
SURVIVABILITY: PROTECTING YOUR CRITICAL SYSTEMS

Society is increasingly dependent upon large-scale, distributed systems that operate in unbounded network environments. Survivability helps ensure that such systems deliver essential services and maintain essential properties in the face of attacks, failures, and accidents.

ROBERT J. ELLISON, DAVID A. FISHER, RICHARD C. LINGER, HOWARD F. LIPSON, THOMAS A. LONGSTAFF, AND NANCY R. MEAD
CERT Coordination Center, Software Engineering Institute

Contemporary large-scale distributed networks are being used to achieve radical new levels of organizational integration. This integration obliterates traditional organizational boundaries and ties local operations into components of comprehensive, network-based business processes. For example, commercial organizations are integrating operations with business units, suppliers, and customers through large-scale networks that enhance communication and services. These networks combine previously fragmented operations into coherent processes open to many organizational participants. This new paradigm represents a shift from bounded networks with central control to unbounded networks, where administrative control is distributed without central authority (see the sidebar "Glossary of Survivability Terms" on page 56).

Organizational integration is accompanied by elevated risks of intrusion and compromise. These risks can be mitigated by incorporating survivability capabilities into an organization's systems. Survivability is the capability of a system to fulfill its mission in a timely manner in the presence of attacks, failures, or accidents. The emphasis of survivability is on continuity of operations, with the understanding that security precautions cannot guarantee that systems will not be penetrated and compromised. Survivability focuses on unbounded networked systems where traditional security measures are inadequate. As an emerging discipline, it builds on related fields of study (such as security, fault tolerance, reliability, and verification) and introduces new concepts and principles.

MISSION FULFILLMENT
In survivability engineering, it is the fulfillment of a mission that must survive an attack, not any particular subsystem or system component. A mission is a set of very high level requirements or goals. Missions are not limited to military settings; any successful organization or project must have a vision of its objectives, whether they are expressed implicitly or as a formal mission statement. Judgments as to whether or not a mission has been fulfilled are typically made in the context of external conditions that may affect the achievement of that mission's goals. Timeliness is typically included in (or implied by) the very high level requirements that define a mission. However, timeliness is such an important factor that it is explicit in the definition of survivability.

Assume that a financial system shuts down for 12 hours during a period of widespread power outages caused by a hurricane. If the system preserves the integrity and confidentiality of its data and resumes its essential services after the period of environmental stress is over, the system can reasonably be judged to have fulfilled its mission. However, if the same system shuts down unexpectedly for 12 hours under normal conditions (or under relatively minor environmental stress) and deprives its users of essential financial services, the system can reasonably be judged to have failed its mission, even if data integrity and confidentiality are preserved.

The terms attack, failure, and accident include all potentially damaging events, but do not partition these events into mutually exclusive or even distinguishable sets. It is often difficult to determine if a particular detrimental event is the result of a malicious attack, a component failure, or an accident. Even if the cause is eventually determined, the immediate response cannot depend on speculations about the cause.

- Attacks include intrusions, probes, and denials of service orchestrated by an intelligent adversary. The mere threat of an attack can have as severe an impact on a system as an actual occurrence. A system that assumes an overly defensive position because of the threat of an attack may significantly reduce its functionality by diverting excessive resources to monitoring the environment and protecting system assets.
- Failures are the result of deficiencies in the system or in an external element on which the system depends. Failures may be due to software design errors, hardware degradation, human errors, or corrupted data.
- Accidents describe a broad range of randomly occurring and potentially damaging events such as natural disasters. Accidents are often externally generated events whereas failures are typically internally generated events.

With respect to system survivability, distinctions between attacks, failures, and accidents are less important than the event's impact. Our survivability approach concentrates on the effect of a potentially damaging event. Typically, for a system to survive, it must react to (and recover from) a damaging effect (for example, the integrity of a database is compromised) long before the underlying cause is identified. In fact, the reaction and recovery must be successful whether or not the cause is ever determined.

Glossary of Survivability Terms
Accidents: a broad range of randomly occurring and potentially damaging events such as natural disasters. Accidents are often externally generated events.
Adaptation services: system functions provided to continually improve a system's capability to deliver essential services, typically by improving resistance, recognition, and recovery capabilities.
Attack: a series of steps taken by an intelligent adversary to achieve an unauthorized result. Attacks include intrusions, probes, and denials of service.
Essential services: services that must be provided to system users even in the presence of attacks, failures, or accidents.
Failure: a potentially damaging event caused by deficiencies in the system or in an external element on which the system depends. Failures may be due to software design errors, hardware degradation, human errors, or corrupted data.
Recognition services: system functions that detect attacks and the extent of system damage or compromise.
Recovery services: system functions to support the restoration of services after an attack has occurred. Recovery services also help a system maintain essential services during an attack.
Resistance services: system functions that repel attacks and make them difficult and costly.
Survivability: a system's capability to fulfill its mission, in a timely manner, in the presence of attacks, failures, or accidents.
Unbounded network: a computer system or systems characterized by distributed administrative control without central authority, limited visibility beyond the boundaries of local administration, and lack of complete information about the network.

Authorized licensed use limited to: DUBLIN CITY UNIVERSITY. Downloaded on October 15, 2009 at 07:51 from IEEE Xplore. Restrictions apply.

56 NOVEMBER • DECEMBER 1999 http://computer.org/internet/ IEEE INTERNET COMPUTING


SURVIVABILITY IN UNBOUNDED NETWORKS
The success of a survivable system depends on the computing environment in which it operates. The trend in networked computing environments is toward largely unbounded network infrastructures. A bounded system is one in which all of the system's parts are controlled by a unified administration and can be completely characterized and controlled. At least in theory, the behavior of a bounded system can be understood and all of its various parts identified.

In an unbounded system there is no unified administrative control over the system's parts. The term administrative control is used here in the strictest sense: It includes the power to impose and enforce sanctions and not simply to recommend an appropriate security policy. In an unbounded system, each participant has an incomplete view of the whole, must depend on and trust information supplied by its neighbors, and cannot exercise control outside its local domain.

An unbounded environment exhibits the following properties:

- It encompasses multiple administrative domains with no central authority.
- It lacks global visibility (that is, the number and nature of the nodes in the network cannot be fully known).
- Interoperability between administrative domains is determined by convention.
- Systems are widely distributed and interoperable.
- Users and attackers can be peers in the environment.
- It cannot be partitioned into a finite number of bounded environments.

An unbounded system can be composed of bounded and unbounded systems connected together in a network. Although the security policy of an individual bounded system cannot be fully enforced outside the boundaries of its administrative control, the policy can be used as a yardstick to evaluate the security state of that bounded system. Of course, the security policy can be advertised outside the bounded system, but administrators are severely limited in their ability to compel or persuade outside individuals or entities to follow it. This limitation is particularly true when an unbounded domain spans jurisdictional boundaries, making legal sanctions difficult or impossible to impose.

Survivability on the Internet
The Internet is an example of an unbounded environment with many client-server network applications. Lack of central administrative control and of global visibility characterizes the Internet and the distributed applications residing on it. A public Web server and its clients may exist within many different administrative domains on the Internet.

Many business-to-business Web-based e-commerce applications depend on conventions within a specific industry segment for interoperability. There is little distinction between insiders and outsiders: anyone connected to the Internet is an insider, whether or not they are known to a particular subsystem. This characteristic is the result of the desire, and modern necessity, for connectivity. A company cannot survive in a highly competitive industry without easy and rapid access to its customers, suppliers, and partners.

More and more, a company's partners on one project are its competitors on the next, making trust an extremely complex concept. Trust relationships are continually changing and, in traditional terms, may be highly ambiguous. Trust is especially difficult to establish in the presence of unknown users from unknown sources outside a company's administrative control. Legitimate users and attackers are peers in the environment and there is no method to isolate one group from the other. In other words, there is no way to bound the environment to legitimate users solely through a common administrative policy.

Security-Based Defense
Most security technology depends on certain underlying assumptions about the nature and structure of … Generally, these assumptions include closed systems with central administrative control and the capability to observe any desired activity within the system, assumptions that may have been appropriate when systems were isolated islands with highly controlled interfaces.


Today, however, systems are open, with no one person or organization having administrative control, and with any observer, whether inside or outside the system, having only limited visibility into the structure, extent, and topology of the system.

Much of today's research and practice in computer system survivability takes a security-based view of defense against computer attacks. The traditional firewall concept[3] has been expanded into what are called boundary controllers. For example, a secure Department of Defense domain might use commercial and nonsecure products for general-purpose computing, with boundary controllers such as the Naval Research Laboratory pump[4] moving data among domains with differing security policies. Java security, in particular the sandbox, applies a similar kind of isolation to imported Java components so that their functionality can be limited to maintain a secure environment.

For survivability, this kind of approach is incomplete because it focuses almost exclusively on prevention (that is, hardening a system to prevent a break-in or other malicious attack). It does little to help an organization detect an attack or recover after a successful attack has occurred. This security-focused view is also limited by evaluation techniques that concentrate on the relative hardness of a system, as opposed to a system's robustness under attack, its ability to recover compromised capabilities, or its ability to function correctly in the presence of compromised components.

Affordability and COTS Components
Affordability is always a significant factor in the design, implementation, and maintenance of systems, and it encourages sharing and replication of components. That sharing extends to the national infrastructure (for example, the power grid, the public switched communications networks, and the financial networks) and to national defense. In fact, the trend toward increased sharing of common infrastructure components in the interest of economy virtually ensures that the civilian networked information infrastructure and its vulnerabilities will always be an inseparable part of a country's national defense.[6]

Practical, affordable systems are almost never completely custom-built, but rather are constructed from commonly available commercial off-the-shelf (COTS) components. The trend toward developing systems through integration and reuse rather than customized design and coding is a cornerstone of modern software engineering. Unfortunately, the intellectual complexity associated with software design, coding, and testing virtually ensures the presence of bugs in COTS components that can be exploited by attackers. These bugs can and will be discovered in commercial and public-domain products whose internal structures are widely available and hence can be analyzed by those who wish to exploit the weaknesses. When these products are incorporated as components of larger systems, those systems become vulnerable to attack strategies based on the exploitable bugs, making it possible for a single attack strategy to have a wide-ranging and devastating impact.

SURVIVABILITY OF ESSENTIAL SERVICES AND PROPERTIES
Key to the concept of survivability is the identification of essential services, and the essential properties that support them, within an operational system. Essential services are defined as the functions of the system that must be maintained to meet the mission requirements when the environment is hostile, or when failures or accidents occur that threaten the system.

To maintain their capability to deliver essential services, survivable systems must exhibit four key properties (see Table 1):

- resistance to attacks,
- recognition of attacks,
- full recovery of essential services after attack, and
- adaptation and evolution to reduce effectiveness of future attacks.

There are typically many services that can be temporarily suspended while a system deals with an attack or other extraordinary environmental condition. Such a suspension can help isolate areas that have been affected by an intrusion and can free up system resources to deal with the intrusion's effects. The overall function of a system should adapt to preserve essential services.


Central to the delivery of essential services is the capability of a system to maintain essential properties (that is, specified levels of quality attributes such as integrity, confidentiality, and performance). Thus, it is important to define minimum levels of quality attributes that must be associated with essential services. For example, a launch of a missile by a defensive system cannot be effective if the system's performance is slowed to the point that the target is out of range before the system can launch.

The capability to deliver essential services (and maintain the associated essential properties) must be sustained even if a significant portion of the system is incapacitated. Furthermore, this capability should not be dependent upon the survival of a specific information resource, computation, or communication link. In a military setting, essential services might be those required to maintain an overwhelming technical superiority, and essential properties may include integrity, confidentiality, and a level of performance sufficient to deliver results in less than one decision cycle of the enemy. In the public sector, a survivable financial system is one that maintains the integrity, confidentiality, and availability of essential information and financial services, even if particular nodes or communication links are incapacitated because of an intrusion, failure, or accident, and that recovers compromised information and services in a timely manner. The financial system's survivability might be judged using a composite measure of the disruption of stock trades or bank transactions (that is, a measure of the disruption of essential services).

Again, ultimately it is mission fulfillment that must survive, not any portion or component of the system. A lost essential service can be replaced by another service that supports mission fulfillment in a different but equivalent way. However, we still believe that the identification and protection of essential services is an important part of a practical approach to building and analyzing survivable systems. Thus in our definition of essential services, we include alternate sets of essential services (perhaps mutually exclusive) that need not be simultaneously available. For example, a set of essential services to support power delivery may include both the distribution of electricity and the operation of a natural gas pipeline.

Much of the research in survivability relates to protecting critical national infrastructures. These infrastructures include the electric power grid (and other energy infrastructures), transportation, telecommunications, health care, banking and finance, and national defense. Particularly in the U.S. and Europe, these infrastructures increasingly rely on large-scale, highly distributed software systems operating over open, unbounded networks. Although this increases the efficiency and sophistication of the services these infrastructures provide, it also increases their vulnerability to cyber-attack.

In response to the U.S. Presidential Commission report on critical infrastructure protection,[1] Presidential Decision Directive 63 (PDD 63)[2] established new government structures, including the National Infrastructure Protection Center and the Critical Infrastructure Assurance Office. The NIPC (http://www.fbi.gov/nipc/welcome.htm) is the U.S. government's focal point for threat assessment, warning, investigation, and response to threats or attacks against critical infrastructures. The CIAO (http://www.info-sec.com/ciao/) is responsible for integrating the various sector plans into a National Infrastructure Assurance Plan and coordinating analyses of the U.S. government's dependencies on critical infrastructures.

The Defense Advanced Research Projects Agency (DARPA) funds ongoing national research in information survivability. Research areas include intrusion detection, intrusion-tolerant systems, barriers, strategic intrusion assessment, and security architectures. Information about this research can be found at http://www.darpa.mil/ito/research/is/ and http://www.darpa.mil/ito/research/tnt/.

The European Dependability Initiative (http://www.cordis.lu/esprit/src/stdepend.htm) represents a major research effort in the European Union to address many of the same issues and concerns as the critical infrastructure protection and survivability efforts in the U.S., and includes plans for joint EU-U.S. collaboration.

The IEEE Computer Society's Technical Committee on Fault-Tolerant Computing and IFIP Working Group 10.4 on Dependable Computing and Fault Tolerance have formed dependability.org (http://www.dependability.org/), a Web resource on the technology of dependable systems.

References
1. Critical Foundations: Protecting America's Infrastructures, Report of the Presidential Comm. on Critical Infrastructure Protection, Oct. 1997, p. 173; available online at http://www.pccip.gov/.
2. Presidential Decision Directive 63 (PDD 63), "Protecting America's Critical Infrastructures," http://www.info-sec.com/ciao/…

Further Reading
Books
- J.C. Laprie, ed., Dependability: Basic Concepts and Terminology, Springer-Verlag, New York, 1992.
- N.G. Leveson, Safeware: System Safety and Computers, Addison-Wesley, New York, 1995.
- J. Musa et al., Software Reliability: Measurement, Prediction, and Application, McGraw-Hill, New York, 1987.
- F.B. Schneider, ed., Trust in Cyberspace, National Research Council, Committee on Information Systems Trustworthiness, National Academy Press, Washington, D.C., 1999; also available online at http://www.nap.edu/readingroom/books/trust/.

Proceedings
- R. Kazman et al., "The Architecture Tradeoff Analysis Method," Proc. IEEE Int'l Conf. Eng. of Complex Computer Systems, IEEE CS Press, Los Alamitos, Calif., 1998; available online at http://www.sei.cmu.edu/ata/.
- Proc. 1997 Information Survivability Workshop, Software Eng. Institute and IEEE CS Press, Los Alamitos, Calif., 1997; available online at http://www.cert.org/research/.
- Proc. 1998 Information Survivability Workshop, Software Eng. Institute and IEEE CS Press, 1998; also available online at http://www.cert.org/research/.

Articles and Reports
- C. Ebert, "Dealing with Nonfunctional Requirements in Large Software Systems," Annals of Software Eng., Vol. 3, Sept. 1997, pp. 367-395.
- Reliable Software Technologies research projects, 1999, http://www.rstcorp.com/research/projects.html.
- Trusted Information Systems research projects, 1999, http://www.nai.com/nai_labs/asp_set/intro.asp.

SURVIVABILITY SOLUTIONS
Survivability solutions are best understood as risk-management strategies that depend first on an intimate knowledge of the mission being protected.[2] The mission focus expands survivability solutions beyond purely independent ("one size fits all") technical solutions, even if those technical solutions extend beyond traditional computer security to include fault tolerance, reliability, usability, and so forth. Risk-mitigation strategies must be created in the context of a mission's requirements (prioritized sets of normal and stress requirements), and must be based on "what-if" analyses of survival scenarios and contingency planning. Only then can we look toward generic software engineering solutions based on computer security, other software quality attribute analyses, or other strictly technical approaches to support the risk-mitigation strategies.

To reduce the combinatorics inherent in treating representative sets of survival scenarios, the scenarios must focus on adverse effects rather than causes. Effects are also more important than causes in the immediate situation, because an organization will likely have to deal with (and survive!) an adverse effect long before a determination is made as to whether the cause was an attack, a failure, or an accident. Awaiting the outcome of a detailed postmortem to determine the cause before acting to mitigate the effect is out of the question for most modern, mission-critical applications.

Contingency (including disaster) planning requires that risk-management decisions and economic trade-offs be made by executive management, with guidance from technical experts in the application domain, computer security, and other software engineering and related disciplines. Survivability depends at least as much upon the risk-management skills of an organization as it does upon the technical expertise of a cadre of computer-security experts. This is certainly appropriate from an organizational perspective, because responsibility for business risk management belongs to executive management, not to computer-security experts or other technical personnel. The role of the experts in security, the application domain, and other technically relevant areas is to provide executive management with the information necessary to make informed risk-management decisions. Thus, the preparatory steps necessary for survivability must be taken by an organization as a whole, rather than by security experts alone.

New Tools for Survivability Support
New research methods and tools to support survivability solutions are under development. A number of these efforts focus on architectural issues. One approach motivated by information warfare attacks on the U.S. infrastructure proposes to designate a portion of the infrastructure as the essential minimum and harden that portion against attacks. Recent work proposes methodology to analyze that approach.[7]

Neumann documents the first phase of a multi-year effort on survivability.[8] The overall objectives of the project include

- defining survivability requirements,
- identifying functionality to support the requirements,
- exploring techniques for designing and developing highly survivable systems and networks, despite the presence of untrustworthy subsystems and untrustworthy participants, and
- recommending specific architectural structures that can lead to survivable systems and networks capable of either preventing or tolerating a wide range of threats.

Sullivan takes a control systems perspective on survivability.[9] A control system manages the behavior of a monitored system within its environment to maintain the acceptable operation of the system. An adaptive control system provides control of a system in the face of disruption to elements of the system and its control system.

Thuraisingham examines survivability requirements for real-time command and control systems[10] to determine software infrastructure requirements and identify a migration path for legacy systems.

The CERT Coordination Center is developing a Survivable Network Analysis (SNA) method to evaluate the survivability of systems in the context of attack scenarios. Also under development is a Survivable Systems Simulator that will provide for the analysis, testing, and evaluation of survivability solutions in unbounded networks.

The SNA method permits assessment of survivability strategies at the architecture level. Steps in the SNA method include

- elicitation of system mission and architecture,
- identification of essential service scenarios and corresponding architecture components,
- generation of attack scenarios and corresponding compromisable architecture components, and
- survivability analysis of architectural components that are both essential and compromisable.

Attack scenarios play a key role in the method. SNA results are summarized in a survivability map that links recommended survivability strategies for resistance, recognition, and recovery to the system architecture and requirements.
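The SNA steps above, together with the earlier point that an essential service may be delivered by alternate (perhaps mutually exclusive) sets of components, worked as an added Python example; this is not code from the paper or from the CERT Coordination Center's own SNA tooling. The component names, essential services and attack scenarios are constructed for illustration, and the resulting survivability map records where mission survival fails rather than prescribing the resistance, recognition and recovery strategies an analyst would attach to it.

```python
"""SNA-style softspot analysis over a constructed sample architecture.

Added illustration of the Survivable Network Analysis steps described in the
text, not the CERT/CC's own tooling. Component names, essential services and
attack scenarios are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Set


@dataclass(frozen=True)
class EssentialService:
    """A service that must be delivered even under attack, failure or accident.

    `alternates` holds alternate component sets: the service is still delivered
    if ANY one set is fully intact (the paper's alternate sets of essential
    services that need not be simultaneously available).
    """
    name: str
    alternates: FrozenSet[FrozenSet[str]]


@dataclass(frozen=True)
class AttackScenario:
    """Constructed scenario, described only by the components it compromises."""
    name: str
    compromised: FrozenSet[str]


def essential_components(services: Iterable[EssentialService]) -> Set[str]:
    """SNA step 2: components that appear in any essential-service scenario."""
    return set().union(*(alt for svc in services for alt in svc.alternates))


def compromisable_components(scenarios: Iterable[AttackScenario]) -> Set[str]:
    """SNA step 3: components that some attack scenario could compromise."""
    return set().union(*(sc.compromised for sc in scenarios))


def softspots(services, scenarios) -> Set[str]:
    """SNA step 4: components that are both essential and compromisable."""
    return essential_components(services) & compromisable_components(scenarios)


def service_delivered(service: EssentialService, compromised: FrozenSet[str]) -> bool:
    """True if at least one alternate component set is untouched."""
    return any(not (alt & compromised) for alt in service.alternates)


def mission_survives(services: Iterable[EssentialService], compromised: FrozenSet[str]) -> bool:
    """Mission fulfillment needs every essential service to remain deliverable."""
    return all(service_delivered(svc, compromised) for svc in services)


def survivability_map(services: List[EssentialService],
                      scenarios: List[AttackScenario]) -> Dict[str, dict]:
    """One row per softspot: the essential services depending on it, the
    scenarios that hit it, and whether the mission survives each scenario.
    Rows with a False entry are where resistance, recognition and recovery
    strategies must be added; the map itself does not choose them."""
    rows: Dict[str, dict] = {}
    for comp in sorted(softspots(services, scenarios)):
        dependents = sorted(svc.name for svc in services
                            if any(comp in alt for alt in svc.alternates))
        hitting = [sc for sc in scenarios if comp in sc.compromised]
        rows[comp] = {
            "essential_services": dependents,
            "attack_scenarios": {sc.name: mission_survives(services, sc.compromised)
                                 for sc in hitting},
        }
    return rows


# Constructed power-delivery example after the paper's electricity/gas case:
# power reaches customers via the electric distribution path OR the gas pipeline.
SERVICES = [
    EssentialService("power_delivery", frozenset({
        frozenset({"scada_master", "grid_control_link"}),
        frozenset({"gas_pipeline_control"}),
    })),
    EssentialService("account_integrity", frozenset({frozenset({"billing_db"})})),
]

# Constructed attack scenarios, stated as effects only, as the text recommends.
SCENARIOS = [
    AttackScenario("scada_intrusion", frozenset({"scada_master"})),
    AttackScenario("db_corruption", frozenset({"billing_db"})),
    AttackScenario("portal_defacement", frozenset({"customer_portal"})),  # not essential
]

if __name__ == "__main__":
    for comp, row in survivability_map(SERVICES, SCENARIOS).items():
        print(comp, row)
```

The non-essential portal never appears in the map, and the SCADA intrusion is survived only because the gas-pipeline alternate remains intact; compromising both paths at once fails the mission.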


The SNA method has been applied to a subsystem of a large-scale, distributed health-care system.[11] Future studies will apply the SNA method to proposed and existing distributed systems for government, defense, and commercial organizations.

The Survivable Systems Simulator being developed by the CERT Coordination Center is based upon a new methodology called "emergent algorithms."[12] Emergent algorithms produce global effects through cooperative local actions distributed throughout a system. These global effects (which "emerge" from local actions) can support system survivability by allowing a system to fulfill its mission, even though the individual nodes of the system are not survivable. Emergent algorithms can provide solutions to survivability problems that cannot be achieved by conventional means. The Survivable Systems Simulator will allow stakeholders to visualize the effects of specific cyber-attacks, accidents, and failures on a given system or infrastructure. The goal is to enable "what-if" analyses and contingency planning based on simulated walk-throughs of survivability scenarios.

Development Considerations
For new systems, survivability imposes constraints on all phases of the software development process.

- At the requirements and specification level, essential services and assets should be identified.
- Requirements for resistance, recognition, recov-

…ability policies, responding to attacks, and taking recovery actions.

For existing systems, survivability provides a new perspective on evolution and upgrade. The survivability of existing systems can often be improved with additional layers of boundary control (for example, firewalls and their more sophisticated successors) and through evolution to redundant (and diverse) hardware and software environments. In addition, administrative procedures for backup, restoration, and migration can be tested and any inadequacies addressed. And survivability features can play a prominent role in the evaluation and selection of vendors and products.

The natural escalation of offensive threats versus defensive countermeasures has demonstrated time and again that no practical systems can be built that are invulnerable to attack. Despite the industry's best efforts, there can be no assurance that systems will not be breached. Thus, the traditional view of information systems security must be expanded to encompass the specification and design of survivability behavior, enabling the creation of systems that are robust in the presence of attack and are able to survive attacks that cannot be completely repelled.

ACKNOWLEDGMENTS
The Software Engineering Institute at Carnegie Mellon University is a federally funded research and development center sponsored by the U.S. Department of Defense. CERT and CERT Coordination Center are registered in the U.S. Patent
ery, and adaptation should also be specificd. and Trailemark O f k c .
Architcctnres should incorporate survivability l ~ ~ i i ~ lioformuion
icr on t h i s srridc and relxeed rcsexcch is ~ v ~ i l -
strategies such as those mentioned in 'Fable I. able at borli h r r p : l l w ~ ? u a c i . c m ~ I . e d d o r g a o i r a t i o l ~ ~ s l
Evaluation should treat survivability on par orriri,r"-net-rc'l,.l~~,~lslid l , r r ~ ' : l l \ ~ " ~ . m r t . o ~ g l ~ ~ s ~ ~ ~ ~ l , .
with othcr properties such as performance, teli-
ability, and maintainability REFERENCES
Reused and COTS products should he selcct- 1. B. Rlsklcy, '''I'hc F,mpcm~'sOld Arinor,," Pror 1996New
rd with survivability i n mind. Ceiiriiry Pamdip-. l%rksbo/~,ACM. Ncw York, 1997.
Design and implementation should include 2. H I L i p w n and L l A . Fishcr. "StIwiwbili~-A NewTcclininl
techniques for isolation, replication, restoration, a d Busiims l'crspccrivc on Sccuriry." /'roc. I999 N m Secwiry
and migration ofessential services. fimrd@s Wor?+,ACM l'icss, NcwYork, 1999.
Correctness verification should cnsnrt: faithful 3. S . llcllovin iW. Chcswich, iireuudlr and hiteraet S k u -
d

implementation of survivability specifications. rity,Addisnn-Weslep Ilcading.Mass., 1994.


'Icsting should assess the rcliahility orsurviv- 4. M.M. Kang, U>. Moure, and I.S. Mosknwin, "Design and
ability fnnctians operating in cooperation Assumncc Strategy for thc NRI. Fuinp,'' Cowptier, Vol. 31.
with othcr system filnctions in adverse ciivi- No. 4, Apr. 1998, p p 50-64.
ronments. 5. C,. M c t i r a w and E. Felrun,/nun Security, lohn W i l c y &
Finally, procedures for system operations should Sons, New York, 1997.
have a substantial impact on survivability. They 6. Criricel Fuenriurio,rr-P,vri,*~ A r m h i infimtirrciurer.
should include processes for nian+g surviv- r ~rhc I'rcsidcnrid Coinm. L)II Critical Infirsuoc-
I l c ~ o of
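The soft-spot step of the SNA method (components that are both essential and compromisable) and the simulator's "what-if" walk-throughs, both described above, worked in Python as an added example; this is not code from the article, CERT/CC or the SEI, and the subsystem, scenarios and 3R strategy labels are constructed for illustration (the article's Table 1 is not reproduced).

```python
"""SNA soft-spot analysis plus a simulator-style what-if check.
Added example, not code from the article, CERT/CC or the SEI.  Subsystem,
scenarios and 3R strategy labels are constructed for illustration (Table 1
of the article is not reproduced); a service is assumed to need every
component it depends on, i.e. no replicas are modelled."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Scenario:
    name: str
    components: frozenset  # components a service depends on, or an attack reaches

def soft_spots(essential, attacks):
    """SNA step 4: components that are both essential and compromisable.
    Returns component -> (essential scenario names, attack scenario names)."""
    used = {c for s in essential for c in s.components}
    reached = {c for a in attacks for c in a.components}
    return {c: (tuple(s.name for s in essential if c in s.components),
                tuple(a.name for a in attacks if c in a.components))
            for c in used & reached}

def survivability_map(essential, attacks, strategies):
    """Soft spots ranked by exposure (essential x attack scenarios touching
    them), each with its resistance/recognition/recovery strategies."""
    rows = [{"component": c, "exposure": len(ess) * len(atk),
             "essential_scenarios": ess, "attack_scenarios": atk,
             "strategies": strategies.get(c, {})}
            for c, (ess, atk) in soft_spots(essential, attacks).items()]
    return sorted(rows, key=lambda r: (-r["exposure"], r["component"]))

def what_if(essential, compromised):
    """Walk-through of one attack or failure: the essential services that
    are lost when the given components are compromised."""
    return [s.name for s in essential if s.components & set(compromised)]

# Constructed sample: a small health-care-style subsystem.
ESSENTIAL = [
    Scenario("lookup patient record", frozenset({"web_front", "app_server", "patient_db"})),
    Scenario("place medication order",
             frozenset({"web_front", "app_server", "pharmacy_svc", "patient_db"})),
]
ATTACKS = [
    Scenario("malformed input via web form", frozenset({"web_front", "app_server", "patient_db"})),
    Scenario("misuse of a stolen admin credential", frozenset({"patient_db", "audit_log"})),
]
STRATEGIES = {  # placeholder 3R entries for the most exposed soft spot
    "patient_db": {"resistance": "least-privilege database accounts",
                   "recognition": "alert on anomalous bulk reads",
                   "recovery": "restore from a verified off-line backup"},
}
```

Components such as pharmacy_svc (essential but not reached) and audit_log (reached but not essential) fall outside the map, which is what focuses 3R effort on the soft spots.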