March 2, 2022
Jeremy Bellay - Battelle Memorial Institute
Cybersecurity, by its nature, is a complex and continuously evolving field. Recently, the supply chain’s role in security has received new emphasis due to the high-profile SolarWinds attack and the increasing movement of state-of-the-art silicon manufacturing off American shores. This raises the question of how we integrate security models used at the factory or by the supplier with the security assessment estimates that are required later in the lifecycle and at the system level. In this talk, we review the resources currently available to describe cyber vulnerabilities and weaknesses in hardware, software, and systems. We then look at what is required to characterize vulnerabilities in hardware and software components, compound components, and systems. Finally, we describe how this infrastructure could support the goal of security models that are composable and meaningful across the abstractions and contexts of real systems.