<a href="https://colab.research.google.com/github/tsherburne/de-textbook/blob/main/01_SCRE_DE_Textbook.ipynb" target="_parent"><img src="https://colab.research.google.com/assets/colab-badge.svg" alt="Open In Colab"/></a>

# Digital Engineering (DE) Introduction


*   The crux of digital engineering is the creation of ***computer readable*** models to represent all aspects of the system and to support all the activities for the design, development, manufacture, and operation of the system throughout its lifecycle.
*   These computer models would have to be based on shared data ***schemata*** so that in effect a digital thread integrates all the diverse stakeholders involved in the acquisition of new weapon systems.
*   Model-based systems engineering (MBSE) is a subset of digital engineering. MBSE supports the systems engineering activities of requirements, architecture, design, verification, and validation. These models would have to be connected to the physics-based models used by other engineering disciplines such as mechanical and electrical engineering.
*   Foundation to digital engineering is the representation of the system data in a format sharable between all stakeholders. SysML 2.0 is one of several future developments promising to provide a representation sufficient to support digital engineering. An ontology defining the entities and relationships between them can be used to define the concepts relevant to systems engineering. Such a representation is necessary to create the digital thread linking all the models together in a cohesive and useful manner.

See [SEBoK DE Definition](https://www.sebokwiki.org/wiki/Digital_Engineering) for additional details.


## System Definition Language (SDL)

A ***System Definition Language (SDL)*** is a formal, structured language which avoids the ambiguity inherent in using common English to define or specify a system. The precise meaning of each language concept is fixed and documented to enhance team communication and assure unambiguous interpretation of specifications using this language. SDL is based on the following primitive language concepts:​

*   ***Entities*** correspond to nouns in English. Entities define objects and serve as the basic units in a meta-model (e.g., Component, Function, etc.) ​
*   ***Relationships*** are similar to verbs. Each relationship has a definite subject and object (e.g. a Component performs a Function).​
*    Attributes further describe entities much like adjectives modify nouns. The attributes of an entity serve to define critical properties of entities. (e.g. Component entity includes number and type attributes).  
*   ***Attributed-Relationships*** (i.e., attributes on relationships) correspond to adverbs in English. The attributes of a relationship serve to define critical properties of the relationship. For instance, attributes of a consumes relationship would include the quantity being consumed. ​
*   ***Structures*** provide specification of semantically explicit system control constructs (Concurrency, Iteration, Loop, Multiple Exit, Replication, Selection, and Sequence). Using this explicit notation, the behavior of the system can be validated and executed using a simulator. 

See [A Primer for Model-Based
Systems Engineering](http://www.mbseprimer.com/) (page 34) for additional details.

## Top-Level MBSE Meta-Model
> <img src="https://raw.githubusercontent.com/tsherburne/de-textbook/main/images/meta-model-foundation.png" height="300" />



<a name="essential-mbse"></a>
## Essential MBSE Meta-Model
> <img src="https://raw.githubusercontent.com/tsherburne/de-textbook/main/images/mbse-essential.png" height="400" />


----

| Entity | Description |
| :---   | :----       | 
| Component | A component is an abstract term that represents the physical or logical entity that performs a specific function <br> or functions.|
| Function | A function is a transformation that accepts one or more inputs (items) and transforms them into outputs (items).|
| Item | An item represent flows within and between functions. An item is an input to or an output from a function.|
| Link   | A link is the physical implementation of an interface. |
| Requirement | A requirement is either an originating requirement extracted from source documentation for a system, a refinement <br> of a higher‐level requirement, a derived characteristic of the system or one of its subcomponents, or a design decision.|
| Structure | Recursive call structure, for example, select, parallel, loop, for each function. |
| Verification Requirement | A Verification Requirement describes what is to be proved (i.e., requirements), at what level the verification will occur, <br>which method of verification should be used, and the current verification status.|

----

# Secure Cyber Resilience Engineering (SCRE)



<a name="resilience-concept"></a>
## Resilience Concept

> <img src="https://raw.githubusercontent.com/tsherburne/de-textbook/main/images/resilience-concept.png" height="300" />

* A ***Resilience Mode*** is a distinct and separate method of operation of a component, device, or system based upon a diverse redundancy or other design pattern.
* A ***Sentinel*** is a pattern responsible for monitoring and reconfiguration of a system using available Resilience Modes. The Sentinel functions are expected to be far more secure than the system being addressed for resilience.



<a name="stpa-methodology"></a>
## STPA-Sec Methodology Overview
> [Systems Theoretic Process Analysis (STPA) Guidebook](https://psas.scripts.mit.edu/home/get_file.php?name=STPA_handbook.pdf) (page 14)

> <img src="https://raw.githubusercontent.com/tsherburne/de-textbook/main/images/stpa-method-overview.png" height="400" />

1. Defining the purpose of the analysis is the first step with any analysis method. What kinds of ***losses***
will the analysis aim to prevent? Will STPA be applied only to traditional safety goals like preventing loss
of human life or will it be applied more broadly to security, privacy, performance, and other system properties? What is the system to be analyzed 
and what is the ***system boundary***? 
2. The second step is to build a model of the system called a ***control structure***. A control structure
captures functional relationships and interactions by modeling the system as a set of feedback control loops. The control structure usually begins at a very abstract level and is iteratively refined to capture
more detail about the system. This step does not change regardless of whether STPA is being applied to safety, security, privacy, or other properties.
3. The third step is to analyze control actions in the control structure to examine how they could lead to
the losses defined in the first step. This step does not change regardless of whether STPA
is being applied to safety, security, privacy, or other properties.
4. The fourth step identifies the reasons why hazardous control might occur in the system. Scenarios are
created to explain:
  * How incorrect feedback, inadequate requirements, design errors, component failures, and
other factors (cyber attacks) could cause hazardous control actions and ultimately lead to losses.
  * How safe control actions might be provided but not followed or executed properly, leading to a loss.


## Mission Aware (MA) MBSE Incredients

> <img src="https://raw.githubusercontent.com/tsherburne/de-textbook/main/images/mission-aware-mbse-incredients.png" height="200" />

* [Essential MBSE](#essential-mbse)
* [STPA-Sec](#stpa-methodology)
* [Resilience Concept](#resilience-concept)
* NIST
  * [SP 800-160 Vol. 2](https://csrc.nist.gov/publications/detail/sp/800-160/vol-2/final) Developing Cyber Resilient Systems: A Systems Security Engineering Approach
  * [SP 800-53 Rev. 5](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf) Security and Privacy Controls for Information Systems and Organizations
  * [RMF](https://csrc.nist.gov/projects/risk-management) Risk Management Framework
* MITRE
  * [CAPEC](https://capec.mitre.org/)
  * [ATT&CK](https://attack.mitre.org/)
  * [D3FEND](https://d3fend.mitre.org/)


## Top-Level MA MBSE Meta-Model

> <img src="https://raw.githubusercontent.com/tsherburne/de-textbook/main/images/ma-meta-model-foundation.png" height="400" />

## Detailed MA MBSE Meta-Model

> <img src="https://raw.githubusercontent.com/tsherburne/de-textbook/main/images/ma-meta-model-detail.png" height="600" />

----

| Element | Entity | Description |
| :---    | :---   | :----       | 
| Control Structure | Control Action | A controller provides control actions to control some process and to enforce constraints on the <br> behavior of the  controlled process.|
| | Feedback | Process models may be updated in part by feedback used to observe the controlled process.|
| | Context | The set of process model variables and values.|
| Risk | Loss | A loss involves something of value to stakeholders. Losses may include a loss of human life or <br> human injury, property damage, environmental pollution, loss of mission, loss of reputation, loss <br> or leak of sensitive information, or any other loss that is unacceptable to the stakeholders.|
| | Hazard | A hazard is a system state or set of conditions that, together with a particular set of worst-case <br> environmental conditions, will lead to a loss.|
| | Hazardous Action | A hazardous action is a control action that, in a particular context and worst-case environment, <br>will lead to a hazard.|
| Vulnerability | Loss Scenario | A loss scenario describes the causal factors that can lead to the hazardous control and to hazards. <br> Two types of loss scenarios must be considered: a) Why would hazardous control actions occur? <br>b) Why would control actions be improperly executed or not executed, leading to hazards?|
| | Remediation | The hygiene practice or resilience mechanism to protect against a loss}, hazard}, loss scenario, <br>or attack vector. |
| Mission Aware | Attack Pattern |An inventory (check list) of potential paths or means by which a hacker can gain access to a <br> computer or network server in order to deliver a payload or malicious outcome. Attack patterns <br> enable hackers to exploit system vulnerabilities, including the human element.|
| | Attack Vector | A 3-way associative class between attack pattern, component / link, and remediation <br> which tracks likelihood and severity of the attack pattern after remediation.|
| | Hygiene Practice |A routine practice (check list) of basic security capabilities to reduce cyber risks due to common <br> or pervasive threats.|
| | Resilient Mode |A configuration of a target system that remediates one or more loss scenarios. |
| | Sentinel | A highly secure subsystem responsible for monitoring and reconfiguration of resilient <br> modes for a target system. |

----

## Cyber Security Requirements Methodology (CSRM)

Cyber Security Requirements Methodology (CSRM) is a risk‐based methodology for addressing cyber security during the design phase of cyber-physical system and utilizes four teams of system owners and experts from a wide range of domains. Specifically, the four teams are:
* Systems Engineering (SE) Team ‐ The SE team is responsible for managing the CSRM process and developing system designs and definitions that reflect requirements, objectives, constraints, and stakeholder concerns.
* Blue Team ‐ The blue team is composed of operationally‐oriented members with experience using similar systems. The blue team is responsible for providing consequences and risks to the CSRM process.
* Red Team ‐ The red team is composed of cyber security experts and cyber attack experts who will provide the likelihood of different attacks given the current system design and resilient solutions.
* System Test Team ‐ The Test team is responsible for ensuring the current system design, including resilience modes of operation, can be adequately tested.
> <img src="https://raw.githubusercontent.com/tsherburne/de-textbook/main/images/csrm-methodology.png" height="300" />

Each block in the iterative CSRM process diagram is color coded to reflect the team responsible for the step. The 6 steps are outlined as follows:

1. The SE team produces a system description that includes the system architecture and functional descriptions of the system components that satisfy the Mission MOPs.

2. The blue team performs an operational risk assessment of the current design and produces a prioritized list of undesirable outcomes.

3. The SE team uses the system description and the risk assessment to produce a list of possible resilient solutions.

4. The red team prioritizes cyber defense and resilient solutions using their prior knowledge of attack likelihood.

5. The test team produces a verification and test plan that addresses defined resilient modes for the system.

6. The process iterates until an acceptable baseline system is defined that is deemed acceptable to all teams:

  * As necessary, the SE team updates the system description to include the red team recommendations.

  * As necessary, the blue revises the operational risk assessment to account for the new system design and red team assessment.

  * As necessary, the test team revises the verification and test plan to account for new system design and red team assessment.

## Framework for Operational Resilience in Engineering and System Test (FOREST)

> <img src="https://raw.githubusercontent.com/tsherburne/de-textbook/main/images/forest-methodology.png" height="350" />

### Testable Requirements Elicitation Elements (TREE)

----

| TREE    | Number | Description |
| :---    | :---   | :----       | 
| Attack **Sensing** | T.1 | This element of resilience provides the basis for discovering a successful cyber-attack and informing the <br> system operators about the attack.|
| Attack **Isolation** | T.2 | This element of resilience solutions addresses identification of the part of the system that has been <br> successfully attacked. |
| Resilience **Options** | T.3 | This element of resilience solutions addresses the reconfiguration solution(s) for the attacks under <br> consideration as well as the immediate containment of safety-related consequences.|
| **Evaluation** of Resilience <br> Options | T.4 | This part of the framework calls for documentation that provides explanations for the selection of <br> solutions, the anticipated performance of the reconfigured system (including time to reconfigure), <br> and the basis for deciding that the resulting operational capabilities are satisfactory. |
| Operational **Confidence** <br> in Executing Resilience <br> Solutions | T.5 | The framework calls for documentation of the basis for achieving high enough confidence and <br> the related test and evaluation methods.|
| **Readiness** for Operational <br> Execution <br> (Real-time Mission  Context) | T.6 | The framework will expect explanation of the basis for the system design approach regarding test support <br>for addressing operator roles and anticipated performance.|
| System Resilience <br> Decision & **Execution** | T.7 | The framework will look for the rationale for who decides on what, and the training and tech support required for decision-makers.|
| **Post-Event** and <br> Lifecycle Test Responses | T.8 | This portion of the framework addresses identification of information reporting and re-use of development test support <br> capabilities to address system re-testing regarding potential improvements based upon actual results derived from executing <br>resilience solutions in response to cyber-attacks.|

---


# Silverfish Case-Study Conops


Silverfish is a rapidly deployable set of fifty (50) individual ground-based weapon platforms (referred to as obstacles) controlled by a single operator. The purpose of the system is to deter and prevent adversaries from trespassing into a designated geographic area that is located near a strategically sensitive location. The system includes a variety of sensors to locate and classify potential trespassers as either personnel or vehicles. An internal wireless communication system is used to support communication between the sensors and the operator, and also supports fire control communications between the operator and the obstacles. The sensors include obstacle-based seismic and acoustic sensors, infrared sensors and an unmanned aerial vehicle-based surveillance system to provide warning of potential adversaries approaching the protected area. The operator is located in a vehicle, and operates within visual range of the protected area. The operator is in communication with a higher-level command and control (C2) system for exchange of doctrinal-related and situation awareness information. A more detailed functional description of the system is presented below.

> <img src="https://raw.githubusercontent.com/tsherburne/de-textbook/main/images/silverfish-overview.png" height="500" />

* Purpose: Deter and prevent, when and where necessary, via the use of rapidly deployable obstacles, adversarial tracked vehicles (assumed maximum speed - 10mph) or individuals from trespassing into geographic areas that are close to strategically sensitive locations. 
* Prohibited Area: ~100 acres of open field space (100 acres, approximately 0.16 square miles = 0.4 mile x 0.4 mile area). At maximum speed a vehicle would take about 3 minutes to cross the prohibited area. 
* Obstacle Deployment: About 50 obstacles are available to be distributed over the 100-acre protected area (each obstacle is designed to protect a 300x300 foot area). Two types of obstacles can be deployed. One type of obstacle addresses anti-personnel requirements. It contains six (6) short-range sub-munitions, each covering a 60-degree portion of a circular area to be protected. The second type of obstacle contains a single munition capable of impacting a tracked vehicle. 
* Operation: The operator, located in a vehicle that is operated close to the prohibited area (~150 meters away), remotely controls individual obstacles and their sub-munitions, based upon sensor-based and operator visual surveillance of the prohibited area.
* Prohibited Area Surveillance: The operator is supported by obstacle-based acoustic and seismic sensors (geophones and accelerometers) that can detect and distinguish between vehicles and people, redundant infrared sensors that can detect and track the movement of people and vehicles, and real-time Video/IR derived early warning information regarding people and vehicles approaching the prohibited area provided by a UAV managed by the C2. The UAV is used to provide warning information. The operator can relocate his or her vehicle for improved visual observation.
* Obstacle design features: The obstacle-based sensors provide regular operator situation awareness reports (seconds apart) when they detect a trespasser. They provide, at a lower data rate (e.g., a minute apart), general health related information, including reports on their location (GPS-based), their on-off status, and their remaining battery life.  Should a weapon be fired, the obstacle confirms the acceptance of commands and the actual firing events. To address potential tampering risks, obstacle-based software can only be modified by electrically disconnecting their platform-based computer from the obstacle, and removal results in self-destruction of that computer. 
* Infrared sensor configuration: A single pole-mounted IR sensor is assumed to be capable of providing surveillance of the entire protected area. A second sensor is provided for redundancy, and can be used to provide surveillance of areas that the single sensor is not able to observe. The IR sensors provide the same type of operator situation awareness data at the same rates as the obstacle-based sensors, but in addition provide tracking information to enable the operator to project future locations of moving vehicles or people. 
* Requirements for Avoiding Errors: Concerns exist regarding detonating sub-munitions in cases where non-adversarial vehicles or people, by chance, enter the prohibited area. Concerns also exist about failing to fire munitions when an adversary is approaching a strategically sensitive location via the prohibited area. The operator, when possible, can use visual observations to increase confidence regarding fire control. 
* Operator Functions: The operator can set the obstacles into either on or off modes and can cause individual or designated groups of obstacles/sub-munitions to detonate when in on mode. Obstacles can be commanded to self-destroy designated critical information in order to prevent adversaries from collecting such information for their own purposes. The operator also can launch a quad-copter drone (UAV) to provide video/IR based early warning information regarding potential trespassers of the protected area  (~5 minute warning for vehicles approaching at a 10 mph speed). 
* Communications Systems: The Operator, the higher level C2 System, and UAV operate on a shared radio system that is integrated to a relay node(s) that couples into the Silverfish system’s integrated wireless communication network. The communication system includes digital interfaces that support formatted data transfers between the operator’s system, the UAV subsystem, the individual obstacles, the IR subsystem, and the C2 Center. The communication system also supports short message text and voice communications between operator and C2 system.
* Operator Control Station: The operator is provided with a vehicle-mounted computer(s) subsystem that provides situation awareness information including individual obstacle status, and sensor-based situation awareness information. The subsystem also provides computer based entry and corresponding weapon system feedback for fire control related inputs from the operator. The control station also supports required digital situation awareness related reporting to the C2 center. 
* Command Center Controls: The C2 center digitally provides weapon control information for the operator (determines weapon system on/off periods, provides warning of periods of higher likelihood of attack, provides forecasts of possible approach direction to the prohibited area, enables operation with/without UAV support, etc.). As determined by either the operator or the C2 center, out of norm situations can be supported through rapid message communications between the C2 center and the operator. 
* Forensics: All subsystems collect and store forensic information for required post-mission analysis purposes. 
* Rapid Deployment Support: All subsystems enable rapid deployment testing to confirm readiness for operational use.

# DE Textbook Table of Contents





*   Mission Engineering
  *   (SCRE) [Operational Risk Assessment](https://github.com/tsherburne/de-textbook/blob/main/02_SCRE_Risk_Assessment.ipynb)
*   Requirements Analysis
*   Behavior Analysis
  *   (SCRE) [Vulnerability Assesment](https://)
*   System Architecture
  *   (SCRE) [Resilience Architecture](https://)
*   Verification and Validation
  *   (SCRE) [Resilience Design Validation](https://)
  *   (SCRE) [Test Support System](https://)