Towards Educational Guidelines for the Security Systems Engineer

Industry 4.0 will impact the systems engineering landscape and cyber-security in the future. The education needs of systems engineers working in these environments will change as the system landscape adapts to the Industry 4.0 changes. This research aims to explore the impact of Industry 4.0 on systems engineering and the security requirements which must be catered for in the changing Industry 4.0 landscape. Although it is not yet certain how the landscape will change, this research starts to explore what the education needs could be for systems engineers to understand all future cybersecurity requirements. The results of this research indicate that security requirements engineering will be needed in the first, requirements, stage of the systems development life cycle. Secondly, a new set of expert engineering skills will be required to identify future threats and vulnerabilities which could impact the system landscape. These results can be used as a guideline to start thinking about how systems engineers should be educated for the future.


Introduction
The rise of Industry 4.0, also referred to as the Industrial Internet of Things (IIoT) or the fourth industrial revolution, refers to the use of new digitized and connected industrial systems, expected to yield extensive industry-spanning opportunities [1]. These new systems are expected to be smart cyber-physical systems which communicate and work with other systems and humans in real time [2]. The interconnected nature of Industry 4.0-driven operations and systems means that the impact of cyberattacks on these engineering systems will be more extensive than before [3].
The fear of industry and academia is that designers, manufacturers and their supply networks may not be prepared for the risks that these Industry 4.0-driven systems present. This poses one of the biggest challenges for engineering design and also for engineering education [3,4]. To address these uncertainties, the engineering space has recently seen a large drive to include extensive cybersecurity processes in systems engineering, and in requirements engineering in particular. This is because the traditional systems engineering processes are inadequate for the development of secure systems: cybersecurity had less impact on business operations while the environment was isolated than it has in the new connected environment [5,6]. In the past, security integration in engineering systems was largely limited to the IT industry, where security was added after the system had been developed. With the new drive for integration, security must be included in software development, risk management, human factors and all other areas within an organization [7,8]. The International Council on Systems Engineering (INCOSE) chartered a working group in 2016 to start the processes required for fostering security within systems engineering, where system security is "accepted and practiced as a fundamental part of system engineering" [5] and where security is incorporated across the entire systems development life cycle [9,10].
There exist limited studies in the field of systems engineering that investigate how the cybersecurity knowledge and skills required of the systems engineer in the industrial workforce are changing. This research aims to investigate the additional cybersecurity-related activities the systems engineer will be responsible for in order to design Industry 4.0-ready systems. As the range of cybersecurity activities throughout the design of engineering systems is so wide, this paper only considers the activities in the Requirements and Conceptualization phase of an engineering project.

2 Overview of the current systems engineering landscape
The increased connectivity of smart systems essential for Industry 4.0 requires the design of smart, autonomous technologies. These connected, smart systems, which aim to fully integrate the digital and physical worlds, introduce a new set of cyber risks. The interconnected nature of these systems requires organizations to employ professionals with the skills and competencies to design Industry 4.0-ready systems. For cyber risks to be adequately addressed, cybersecurity strategies should be fully integrated into organizational and design strategies from the start [3].
When designing traditional systems, the systems engineer would typically leave the cybersecurity aspects of a system to the security professionals [5]. In many cases the security features of a system were treated as of secondary importance. One of the main work roles of the systems engineer is to derive a complete set of functional requirements (criteria defining specific behavior and functions) and non-functional requirements (criteria constraining how the system operates) for the system. Security is generally treated as a non-functional requirement and is therefore typically considered less important than the functional requirements [5,6]. Dove et al. [5] state that "as long as systems engineers do not consider security a functional requirement, it will not be likely to rise to the top of the implementation checklist". To address this issue, INCOSE acknowledges that new approaches to systems engineering will need to be implemented in order to meet the need for secure systems in the era of Industry 4.0 [5].
The National Institute of Standards and Technology (NIST) published the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework in August 2017. It highlights the interdisciplinary nature of cybersecurity work and provides guidance on workforce development, training and education of cybersecurity professionals [11]. This includes the cybersecurity-related activities and tasks of an organization and the work role responsible for each activity or task, as well as the knowledge, skills and abilities a professional requires in order to execute the applicable tasks [6,11-15]. As the updating of the INCOSE systems engineering framework to include cybersecurity is still a work in progress, the NICE Cybersecurity Workforce Framework is used in this paper to evaluate the inclusion of cybersecurity considerations in the system development life cycle (SDLC) of systems engineering.
Due to their limited exposure to cybersecurity, many systems engineers lack the knowledge, skills and abilities required to address potential Industry 4.0-related security issues. This lack of cybersecurity knowledge regarding security risk analysis, together with a lack of the vision needed to consider systems and their threats and risks in their entirety, leads to gaps in the security architecture of systems [6,16].

Methodology
This work analyses the activities in the traditional systems development life cycle (SDLC) as well as the updated secure systems development life cycle (S-SDLC) to determine the additional cybersecurity activities required by the process and where the responsibilities lie. As the range of cybersecurity activities is so wide, this paper only considers the activities in the Requirements and Conceptualization phase of an engineering project. The research presented in this paper aims to determine the new activities that a systems engineer will be exposed to when developing systems for the Industry 4.0 environment, and comments on the potential shortfall in activities and responsibilities amongst traditional systems engineers in the era of Industry 4.0. The methodology consists of the following steps:
1. Conduct a content analysis of the traditional SDLC processes captured by the ISO/IEC/IEEE 15288:2015 standard [17] to identify the range of security activities included in the SDLC and where the responsibility lies.
2. Conduct a content analysis of the NIST NICE Cybersecurity Workforce Framework [11] to determine the proposed cybersecurity-related activities required in the S-SDLC and where the responsibility lies.
3. Comment on the differences in activities, knowledge, skills and abilities between the two processes and determine how the role of the systems engineer in the industrial workforce might change.
The results of the various steps are discussed in the subsequent sections.

4 Analysis of security activities in the SDLC

Responsibilities of the systems engineer in the SDLC
When a new system is developed, the coordination of numerous activities and processes across a collection of professionals is required. The systems engineer's responsibility starts with the need for a new system or a problem that must be solved, and ends when the system is operational and used by end-users or customers. The extent of that responsibility depends on individual experience, systems engineering knowledge and the complexity of the system. One of the main work roles of the systems engineer is to derive a complete set of functional and non-functional requirements for the system. This requirements engineering process uses the results of risk analysis and threat assessments as goals that must be met by the system, and these initiate the elicitation activity [15]. Risk analysis and threat assessment are traditionally the responsibility of the systems engineer. In the traditional SDLC, the goal of the risk management processes, according to Parnell et al. [18], is to identify, assess and take action to reduce risks to the system's technical performance, cost and schedule estimates. However, the analysis and assessment of extreme risks, including cybersecurity, is not traditionally seen as the systems engineer's responsibility but rather that of an expert risk analyst [19].
Sage and Rouse [19] state the following responsibilities of a systems engineer relating to requirements engineering:
1. Need identification and customer linkage: the need is identified by matching it with technical feasibility, and the systems engineer provides the linkage between the customer's needs and the design of the system.
2. Requirements management: the customer needs are developed as an input to determine the system and functional requirements.
3. Architecture and systems design: design the system concept and link the requirements with the configuration.
4. Technical risk and management: perform a technical risk assessment and manage these risks during trade-off analysis.
It can be seen that no direct mention is made of any security related responsibilities. Traditionally, when designing systems, the systems engineer would leave the cybersecurity aspects of a system to the security professionals [5].

Overview of the SDLC
In industry, systems engineers utilize best-practice systems engineering processes and methods to execute the activities during system development. System development progresses through the life cycle stages and makes use of decision gates to determine the way forward [20]. This discovery process is generally structured into stages throughout the system life cycle in which the system is conceptualized, developed, produced, utilized, supported and retired [18]. Fig. 1 illustrates a generic systems engineering life cycle as described by ISO/IEC/IEEE 15288:2015 [16,18].
The process model followed by a systems team depends on the prior experience of the resources and the standard approaches used by the organization, or on the type of problem to be solved; there is therefore no single SDLC for all engineering systems [19]. Comparisons of the life cycle models used by various organizations or disciplines are available in the literature [18,20]. A typical SDLC used in a commercial systems integrator environment is illustrated in Fig. 2.

Fig. 2. Typical SDLC for commercial systems integrator environments
During the SDLC stages shown in Fig. 2, the processes prescribed by standards and the systems engineering community are invoked [20]. The processes currently included in the body of knowledge do not directly include a process relating to security. In order to determine where security-related activities are included in the systems engineering process, a content analysis is performed on ISO/IEC/IEEE 15288:2015, as described in the subsequent section.

Content analysis of security in Systems Engineering Processes
A content analysis was performed on the ISO/IEC/IEEE 15288:2015 document, Systems and software engineering - System life cycle processes. The search term "security" was used to determine where security-related actions are included in the SDLC and who the responsible professionals are. Security activities were found to affect the three processes shown in Table 1. It can be seen from the table that all the references to security in the document are references to other standards documents. The ISO/IEC/IEEE 15288 standard does note that "information security for supplier relationships" must be carefully considered [17]. It can be deduced from this analysis that the traditional SDLC does not include dedicated security activities. The systems engineering community has acknowledged this gap and has responded by integrating security engineering into the systems engineering processes [14,22,23].

5 Analysis of security activities in the S-SDLC

Overview of the S-SDLC
The systems engineering community is in the process of identifying the security roles and responsibilities applicable to the entire systems development life cycle for future connected environments [22]. Various researchers have proposed S-SDLCs to show how and where security can be included, with security included throughout the systems development life cycle stages. The first step in the proposed S-SDLC is the introduction of a new security requirements engineering process, a sub-process of the traditional requirements engineering activity [15]. The S-SDLC illustrated in Fig. 3 shows the updated Requirements and Conceptualization phase with the addition of the security requirements engineering process.

Fig. 3. S-SDLC indicating the addition of risk analysis and assessment relating to security requirements engineering
The purpose of this security requirements engineering process is to elicit the security requirements the system should cater for in order to reduce risk [24]. The new security requirements engineering process depends on a security risk analysis and assessment activity to derive a complete set of requirements [6,15].
The goal of the security risk analysis is to identify the potential sources of threats or vulnerabilities the new system could have. The risks identified must then be assessed to determine their potential impact on the organization's operations, assets, individuals and other concerns [25]. The result of the risk assessment is then used as input to the security requirements engineering process, where the results are analyzed to identify suitable security requirements that mitigate the potential threats and vulnerabilities within the organization's risk management strategy [15].
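As an added illustration of the flow described above (it is not part of the paper, which prescribes no scoring method), the following Python script takes a constructed threat list for a hypothetical IIoT pump-control system, scores each threat with an assumed likelihood x impact product, keeps those above an assumed risk appetite, and derives security requirements from a hypothetical control catalogue with traceability back to the threats each one mitigates. The threat ids, requirement ids and control text are all invented for the example. It also reports any unacceptable threat that no requirement covers, which is the check a practitioner wants at the end of this step before the requirements baseline is signed off.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    """One identified threat against an asset, scored by the assessment step."""
    tid: str
    asset: str
    description: str
    likelihood: int  # 1 (rare) .. 5 (almost certain); assumed 5-point scale
    impact: int      # 1 (negligible) .. 5 (catastrophic); assumed 5-point scale

    @property
    def risk(self) -> int:
        # Assumed scoring: a plain likelihood x impact product, as used in many
        # qualitative risk matrices. The paper prescribes no particular method.
        return self.likelihood * self.impact


@dataclass(frozen=True)
class SecurityRequirement:
    """A derived security requirement, traceable to the threats it mitigates."""
    rid: str
    text: str
    mitigates: tuple  # threat ids, kept for requirements traceability


# Constructed sample threat list for a hypothetical IIoT pump-control system.
THREATS = [
    Threat("T1", "PLC", "Unauthenticated Modbus/TCP write to pump setpoint from plant LAN", 4, 5),
    Threat("T2", "Historian", "SQL injection in the web dashboard exposes process data", 3, 3),
    Threat("T3", "Remote maintenance VPN", "Vendor credentials reused after contract ends", 3, 4),
    Threat("T4", "HMI", "Operator sees stale data because NTP is misconfigured", 2, 2),
    Threat("T5", "PLC", "Firmware update accepted from unauthenticated USB media", 2, 5),
]

# Hypothetical control catalogue: candidate requirement text and the threats
# each one mitigates. In practice this comes from the organization's own
# control baseline; nothing here is taken from the paper.
CONTROL_CATALOGUE = {
    "SR-AUTH-01": ("All write commands to the PLC shall be authenticated and authorized by role.", ("T1",)),
    "SR-NET-01": ("The control network shall be segmented from the plant LAN; only the HMI VLAN may reach the PLC.", ("T1",)),
    "SR-INPUT-01": ("Dashboard database access shall use parameterized queries with boundary input validation.", ("T2",)),
    "SR-IAM-01": ("Third-party maintenance accounts shall be time-bound and disabled automatically at contract end.", ("T3",)),
}


def assess(threats, risk_appetite):
    """Risk assessment step: rank threats by score and split them at the
    organization's risk appetite. Threats at or below the appetite are accepted."""
    ranked = sorted(threats, key=lambda t: t.risk, reverse=True)
    unacceptable = [t for t in ranked if t.risk > risk_appetite]
    accepted = [t for t in ranked if t.risk <= risk_appetite]
    return unacceptable, accepted


def derive_requirements(unacceptable, catalogue):
    """Security requirements engineering step: select every catalogue entry that
    mitigates an unacceptable threat, and report threats no requirement covers.
    An uncovered threat is a gap the engineer must close (new control, redesign,
    or an explicit, signed-off risk acceptance), never something to drop silently."""
    wanted = {t.tid for t in unacceptable}
    selected, covered = [], set()
    for rid, (text, mitigates) in catalogue.items():
        hits = tuple(sorted(wanted & set(mitigates)))
        if hits:
            selected.append(SecurityRequirement(rid, text, hits))
            covered.update(hits)
    gaps = sorted(wanted - covered)
    return selected, gaps


def main(risk_appetite=6):
    """Run both steps over the constructed input and print the traceable result."""
    unacceptable, accepted = assess(THREATS, risk_appetite)
    requirements, gaps = derive_requirements(unacceptable, CONTROL_CATALOGUE)
    for t in unacceptable:
        print(f"{t.tid} risk={t.risk:2d} {t.asset}: {t.description}")
    for r in requirements:
        print(f"{r.rid} mitigates {','.join(r.mitigates)}: {r.text}")
    print("accepted within appetite:", [t.tid for t in accepted])
    print("unacceptable threats with no requirement:", gaps)
    return requirements, gaps


if __name__ == "__main__":
    main()
```

With the constructed input, T4 falls within the assumed appetite and is accepted, four requirements are derived for T1, T2 and T3, and T5 (the unauthenticated firmware path) is reported as uncovered: the engineer either adds a control to the catalogue or records a deliberate acceptance, but the gap is visible rather than lost between the assessment and the requirements baseline.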

Responsibilities of the systems engineer
The literature states that the security requirements engineering process will in future potentially be integrated with the requirements activity, as the systems engineer is generally the person with the holistic view of the system. This will require the systems engineer to develop the knowledge, competencies and skills needed to produce complete security requirements.
The risk assessment and threat analysis activities, required as input to the new security requirements engineering process, are additional activities not previously included within the systems engineer's responsibility. Traditionally, the risk analysis performed by the systems engineer did not include activities relating to security and only considered technical risk assessment, as discussed in Section 4.1. For the systems engineer to perform the new security risk analysis and threat assessment, he/she will require new knowledge, competencies and skills.
If the systems engineer is not the professional who will take responsibility for these tasks, they must become the responsibility of another cybersecurity professional. In order to determine the responsible professional(s) for these security-related activities, a content analysis was performed on the NIST NICE Cybersecurity Workforce Framework [11], as described in the subsequent section.

Content analysis of security in S-SDLC
The NIST NICE Cybersecurity Workforce Framework describes an organization's cybersecurity needs by defining Specialty Areas, Work Roles and Tasks. Each specialty area represents an area of concentrated work, each work role indicates the responsible person, and each task an activity. The following steps were followed to determine which professionals are responsible for security-related risk assessment and requirements tasks according to the NICE Framework.
Step One. Who is responsible for the security requirements engineering tasks in the NICE Framework? A content analysis was done of the phrase "security requirements" within the NICE Framework. The results relating to work roles are shown in Table 2.
Table 2 (work role description as it survives from the table). Security Architect: protects the organization's mission and ensures that the business processes are adequately addressed in all aspects of enterprise architecture.
Only one work role includes the phrase "security requirements". By definition, the Security Architect is not a work role included in the SDLC Requirements and Conceptualization phase. As no specific work role is allocated to security requirements relating to systems engineering and the SDLC, a second content analysis was done of the phrase "functional requirements" within the NICE Framework. The results are shown in Table 3. The framework has only one work role, the Systems Requirements Planner, allocated to tasks relating to functional requirements. As security requirements are not listed as a separate function for the Systems Requirements Planner, it can be assumed that the security requirements engineering activity remains the responsibility of the Systems Requirements Planner, which by definition corresponds to the systems engineer. The input that guides the security requirements engineering activity is the identification and assessment of the risk from all potential threats and vulnerabilities.
Step Two. Who is responsible for the risk analysis and threat assessment tasks in the NICE Framework? A search was done on the phrases "risk assessment", "assessment", "threat" and "vulnerabilities" within the NICE Framework. The results relating to work roles in the SDLC are shown in Table 4. From the result of this analysis, it can be seen that the work roles assigned to risk assessment include the Security Control Assessor and the Vulnerability Assessment Analyst. The Research and Development Specialist and the Exploitation Analyst are assigned to assess threats.
These roles are not traditionally defined in systems engineering processes, which indicates that they are new roles required for the Industry 4.0 environment. Therefore, the S-SDLC will require a new type of engineer, functioning as a Vulnerability Assessment Analyst and Exploitation Analyst, who performs the risk assessment and threat analysis activities. In the current environment, a systems engineer developing the solution will not be able to take on these activities in addition to his/her existing work.
Table 4. Results of content analysis on "risk assessment", "assessment", "threat" and "vulnerabilities" in the NICE Cybersecurity Workforce Framework (work role description as it survives from the table). Exploitation Analyst: analyzes collected information to identify vulnerabilities and potential for exploitation.

Discussion & Recommendations
Systems engineers cater for both physical and information security as part of the design [17], with the principle that the design of the system must prevent the intentional introduction of faults with consequences of various impacts [26]. From this it is acknowledged that security is traditionally only considered and designed for the environment the system will operate in. As future environments will be much more connected, it has been highlighted that cybersecurity should be considered during the entire systems development life cycle and not just bottom-up during design and validation [27]. The analysis performed in Section 4 shows that there exists a clear need for the inclusion of cybersecurity-related activities in the SDLC. Cybersecurity skills related to security risk analysis, threat assessment and security requirements engineering must be included in the systems engineering process.
From the analysis done in Section 5, it can be seen that the cybersecurity-related activities added to the S-SDLC do not clearly indicate who the responsible person will be in a systems engineering context. It can then be argued that the additional cybersecurity-related activities may fall to the systems engineer by default if no cybersecurity specialist is assigned to the process. The security risk analysis requires a holistic technical view, but also needs security risk scenario analysis and threat analysis skills, which most systems engineers do not currently possess.
The results of this study make the case for a new type of engineer who is an expert in the function of security risk analysis and threat assessment. The reason is that an engineer typically has the sound systems thinking ability needed to understand the holistic environment and identify all influences on it. An engineer with sound systems thinking skills as well as cybersecurity-related knowledge, skills and competencies would form an important part of the systems engineering process for future Industry 4.0-ready systems. The requirement for this new type of systems engineer calls for engineering education to include cybersecurity-related knowledge, skills and competencies in systems engineering curricula. Systems engineers need to be educated in the fields of security risk analysis and threat assessment, as well as security requirements engineering.
Currently, only a handful of postgraduate cybersecurity engineering degrees are known worldwide, with even fewer of these focusing on cybersecurity within systems engineering. Two known Master's degrees are the Master of Science in Systems Engineering at the Johns Hopkins Whiting School of Engineering [28] and the MS in Systems Engineering with Certificate in Cybersecurity at the University of Maryland, Baltimore County [29]. Currently no known postgraduate cybersecurity engineering degrees are offered by South African institutions [30]. The inclusion of cybersecurity in dedicated systems engineering modules and courses is even scarcer, leading to a mismatch between cybersecurity education in systems engineering and the cybersecurity requirements of industry. Therefore, the inclusion of cybersecurity in current systems engineering courses, or the creation of a cybersecurity systems engineering degree or postgraduate module, is recommended.

Conclusion
This paper argues that, in the light of Industry 4.0, there exists a need for the creation of systems with a greater level of connectivity, where cyberattacks on these systems may be more extensive than before [3]. Designers, manufacturers and supply networks are therefore required to be prepared for the risks that these new Industry 4.0-driven systems present.
This paper shows through content analyses that the current systems engineering processes do not consider all the security activities needed in the light of the fourth industrial revolution. It also shows that the new cybersecurity activities proposed for the Requirements and Conceptualization phase of an engineering project will require new cybersecurity-related knowledge and skills. It is argued that these activities will require the addition of a systems engineer who possesses the knowledge, skills and competencies related to security risk analysis and threat assessment. As this knowledge and these skills are not currently taught to systems engineers, it is argued that there exists a need in engineering education for the creation of such courses or modules.
Future research would investigate the identified cybersecurity-related activities and determine the knowledge areas, skills and abilities required to implement them successfully. Future work must also consider the other phases of the SDLC and determine the cybersecurity-related activities and where the responsibility lies. This work serves as a driver towards the creation of cybersecurity-related content in engineering education.