The Unified Risk Assessment and Measurement System (URAMS)

William Bryant (MTSI)

Keywords
Cybersecurity; Resilience; Risk Management
Abstract

In the transportation, automotive, aerospace, and defense domains, non-traditional IT cyber-physical systems such as aircraft and vehicles are increasingly under threat from a wide range of threat actors. One of the most pressing problems with cyber-physical systems’ security is the lack of an agreed-upon methodology for measuring and presenting mission or business risk for a given system within its expected operating environment. This problem is especially difficult since there is so little historical data to draw from, and the lack of an agreed-upon method to assess or measure risk greatly hampers our ability to know where to position our limited resources. Solving this problem might even be considered a “Gordian knot” that, if cut, would clear the way to solutions for a host of other related problems such as selecting between alternative designs and keeping cost under control.


The main reason why a risk measurement system has yet to gain widespread acceptance amid the continuing debates over qualitative versus quantitative approaches is that there is no single approach or tool that is a best fit in all circumstances and environments. Therefore, what is needed is a family of connected tools across the spectrum of qualitative analysis and quantitative measurement that use similar formats and outputs, enabling some comparison across the tools.


The Unified Risk Assessment and Measurement System (URAMS) provides a diverse set of integrated qualitative and quantitative tools that provide true risk management for weapon systems and aviation platforms throughout the development lifecycle and across a range of contested cyberspace environments. URAMS starts with an engineering analysis, and our most commonly used tool is Systems-Theoretic Process Analysis for Security (STPA-Sec). This tool was developed by leveraging the safety analysis work done at MIT and has since been used with great effectiveness across a range of military weapon systems and civilian aerospace systems. STPA-Sec is grounded in systems engineering and is focused on mission-level losses as the true drivers of relevant security design. STPA-Sec also enables analysis of a system’s security posture early in the lifecycle, which enables true “baking in” of security.


From the analysis, a set of risk scenarios is developed that is specific to the system under consideration and its expected operating environment. Then, those risk scenarios are scored using any of a wide range of available scoring tools. URAMS scoring tools are characterized first by the model of risk and what factors are assumed to contribute to overall risk, and second by the type of input. Inputs can be provided as single point values, single point values with a confidence, three-point estimates, or 90% confidence intervals, depending on the training and experience of the assessors as well as how important uncertainty is to the decision makers. While human subject matter experts (SMEs) are utilized as the basis for scoring in URAMS, automated and algorithm-based approaches can and should be used to inform those SMEs.


The risk scenarios can then be combined utilizing a simple Monte Carlo simulation to determine what the overall risk is for a system or portfolio of systems. With this ability to combine risk, a structured assurance case can be built that includes the analyzed mission structure connected to the specific risk scenarios and their scores, with the risk scoring flowed up through the mission elements to the overall system. Perhaps most importantly, specific evidence such as testing results, design features, etc., can also be added to the assurance case to show how the risk scores were determined, in a format that allows decision makers to rapidly assess whether the scoring is reasonable based on their understanding of the mission and the evidence provided. Thus, the URAMS framework provides a way to cut the Gordian knot of weapon systems and platform risk measurement, enabling more secure and better defended systems and missions.
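
The combination step described above, sketched as an added example that is not URAMS code or part of the original abstract. It assumes a risk model the abstract does not specify: each scenario has an SME-scored probability of occurrence and a 90% confidence interval on mission loss, the interval is fitted with a lognormal distribution, and scenarios are independent. The scenario names and numbers are constructed.

```python
import bisect
import math
import random

Z90 = 1.6448536269514722  # standard normal z for the 5th/95th percentiles

# Constructed sample input (hypothetical names and numbers):
# (scenario, probability of occurrence, 90% CI of mission loss if it occurs)
SCENARIOS = [
    ("Spoofed navigation input", 0.10, (50.0, 500.0)),
    ("Malware via maintenance laptop", 0.05, (100.0, 2000.0)),
    ("Datalink denial of service", 0.20, (10.0, 100.0)),
]

def lognormal_params(low, high):
    """Fit lognormal (mu, sigma) so low/high are its 5th/95th percentiles."""
    if not 0 < low < high:
        raise ValueError("90% CI must satisfy 0 < low < high")
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * Z90)
    return mu, sigma

def simulate(scenarios, trials=20000, seed=1):
    """Return the sorted total loss of each trial (scenarios independent)."""
    rng = random.Random(seed)  # seeded so a scoring session is reproducible
    fitted = [(p, *lognormal_params(*ci)) for _, p, ci in scenarios]
    totals = []
    for _ in range(trials):
        total = 0.0
        for p, mu, sigma in fitted:
            if rng.random() < p:  # scenario occurs in this trial
                total += rng.lognormvariate(mu, sigma)
        totals.append(total)
    totals.sort()
    return totals

def exceedance(totals, threshold):
    """Fraction of trials whose combined loss is greater than threshold."""
    return 1 - bisect.bisect_right(totals, threshold) / len(totals)

if __name__ == "__main__":
    totals = simulate(SCENARIOS)
    for threshold in (0, 100, 500, 1000):
        print(f"P(loss > {threshold}) = {exceedance(totals, threshold):.3f}")
```

The exceedance values at several thresholds form a loss exceedance curve for the system; passing the scenarios of several systems in one list gives the same curve for a portfolio.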