8.2.1 Cyber Simulators

Maintaining model to system validity, at the same level as current emulators, requires verification of the subsequent model/description. EFs are one way to capture the intended uses that make the emulator/model a successful description in the domain of interest. Table 8.2 provides both the conceptual definitions of verification/validation/abstraction and their Modeling and Simulation Framework (MSF) formalizations (Zeigler and Nutaro 2016).

Besides validity, as a fundamental modeling relationship, there are other relations that are important for understanding modeling and simulation work. These relations have to do with EF use in model development. Successful modeling can be seen as valid simplification. We need to simplify, or reduce the complexity, of cyber behaviors if scalable descriptions, mimicking the large‐scale systems that currently support our daily lives, are to be developed for planning and analysis. But the simplified model must also be valid, at some level, and within some EF of interest.

As shown in Figure 8.1, there is always a pair of models involved – call them the base and lumped models (Zeigler et al. 2000). Here, the base model is typically “more capable” and requires more resources for interpretation than the lumped model. By the term “more capable,” this means that the base model is valid within a larger set of EFs (with respect to a real system) than the lumped model. However, the important point is that within a particular frame of interest the lumped model might be just as valid as the base model. Figure 8.1’s morphism approach provides a method to judge base and lumped model equivalence with respect to an EF.

Abstracting from base to lumped model presents a challenge in cyber system description due to the necessary context (e.g. representative Course of Action) that the cyber system portrays. In addition, the moving parts represented by the attack cycle, or representative taxonomy (e.g. ATT&CK, MACE, etc.) might be considered at this stage, concerning the role that vulnerability evaluation will play in what the overall model describes. Subsequent metrics might also be considered during the lumping to ensure that the final representation provides the analytical insight that the user is focused on.

While keeping the systems’ considerations in mind in abstracting the model, a key enabler for developing more capable simulators that build on Figure 8.1’s morphism example is the ability to construct lumped models, from individual base models, that represent more abstract system of systems (SoS) (Figure 8.2) (Zeigler and Nutaro 2016).

Figure 8.2 shows how the data sets, intended uses, and EFs roll up to provide both SoS base and lumped models; an aspirational approach for current cyber M&S. While Figure 8.2 provides an overview of all of the components for a constructive simulation system that incorporates mappings required for emulator incorporation into simulators, test beds are still the primary means for testing emulator/simulator combinations for cyber–physical systems. In addition, Kim et al. (2008) developed the DEVS/NS‐2 Environment for network‐based discrete event simulation within the DEVS framework for easy capture of EF and other DEVS‐based concepts presented here: NS‐2 sometimes viewed as a parallel to an emulation with its topology and node/link configuration requirements.

8.2.2 Cyber Emulators

Cyber ranges (CRs) often include elements of both emulation and simulation of networks. For example, exercises usually include simulation of an attack on the network and its progress, and countermeasures by human defenders. In addition, CRs leverage this paradigm, which is often used to evaluate a system or technology concept.

Several CRs are provided by Davis and Magrath (2013). Cyber VAN (Chadha et al. 2016) provides an example of a portable range for standard computing equipment, while mobile devices are profiled in (Serban et al. 2015). Each of the authors explored approaches used to build CRS, including the merits of each approach and their functionality. The review (Davis and Magrath 2013) first categorizes CRs by their type and second by their supporting sector: academic, military, or commercial, with their types described in Table 8.3.

CRs are usually used in conjunction with emulator/simulator combinations for evaluating overall systems.

8.2.3 Emulator/Simulator Combinations for Cyber Systems

While the theory is in place for providing valid cyber M&S, in practice, cyberphysical systems are still evaluated as independent functional manifestations on CRs composed of virtual machines. Modeling provides for the evaluation of system states, in the abstract, apart from the strict function calls found in software system regression testing. Leveraging both system state understanding and attack graphs (Jajodia et al. 2015), modeling provides the opportunity to clearly identify the system states that lead to the vulnerabilities enumerated by Cam (2015), and discussed more clearly in the MITRE ATT&CK framework. In addition, mapping a system’s state space also provides for the application of quality control approaches (e.g. factorial design, etc.) to better enumerate a system’s state combinations and potential vulnerabilities.

Attacks against cyber (IT) and physical (e.g. industrial control system, actuators, etc.) systems are usually evaluated independently, at present, emulating the individual systems of interest and their respective logical anomalies. The SoS that makes up a Cyber–Physical System (CPS) is therefore only evaluated component by component, intended uses of which may not account for system states found in combination.

Thus, there is a pressing need to evaluate both cyber and physical systems together for a rapidly growing number of applications using simulation and emulation in a realistic environment, which brings realistic attacks against the defensive capabilities of CPS. Without support from appropriate tools and run‐time environments, this assessment process can be extremely time‐consuming and error‐prone, if possible at all. Integrating simulation and emulation together, in a single platform for security experimentation, exists at the concept stage,^1,2 further proving out the need for such an environment and bringing out some of the considerations required for a full‐scale application. Major components for a mixed simulation/emulation environment include (Yan et al. 2012):

1. Modeling environment for system specification and experiment configuration.
2. Run‐time environment that supports experiment execution.

At run time, the cyber simulator/emulator provides time synchronization and data communication, coordinating the execution of the security experiment across simulation and emulation platforms (Figure 8.3). As previously discussed (Chapter 7), COATS provides this hybrid simulation/emulation combination via communicating cyber effects from an emulation test bed to a more traditional command‐level training simulation environment.

An extension of individual system testing, similar to the COATS (Morse et al. 2014a, b) example for incorporating cyber effects into training, requiring a combination of CRs (i.e. emulated environments) and trainees, there is also interest (often for engineering purposes) to combine range emulators with constructive simulations. Simulations have the potential to provide “cheap” scalability not available in other “real” applications.

A key addition in Figure 8.3’s combined emulation and simulation environment is the synchronization of temporal and data communications. As shown in Figure 8.4, this was a gap in DETERLAB and is handled in iSEE (Yan et al. 2012) setup (Figure 8.4).

While Figure 8.4 provides a method for combining emulation and simulation environments for generalized cyber–physical testing, a cost and portability target for this work is to increasingly leverage structured modeling of both individual and SoS’, for valid evaluation of associated cyber systems.

8.2.4 Verification, Validation, and Accreditation (VV&A)

Leveraging simulations, and using EFs in particular, shows that the user has a clear picture of acceptance criteria for the final M&S system (Roza et al. 2010). The acceptance goal is to convincingly show that an M&S system will satisfy its purpose in use. This abstract acceptance goal is translated into a set of necessary and sufficient concrete acceptability criteria; criteria for which convincing evidence is obtained. General Methodology for Verification and Validation (GM‐VV) defines three classes of acceptability criteria for M&S artifacts, called VV&A properties (Figure 8.7) that each address and provide a set of assessment metrics for a specific part of an M&S artifact (Roza et al. 2013) (Table 8.4).

While the GM‐VV (Roza et al. 2013) provides an overall process for system evaluation, each of the respective steps requires a tool to clarify whether the tool is verified (meets the specifications/requirements you have written – “Did I build what I said I would?”) and valid (addressed the business needs that caused you to write those requirements – “Did I build what I need?”). One way of representing system development incorporating these considerations is shown in Figure 8.5.

One of GM‐VV’s tools to accomplish V&V is the goal claim network (Figure 8.6).

The VV&A goal–claim network is an information and argumentation structure rooted in both goal‐oriented requirements engineering and claim–argument–evidence safety engineering principles. The left part of the goal–claim network is used to derive the acceptability criteria from the acceptance goal; and design solutions for collecting evidence to demonstrate that the M&S system, intermediate product, or result satisfies these criteria. The acceptance goal reflects the VV&A needs and scope (e.g. system of interest, intended use). Evidence solutions include the specification of tests/experiments, referent for the simuland (e.g. expected results, observed real data), methods for comparing and evaluating the test/experimental results against the referent. Collectively, they specify the design of the V&V EF used to assess the M&S system and its results. When implemented, the EF produces the actual V&V results. After a quality assessment (e.g. for errors, reliability, and strength), these results can be used as the items of evidence in the right part of the goal–claim network. These items of evidence support the arguments that underpin the acceptability claims. An acceptability claim states whether a related acceptability criterion has been met or not. Acceptability claims provide the arguments for assessing whether or to what extent the M&S system and its results are acceptable for the intended use. This assessment results in an acceptance claim inside the VV&A goal–claim network.

Ideally, the goal–network is built in a top‐down manner and the claim network in a bottom‐up manner, as indicated by the rectangular arrows in Figure 8.6. However, in practice, the total VV&A goal–claim network is built iteratively as indicated by the circular arrows. The VV&A goal–claim network as such encapsulates, manages, and consolidates all underlying evidence and argumentation necessary for developing an appropriate and defensible acceptance recommendation.

In addition to the goal–claim network in providing a V&V framework, the GM‐VV (Roza et al. 2013) can also be constructed to preserve the attributes, or meta‐properties, used for system evaluation. Meta‐properties are used to assess the level of confidence with which the utility, validity, and correctness have been assessed, i.e. the convincing force of the evidence for these three properties. Meta‐properties typically include aspects such as completeness, consistency, independence, uncertainty, and relevance (Figure 8.7).

Figure 8.7 expands on the type of analysis possible, once a standard, reusable foundation for simulation (e.g. DEVS formalism) is relied upon for developing the representative component and system models (Table 8.5).

Table 8.5 provides some basic M&S definitions extensible to describing cyber systems. Additional work on quantifying the uncertainty (Grange and Deiotte 2015) in representations holds promise for increasing developer understanding on “how good” a model‐based simulation platform is for a particular cyber evaluation task.

1. 1 Where do requirements fit into the constructing of a cyber model?
2. 2 How is abstraction, from real world to model, usually accomplished?
3. 3 What is the difference between a base and lumped model?
4. 4 When is a cyber model verified?
5. 5 What are the main issues in validating a cyber model?
6. 6 What does an Experimental Frame (EF) provide the cyber modeler to facilitate V&V efforts?
7. 7 Why is a goal–claim network a good approach for documenting model validity?