Environ Syst Decis (2015) 35:291–300

DOI 10.1007/s10669-015-9540-y

Systems engineering framework for cyber physical security

and resilience
Daniel DiMase • Zachary A. Collier •

Kenneth Heffner • Igor Linkov

Published online: 8 February 2015

Ó Springer Science+Business Media New York (outside the USA) 2015

Abstract As our infrastructure, economy, and national functionality of critical services provided by our cyber
defense increasingly rely upon cyberspace and information infrastructure.
technology, the security of the systems that support these
functions becomes more critical. Recent proclamations Keywords Information security
Product life cycle
from the White House, Department of Defense, and else- management
Risk analysis
Systems engineering

where have called for increased resilience in our cyber System-level design
capabilities. The growth of cyber threats extends well be-
yond the traditional areas of security managed by Infor-
mation Technology software. The new cyber threats are 1 Introduction
introduced through vulnerabilities in infrastructures and
industries supporting IT capital and operations. These Cyber security risks are prevalent in today’s information
vulnerabilities drive establishment of the area of cyber age, and new cyber incidents appear regularly in the news.
physical systems security. Cyber physical systems security In fact, many people may have been directly affected by
integrates security into a wide range of interdependent cyber incidents. Most notably, as much as one-third of the
computing systems and adjacent systems architectures. population of the United States was impacted due to the
However, the concept of cyber physical system security is recent cyber attack on the retail store Target (Wallace
poorly understood, and the approach to manage vul- 2014). In this situation, hackers attacked the system with
nerabilities is fragmented. As cyber physical systems se- credentials stolen from a Target vendor (Finkle 2014). The
curity is better understood, it will require a risk type of attack that impacted Target and their consumers is
management framework that includes an integrated ap- but one example of the numerous methods by which cyber
proach across physical, information, cognitive, and social attacks may be carried out. While the mega-breaches, like
domains to ensure resilience. The expanse of the threat Target, grab the national headlines, smaller breaches are
environment will require a systems engineering approach still costly, averaging $5.4 million in 2012, and the average
to ensure wider, collaborative resiliency. Approaching cy- cost of data theft in the United States in 2012 was $188 per
ber physical system security through the lens of resilience customer account (Ponemon Institute 2013). There has
will enable the application of both integrated and targeted been a significant increase in attacks on cyber physical
security measures and policies that ensure the continued systems (CPS) as evidenced through public information.
The average American company fielded a total of 16,856
attacks in 2013 (Grossman 2014). Industry data breaches
D. DiMase
K. Heffner and cyber attacks increased in 2014 by 23.9 % compared
Honeywell Aerospace, Phoenix, AZ, USA with 2013 to 761 reported breaches exposing 83,176,279
records (Identity Theft Resource Center 2015). McAfee
Z. A. Collier
I. Linkov (&)
(2014) estimates that the annual cost to the global economy
US Army Engineer Research and Development Center,
Vicksburg, MS, USA from cybercrime is more than $400 billion and could be as
e-mail: [Link]@[Link] much as $575 billion. In the United States alone, the report

123
292 Environ Syst Decis (2015) 35:291–300

indicates a 0.64 % impact on 2013 GDP, equating to Authorization Act (NDAA) similarly calls for a ‘‘risk-
$108B. The study of how employment varies with export based approach’’ to secure the electronics hardware supply
growth suggests that the losses from cybercrime could cost chain from counterfeit parts (NDAA 2011). Counterfeit
as many as 200,000 American jobs, roughly a third of 1 % parts also pose a significant security risk (Collier et al.
decrease in employment for the US (McAfee 2014). For the 2014a; Sood et al. 2011; Pecht and Tiku 2006).
Target breach, analysts are forecasting $1 billion in losses. The common thread among these calls for enhanced se-
Since the breach was discovered, the company has incurred curity is that they are driven by risk. The traditional ap-
$88 million in breach-related expenses, its filings say proach to risk assessment is with risk being defined by a
(Perlroth and Harris 2014). triplet of what can go wrong, how likely is it to happen, and
The recent Sony attack in 2014 created tension among what are the consequences of it happening (Kaplan and
nation states that resulted in the United States invoking Garrick 1981). While this framework has historically been
economic sanctions against North Korea. The scale of the useful for many applications in the past, it becomes difficult
attack is egregious due to the amount of personal identifi- to apply for cyber risks (Collier et al. 2014b; Linkov et al.
able information stolen per victim associated in the hack. 2014a). Traditional risk assessment approaches tend to
Information included payroll, bank account numbers, so- break down when it is difficult to clearly identify the threats,
cial security numbers, confidential emails and communi- assess vulnerabilities, and quantify consequences (Cox Jr.
cations, and medical history for over 47,000 individuals 2008; Frick 2012). Cyber threats cannot be clearly identified
(Identity Theft Resource Center 2015). The consequences and quantified through historical measures due to the rapidly
of information leakage from this attack are ongoing. Cyber changing threat environment. Moreover, cyber security risk
warfare from North Korea highlights how a technologically management is extremely difficult to implement, since cyber
subdued nation state can strategically use hacking against a systems exist within and between multiple physical, infor-
technology rich nation through identified vulnerabilities. mation, cognitive, and social domains (Linkov et al. 2013a,
These cyber attacks are costly to consumers as well as to b) and are interdependent on a number of areas of concern in
the nation. More importantly, our nation’s critical infras- these domains. Assessing cyber vulnerabilities can be
tructure is dependent upon information technology and daunting and depends on where one draws the boundaries.
communication systems, as well as the supply chains that Cyber system vulnerabilities include software, hardware,
support them (Lambert et al. 2013). Consider the impor- firmware, adjacent systems in the network, energy supplies
tance of the power grid in providing electricity for our that power it, supply chains that provide materials to produce
nation. Almost all critical infrastructures supporting mod- it, and users who interface with it. Consequences impact
ern life is dependent on the power grid, yet it is dis- both the users and societies. Economic sectors dependent
turbingly vulnerable. A study published by West Point’s upon the sustainment of these systems can be quite broad
Network Science Center discusses how hackers can cause and tightly interconnected—increasing the likelihood of
blackouts by targeting a handful of small substations that cascading impacts (Kelic et al. 2013; Rinaldi et al. 2001).
are often overlooked and poorly defended. This can result These deep uncertainties necessitate a holistic, systems
in a cascading failure affecting millions of customers engineering approach to cyber physical systems security
(Shakarian et al. 2014). Ezell et al. (2001) used event trees (CPSS) (Karvetski and Lambert 2012).
and fault trees to quantify the risks of water utilities, an- Cyber vulnerability grows with industrial advancements
other vulnerable critical infrastructure asset. in systems network integration, high performance com-
Not only are cyber attacks costly but also attackers are puting, and software. The threat is further exacerbated by
notoriously adaptive, learning the defenses and concept of the rapid evolution of advancements in microelectronics
operations of the host system, and more importantly, the manufacturing technology used for the computer, com-
adjacent systems that enabled vulnerabilities of the host munications, and IT industries that do not incorporate cy-
system and Information Technology (IT) security. The ber security measures. The host system is no longer
dispersed attack vectors and the patient nature used for an vertically integrated by one organization and is reliant on
effective approach to cyber crime and espionage render the global supply chain. Organizations often experience
traditional IT security insufficient and ineffective. complications when trying to control or maintain CPSS as
These security concerns have prompted attention from they outsource procurements, manufacturing, services, and
the government, leading to calls for enhanced cyber secu- intellectual property and lose the associated visibility and
rity such as Executive Order 13636—‘‘Improving Critical control. Advancements in technology at today’s fast pace
Infrastructure Cybersecurity’’ (EO 13636 2013). This Ex- have become weapons in the cyber attacker’s arsenal due to
ecutive Order mandates the development of risk-based the unintended vulnerabilities introduced with the inte-
standards for identifying and protecting critical infrastruc- gration of complex hardware, software, and firmware. It is
ture assets from cyber risks. The 2012 National Defense therefore increasingly difficult to align an organization’s

123
Environ Syst Decis (2015) 35:291–300 293

internal risk assessment, risk management, and risk com-

munication processes to meet the evolving threat landscape
without a coordinated approach to business processes
modeling, priority setting, and decision making (Teng et al.
2012, 2013).
Before risks can successfully be assessed and managed,
it is necessary to clearly understand the cyber landscape. In
particular, we propose to define the concept of CPSS
through a systems engineering perspective and provide a
framework for understanding the related interconnections
and relationships between the many necessary areas of
concern, especially for critical infrastructure sectors. A
construct is needed to address the risks and build resiliency
into the electronic systems that drive our economy and
support our way of life. To close the gap between CPS
security baseline assessment and the CPS systems engi-
neering design process, a proposed CPS security systems
engineering perspective (SEP) is offered for consideration.
In its final implementation, the proposed SEP approach
should yield a CPSS that meets the operational systems
requirements of the User and systems provider that in-
cludes cyber security. These requirements include secure
data flow, compliance to regulatory policies, and resiliency
from cyber attacks.

2 Cyber physical systems security framework

2.1 Definitions and areas of concern

CPS used within critical infrastructure need a cyber secu-

rity framework with common terms to assess risk and en-
sure resiliency (Ames et al. 2011). Systems engineering
provides a process for designing the CPSS framework. The
CPSS systems engineering framework uses a hierarchical
approach from traditional systems engineering for captur-
ing and designing in accordance with User requirements. Fig. 1 Notional network CPS
The framework will also use a design scorecard approach
to measure the CPSS residual risk (Patil et al. 2013).
CPS are defined as electronics systems that operate as a electronics security barrier to a smaller collection of de-
single, self-contained device, or within an interconnected fined critical assets, or expanding coverage to external
network providing shared operations. An added distinction routers identified as critical assets. A CPS can be expected
of this CPS definition is a requirement affecting a tangible to communicate and conduct transactions with other elec-
output through command and control electronics embedded tronics systems that include cloud resources, wireless sys-
in the device or distributed across network nodes (NERC tems, and other CPS. Each external CPS will need its own
2009). Figure 1 illustrates a notional CPS network. Some CPSS that is capable of preserving the integrity of the
industries provide guidance that parses the electronic original internal CPS electronics perimeter. A system
perimeter of a CPS to cover the internal functional portion assessment should address the entire notional CPS
of the system (represented by the dashed line in Fig. 1) and network.
allows other established standards to address external These systems are complex, with 10 areas of concern
communications (NERC 2009). Industry guidance (e.g., that need to be addressed to ensure robust, resilient systems
NERC 2009) has flexibility for compressing the CPS security (Fig. 2).

123
294 Environ Syst Decis (2015) 35:291–300

Informaon Electronic &

Sharing Physical Security Informaon
& Reporng Assurance &
Data Security

Soware
Prognoscs, Assurance &
Forensics & Applicaon
Recovery Plans Security
Cyber-Physical
Track & Trace
Security Asset
Management &
Access Control

An-Malicious & An-Counterfeit

An-Tamper & SCRM
Life Cycle
& DMSMS

Cross Cung Capabilies

Risk Assessment Risk-Informed Training Educaon and
and Management Decision Making Outreach

Fig. 2 Cyber physical systems security framework

1. Electronic and physical security: Addresses the insider authentication, confidentiality, and nonrepudiation. It en-
threat that includes physical, technical, and administrative sures protection of data from unauthorized (accidental or
controls including system privileges (Olzak 2013). It in- intentional) modification, destruction, or disclosure (Com-
corporates measures designed to deny unauthorized access mittee on National Security Systems 2010). Information
to facilities, equipment and resources, and to protect per- assurance is the trust that information presented by the
sonnel and property from damage or harm (e.g., espionage, system is accurate and is properly represented; its measure
theft, or terrorist attacks) (US Department of Army 2001). of the level of acceptable risk depends on the critical nature
It includes protection resulting from measures designed to of the system’s mission (Longstaff and Haimes 2002).
deny unauthorized individuals information derived from Provides processes and systems that assure confidentiality,
the interception and analysis of noncommunications elec- integrity and authentication of information, and that man-
tromagnetic radiations (Committee on National Security age risks related to the use, processing, storage, and
Systems 2010). transmission of information. Protections apply to data in
transit, both physical (spectrum) and electronic domains, as
2. Information assurance (IA) and data security: Mea-
well as data at rest in various types of physical (document
sures that protect and defend information and information
control) and electronic storage facilities.
systems by ensuring their availability, integrity,

123
Environ Syst Decis (2015) 35:291–300 295

3. Asset management and access control: Manages cri- thereby characterizing the CPS operational cyber security
tical assets in the system that exhibit potential to introduce baseline. The baseline provides the basis for tools used in
vulnerability through a functional role in the CPS operating forensics (internal to the CPS), prognostics, and recovery
environment where interaction with the CPS is required. It plans (including resiliency). An adjacency provision for
provides systems for an inventory of critical assets main- external forensics serves the cooperative effort with other
tained by monitored access using verification credentials. industrial CPS organizations and government agencies re-
This includes management of information relevant to the sponsible for pursuing root cause of an attack vector ex-
operation of the asset (e.g., software revision, firmware ternal to the CPS operating environment.
revision) and the process of granting or denying specific
8. Track and trace: Provides the internal and network-
requests: (1) for obtaining and using information and re-
based process and tools for determining the current and
lated information processing services; and (2) to enter
past locations and logistics security controls that prevent
specific physical facilities (Committee on National Secu-
the introduction of malicious content to CPS software and
rity Systems 2010).
hardware.
4. Life cycle and diminishing manufacturing sources and
9. Anti-malicious and anti-tamper: A systems engineer-
material shortages (DMSMS): Provides sustainment
ing process that includes CPS vulnerability to tampered
processes for assets in a CPS threatened by loss or im-
hardware or malware introduction achieved through re-
pending loss of manufacturers of items or suppliers of
verse engineering. It provides tools and processes for the
items, services, or raw materials necessary to sustain
integration and assessment of protective technology fea-
availability of the asset. This includes updating the asset to
tures in the CPS electronics systems that mitigate the im-
address the latest vulnerabilities and ensuring hardware and
pact and consequences of reverse engineering attacks that
software configuration and functionality (e.g., patches in
could include an attacker’s assessment of vulnerabilities on
software and updating firmware or hardware to repair or
an otherwise, unprotected CPS.
replace broken assets).
10. Information sharing and reporting: Provides tools
5. Anti-counterfeit and supply chain risk management
and shared database resources for reporting and rapid ex-
(SCRM): Maintains systems and processes associated
change of cyber attack events and the mitigation measures
with CPS protection from counterfeit parts and supply
to minimize the breadth of impact of the attack in the CPS
chain vulnerabilities. It mitigates the risk that material is
network. Addresses the communications plan and infor-
not authentic and that suppliers do not produce or use
mation sharing necessary to report a cyber incident and
products that introduce vulnerabilities to the host CPS.
prevent an issue from reoccurring.
Counterfeit parts include components which have been
intentionally or maliciously modified from its intended Since each of these areas of concern are so broad and
design to enable a disruption in performance or an unau- have their own governing bodies, policy, and guidance, we
thorized function, which can be introduced anywhere in the have included them in our SEP to provide a cohesive
supply chain. Supply chain risk management ensures construct to address the problem. In addition, there are a
pedigree to the original manufacturer and adequate controls number of crosscutting capabilities necessary in our con-
against counterfeiting. It is unique to anti-Tamper, anti- struct to fully address CPS security, such as risk assessment
Malicious, and the Track and Trace CPS constructs. and management, risk-informed decision making, training,
and education and outreach.
6. Software assurance and application security: Level of
confidence that software is free from vulnerabilities, either
2.2 Operational, functional, and architectural
intentionally designed into the software or accidentally
requirements
inserted at anytime during its lifecycle and that the soft-
ware functions in the intended manner (Committee on
Identification of critical assets and areas of concern only
National Security Systems 2010). It also provides controls
partially completes the requisite list of CPS attack targets.
that limit the source code access to authorized individuals.
The approach to CPS security analysis also requires in-
It controls flow down to applications and the underlying
vestigation of the flow of sensitive data and critical com-
system where vulnerabilities are enabled through flaws in
mand/control functions within an organization specific to
design, development, deployment, upgrade, or maintenance
affecting the expected CPS tangible output (Teng et al.
of the application.
2012, 2013). Using the CPS critical assets and com-
7. Forensics, prognostics, and recovery plans: Provides mand/control functions, an assessment baseline should be
processes and tools for gathering of CPS operations data made that concurrently achieves system security in accor-
for use in the examination and analysis of cyber incidents, dance with vulnerability analysis and systems engineering

123
296 Environ Syst Decis (2015) 35:291–300

requirements. There is no formal process for conducting

the assessment baseline, rendering a key gap in establishing
resilient CPSS for the current and future cyber threat
environment.
To address the gap, the CPSS SEP uses operational,
functional, and architectural systems engineering design
requirements tiers. The operational requirements define
what the customer wants from the CPS in a User-defined
operational environment that includes CPSS sustainability
(can the company support it?), policies, guidance, and
regulatory requirements. The exit artifacts include the
high-level requirements for the CPS and CPSS (Fig. 3).
The functional level provides the systems engineering re-
quirements that will enable what the customer wants in the
operational environment, including vulnerability analysis Fig. 4 Flowchart for CPS-CPSS functional requirements
and how the system will perform (Fig. 4). The architectural
requirements provide the assembly and components phy-
sical layout and model for enabling the functional level
system performance (Fig. 5).
The SEP of CPS security also includes analysis of the
system operating environment defined by the operational,
functional, and architectural systems engineering elements
needed by the system to generate the tangible output for the
user(s). The CPS operating environment influences the
functional requirements provided in the CPS security
framework shown in Fig. 2. CPS security depends on
compliance to the guidance governing each of the CPS
areas of concerns for CPS component(s) and interfaces
connecting the CPS notional network.
At each level, the CPSS systems engineering approach
yields important artifacts for overcoming the challenge of Fig. 5 Flowchart for CPS-CPSS architectural requirements
managing the threat environment for a large CPS with a
wide area of coverage. The prospective CPS systems
engineering approach leads to the security measures inspectability, and sustainment management throughout the
needed to defend CPS critical assets and command and lifecycle of the CPS.
control functions. The process does this by delivering Understanding the tangible output of the host CPS and
documentation, modeling, and a path to CPSS traceability, the concept of operations to produce and sustain that output
is critical to designing the optimum CPS security solution.
The concept of operations produced under the operating
environment describes numerous external factors relevant
to where and how the CPS must perform while maintaining
the output of the system. Using large power grids as an
example, there are physical environmental concerns,
equipment wear, load capacity, and human factors that all
contribute to forming the grid. From the aspect of the CPS
provider, this is the environment the CPS is operating
which needs to generate the CPS output for purchase and
use by the User. To sustain the CPS output, the CPS pro-
vider should develop a risk assessment for sustaining the
CPS output as part of the final design. A resilient CPS
security design must incorporate the CPS operational re-
quirements to ensure that the system can survive in the
Fig. 3 Flowchart for CPS-CPSS operational requirements operational environment while minimizing security risk.

123
Environ Syst Decis (2015) 35:291–300 297

Another contribution to the CPS security risk analysis is low general performance (red) of CPSS at the operational
determining the range of emergent attack vectors and level could suggest that the User’s company infrastructure
vulnerabilities possible in the CPS operating environment is underperforming or may be incapable of executing the
(Lambert et al. 2006). It is here that gaps in CPS security CPSS implementation plan. The summary assessment also
exist as there is little availability of compliance guidance shows marginal weakness in protecting critical assets A
for an integrated CPS network. The problem is com- and C. Here, an improvement by the CPSS User in internal
pounded by the uniqueness of each CPS network system performance of CPSS operations could lead to a better
design and the interdependencies with the systems attached CPSS score. Figure 6 also shows a very weak CPSS per-
to the network being evaluated. To address the gaps in formance in the components protecting Critical Asset A.
compliance guidance, a baseline vulnerability assessment The summary scorecard should be performed under the
should be completed. In the assessment, attack vectors operational requirements tier of a CPSS design effort. It
could be overlaid into the CPSS framework to identify gaps should be updated at milestones tied to the functional and
in the operating environment that enable security vul- architectural requirement tiers and at implementation. As
nerabilities. The systems engineering process that includes the CPS continues to perform year over year, the assess-
the assessment will assist in prioritizing resources to close ment should be conducted on a predetermined schedule.
the gaps. The tool also allows for immediate assessment of the im-
pact of a new CPS attack vector that emerge at any point in
2.3 Scorecard tool the CPS life cycle thereby building CPSS resiliency into
the CPS design.
Having the appropriate metrics, or key performance indi- The data used in the CPS summary assessment score-
cators, is necessary for the successful management of any card derive from scorecards representing more detailed
enterprise (Seager et al. 2007; Williamson 2006), in this evaluation of the CPSS design and include each systems
case with a goal to gauge the vulnerability of the CPS engineering tier (Fig. 7). The CPS operational tier tool
design. A modified six sigma decision tool can be applied assesses the CPSS Areas of Concern in the User’s operat-
to generate a CPSS design scorecard. The CPSS scorecard ing environment. Process features, such as control of a
evaluates areas of concern throughout the CPS systems manufacturing line or test station would be assessed for
engineering process. Further, the tool provides the CPS vulnerability to remote insertion of malware. The func-
User with a highly flexible means to develop and assess the tional tier assessment tool would examine hardware
effectiveness of the CPSS in mitigating the risk of attack assemblies used or produced in the CPS network. Finally,
vectors on the host CPS critical assets and command/con- the architectural tier assessment would evaluate microchips
trol functions. throughout the CPS supply chain life cycle.
A notional representation of the final CPSS scorecard The weighting factors feature scores and minimum ex-
for the CPSS baseline assessment is shown in Fig. 6. The pectations used in the CPSS baseline assessment tool. The
tool produces visual data and metrics that allow the analyst tool will need common criteria guidelines achieved through
to quickly identify weakness in the CPSS. In Fig. 6, the industry and government collaboration. The CPSS

Fig. 6 Notional CPSS

summary scorecard

123
298 Environ Syst Decis (2015) 35:291–300

Functional Requirements - Assembly

Threats Assembly Features
Weighting Discreet Mother Interphase Software &
PWB Interconnect … Other
CPS Area of Concern Factors Devices Board Devices Firmware
Information Sharing and Reporting
Electronic and Physical Security
Information Assuirance and Data Security
Software Assurance and Data Security
Asset Management and Access Control
Anti-Counterfeit and SCRM
Life Cycle and DMSMS
Anti-Malicious and Anti-Tamper
Track and Trace
Prognostics Forensics and Recovery Plans

Totals
Weighted Totals

Operational Requirements - Internal Processes

Threats Process Features
Weighting Incoming Process Inspection Functional Environmental Actual CPSS Minimum
Storage
CPS Area of Concern Factors Inspection Controls Points Test Test Score Required Score
Information Sharing and Reporting
Electronic and Physical Security
Information Assuirance and Data Security
Software Assurance and Data Security
Asset Management and Access Control
Anti-Counterfeit and SCRM
Life Cycle and DMSMS
Anti-Malicious and Anti-Tamper
Track and Trace
Prognostics Forensics and Recovery Plans

Totals
Weighted Totals

Architectural Requirements
Threats Architectural Features
Weighting
Storage OEM Distributor … … … … Other
CPS Area of Concern Factors
Information Sharing and Reporting
Electronic and Physical Security
Information Assuirance and Data Security
Software Assurance and Data Security
Asset Management and Access Control
Anti-Counterfeit and SCRM
Life Cycle and DMSMS
Anti-Malicious and Anti-Tamper
Track and Trace
Prognostics Forensics and Recovery Plans

Totals
Weighted Totals

Fig. 7 Notional CPSS tier scorecards

assessment tool is but one of the notional concepts sup- our resources to build the future state needed in resilient
porting the introduction of this system engineering per- systems. This could be applied to a piece part all the way
spective to CPSS. up to a system level.
While the CPSS SEP theoretically addresses threats
associated with CPS, the construct needs further develop-
3 The path to resilience ment to be effective. Each of the areas of concern in our
construct is currently managed in its own silo, with stan-
As we assess the current state of preparedness for CPSS, dards, governing bodies, policies, and guidance documents
the lexicon of terms and SEP enables stakeholders to geared specifically to a single area of concern. In addition,
holistically assess the health status for all areas of concern. many of the specific standards, policies, and guidance we
As we overlay the attack vectors, defense mechanisms and have identified to address each area of concern are sector
technologies that counter attacks, we can create a roadmap specific (e.g., energy, retail, banking, defense). A holistic
that can assess the current state of the art and identify the approach that interweaves measures to address each area of
gaps that introduce vulnerabilities. This will help prioritize concern identified in the CPSS SEP framework is needed.

123
Environ Syst Decis (2015) 35:291–300 299

The approach should include measures to ensure resilience 4 Conclusions

is built into the framework.
However, to ensure resilience, it is necessary to first CPS security is a new and growing field. The field has to
accurately define and measure it. The National Academy of take into consideration the persistent, dynamic threat that
Sciences (NAS) defines resilience as ‘‘The ability to pre- impacts critical applications and the critical infrastructure.
pare and plan for, absorb, recover from, or more success- Cyber adversaries are evolving. As we develop better ways
fully adapt to actual or potential adverse events’’ (NAS to detect and evade problems, the adversaries develop
2012). In addition, insights from research in the field of better ways to evade detection and penetrate systems. As
Command and Control reveal that CPS can be thought of as we develop solutions to address the risk of cyber physical
spanning four domains: physical, information, cognitive, system security, we will need to incorporate the systems-
and social (Alberts 2002, 2011). Implicit in the concept of based view that interweaves the various areas of concern in
resilience, as opposed to the related concept of risk, is that a construct that is robust and resilient. When we think
resilience considers both known and unknown threats, fo- about the problem, we will need to identify where we have
cuses on a critical system function, and is explicitly time weaknesses and gaps in policy, services, and technologies
dependent (Park et al. 2012; Linkov et al. 2014b). in all the areas of concern as we formulate solutions for a
Based on these principles, Linkov et al. (2013a, b) de- more robust, resilient system that protects our critical in-
veloped an approach to generate resilience metrics for sys- frastructure. Taking a systems engineering based view of
tems. This approach couples the four actions described by CPS security is the first step toward this goal.
NAS (plan/prepare, absorb, recover, adapt) with the four Cyber physical system security is a multi-scale issue,
domains to create a 4 9 4 matrix. Each cell in the so-called starting at the piece part level to the assemblies and sub-
Resilience Matrix can be populated with metrics that de- systems that are included in the notional CPS network.
scribe the system’s overall ability to show resilience within There is a separate effort addressing electronic piece part
each domain and can be integrated using decision analytic vulnerabilities occurring within Society of Automotive
techniques (Collier and Linkov 2014). Metrics have been Engineers G-19A Test Laboratory Standards. These iden-
generated using this approach for cybersecurity (Linkov tified part vulnerabilities should be addressed in the ar-
et al. 2013b) and energy systems (Roege et al. 2014). chitectural tier evaluation.
Moreover, current CPSS lacks empirical data regarding In summary, the framework described in this paper
risk, and in cases where it exists, is often difficult to ac- could be used to assess the well-being of CPS security with
quire, given its sensitive and/or proprietary nature. Chal- the help of our SEP. As we develop the lexicon of terms
lenges include difficulty in quantification of the threat, specific to CPS security and standardize the practice, the
vulnerability, and consequence. There is high uncertainty SEP will enable stakeholders to holistically assess the
and variability associated with dynamic, emerging threats health status for all areas of concern. In addition, the ap-
from persistent cyber criminals and state actors. There is proach could assist in prioritizing our resources to build
also a disconnection between traditional risk assessments more resilient systems.
and risk management. Thus, in the absence of empirical
data, where a traditional probabilistic risk assessment could Acknowledgments Permission was granted by the USACE Chief of
Engineers to publish this material. The views and opinions expressed
be performed, a semi-quantitative method is a way to fill in in this paper are those of the individual authors and not those of the
data gaps with subject matter expertise. The semi-quanti- US Army, or other sponsor organizations.
tative framework could be used to assess the health and
well-being of a system’s CPS with the help of our SEP. As
we assess the current state of preparedness for CPSS, the References
lexicon of the terms specific to the state of the art from the
SEP and the construct enables stakeholders to holistically Alberts DS (2002) Information age transformation: getting to a 21st
assess the health status for all areas of concern. century military. DOD Command and Control Research Pro-
Standardization is needed to codify the CPSS framework gram, Washington
Alberts DS (2011) The agility advantage: a survival guide for
and to provide requirements and guidance for implemen- complex enterprises and endeavors. DOD Command and Control
tation. A standard can be created to incorporate industry Research Program, Washington
best practice and guidelines from the many different poli- Ames AL, Glass RJ, Brown TJ, Linebarger JM, Beyeler WE, Finley
cies and standards addressing the areas of concern in silos PD, Moore TW (2011) Complex adaptive system of systems
(CASoS) engineering framework. SAND 2011–8793. Sandia
and from industry specific sectors. The standard should be National Laboratory, Albuquerque
written with the perspective of applying to any sector Collier ZA, Linkov I (2014) Decision making for resilience within the
needing CPSS. context of network centric operations. Presented at 19th

123
300 Environ Syst Decis (2015) 35:291–300

International Command and Control Research and Technology Longstaff T, Haimes Y (2002) A holistic roadmap for survivable
Symposium, Alexandria, VA, USA, 16–19 June, 2014 infrastructure systems. IEEE Trans Syst Man Cybern A Syst
Collier ZA, Walters S, DiMase D, Keisler JM, Linkov I (2014a) A Hum 32(2):260–268
semi-quantitative risk assessment standard for counterfeit elec- McAfee (2014) Net losses: estimating the global cost of cybercrime.
tronics detection. SAE Int J Aerosp 7(1):171–181 [Link]
Collier ZA, DiMase D, Walters S, Tehranipoor M, Lambert JH, [Link]
Linkov I (2014b) Cybersecurity standards: managing risk and National Academy of Sciences (2012) Disaster resilience: a national
creating resilience. Computer 47(9):70–76 imperative. National Academic Press, Washington
Committee on National Security Systems (2010) National Information National Defense Authorization Act for Fiscal Year (2011) 2012
Assurance (IA) Glossary. Instruction Number 4009, Committee on Public Law No. 112-81, 125 Stat. 1298, 2011
National Security Systems: Fort George G. Meade, MD NERC (2009) Cyber security—electronic security perimeter(s).
Cox LA Jr (2008) Some limitations of ‘‘risk=threat x vulnerability x NERC Standard CIP–005–3
consequence’’ for risk analysis of terrorist attacks. Risk Anal Olzak T (2013) Insider threats: implementing the right controls.
28:1749–1761 TechRepublic, Originally published 21 Feb 2013. [Link]
Executive Order No 13636 (2013) 78 Federal Register 11739-11744, [Link]/blog/it-security/insider-threats-implementing-
19 Feb 2013 the-right-controls/
Ezell BC, Haimes YY, Lambert JH (2001) Risks of cyber attack to Park J, Seager TP, Rao PSC, Convertino M, Linkov I (2012)
water utility supervisory control and data acquisition systems. Integrating risk and resilience approaches to catastrophe man-
Mil Oper Res 6(2):23–33 agement in engineering systems. Risk Anal 33(3):356–367
Finkle J (2014) Target says criminals attacked with credentials stolen Patil VS, Andhale SR, Paul ID (2013) A review of DFSS:
from vendor. Reuters, Originally published 29 Jan 2014. http:// methodology, implementation and future research. Int J Innov
[Link]/article/2014/01/29/us-target-cyberattack- Eng Technol 2(1):369–375
idUSBREA0S25Z20140129 Pecht M, Tiku S (2006) Bogus: electronic manufacturing and
Frick DE (2012) The fallacy of quantifying risk. Def AT&L 228:18–21 consumers confront a rising tide of counterfeit electronics. IEEE
Grossman L (2014) World war zero: how hackers fight to steal your Spectr 43(5):37–46
secrets. Time magazine, Originally published 10 June 2014. Perlroth N, Harris EA (2014) Cyberattack insurance a challenge for
[Link] business. New York Times, Originally published 8 June 2014.
steal-your-secrets/ [Link]
Identity Theft Resource Center (2015) Identity theft resource center [Link]
breach report hits record high in 2014. [Link] Rinaldi S, Peerenboom J, Kelly T (2001) Identifying, understanding,
org/ITRC-Surveys-Studies/[Link] and analyzing critical infrastructure interdependencies. IEEE
Ponemon Institute (2013) 2013 Cost of data breach study: global Control Syst Mag 21(6):11–25
anaylsis. Ponemon Institute, Traverse City Roege PE, Collier ZA, Mancillas J, McDonagh JA, Linkov I (2014)
Kaplan S, Garrick BJ (1981) On the quantitative definition of risk. Metrics for energy resilience. Energy Policy 72(1):249–256
Risk Anal 1(1):11–27 Seager TP, Satterstrom FK, Linkov I, Tuler SP, Kay R (2007)
Karvetski CW, Lambert JH (2012) Evaluating deep uncertainties in Typological review of environmental performance metrics (with
strategic priority-setting with an application to facility energy illustrative examples for oil spill response). Integr Environ
investments. Syst Eng 15(4):483–493 Assess Manag 3(3):310–321
Kelic A, Collier ZA, Brown C, Beyeler WE, Outkin AV, Vargas VN, Shakarian P, Lei H, Lindelauf R (2014) Power grid defense against
Ehlen MA, Judson C, Zaidi A, Leung B, Linkov I (2013) Decision malicious cascading failure. Presented at 13th International
framework for evaluating the macroeconomic risks and policy Conference of Autonomous Agnets and Multiagent Systems,
impacts of cyber attacks. Environ Syst Decis 33(4):544–560 Paris, France, 5–9 May 2014, arXiv:1401.1086
Lambert JH, Jennings RA, Joshi NN (2006) Integration of risk Sood B, Das D, Pecht M (2011) Screening for counterfeit electronic
identification to business process models. Syst Eng 9(3):187–198 parts. J Matar Sci 22(10):1511–1522
Lambert JH, Keisler JM, Wheeler WE, Collier ZA, Linkov I (2013) Teng K, Thekdi SA, Lambert JH (2012) Identification and evaluation
Multiscale approach to the security of hardware supply chains of priorities in the business process of a risk or safety
for energy systems. Environ Syst Decis 33(3):326–334 organization. Reliab Eng Syst Saf 99:74–86
Linkov I, Eisenberg DA, Bates ME, Chang D, Convertino M, Allen Teng K, Thekdi SA, Lambert JH (2013) Risk and safety program
JH, Flynn SE, Seager TP (2013a) Measurable resilience for performance evaluation and business process modeling. IEEE
actionable policy. Environ Sci Technol 47(18):10108–10110 Trans Syst Man Cybern A 42(6):1504–1513
Linkov I, Eisenberg DA, Plourde K, Seager TP, Allen J, Kott A United States Department of Army (2001) Field manual 3-19.30:
(2013b) Resilience metrics for cyber systems. Environ Syst physical security. United States Department of Army, Washington
Decis 33(4):471–476 Wallace G (2014) Target and Neiman Markus hacks: the latest. CNN
Linkov I, Anklam E, Collier ZA, DiMase D, Renn O (2014a) Risk- money. Originally published 13 Jan 2014. [Link]
based standards: integrating top-down and bottom-up approach- 2014/01/13/news/target-neiman-marcus-hack/
es. Environ Syst Decis 34(1):134–137 Williamson RM (2006) What gets measured gets done: are you
Linkov I, Bridges T, Creutzig F, Decker J, Fox-Lent C, Kröger W, measuring what really matters? Strategic Work Systems Inc.,
Lambert JH, Levermann A, Montreuil B, Nathwani J, Nyer R, Columbus
Renn O, Scharte B, Scheffler A, Schreurs M, Thiel-Clemen T
(2014b) Changing the resilience paradigm. Nature Clim Change
4:407–409

123