SATURN 2020 has ended
Back To Schedule
Tuesday, May 12 • 11:15am - 12:00pm
Cyber-Risk Analysis in System-of-Systems (SoS) Environments

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Feedback form is now closed.
Software is a growing component of modern business- and mission-critical systems. As organizations become more dependent on software, security-related risks to their missions are also increasing. Traditional cybersecurity approaches rely on addressing security risks during the operation and maintenance of software systems. However, the costs required to control security risks increase significantly when organizations wait until systems are deployed to address those risks. It is more cost effective to address software security risks as early in the lifecycle as possible.

Software programs should start managing cybersecurity risk early in the system's software lifecycle (e.g., during the requirements, architecture, and design phases). A complicating factor is that most software-intensive systems are networked and must operate within system-of-systems (SoS) environments. While networking offers many operational efficiencies to a system’s stakeholders, it also expands a system’s cyber-risk profile. Cyber attacks with the potential for mission impact can target any system within an SoS environment, creating complex attack vectors that must be considered during cyber-risk analysis. Software-intensive systems must be designed and architected with the knowledge that they must function as intended in an increasingly contested, challenging, and interconnected cyber environment.

For several years, researchers from the CERT Division of Carnegie Mellon University’s Software Engineering Institute (SEI) have been investigating how to enable mission success in SoS environments. The product of this research is the Security Engineering Risk Analysis (SERA) Method, a scenario-based approach for analyzing complex cybersecurity risks early in the system's lifecycle to support development of mission-critical software systems. The SERA Method incorporates a variety of models that can be analyzed at any point in the lifecycle to (1) identify security threats and vulnerabilities and (2) construct security risk scenarios. An organization can then use those scenarios to focus its limited resources on controlling the most significant security risks.

This presentation will describe the SERA Method and provide real-world examples of applying the method to analyze architectural and design weaknesses in complex weapon systems that operate in SoS environments. Attendees will learn how learn the basics of applying the SERA method to identify potential architectural weaknesses that attackers might be able to exploit.

avatar for Christopher Alberts

Christopher Alberts

Software Engineering Institute
Christopher Alberts is a Principal Engineer / Senior Cybersecurity Analyst in the CERT® Division at the Software Engineering Institute, where he leads applied research projects in software assurance and cybersecurity. He is currently leading two projects: (1) Security Engineering... Read More →

Tuesday May 12, 2020 11:15am - 12:00pm EDT
Salon 11/12 Rosen Plaza Hotel

Attendees (2)