Requirements Challenges in Addressing Malicious Supply Chain Threats

gated in systems acquisition and operations. Mapping attack vectors to vulnerabilities in order to determine specific countermeasures adds the dimensions of the supply chain and development lifecycle to the systems engineering-based design trade space and the overall risk-management process. I n today's environment of cyber attacks and exploitation of system vulnerabilities, the systems engineer needs to be more aware of security during the system specification and design stage. Recent examples of supply chain attacks include computer motherboards shipping with malware, military chips from China with secret backdoors, and a bank employee inserting malware into the ATM network. This article discusses the US Department of Defense (DoD) state of practice for incorporating trusted system and network security requirements into the specifications for large, complex systems. The article describes the current environment, the trends that are influencing the need for system security engineering, and the types of system security requirements and analysis techniques the DoD is using. This article updates the system security engineering risk-cost-benefit trade-off analysis described in previous papers (including Baldwin et al. 2012). The trends that are contributing to the system-security challenges facing major DoD programs include the increasing reliance on commercially available technology, complex supply chains that include thousands of suppliers worldwide (figure 1), system interconnectedness, and the identification and exploitation of the supply chain and commercial off-the-shelf (COTS) vulnerabilities. The complexity of supply chains and development processes of major acquisition programs (with prime contractors, subcontractors, suppliers, and subsuppliers) makes it difficult for anyone truly to know what is in the system and where it came from. Many of the COTS products have complex supply chains that are not secured to prevent alteration and malicious insertion. In addition, open-source code and code of unknown origin are often incorporated into the system's COTS components and the COTS tools used to develop DoD subsystems. These COTS and open-source products are widely available for study, reverse engineering, and exploitation of vulnerabilities. The systems engineer and system security engineer must consider not only the security of the system but also the security of the supply chain (see John Miller's article in this issue), the COTS products used in the system, and the information incorporated into the system as much of the development and manufacturing exist outside of traditional controls. In designing and trading off potential components, the systems engineer must consider whether the COTS products are vulnerable to attack within the supply …