No connected system is ever going to be both useful and absolutely impenetrable, and no single defence of that system can guarantee impenetrability. It therefore makes sense to protect it in proportion to the level of risk involved if it were to be compromised, and that means applying multiple levels of security so that if one level fails, others are standing guard – a “defence in depth” approach. Secure application code represents just one component in such a strategy.
Across the sectors, the rise of connectivity and the need to systematically implement correspondingly secure systems have been a challenge. The established approach of developing and refining process standards over many years that has proved so successful in achieving functional safety is only partially suited to the world of security, not least because of the ever-changing nature of security threats. It is much easier to protect the world from a system than it is to protect a system from the world.
That said, the wise words offered by the likes of DefStan 05-138, NIST SP 800-171 and ISO/IEC 27001:2013 are potentially applicable to securing the systems of the digital battlefield. In particular, the globally renowned aerospace standards of the ‘DO’ family include DO-326A, which might lend itself admirably to the circumstances, given its consideration of the implications of security for certification.