Lifecycle security complements security-by-design. It acknowledges that systems and their context change in unforeseen ways between initial design and final decommissioning. Without an overarching lifecycle security approach, new security threats that emerge during the lifecycle of systems will be addressed by different people/disciplines in silos, leading to a patchwork of security solutions with suboptimal outcomes.
Complex Information and Operational Systems
We focus on lifecycle security of complex information and operational (IT/OT) systems. OT systems are increasingly integrated with information systems, so security attacks on IT (software) systems may also affect, or even specifically target, operational systems. IT/OT systems are at the heart of many critical infrastructures that are essential for the functioning of our society. Lifecycle security is therefore a major concern for these systems.
Dynamic Knowledge Models
The central idea is to leverage the existing data, sensing capabilities and sensing options of organizations that manage complex IT/OT systems to create dynamic (knowledge) models of reality. For example, a dynamic model could represent the configuration and interdependency of IT/OT subsystems, the interactions with or between subsystems, the flow or location of sensitive information, and the attempted or ongoing actions on that information. These models can provide relevant knowledge for decision-making and action regarding lifecycle security, including software updates, security investments, attack detection, and protection and recovery actions. Dynamic models can be used to discover trends, patterns and events in a timely manner, allowing organizations to be proactive. Moreover, instead of being linked to real-world systems, dynamic models can also be used for simulation, i.e. fed with constructed data (e.g. for rare events), in order to explore what-if scenarios. This idea builds on the concept of the Digital Twin, which aims at intelligent decision-making using a digital representation, and on DevSecOps, which aims at integrating security practices into every phase of the lifecycle.
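To make the idea of a dynamic knowledge model concrete, the following is an added example written for this page; it is not code from the research described here. It builds a small model of which IT/OT subsystems are expected to interact (the subsystem names erp, historian, scada, eng-ws, plc-1 and plc-2, the allowed flows and the telemetry events are all constructed assumptions), uses the model in two of the ways the text mentions: flagging an observed interaction the model does not expect (attack detection), and running a what-if scenario in which one flow is removed to see how the exposure of the OT assets changes (simulation). The same model could be fed from real flow logs or from constructed data for rare events.

```python
# Added example (not from the page): a tiny dynamic knowledge model of an
# IT/OT system, used for (1) detecting interactions the model does not expect
# and (2) what-if analysis on a constructed dependency graph.
from collections import deque

# Constructed model: subsystem -> subsystems it is allowed to interact with.
# Names (erp, historian, scada, eng-ws, plc-1, plc-2) are assumptions.
ALLOWED_FLOWS = {
    "erp": {"historian"},
    "historian": {"scada"},
    "scada": {"plc-1", "plc-2"},
    "eng-ws": {"scada", "plc-1", "plc-2"},
    "plc-1": set(),
    "plc-2": set(),
}

# Constructed set of OT assets whose compromise we treat as a safety-relevant outcome.
OT_ASSETS = {"plc-1", "plc-2"}


class KnowledgeModel:
    """Holds the expected-interaction graph and a running record of observations."""

    def __init__(self, allowed_flows):
        self.allowed = {src: set(dsts) for src, dsts in allowed_flows.items()}
        self.observed = {}  # (src, dst) -> number of times this interaction was seen

    def ingest(self, event):
        """Record one observed interaction; return an alert dict if the model does not expect it."""
        src, dst = event["src"], event["dst"]
        self.observed[(src, dst)] = self.observed.get((src, dst), 0) + 1
        if dst not in self.allowed.get(src, set()):
            return {"kind": "unexpected-flow", "src": src, "dst": dst, "ts": event["ts"]}
        return None

    def reachable_from(self, start, removed_flows=()):
        """Subsystems reachable from `start` over allowed flows (breadth-first search).
        `removed_flows` lets a what-if scenario drop edges, e.g. to model a segmentation change."""
        removed = set(removed_flows)
        seen, queue = set(), deque([start])
        while queue:
            node = queue.popleft()
            for nxt in self.allowed.get(node, set()):
                if (node, nxt) in removed or nxt in seen:
                    continue
                seen.add(nxt)
                queue.append(nxt)
        return seen

    def ot_exposure(self, removed_flows=()):
        """Map each subsystem to the OT assets that are reachable from it via allowed flows."""
        return {s: self.reachable_from(s, removed_flows) & OT_ASSETS for s in self.allowed}


# Constructed sample telemetry (as it might come from flow logs); the last event is the anomaly.
EVENTS = [
    {"ts": "2024-01-01T10:00:00Z", "src": "erp", "dst": "historian"},
    {"ts": "2024-01-01T10:00:05Z", "src": "historian", "dst": "scada"},
    {"ts": "2024-01-01T10:00:09Z", "src": "scada", "dst": "plc-1"},
    {"ts": "2024-01-01T10:01:30Z", "src": "erp", "dst": "plc-1"},
]


def run_detection(model, events):
    """Feed events into the model and collect the alerts for unexpected interactions."""
    return [alert for alert in (model.ingest(e) for e in events) if alert is not None]


if __name__ == "__main__":
    model = KnowledgeModel(ALLOWED_FLOWS)
    for alert in run_detection(model, EVENTS):
        print("ALERT", alert)
    print("OT exposure, current model:", model.ot_exposure())
    # What-if: sever the historian -> scada path (e.g. by inserting a one-way gateway).
    print("OT exposure, what-if:      ", model.ot_exposure(removed_flows=[("historian", "scada")]))
```

Run as a script, the model flags the erp to plc-1 interaction because no allowed flow connects those two subsystems, and the what-if run shows that removing the historian to scada flow leaves erp with no path to either PLC while eng-ws keeps its direct access, which is the kind of comparison that would inform a security investment decision.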