
Continual assurance at ultra large-scale

How to reason, to requisite levels of accuracy and at an appropriate pace, about the security state at runtime to provide continuity of oversight and trust, when several elements may be partially trusted, under attack, vulnerable or compromised?

For well-structured systems (e.g., control systems, database/transactional systems) with clearly specified security requirements on a) interactions and dependencies across sub-systems, services and components, and b) the expected threats, research has developed a variety of sophisticated capabilities to monitor and analyse their security posture and to assert (with varying levels of confidence and accuracy) the requisite levels of security assurance. This is not the case for globally interconnected, open-ended, networked, heterogeneous environments, where complete awareness of all dependencies and knowledge of all operational paths is not viable. The problem becomes even more challenging in an ultra-large-scale environment where secure and insecure, trusted and untrusted, and reliable and unreliable elements coexist.

For instance, in complex and dynamically interconnected systems, the consequent lack of a) complete and stable system and security specifications, including the threats, and b) complete and stable dependency and interface specifications makes the provision of continual assurance a challenge. Such systems are typically heterogeneous couplings of structured, unstructured, synchronous and asynchronous elements and services. This precludes the single system model invariably assumed in state-of-the-practice and state-of-the-art approaches.