Systems engineering framework for cyber physical security and resilience

Environment Systems and Decisions

Abstract

As our infrastructure, economy, and national defense increasingly rely upon cyberspace and information technology, the security of the systems that support these functions becomes more critical. Recent proclamations from the White House, Department of Defense, and elsewhere have called for increased resilience in our cyber capabilities. The growth of cyber threats extends well beyond the traditional areas of security managed by Information Technology software. The new cyber threats are introduced through vulnerabilities in infrastructures and industries supporting IT capital and operations. These vulnerabilities drive establishment of the area of cyber physical systems security. Cyber physical systems security integrates security into a wide range of interdependent computing systems and adjacent systems architectures. However, the concept of cyber physical system security is poorly understood, and the approach to manage vulnerabilities is fragmented. As cyber physical systems security is better understood, it will require a risk management framework that includes an integrated approach across physical, information, cognitive, and social domains to ensure resilience. The expanse of the threat environment will require a systems engineering approach to ensure wider, collaborative resiliency. Approaching cyber physical system security through the lens of resilience will enable the application of both integrated and targeted security measures and policies that ensure the continued functionality of critical services provided by our cyber infrastructure.

Acknowledgments

Permission was granted by the USACE Chief of Engineers to publish this material. The views and opinions expressed in this paper are those of the individual authors and not those of the US Army, or other sponsor organizations.

Author information

Corresponding author

Correspondence to Igor Linkov.

About this article

Cite this article

DiMase, D., Collier, Z.A., Heffner, K. et al. Systems engineering framework for cyber physical security and resilience. Environ Syst Decis 35, 291–300 (2015). https://doi.org/10.1007/s10669-015-9540-y

  • DOI: https://doi.org/10.1007/s10669-015-9540-y
