Systems engineering framework for cyber physical security and resilience Daniel DiMase • Zachary A. Collier • Kenneth Heffner • Igor Linkov Published online: 8 February 2015 Ó Springer Science+Business Media New York (outside the USA) 2015 Abstract As our infrastructure, economy, and national defense increasingly rely upon cyberspace and information technology, the security of the systems that support these functions becomes more critical. Recent proclamations from the White House, Department of Defense, and else- where have called for increased resilience in our cyber capabilities. The growth of cyber threats extends well be- yond the traditional areas of security managed by Infor- mation Technology software. The new cyber threats are introduced through vulnerabilities in infrastructures and industries supporting IT capital and operations. These vulnerabilities drive establishment of the area of cyber physical systems security. Cyber physical systems security integrates security into a wide range of interdependent computing systems and adjacent systems architectures. However, the concept of cyber physical system security is poorly understood, and the approach to manage vul- nerabilities is fragmented. As cyber physical systems se- curity is better understood, it will require a risk management framework that includes an integrated ap- proach across physical, information, cognitive, and social domains to ensure resilience. The expanse of the threat environment will require a systems engineering approach to ensure wider, collaborative resiliency. Approaching cy- ber physical system security through the lens of resilience will enable the application of both integrated and targeted security measures and policies that ensure the continued functionality of critical services provided by our cyber infrastructure. Keywords Information security Á Product life cycle management Á Risk analysis Á Systems engineering Á System-level design 1 Introduction Cyber security risks are prevalent in today’s information age, and new cyber incidents appear regularly in the news. In fact, many people may have been directly affected by cyber incidents. Most notably, as much as one-third of the population of the United States was impacted due to the recent cyber attack on the retail store Target (Wallace 2014). In this situation, hackers attacked the system with credentials stolen from a Target vendor (Finkle 2014). The type of attack that impacted Target and their consumers is but one example of the numerous methods by which cyber attacks may be carried out. While the mega-breaches, like Target, grab the national headlines, smaller breaches are still costly, averaging $5.4 million in 2012, and the average cost of data theft in the United States in 2012 was $188 per customer account (Ponemon Institute 2013). There has been a significant increase in attacks on cyber physical systems (CPS) as evidenced through public information. The average American company fielded a total of 16,856 attacks in 2013 (Grossman 2014). Industry data breaches and cyber attacks increased in 2014 by 23.9 % compared with 2013 to 761 reported breaches exposing 83,176,279 records (Identity Theft Resource Center 2015). McAfee (2014) estimates that the annual cost to the global economy from cybercrime is more than $400 billion and could be as much as $575 billion. In the United States alone, the report D. DiMase Á K. Heffner Honeywell Aerospace, Phoenix, AZ, USA Z. A. Collier Á I. Linkov (&) US Army Engineer Research and Development Center, Vicksburg, MS, USA e-mail: Igor.Linkov@usace.army.mil 123 Environ Syst Decis (2015) 35:291–300 DOI 10.1007/s10669-015-9540-y