Charles River Analytics, Inc. SBIR Phase I Award, June 2018

While the resilience of Navy systems to cyber attacks is critically important, cybersecurity is still frequently bolted-on to deployed systems and is rarely built-in during the early design stages. Bolted-on security is costly and not as effective as building it in from the start. Current approaches for assessing security during the design stage tend to be manual, which is slow, expensive, and can also lead to conflicting recommendations. Tools in this space often provide qualitative results and struggle with a lack of detailed information that is often not available during the system design stage. Cybersecurity Assessment and Risk Enumeration for Systems (CARES) will provide a means for modeling systems during the early design stages. It will use systemic functional grammars to provide an expressive, scalable enumeration of the entire attack space. It will automatically produce a quantitative list of security vulnerabilities for the target system and provide a list of consistent recommendations for remediating the vulnerabilities, while taking into account the other needs of the system and designers, such as performance and cost.