This paper presents a threat-driven quantitative mathematical framework for secure cyber-physical system design
and assessment. Called The Three Tenets, this originally empirical approach has been used by the US Air Force
Research Laboratory (AFRL) for secure system research and development. The Tenets were first documented
in 2005 as a teachable methodology. The Tenets are motivated by a system threat model that itself consists of
three elements which must exist for successful attacks to occur:
– system susceptibility;
– threat accessibility; and
– threat capability.
The Three Tenets arise naturally by countering each threat element individually. Specifically, the tenets are:
Tenet 1: Focus on What’s Critical - systems should include only essential functions (to reduce susceptibility);
Tenet 2: Move Key Assets Out-of-Band - make mission essential elements and security controls difficult
for attackers to reach logically and physically (to reduce accessibility);
Tenet 3: Detect, React, Adapt - confound the attacker by implementing sensing system elements with
dynamic response technologies (to counteract the attackers’ capabilities).
As a design methodology, the Tenets mitigate reverse engineering and subsequent attacks on complex systems.
Quantified by a Bayesian analysis and further justified by analytic properties of attack graph models, the Tenets
suggest concrete cyber security metrics for system assessment.