on the context on the system.
I feel that principle 15 is redundant as well since principle 17 requires to implement regimes for patching.
Second statement (plan for components obsolescence) in principle 17 seems redundant since the first statement already calls for having an obsolescence management.
------------------------------
Ilya Shustikov
------------------------------
Original Message:
Sent: 07-02-2023 02:12 PM
From: Shireane McKinnie
Subject: Cyber Engineering Principles
The Cyber Engineering Working Group has developed a set of Principles for Cyber Engineering which are intended to cove all engineers involved in Cyber across all disciplines. The principles are set out below. Members views on the principles are welcomed.
CYBER ENGINEERING PRINCIPLES
- Take a whole of system whole of lifecycle approach to secure design, operation, maintenance and disposal. The whole system includes all technology, people and processes. Technology includes all hardware, firmware and software and interconnected systems; people includes human interactions, human behaviour, and skills to operate and maintain the systems; and processes includes in built controls and processes required to operate and maintain the system securely.
- Implement an engineering management system linked to the enterprise governance framework that provides for clear accountability, authority and responsibility for secure design, operation, maintenance, and disposal of the system.
- Undertake continuous threat and vulnerability modelling, to understand emerging security risks, to inform and build in physical and logical security measures that are readily evolvable to incorporate new technologies, changes to threats and user needs.
- Tailor engineering processes and standards to system complexity and security needs.
- Apply the engineering principles applicable to the context in which the system is to be designed, operated, maintained and disposed.
- Undertake analysis of both functional and non-functional requirements (e.g. performance, confidentiality, integrity, availability, safety, human factors) to understand priorities and trade-offs of stakeholder needs and document decision trade-offs. Safety and security are addressed as co-ordinated views when determining trade-offs. Stakeholder needs include system intended capability outcomes, economic and organisational needs, customer requirements, and regulatory requirements.
- Design and refine the system architecture to reduce the evolving threat attack surface, cognisant of strategic performance, support, and security risks.
- Ensure all system elements are integrated in a logical sequence and tested to ensure that the system operates as predicted.
- Plan and implement verification and validation processes that provide objective evidence of system performance, identify residual security risks, and determine actions required to mitigate or accept residual risks.
- Establish processes to rigorously manage all interfaces (physical, logical, and human), including interfaces to external systems or networks where the pedigree of the connected systems cannot be accurately determined or actively managed.
- Assume that there will be successful attacks on the system and design in mechanisms to aid recovery from such attacks. Changes in sophistication, diversity and vectors of attacks must be expected. Plan for and regularly exercise system recovery processes as part of the operations, support, and maintenance regimes.
- Anticipate and expect human error that might create vulnerabilities (both intentional and unintentional).
- Establish mechanisms to detect and eradicate counterfeit parts, components, firmware and software that may contain malicious or poor-quality code in the supply chain; e.g. through functional and physical configuration audits.
- Design in mechanisms to detect and report unauthorised use, unusual or unpredicted system behaviour.
- Define processes for introducing software and patches into the system to reduce the risk of unintended security impacts or impacts on system performance.
- Implement security measures through a layered multifactored approach.
- Design and implement maintenance and support regimes that ensure secure configuration control, approval of changes to system requirements, system performance monitoring, obsolescence management, system updates and regular patching. Plan for the management of system components (hardware, firmware, and software) that are likely or may become obsolete during the planned life of the system.
------------------------------
Shireane McKinnie
------------------------------