
You can help cybersecurity. My name is Andrew Hall; I go by Irish in the hacker community, and my Twitter handle is a true Sean underscore EE. Okay, so a little bit about me: I'm a graduate student at the University of Utah right now doing an Executive MBA, and I graduate this May. I have a Bachelor of Science in electrical engineering. I'm a CISSP and an electronics hobbyist; I enjoy making badges, among other things. I did the DC801 badges for DEF CON 24 through 26. I always like to be learning and trying new things, and I'm open to new opportunities to grow; it's always fun. I have a little disclaimer there, not sure it's readable, but it's basically: you can be anything you want to be, and there are different ways and different aspects of doing it. Sometimes you just get thrown into it, sometimes you luck out, sometimes you have to work hard at it. But can you be everything you want to be? It's a big question.

So, the outline: I will go over what systems engineering is and why NIST is using it with cybersecurity (a lot of it will be the systems security engineering aspect of NIST); why cybersecurity should be more like systems engineering; how management can help make cybersecurity successful; why cybersecurity should be separated from IT; why education is important to cybersecurity; and then I'll open for questions. I have a little bit of reference in the back.

Going in: what is systems engineering and why is NIST using it with cybersecurity? The big one is NIST 800-160, Systems Security Engineering. It has Volume 1 and Volume 2, and it's a great aspect on how you have to look at systems from a big view; you have to incorporate more than a single silo. And then they have 800-53 Rev. 5, which is still in draft, that goes through all those individual requirements: physical security, configuration management, integration, programming, hardware, software, many aspects. You have to really look at the picture fully in order to get a grasp on security.

So systems engineering always looks at broad domains and goes through your mechanical and electrical engineering aspects; it looks at hardware and software, it looks at human resources and the human element (how do you do badging, how does the organization work as a whole) and makes sure it gets all the groups together. There's a nice systems engineering life cycle picture to go through; cradle to grave is important. You need to look at it from the beginning, at the requirements, before you're getting started, and they need a cybersecurity expert there with the other main policy setters in order to really continue and grow. They need to be embedded into the program process; they need to learn every aspect, be involved in meetings and in the requirements, the testing, the validation at the end. You need to really see the full picture in order to be successful doing security, and especially cybersecurity as a whole. Looking at the big view and following the systems engineering cycle will help make the picture become clearer and get you onto a good track moving forward.

Continuing on: cybersecurity experts need to have a broader base of education. They need to really be diverse, understand many aspects and all the different domains and silos that they have to deal with, so it will help them think outside the box, do research and development in the field, progress the field, get it into a more secure discipline with better career growth, and keep moving the profession forward. Kind of like engineering, where you keep engineering yourself out of a job: you keep pushing and perfecting it and making it so it's easier to keep the basic security issues at bay and get into more depth in your processes.

This quote is out of the NIST 800-160 document, from 1970: that security controls in a computer system is in itself a systems design problem; a combination of hardware, software, communication, physical, personnel and administrative process safeguards is required for comprehensive security; in particular, software safeguards alone are not sufficient. So really you have to look at the big picture; you can't just look at software to save you from hardware issues, and vice versa. You really need to start integrating and looking at the picture as a whole and understand your products in all aspects. So you go through the 10,000-foot picture, fully incorporated. You need to look at problems in their entirety; you aren't siloed in your problems, problems are cross-domain. Simon Ramo, the quote up here, is one of the fathers of systems engineering; he was part of the TRW group. As he puts it, it concentrates on the design and application of the whole as distinct from the parts, looking at a problem in its entirety, taking into account all facets and all the variables, and relating the social to the technical. So really you have to understand the business side in some regards and the technical side, and be able to communicate them together to make the most out of it, especially as a manager in cyber, but definitely within the service of your field you need to be diverse in your knowledge and understanding.

Going into management: cyber should not fall under IT. Management should have requirements direction for hardware and software; it really should be a pusher in your requirements field for cybersecurity, just like systems engineers, as they can see the full picture and see the problem as a whole in its entirety. They should be able to make better requirements for your developers and your hardware designers, to get more in line and not be so stagnant and siloed in the requirements, where they end up having more issues when they come together than they really should. Managers should have an understanding of all aspects of cybersecurity, both software and hardware vulnerabilities, and everybody's requirements to fulfill the mission of the group, and lead change in the organization. They need to really push to make the organization better and not keep it in a cycle that is redundant and causes more harm than good, where we end up with the same vulnerabilities over and over again; we need to move on and progress out of that. And then manning: work on staffing, training, tools, the equipment. It's important to keep education in your cybersecurity group within the domains; you have to have a diverse group. You can't have experts all in software or all in hardware; you need a dynamic group that covers many domains, where there are SMEs over subjects who can also work together. One slide.
Okay, also, they should look at standards like RMF, the Risk Management Framework, and PCI DSS and other aspects; those are cores that you can build upon, help understand, and help push, as they cover multiple domains and aspects. And the biggest thing is to remove obstacles. As a manager over a cyber group you need to remove obstacles, let them into other groups, and destroy the silos that are out there within industry and in a lot of businesses, where groups don't really talk to each other. The cyber group needs to be basically incorporated into all groups that deal with a product that has potential for vulnerabilities, and really help build your corporation and business as a whole.

As the DoD moves on, and other things, they've also learned that IT and cybersecurity need to be separated into different domains. Cybersecurity is more of an overarching analyst and management aspect, compared to IT, which gets into more of your nuts and bolts: your network operators, software developers, and everyone that can do all the implementation, while your cybersecurity does more of your requirements and overarching integration, your ISSMs (information system security managers), to be able to make everything come together as a whole and work well with each other. The career paths are still being defined in many things, as we all know; in most regards, as companies mature and grow, they define the career paths a little bit differently as they figure out what type of security really needs to be done and where it needs to be placed. It needs to be really improving the requirements and policy; we need to move up into the C-suite and get into the boards to understand that security is a big issue and needs to be talked through amongst everyone and be incorporated into a lot of groups that right now are lacking any type of security insight, when they really should have a lot more.

So cybersecurity grows by making hard things easy and doing yourself out of a job. Making complex things easy needs to be shared and vetted in the industry, so as we progress and information is shared more, it can be vetted and verified. Systems engineering is great in that regard; it's a lot of help going through modeling and system modeling and everything else. Every security group is doing some modeling; we'll get more into it. As you model and get more understanding of the complex systems, they'll become easier, and those security aspects can evolve into more appropriate protections for your end users and for your equipment, so they don't cannibalize your end product with a little risk at the end; that makes everyone a lot happier. Maturing field: the field is saturated with lots of credentials; the field is solidifying. I'll talk more on the education side a little bit later. Breadth of education, cross-flow, mobility, protection: there are lots of things to go through in hardware and software; there are more vulnerabilities on both sides, and they sometimes work well together but a lot of times have issues.

So here are some key questions that deal with education and certifications. Will a degree help you advance in your career? Is the institution accredited by the right organization? Will experience be able to replace a degree for a future opportunity? These are big questions I've hit as I've come into the cybersecurity field in the last few years. And then credentials: is the certification accredited? Do you already have a certificate that's equal to or higher than the one that your business is looking for, or that your customer requires you to have to perform the work that you do? In some industries, like DoD, you have to have certain certs in order to do certain jobs; they're kind of realigning that so education can sometimes replace the certifications, so it's going to be interesting.

Let's not stay quiet on the bottom one, which is kind of unique: the whole economic boom in cybersecurity seems largely to be a consequence of poor engineering, which in some regards I think is true. Poor engineering, poor practices, poor policies have led to kind of the mess of cybersecurity that we have now. We have so many different vulnerabilities, bad products coming out, poor standards, no real leeway for consumer IoT devices to really be released with no understanding of whether they're going to mess up your home environment and let hackers or adversaries into places that they aren't supposed to be. It's starting to hit a lot of industries that usually weren't connected; now they're starting to be connected and they're hitting new vulnerabilities that they have to get caught up on really quickly, like in industrial control systems.

With degrees, it's more than a piece of paper when properly obtained. Engineering degrees are accredited by ABET, and ABET is starting to do accreditation with cybersecurity now. They have three universities that they're doing undergrad accreditation for right now, and they're pushing to set up standards within that engineering aspect with cybersecurity. So both the Naval and Air Force Academies and the University of Missouri are kind of the pilot right now, so it's going to be interesting to see how some of the schools and education go with accreditation and how it's going to push the field into standards where HR will be able to understand the basis of people coming in with certain types of credentials, kind of like what they do with engineering, where you can then figure out that you'll hire more for fit and for how well the applicant will learn in your environment, more than just raw skills in some regards, because our field is really changing dynamically right now. And especially as you move up, degrees are definitely nice within management and above, and that's kind of the nature in a lot of fields, but they do have issues: you just can't stop at the degree. You have to continue the education, you have to continue the training, because our field is still dynamic; it's not going to be stagnant, like any other field, especially in the sciences. We have to continue to learn. Going through CPEs and certifications does help in that regard; it helps maintain your understanding and pushes the education aspects, especially within employers. Membership in organizations is also good to help share information, and share that information with those in the industry.

Going into certifications: there are lots of different certification organizations. ISC², SANS, CompTIA, Offensive Security; there's a whole gamut that provide certs. They're all basically equivalent, or slightly better; they're all variable, depending on your employer and who you go to and who's teaching you the class and everything else. DoD has put in credentials and certifications for positions right now; 8570 goes through it. The updated 8140 that's going to come out is going to be a lot better, where they'll go into better job aspects and not this habit of generalized technician and manager aspects, and it's going to be interesting to see how industry will respond to that as they go into it: developers in cyber should have this, or this type of education, to work on things. And it matters having certain ones. Really, you shouldn't show a whole bunch of certificates after your name; you should just show the most applicable and the highest levels, because that's really what you're showing off; all the other ones are kind of building steps up to the bigger certs. Our industry needs to be a little bit better about the alphabet soup after our names and keep it simple. A lot of it was built from the IT side instead of the engineering side in that regard, and really they need to have better cross-compatibility across the certification organizations, especially if they're all accredited.

Going through, I touched on a lot of this. Teamed with a degree, though, like professional engineering, it might look like cybersecurity might require that you get a degree and then you get a license or certificate for a certain aspect, especially if it deals with things that are liabilities of human, financial, or high economic aspects, like professional engineering, where you do it with buildings and bridges because they can kill people. Cybersecurity might have different regards, where we might end up with certs that are more aligned to deal with forensics and things that are caught up in the loop of the law, that have really strict guidance, where it makes a little more sense to have the certifications to go with it. That's my presentation, so I have it open for questions right now.
So, pushing to fix the organization as a whole instead of just the systems that you're working on now; that's a big part that needs to be pushed on, and why cybersecurity needs to move out of IT into its own domain, so it has a better aspect to help push organizations in the right way. It's not an IT issue, it's a cyber issue; it's the thing that everyone needs to pay attention to, not just "the IT department needs to go fix this." It's your engineering department, your human resources department, your marketing department: all have vulnerabilities, all have aspects, so they need to be better educated and aligned, and they need to work in with a core cyber or security group a lot better than what a lot of businesses are doing right now. So you basically have to mature your organization to understand that cyber needs to touch everyone. Any other questions?

So, right, he asked where cybersecurity should fall, under IT or where, where it should sit in an organization. There really should be a CSO position that falls in with the CTO and CIO. A lot of organizations, especially if you deal with applications that can affect others, line them up on par with the CIO and CTO in the organization, because the security person needs to push requirements and work with them into both of the other organizations, as well as get the CEO on board and understand that the technology side won't always do it and the information side won't always do it; security really needs to be the catalyst between the two groups to make it so that it will protect your device and the consumers and your customers, and have a high-level view up there that will then push down. Because if it falls under them, then the CTO and the CIO can outvoice and can nerf your security program, so it really needs to be its own entity on par with the others. Any other questions?

Yes? No? So thank you for attending my talk. I had thought I'd throw up my references. INCOSE is a systems engineering group that does a certification for systems engineering, where I got a lot of information. DAU, the Defense Acquisition University, has information. I see high tech: they go through a lot of the NIST documents and give their view on the information. The DoD manual 8140 is in draft right now; it's not public at this time. Once it goes public it'd be a great thing for you to look at, because they really dissected 8570, if you've looked at that manual and its little triangle of positions to requirements; they've blown it up a lot and made it more precise for different job categories, and it's going to be a really good improvement in that regard, to help understand career paths and what type of education and credentials should be gone after. And then NIST is always a great place, as they keep pushing and updating their documentation. Feel free to send me any questions on Twitter or other things, and thank you for attending.