When it comes to cybersecurity in space organizations, everyone has heard the statement, “Bake it in, don’t bolt it on.” The real question is, “How?”
There’s a straightforward answer: good cybersecurity = good systems engineering.
For starters, cybersecurity artifacts = systems engineering documentation. In other words, when the cybersecurity team asks for the software list, hardware list, and systems topology—those are simply systems engineering documents.
A Single Discipline
For decades, cybersecurity and systems engineering have grown into two separate job descriptions—creating a cultural gap—but it’s always been a single discipline. Cybersecurity is, and always has been, an integral part of the systems engineering lifecycle, from requirements to operations.
And that’s the key to building in cybersecurity into space systems from the beginning, to keep pace with today’s fast-moving threat environment. By bringing together cybersecurity and systems engineering teams in innovative ways, space organizations can turn them into a single, highly efficient team delivering more effective capabilities.
Wasted Time and Expense, Limited Functionality
In many organizations across both government and business, systems engineers focus their design efforts on a system’s critical functionality, without a full understanding of the cybersecurity requirements. Later, after the system is mostly or completely built, the cybersecurity team recreates artifacts (e.g., software and hardware lists, and data flow diagrams) to understand how everything fits together.
That’s just the beginning. The cybersecurity team then goes back to the systems engineers to tell them how to rework the system, shut down key parts, or close vulnerabilities, to properly secure the system. The result: wasted time and expense by both teams, with organizations sacrificing either functionality over security, or security over functionality.
Bridging the Cultural Gap
Space organizations can take a practical, step-by-step approach to bridging the cultural gap between cybersecurity and systems engineering. The first step is cross-training that helps each team understand the other team’s perspective.
Small groups of systems engineers, for example, are temporarily embedded with cybersecurity teams. The systems engineers get a chance to learn about the kinds of constraints the cybersecurity experts are under, and how their tools work. Over the course of the training, the systems engineers can see how they might design their systems to meet cybersecurity constraints more effectively.
At the same time, cybersecurity experts are temporarily embedded with systems engineering teams. The cybersecurity experts get a chance to see how difficult it is to design a system—and make the necessary tradeoffs—when you’re not sure where cybersecurity fits in.
Bringing the Teams Together
In the second step, the two teams are brought together, in tabletop discussions, as system design begins. They bounce ideas back and forth about the various functional, design, and cybersecurity issues. Once they agree on a design, they work together to build and test a prototype that—from the outset—is both as secure and functional as possible. Often, this is the first time cybersecurity experts get a “seat at the table” in system design.
A common outgrowth of this collaboration is that cybersecurity teams and systems engineers seek to gain more expertise in each other’s fields, and so get education, training and certifications. Over time, they move toward working as a single team that sees cybersecurity and systems engineering as a unified discipline.
Stephen Bolish (bolish_stephen@bah.com), BS EE, MS EE, CISSP, is a Principal at Booz Allen with more than 27 years of engineering and cybersecurity experience supporting commercial, defense, and federal clients. He and his team focus on demystifying cybersecurity, and building highly effective engineering teams.