This proposal is organized around a system decomposition (break the system down to understand and exploit) then composition (rebuild the system with improved defensive measures) methodology. The first step to understanding a system is gathering all associated documentation. Then based on that insight the system is decomposed by discovering susceptibilities (inherent weaknesses) and access points. The tools/techniques used by the threat to capably exploit the system are also analyzed. The total resulting system vulnerability based on the intersection of susceptibility, threat access, and threat capabilities is then determined. Finally, defensive measures to mitigate these vulnerabilities can be derived from a quantitative security metric analysis. This approach, based on the offerors' experience with system vulnerability analysis, red teaming, and development of threat mitigation technologies, will result in a scalable and cost effective CPS defensive mechanisms while protecting our national interests.
Benefit: Many DoD cyber-physical systems are being networked into larger TCP/IP networks. If one defines system trustworthiness as consisting of safety, security, and reliability, then having a quantitative diagnostic capability is essential for ?trust?. The concern about the trustworthiness of our desktop and laptop, and smart phones is increasingly shifting to concern about cyber-physical systems such as DoD's unmanned weapon systems that can have alarming impacts to our physical world if they become unsafe, insecure, or unreliable. Tenet 3, LLC, has been approached by several large DoD firms interested in assessing the more general trustworthiness state of the cyber-physical systems they are developing for the US Government. The DoD Primes desire improved safety, security and reliability for their systems but do not want to add significant additional hardware and/or impact performance. Our approach under this project has the potential to meet that need.
Keywords: Trustworthiness, Cyber-Physical Systems, Cps, Cyber Security, Quantitative Security Metrics, Scalable Security Assessment Technologies
