Survivable Systems Analysis Method

Survivability Concepts

The success of virtually all organizations in business, government, and defense is dependent on the availability and correct functioning of large-scale networked information systems of astonishing complexity. Because of the severe consequences of failure, organizations are focusing on system survivability as a key risk management step.

Survivability is the capability of a system to fulfill its mission in a timely manner, even in the presence of attacks or failures. Survivability goes beyond security and fault tolerance to focus on delivery of essential services, even when systems are penetrated or experience failures, and rapid recovery of full services when conditions improve. Unlike traditional security measures that require central control and administration, survivability addresses highly distributed, unbounded network environments that lack central control and unified security policies.

The Three Rs: Resistance, Recognition, and Recovery

The focus of survivability is on delivery of essential services and preservation of essential assets. Essential services and assets are those system capabilities that are critical to fulfilling mission objectives. Survivability depends on three key capabilities: resistance, recognition, and recovery. Resistance is the capability of a system to repel attacks. Recognition is the capability to detect attacks as they occur and to evaluate the extent of damage and compromise. Recovery, a hallmark of survivability, is the capability to maintain essential services and assets during attack, limit the extent of damage, and restore full services following attack.

Survivable Systems Analysis: Addressing Architecture Softspots

The Survivable Systems Analysis (SSA) method (formerly the Survivable Network Analysis method) was developed by the SEI CERT® Coordination Center. SSA is a practical engineering process that permits systematic assessment of the survivability properties of proposed systems, existing systems, and modifications to existing systems. The analysis is carried out at the architecture level as a cooperative project by an SEI team working with your team of system architects, developers, and stakeholders. The method proceeds through a series of joint working sessions, culminating in a briefing on findings and recommendations.

The SSA method provides a means for organizations to understand survivability in the context of their operating environments. What functions must survive? What intrusions could occur? How could intrusions affect survivability? What are the business risks? How could architecture modifications reduce the risks? Systematic consideration of these questions through SSA reveals the risks and leads to mitigation strategies.

The SSA method is composed of four steps, as follows:

  • Step One: System Definition
      The first step focuses on understanding mission objectives, requirements for the current or candidate system, structure and properties of the system architecture, and risks in the operational environment.

  • Step Two: Essential Capability Definition
      Once step one is complete, essential services (services that must be maintained during attack) and essential assets (assets whose integrity, confidentiality, availability, and other properties must be maintained during attack) are identified, based on mission objectives and failure consequences. Essential service and asset uses are characterized by usage scenarios, which are traced through the architecture to identify essential components whose survivability must be ensured.

  • Step Three: Compromisable Capability Definition
      Next, intrusion scenarios are selected based on assessment of environmental risks and intruder capabilities. These scenarios are likewise mapped onto the architecture as execution traces to identify corresponding compromisable components (components that could be penetrated and damaged by intrusion).

  • Step Four: Survivability Analysis
      The final step of the SSA method takes aim at softspot components of the architecture. These are components that prove both essential and compromisable, based on the results of steps two and three. Softspot components and the supporting architecture are then analyzed for the key survivability properties of resistance, recognition, and recovery. The analysis of the "three Rs" is summarized in a Survivability Map. The map enumerates, for every intrusion scenario and corresponding softspot effects, the current and recommended architecture strategies for resistance, recognition, and recovery. The Survivability Map provides feedback to the original architecture and system requirements, and gives management a roadmap for survivability evaluation and improvement.
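As an added illustration (not code from the CERT page or from the SSA method itself), the following Python models steps two through four on a constructed architecture: usage and intrusion scenarios are execution traces over components, softspots are the intersection of essential and compromisable components, and each Survivability Map row records the three-R strategies for one intrusion scenario. Every component, scenario and strategy name is constructed for the example.

```python
from dataclasses import dataclass, field
# Constructed architecture (not from the page): each scenario maps to the
# ordered execution trace of components it passes through.
USAGE_SCENARIOS = {  # step two: uses of essential services and assets
    "place_order": ["web_tier", "app_server", "order_db"],
    "query_inventory": ["web_tier", "app_server", "inventory_db"],
}
INTRUSION_SCENARIOS = {  # step three: representative intrusion scenarios
    "web_tier_compromise": ["web_tier", "app_server"],
    "db_credential_theft": ["app_server", "order_db"],
    "insider_on_backup_host": ["backup_host"],
}
STRATEGIES = {  # constructed three-R strategies recorded per intrusion
    "web_tier_compromise": {
        "resistance": ["harden web tier"], "recognition": ["web IDS"],
        "recovery": ["fail over to standby web tier"]},
    "db_credential_theft": {
        "resistance": ["rotate DB credentials"], "recognition": ["DB audit"],
        "recovery": ["restore order_db from backup"]},
}

def trace(scenarios):
    """Union of every component touched by any scenario's execution trace."""
    return {c for path in scenarios.values() for c in path}

def softspots(usage, intrusions):
    """Step four: components that are both essential and compromisable."""
    return trace(usage) & trace(intrusions)

@dataclass
class MapEntry:
    intrusion: str
    softspots: list
    resistance: list = field(default_factory=list)
    recognition: list = field(default_factory=list)
    recovery: list = field(default_factory=list)

def survivability_map(usage, intrusions, strategies):
    """One row per intrusion scenario that reaches a softspot, listing the
    softspots hit and the three-R strategies supplied for that scenario."""
    spots = softspots(usage, intrusions)
    rows = []
    for name, path in intrusions.items():
        hit = sorted(c for c in path if c in spots)
        if not hit:  # reaches nothing essential: no softspot, no map row
            continue
        s = strategies.get(name, {})
        rows.append(MapEntry(name, hit, s.get("resistance", []),
                             s.get("recognition", []), s.get("recovery", [])))
    return rows
```

Note that inventory_db is essential but never reached by an intrusion scenario, and backup_host is compromisable but not essential, so neither appears in the map.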

SSA Deliverables

The SSA method produces the following deliverable items for the selected system:
  • Essential services and assets, and essential architecture components
  • Representative intrusions and compromisable architecture components
  • Architecture vulnerabilities and softspots
  • Mitigation strategies for resistance, recognition, and recovery
  • System survivability map

These deliverables are provided in a final report and briefing to your management team, and provide a basis for risk analysis, cost/benefit trade-off, and system improvement.

SSA Benefits

The SSA process raises awareness of survivability exposures in the systems your organization and customers depend on. SSA helps avoid unpleasant surprises. It provides a management roadmap for addressing exposures before the fact rather than consequences after the fact. System survivability means mission survivability for most organizations. It is more effective to manage survivability risks up front than to manage damage control later.


For More Information

For information on how the CERT/CC can provide an SSA for your organization, contact
Dr. Nancy Mead at 412 / 268-5756, Email: nrm@sei.cmu.edu

CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
FAX: 412 / 268-6989
CERT hotline +1 412-268-7090
E-mail: survivable-systems@cert.org
World Wide Web: http://www.cert.org



Copyright 2001, 2002 by Carnegie Mellon University


Last updated November 12, 2002