System Security Engineering: A Critical Discipline of Systems Engineering

To adequately address the comprehensive set of threats to its acquisition programs, the United States Department of Defense (DoD) must include systems security engineering as a critical element of systems engineering. Security specialties have emerged over time as responses to new threats and risks. They include information security, to protect information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction; physical and personnel security, to protect information and other valuable assets physically stored within facilities and installations; and communications and network security, to protect electronic information in transit over networks. Security has now become a system-level risk. Twenty years ago, systems were relatively stand-alone, software was critical but not prevailing, and the supply base was known and traceable. Prime contractors build today’s complex, software-controlled, highly networked systems by integrating hundreds of suppliers and commercial off-the-shelf (COTS) components, whose origin and level of integrity are difficult to ascertain. Security vulnerabilities now exist beyond the mitigations that information assurance controls typically provide. They present themselves in embedded software and hardware components and in system-of-systems architecture designs. The discipline of systems security engineering provides an important mechanism for the engineering team to assess and mitigate the vulnerabilities of the system and subsystems. We must grow and resource this discipline and capability.