By William D. Bryant and Robert E. Ball


  • Learning Objective 8 — Describe a Cyber Survivability Enhancement Feature (CSEF)
  • Learning Objective 9 — Describe How to Develop CSEFs for a Particular Aircraft Cyber System


In Part 1 of this series, we introduced the cyber weapon as a new category of antiaircraft weapons that can attack and “kill” aircraft in flight in the same functional manner as kinetic energy (KE) guns and guided missiles attack, damage, and kill aircraft [1]. In addition, we proposed that the fundamentals of the existing Aircraft Combat Survivability (ACS) discipline, developed for the KE antiaircraft weapons, be used to develop a new survivability discipline for the cyber weapon, with the designation of Aircraft Cyber Combat Survivability (ACCS). In Part 2, we showed how cyber weapons function in the sequenced ACS probabilistic kill chain (PKC), resulting in the analogous ACCS PKC [2]. Part 3 then presented the 12 broad categories of cyber survivability enhancement concepts (CSECs), analogous to the KE survivability enhancement concepts (SECs), that can be used to reduce the probability of a successful cyber attack [3].

In this fourth and final part of the development of the fundamentals of ACCS, we turn to describing the methodology for developing specific cyber survivability enhancement features (CSEFs) for an aircraft in development that is based upon the analogous methodology for developing specific aircraft survivability enhancement features (SEFs) for KE antiaircraft weapons. This methodology can then be used by aircraft developers and designers to develop combat cost-effective CSEFs that will make our aircraft more survivable when under attack from cyber weapons [4].

The definitions of the terms SEC and SEF for both ACS and ACCS (given in Table 1, Part 3 [3]) and the 12 SECs for both ACS and ACCS (given in Table 2, Part 3 [3]) are repeated here for completeness (see Tables 1 and 2). These tables are followed first by the methodology for developing the SEFs for the KE weapons and second by the analogous methodology for developing the SEFs for the cyber weapons.

Finally, the general Applied Information Economics (AIE) approach of using probability distributions (not single values) for each event or outcome probability in conjunction with the iterative Monte Carlo method is used here on the PKC to determine the probability distribution of PK, the probability that the aircraft is killed [5]. This more realistic approach to random outcomes mitigates some of the problems associated with the traditional single-value PKCs for both the ACS and ACCS threats described in Part 2. The AIE approach is used to demonstrate how to develop the PK probability distribution with one specific SEF not included, and then included, in an aircraft’s design for both the KE and the cyber antiaircraft weapons. These PK distributions for an aircraft can then be used in any pertinent iterative computer campaign trade study program that includes a random variable for the aircraft’s PK to determine the distribution of the number of aircraft that would be killed in a campaign both with and without SEFs.


Our aircraft have been contending with KE antiaircraft weapons for more than 100 years now. As a consequence, hundreds—if not thousands—of SEFs have been developed for individual aircraft in the past. In our ACS discipline, starting in the late 1970s, we developed a formal methodology that can be used to develop the SEFs for aircraft threatened by KE weapons. This methodology can also be used in our ACCS discipline to develop CSEFs for cyber weapons. The following text briefly describes this methodology for KE antiaircraft weapons.

In general, the survivability of an aircraft threatened by KE weapons can be enhanced or increased by (1) a good design that does not cause significant weight, cost, or performance impacts; (2) the addition of extra elements to the design that do involve weight, cost, or performance impacts; and (3) the proper use of the aircraft. Any particular characteristic of an aircraft, specific piece of equipment, design technique, armament, or use that reduces either the susceptibility PH (the probability the aircraft is hit by one or more warhead damage mechanisms) or the vulnerability PK|H (the probability the aircraft is killed given one or more warhead damage mechanism hits on the aircraft) has the potential for increasing the aircraft’s survivability PS and is thus referred to as an SEF [4].

Figure 1, which is derived from Ball (2003), is a representation of the one-on-one KE PKC presented in Part 2, with a number of SEFs or concepts located within each phase of the PKC that the feature is designed to affect [4]. Every SEF, or SEC, in Figure 1 is intended to reduce the applicable right-branch probability of a successful outcome or event (from the perspective of the enemy air defense), and therefore increases the likelihood that the outcome of each of the sequential phases will branch to the left, and the aircraft will survive the attack.

Figure 1. ACS PKC With SEFs [4].

Each of the SEFs listed in Figure 1 is an example of one of the 12 SECs. Each SEF either:

(1) reduces the aircraft’s susceptibility, or likelihood the aircraft is hit by one or more warhead damage mechanisms (e.g., ballistic penetrators and HE warhead blast and fragments), by reducing the likelihood that one or more of the first five essential events in the KE weapon kill chain (weapon active, target detected, missile launched, target intercepted, and target hit by one or more of the missile warhead damage mechanisms) are successfully completed; or

(2) reduces the aircraft’s vulnerability by enhancing the aircraft’s ability to withstand one or more unavoidable damage mechanism hits.

First, consider the susceptibility reduction SEFs shown in Figure 1. Avoiding the man-made hostile threat environment can be achieved by suppressing or destroying the enemy air defense elements (Threat Suppression); by the use of low-signature aircraft that cannot be detected in sufficient time to engage our aircraft (Signature Control); by the use of stand-off weapons that allow our nonstealthy aircraft to launch long-range, precision-guided weapons, thus avoiding engagements with enemy weapons (Offensive Weapons); and by ejecting infrared (IR) flares from our aircraft that can prevent a launched IR missile from intercepting our aircraft by appearing as a more attractive target to the missile (Expendables).

In the end, the important point here is that every susceptibility reduction feature listed in Figure 1 is an example of one of the six susceptibility reduction concepts (SRCs); is specifically intended to reduce the conditional probability of occurrence of one or more of the five essential events in the susceptibility phase of the ACS PKC, as indicated in Figure 1; and thus reduces the aircraft’s susceptibility measure, PH.

(For more detail on the three major tasks in a susceptibility program—namely, identifying the essential elements and events [what makes an aircraft susceptible?], performing a susceptibility assessment [how susceptible is the aircraft?], and designing for low susceptibility using susceptibility reduction technology [what can be done about it?]—the interested reader is referred to chapter 4 of Ball (2003) [4].)

Now consider the vulnerability phase of the PKC shown in Figure 1. Aircraft vulnerability, or the inability of the aircraft to “withstand one or more unavoidable damage mechanism hits” (i.e., to withstand the man-made hostile environment), is reduced by preventing a kill of one or more of the aircraft’s critical components when the aircraft is hit by one or more damage mechanisms. An aircraft’s critical components are those components whose kill, loss, or degradation in capability, either individually (known as a nonredundant critical component) or jointly with other components (referred to as redundant critical components), results in the loss of either a flight-essential function (lift, thrust, control, and structural integrity) or a mission-essential function (any component whose proper functioning is essential for continued mission prosecution) when the aircraft is hit.

(Note: The inability of a component to provide the function it was designed to provide because of hits by one or more damage mechanisms on the aircraft is referred to variously as a component dysfunction, malfunction, damage, failure, loss, or kill, depending upon the type of analysis being performed and the performing organization.)

Examples of nonredundant critical components are a single pilot (loss of control), a single engine (loss of thrust), and a wing fuel tank that explodes when hit, causing the loss of a wing (loss of lift, control, and structural integrity). Examples of redundant critical components for an attrition kill are a pilot and copilot, both engines on a two-engine aircraft, and an electrically powered flight control system with multiple electrical power sources.

Every critical component on an aircraft has one or more possible component kill modes that could occur when an aircraft is hit. In general, a critical component can be killed either directly by a direct hit on the component by one or more warhead damage mechanisms that causes physical damage to the component or indirectly by the physical consequences of secondary damage mechanisms, such as the radiated heat from an onboard fire or the blast from a fuel tank explosion. An indirect kill without physical damage could also occur when an essential input to the component such as electrical power is lost directly due to a hit on the aircraft’s electrical power system (or indirectly due to a hit-caused fire affecting the electrical power system). System kill modes refer to the ways that flight- or mission-essential functions provided by systems or subsystems can be lost when one or more critical components are killed.

Examples of a system kill mode are the loss of sufficient thrust that occurs when both engines are killed and the loss of control that occurs when all sources of electrical power to flight control surfaces are lost.

(Note that more detail on critical component kill modes, with all of their ramifications, can be found on pp. 621–631 of Ball (2003) [4].) In the end, the measure of an aircraft’s vulnerability, PK|H, can be reduced when the aircraft is designed using SEFs that reduce the probability that one or more critical component, or critical system, kill modes occur when an aircraft is hit by one or more warhead damage mechanisms.

For example, the fire/explosion protection SEF shown in Figure 1 is an example of the Passive and Active Damage Suppression vulnerability reduction concept (VRC), in which fires or explosions are either prevented passively or the physical and functional effects of the fire or explosion are suppressed. The “more than one engine, separated” SEF is an example of the Component and System Redundancy (with Effective Separation) VRC, and the “no fuel adjacent to air inlets” SEF is an example of the Component Location VRC.

In this brief summary of the methodology for developing SEFs for the KE weapons, aircraft susceptibility, PH, is reduced by incorporating both design and operational SEFs that are intended to reduce the probability that one or more of the first five essential events in the ACS PKC occur; and PK|H is reduced by incorporating design SEFs that are intended to reduce the likelihood that one or more critical component, or critical system, kill modes occur when the aircraft is hit by one or more warhead damage mechanisms.

(For more detail on the three major tasks in a vulnerability program—namely, identifying the critical components and their kill modes [what makes the aircraft vulnerable?], performing a vulnerability assessment [how vulnerable is the aircraft?], and designing for low vulnerability using vulnerability reduction technology [what can be done about it?]—the interested reader is referred to chapter 5 of Ball (2003) [4].)


The process of developing cyber weapon CSEFs is fundamentally the same as it is for developing KE SEFs. Accordingly, Figure 2 is a representation of the one-on-one cyber PKC presented in Part 2, with a number of CSEFs or CSECs located within each phase of the PKC that the feature is designed to affect. Every CSEF or CSEC in Figure 2 is intended to reduce the applicable right-branch probability of a successful outcome or event (from the perspective of the enemy air defense), and therefore increases the likelihood that the outcome of each of the sequential phases will branch to the left, and hence the aircraft will survive the attack.

Figure 2. ACCS PKC with CSEFs.

Cyber susceptibility can be reduced by developing CSEFs that reduce the probability that one or more of the first five essential events in the ACCS kill chain described in Part 2 occurs. Cyber vulnerability is reduced by developing CSEFs that reduce the probability that one or more critical component malfunction modes occur after an aircraft is hit and one or more malfunction mechanisms associated with the cyber warhead are implanted and triggered. For explanations of how the various CSECs and CSEFs listed in Figure 2 function, refer to Part 3 of the ACCS development [3]. The ACCS SEFs shown in Figure 2 track closely with the ACS SEFs shown in Figure 1, but there are some areas where the differences between KE and cyber weapons drive some changes.


Listing all of the SEFs that can reduce the probability at each link in the PKC is a useful exercise, but it does not help an engineer select between different SEFs or determine which ones will yield the greatest increase in survivability relative to the dollar cost or the operational capability degraded. Every program is going to have limited resources at some point; thus, it is important for designers to be able to optimize their designs for the maximum increase in survivability available within their budgets, both in terms of dollars and mission performance. For example, is the increase in survivability achieved using explosion suppression reticulated foam in the ullage of an aircraft’s fuel tanks “worth” the relatively “small” reduction in range or time on station due to the fuel displaced by the foam? Only a dedicated study can answer that question.

The procedure used in the ACS discipline at the time of the appearance of Ball (2003) [4] to determine those specific SEFs that should be included in the design of the aircraft to enhance the combat cost effectiveness of the aircraft as a weapon system consisted of (1) the assessment of the aircraft’s survivability in the predicted threat environment to determine the combat survivability measure PS (the probability the aircraft survives an encounter with a KE weapon or a mission) and (2) the conduct of operational effectiveness and survivability trade studies to determine those SEFs that increase the combat cost effectiveness of the aircraft as a weapon system. (This is not an easy task.)

Use of the PKC, with its six probabilities shown in Figure 1, to determine first PK (the probability the aircraft is killed in an encounter with a KE weapon or is forced to abort the mission) and then PS, is tempting but ultimately unsatisfactory. A major problem with using the PKC approach to assess, or quantify, an aircraft’s survivability is the fact that so much of combat is random and any prediction of a single accurate value for PS using the product of the six conditional outcome probabilities shown in Figure 1 can be highly questionable due to so many assumptions that have to be made and so many inherent dependencies throughout the kill chain. For example, consider the outcome probability PK|H in Figure 1 that the aircraft is killed (mission or permanent) given a hit on the aircraft by a particular weapon warhead (e.g., a 12.7-mm armor-piercing incendiary [API] projectile).

The next question after the identification of the threat warhead with its damage mechanisms is where the hit occurred on the aircraft. The PK|H value depends upon where the aircraft is hit; and the aircraft could be hit anywhere, from any direction, and at a range of velocities. These facts are difficult to account for in the PKC because the pertinent outcome probability in the chain that affects the PK is the probability the aircraft is killed given a hit, with no conditions specified on the hit scenario. So, in essence, the individual outcome probabilities in the PKC are treated as independent of the details associated with the other outcome probabilities (e.g., a hit occurs; we just don’t know where it occurred). As long as the hit takes place, the chain remains unbroken.

(Note that a detailed computerized modeling and simulation [M&S] of the physics and actions of the attack scenario, with or without randomness included, could determine where the aircraft is predicted to be hit and the conditions at the time of the hit. However, if we knew where it was hit and the hit conditions, we would need to know the particular value for the PK|H for that location under those conditions, which significantly increases the complexity and size of the assessment and the pertinent database.)

As a consequence of this “single value for every probability” problem for each link in the PKC for the KE weapons, and for the cyber weapons as well, we introduced in Part 2 a statistical procedure for determining not a single value for PS for an attack or a mission but rather a distribution for PS values. This approach—known as the AIE approach—is applicable to both types of weapons. The AIE approach applied here for the KE weapons uses the PKC’s sequence of six outcome probabilities, one for each link in the kill chain shown in Figure 1. Each of the six outcome probabilities is then assigned a probability distribution or density function, such as the normal distribution or the uniform distribution, with a mean and an estimated 90% confidence interval (90CI) around the mean. The 90CIs could be estimated by subject-matter experts (SMEs) in ACS for the KE weapons and by the SMEs in ACCS for the cyber weapons.

So, instead of inputting that the single probability an adversary will detect an aircraft in a particular scenario is 0.70, a normal probability distribution could be assumed with a mean of 70% and a 90CI that would be 50% to 90%. This ensures that not only is the mean probability value captured, but a measurement of its uncertainty is captured as well. A probability that is based on extensive physical testing and historical experience should have a relatively narrow 90CI, while one that has significant uncertainty based only on one SME’s experience with minimal testing and historical experience would be expected to have a much wider 90CI. The knowledgeable SME, with resources, might base his/her 90CI estimate on the possible hit conditions, such as the probable hit direction and location, if known. Finally, the assigned probability distributions for each of the six outcome probabilities are then “multiplied” together using the Monte Carlo iterative approach with thousands of iterations. The final result is a distribution for the values of PK.

The 90CI distribution for each vector shown in the PKCs illustrated in Figures 1 and 2 cannot be simply multiplied as point probability values are, to determine a single value for PK; but the process of multiplying a sequence of probability distributions can be accomplished using a process called a Monte Carlo simulation.

First, an assumption is made about the shape of the probability distribution of the data. The shape of the distribution depends on the nature of the underlying data, and it can take any number of different shapes. For the calculations in this simple example, a normal distribution is assumed, but a normal distribution will not always be the correct choice; power law, triangular, or even more general distributions may more accurately model the underlying probabilities.

Next, a point value is pulled or drawn from each assumed distribution in accordance with the probability distribution of that link in the chain. In a normal distribution, a point near the mean is much more likely to be selected by the draw than a point far out on the “tail.” The values drawn from each of the six outcome probabilities for this iteration are then multiplied, and the resulting single PK value for this sample draw is recorded. That procedure is repeated thousands of times.

Finally, each of the thousands of numerical results for PK is then located in one of a number of discrete bins or increments along a horizontal axis from 0% to 100%, where each increment is, say, 1% wide. The number of draw results in each increment forms a final probability distribution that is the product combination of the six input 90CI distributions.

This resulting distribution will have a mean value, a standard deviation, and a 90CI. Larger uncertainties and greater divergence will give a distribution with a wide 90CI; smaller uncertainties and scores that are closer together will give narrower 90CIs. If there are several SME estimates of the 90CI for any one, or more, of the outcome probabilities, they can be combined by using another Monte Carlo random process. This Monte Carlo selects random points from each SME’s distribution in accordance with the probabilities and then takes an average across all of them and repeats that process many thousands of times to create a new combined probability distribution.

To illustrate this new process of measuring the survivability associated with a particular SEF, we use one of the current aircraft survivability features: explosion suppression reticulated foam inserted in the ullage of aircraft fuel tanks to reduce the chance of an explosion inside of the tank. The aircraft being designed or updated in this example is a generic multirole fighter that currently does not have explosion suppression features in its fuel tanks. The threat weapon is a small surface-to-air missile (SAM) with a contact-fuzed high-explosive (HE) warhead. Note that for this particular SEF, the only outcome probability in the PKC that will change due to the presence of the foam is the PK|H. For purposes of illustration, PK|H was reduced from 75% to 55%.

The probabilities developed throughout this example are not reflective of any particular aircraft and were created using round numbers purely to illustrate the process and avoid any possible classification issues. The normal probability distribution has been assumed for each of the outcome probabilities in our example. Ten thousand iterations were chosen for the Monte Carlo method. The results for our baseline example of a generic multirole fighter without any fuel tank foam are shown in Figure 3; and the results when there is foam in the fuel tanks are shown in Figure 4.

Figure 3. Notional Probability That a Generic Multirole Fighter Will Be Killed by a Generic SAM Without Fire Suppression Features in Its Fuel Tanks.

Figure 4. Notional Probability That a Generic Multirole Fighter Will Be Killed by a Generic SAM With Explosion Suppression Foam in Its Fuel Tanks.

Note in Figure 3 that the product of the six individual outcome probability means in the input data = PK = (0.975*0.70*0.70*0.60*0.70*0.75) = 0.1505 and that the single AIE distribution mean generated by the Monte Carlo method = 0.1518. The slight difference indicates that the two probabilities have not converged yet due to the relatively small number of iterations. Furthermore, note the skewed lean of the PK distribution in Figure 3 toward the lower value. Also note that the probability distribution the aircraft survives the mission, PS = 1 – PK, is given in the figure in terms of the 90CI upper and lower values, the standard deviation, and the mean values.

Examining the results of the foam trade study given in Figures 3 (without the SEF) and 4 (with the SEF), we can conclude that if we send 100 aircraft on this particular mission, and if we use the mean probabilities of PK = 0.152 without foam and PK = 0.109 with foam, we would expect to lose 100*0.152 = 15.2 unprotected aircraft (and possibly the 15.2 pilots) and only 100*0.109 = 10.9 protected aircraft (and possibly the 10.9 pilots), for a net savings of 4.3 aircraft (and possibly 4.3 pilots) due to the foam.
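The Monte Carlo procedure and foam trade study described above can be reproduced in a few lines; the following is an added example, not the authors' model. The link names follow the order of the essential events listed earlier, and the 90CI bounds, random seeds, helper names, and the choice to redraw out-of-range values (a truncated normal) are assumptions made for illustration.

```python
import random
import statistics

Z90 = 1.645  # a normal 90CI spans mean +/- 1.645 standard deviations

# (link, mean, 90CI low, 90CI high). Means are the article's notional values in
# kill-chain order; the 90CI bounds are CONSTRUCTED, except 0.50-0.90 for
# detection, which is the article's own illustration.
BASELINE = [
    ("weapon active",      0.975, 0.95, 1.00),
    ("target detected",    0.70,  0.50, 0.90),
    ("missile launched",   0.70,  0.55, 0.85),
    ("target intercepted", 0.60,  0.45, 0.75),
    ("target hit",         0.70,  0.55, 0.85),
    ("killed given hit",   0.75,  0.60, 0.90),
]


def with_sef(links, name, mean, lo, hi):
    """Return a copy of the chain with one link rescored for an SEF."""
    return [(n, mean, lo, hi) if n == name else (n, m, l, h)
            for n, m, l, h in links]


def draw(mean, lo, hi, rng):
    """Draw one probability from the link's normal distribution.

    Draws outside [0, 1] are rejected and redrawn, since a probability
    cannot leave that range (a truncated normal).
    """
    sigma = (hi - lo) / (2 * Z90)
    while True:
        p = rng.gauss(mean, sigma)
        if 0.0 <= p <= 1.0:
            return p


def simulate(links, iterations=10_000, seed=1):
    """Multiply one draw per link, repeated `iterations` times."""
    rng = random.Random(seed)
    pks = []
    for _ in range(iterations):
        pk = 1.0
        for _name, mean, lo, hi in links:
            pk *= draw(mean, lo, hi, rng)
        pks.append(pk)
    return pks


def summarize(pks):
    """Mean, standard deviation and empirical 90CI of the PK samples."""
    ordered = sorted(pks)
    n = len(ordered)
    return {
        "mean": statistics.fmean(ordered),
        "stdev": statistics.stdev(ordered),
        "ci90": (ordered[int(0.05 * n)], ordered[int(0.95 * n) - 1]),
    }


def histogram(pks, width=0.01):
    """Count samples per bin along the 0-100% axis (1% bins by default)."""
    bins = [0] * round(1 / width)
    for pk in pks:
        bins[min(int(pk / width), len(bins) - 1)] += 1
    return bins


def combine_smes(estimates, iterations=10_000, seed=2):
    """Merge several SMEs' (mean, low, high) estimates for one link.

    Each iteration draws once from every SME's distribution and averages the
    draws; the averaged samples form the combined distribution.
    """
    rng = random.Random(seed)
    return [statistics.fmean(draw(m, lo, hi, rng) for m, lo, hi in estimates)
            for _ in range(iterations)]


if __name__ == "__main__":
    foam = with_sef(BASELINE, "killed given hit", 0.55, 0.40, 0.70)
    for label, chain in (("no foam", BASELINE), ("foam", foam)):
        s = summarize(simulate(chain))
        print(f"{label:8s} mean PK={s['mean']:.3f} stdev={s['stdev']:.3f} "
              f"90CI=({s['ci90'][0]:.3f}, {s['ci90'][1]:.3f})")
    # Two constructed SME opinions on PK|H, merged into one distribution.
    merged = summarize(combine_smes([(0.75, 0.60, 0.90), (0.65, 0.40, 0.90)]))
    print(f"combined SME PK|H mean={merged['mean']:.3f}")
```

Widening any link's 90CI widens the 90CI of the resulting PK distribution, which is the uncertainty a single-value chain cannot show.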

In general, a reduced PK, with the accompanying reduction in aircraft and pilot losses in combat, does not yet tell senior decision-makers enough for them to make an informed decision on whether or not adding a particular SEF contributes to the combat cost effectiveness of the aircraft. Note that, as is the case with many survivability features, there may be a dollar and a performance or operational effectiveness cost associated with the SEF. For the fuel tank foam, there is the cost of purchasing, installing, and maintaining the foam, as well as the loss in range and time on station due to the fuel displaced by the foam.

To determine the overall increase in the combat cost effectiveness associated with the SEF, an understanding of how the addition of a particular SEF will affect operational results—such as aircraft killed (and possibly the pilots) and targets killed—at the campaign level is needed. Fortunately, a number of campaign-level M&S tools—such as the Advanced Framework for Simulation, Integration and Modeling (AFSIMS)—are available, allowing for a simulation of an overall campaign with one set of assumptions (e.g., no foam in the fuel tanks of multirole fighter X) to be run and then run again with an updated set of assumptions (e.g., foam in the fuel tanks) to compare the results. (If the M&S program has the capability to consider random variables, such as the PK, the AIE approach described here can be used.) If fewer of our aircraft are shot down due to a reduced PK, that can also translate into more targets hit later as those pilots and aircraft are still available. Negative effects, such as reduced range, can also be modeled. The results of campaign-level simulations on campaigns relevant to the aircraft under consideration give decision-makers a clearer understanding of the expected costs and benefits of various SEFs under consideration and allow them to compare their expected cost in money and performance with their expected benefits in saved aircraft and their flight crews. (We want to remind the reader here that for every aircraft killed in combat, there is a good chance that we will also lose the pilot. This is an important consideration that must be taken into account when evaluating the costs and benefits associated with the SEFs.)

The aforementioned analysis can then be repeated for various potential SEFs, and then the final part of the trade study process is to determine what set of SEFs within available budget optimizes survivability. Three less expensive SEFs may be more effective than one expensive SEF or vice versa, and this problem can be effectively analyzed using a “knapsack algorithm” that determines the optimal cost-benefit combination of various sets of SEFs at various budget levels. For an excellent discussion of this process, see pp. 323–326 of Saydjari (2018) [6].


To illustrate the process of using M&S to select CSEFs, we give another example similar to the kinetic SEF example given previously. In this cyber weapon example, we use the same generic multirole fighter as before, but we examine its survivability against a generic cyber weapon intended to access the internal avionics on the aircraft and cause either an attrition kill (the aircraft is physically destroyed) or a mission kill (the aircraft has to terminate the mission but can return to fight another day). Obviously, attrition kills are more significant to the defender; and attacks that could lead to them, such as those that could cause significant malfunctions in engines or flight controls, should in most cases be prioritized by defenders.

High levels of uncertainty in the probabilities in the ACCS kill chain can highlight areas where more analysis and measurement can have great value. For example, if the uncertainty of PI|L (or the probability that the weapon warhead’s malfunction mechanism is successfully implanted) is wide, further decomposing the probability using attack trees can help the analysis. Attack trees were popularized by Mr. Bruce Schneier, and an excellent introductory-level discussion can be found on pp. 116–127 of Saydjari (2018) [6]. In addition to further analytical decomposition, cybersecurity testing can have great value in reducing uncertainty. For example, if different analysts have divergent ideas on how likely a particular attack is, a test of that particular attack against representative hardware can illustrate how easy, or difficult, the attack actually is and reduce uncertainty. For an introductory discussion of cyber testing of weapon systems, see the recently published article by Bryant and Odom (2020) [7].

For this cyber example, we used a group of expert SMEs involved in developing defenses to cyber weapons to determine reasonable generic 90CIs for the probabilities, but none of these probabilities refers to any particular aircraft or cyber weapon. The inputs from the cyber experts were combined using a Monte Carlo simulation to create a combined distribution. The results of the baseline model can be seen in Figure 5.

Figure 5. Probability That a Generic Multirole Fighter Will Be Killed by a Generic Cyber Weapon Without Cyber Defenses.

It is not surprising that the PK of the cyber weapon is relatively high, since the baseline case assumed minimal defenses, as is common on older legacy aircraft.

To make the first mitigation example comparable to the explosive suppressant foam kinetic case, we modeled a single engineering mitigation that would be designed into the hypothetical multirole fighter for our first example. After consultation with a range of cybersecurity experts, we chose to model adding an Intrusion Detection System (IDS) to the main bus of the aircraft’s avionics as the CSEF. As there is currently no visibility for defenders to see adversary attacks on the notional data bus, the addition of any monitoring was expected to have a significant effect on the probability that the adversary would be able to successfully implant their weapon (PI|L) and minimal to no significant change to the other probabilities. The scoring with the addition of a data bus IDS is given in Figure 6.

Figure 6. Probability That a Generic Multirole Fighter Will Be Killed by a Generic Cyber Weapon With a Data Bus IDS.

Data bus IDS systems are conceptually similar to traditional information technology (IT) IDS systems although they operate in different architectures using different protocols and rule sets. While not yet commonly deployed, they are maturing rapidly, and a number of commercial aviation-focused IDS systems are currently on the market. The mission impact of the increase in survivability given by adding an IDS can be modeled at the campaign level with a modeling system such as AFSIMS in exactly the same way as was discussed previously for foam in the fuel tanks.

For a second mitigation example, the cybersecurity engineers selected their preferred set of mitigations or CSEFs. As they were unconstrained by budget, they selected a robust set of defenses, including the following:

  1. Secured bus communications between avionics components (CSEFs: cryptography, cyber hardening)
  2. A bus monitoring solution looking at both data and physical characteristics of signals across all buses (CSEF: IDS)
  3. A “firewall-like solution” or “crypto data validator” for all data “installs/uploads” to onboard systems (CSEFs: Intrusion Prevention System [IPS], integrity checking)
  4. Critical avionics secured with a hardware root of trust (CSEF: secure root of trust)
  5. Formal verification of critical elements of avionics software, to ensure clean code from vendors (CSEF: formally verified critical code).

All of these defenses and CSEFs exist today and have been implemented in various settings, although some of these defenses would certainly be challenging and expensive to implement on a legacy platform. As shown in Figure 7, with these robust defenses, the rescored PK dropped by 2 orders of magnitude from the baseline case.

If the high cost of implementing such a robust set of defenses was unachievable for a real aircraft program, the program could use the knapsack algorithm discussed previously to determine what subset of these defenses provided the greatest survivability within available budget.
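The budget-constrained selection described above, as an added example that is not the authors' code: a 0/1 knapsack over the five CSEFs in the list. The costs, the baseline, and the PK reduction factors are constructed, and the example assumes each CSEF multiplies PK by an independent factor, so maximizing the sum of -ln(factor) minimizes the combined PK.

```python
import math

# Constructed inputs, not from the article: (name, cost in arbitrary budget
# units, assumed factor by which the CSEF multiplies the aircraft's P_K).
CSEFS = [
    ("secured bus communications", 40, 0.50),
    ("bus monitoring IDS", 15, 0.40),
    ("crypto data validator (IPS)", 25, 0.30),
    ("hardware root of trust", 35, 0.25),
    ("formally verified critical code", 60, 0.20),
]


def select_csefs(csefs, budget):
    """Return (names, cost spent, combined P_K factor) of the best affordable subset."""
    if budget < 0:
        raise ValueError("budget must be non-negative")
    for name, cost, factor in csefs:
        if not (isinstance(cost, int) and cost > 0 and 0.0 < factor <= 1.0):
            raise ValueError(f"bad cost or factor for {name!r}")
    # best[b] = (sum of -ln(factor), chosen indexes) using total cost <= b
    best = [(0.0, ())] * (budget + 1)
    for i, (_, cost, factor) in enumerate(csefs):
        gain = -math.log(factor)  # additive value, because the factors multiply
        # Walk budgets downward so each CSEF is picked at most once (0/1 knapsack)
        for b in range(budget, cost - 1, -1):
            value, chosen = best[b - cost]
            if value + gain > best[b][0]:
                best[b] = (value + gain, chosen + (i,))
    value, chosen = best[budget]
    names = [csefs[i][0] for i in chosen]
    spent = sum(csefs[i][1] for i in chosen)
    return names, spent, math.exp(-value)


if __name__ == "__main__":
    baseline_pk = 0.2  # constructed baseline, for illustration only
    for budget in (30, 75, 175):
        names, spent, factor = select_csefs(CSEFS, budget)
        print(f"budget {budget}: spend {spent}, P_K {baseline_pk * factor:.4f}, {names}")
```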


Over this four-part series of articles, we have shown that the fundamental principles and approach used in the ACS design discipline provide an extremely useful framework for ACCS, though some modifications are needed to account for the different “physics” of cyber vs. kinetic weapons.

In Part 1, we discussed the major elements of a cyber antiaircraft weapon, in terms of the analogous KE weapon elements, and how cyber antiaircraft weapons can kill aircraft. Part 2 provided definitions for the fundamental ACCS terms drawn from kinetic ACS terms, described the ACCS kill chain in terms of the KE weapon kill chain, and explained how probabilities can be used to model that kill chain. In Part 3, we pivoted to CSECs and discussed both the susceptibility and vulnerability reduction concepts that apply to cyber weapons. Finally, in this fourth and final part, we have shown how specific CSEFs can be developed, modeled, and scored to determine which set of specific design features will provide the greatest survivability enhancement within an available budget.

In conclusion, it should be noted that there are two equally wrong ways for combat aircraft designers to think about cyber weapons. The first is to ignore or discount them because we have not yet seen their large-scale use in combat (much like infantry and cavalry officers ignored aircraft just prior to World War I). Conversely, the second wrong way to think about cyber weapons is to place too much emphasis on them and see them as nearly unstoppable. Building aircraft that are so cyber secure that they are not combat cost effective can be the result of this line of thinking—such as with the flying tank aircraft analogy.

Accordingly, the middle road of considering cyber weapons in the same way that we think about guns and guided missiles is, in our opinion, the right way forward. Defenses and survivability enhancements against cyber weapons need to be considered and designed into combat aircraft in the same way that defenses and survivability enhancements against KE threats are, and then balanced against each other. Admittedly, design optimization is always a hard problem, and now we need to add one more performance area that must be balanced with all of the rest to ensure that we build the most capable and most cost-effective combat aircraft possible for our Warfighters.


Dr. William D. “Data” Bryant is a cyberspace defense and risk leader who currently works for Modern Technology Solutions, Incorporated (MTSI). His diverse background in operations, planning, and strategy includes more than 25 years of service in the Air Force, where he was a fighter pilot, planner, and strategist. Dr. Bryant helped create Task Force Cyber Secure and also served as the Air Force Deputy Chief Information Security Officer while developing and successfully implementing numerous proposals and policies to improve the cyber defense of weapon systems. He holds multiple degrees in aeronautical engineering, space systems, military strategy, and organizational management. He has also authored numerous works on various aspects of defending cyber physical systems and cyberspace superiority, including International Conflict and Cyberspace Superiority: Theory and Practice [8].

Dr. Robert E. Ball is a Distinguished Professor Emeritus at the Naval Postgraduate School (NPS), where he has spent more than 33 years teaching ACS, structures, and structural dynamics. He has been the principal developer and presenter of the fundamentals of ACS over the past four decades and is the author of The Fundamentals of Aircraft Combat Survivability Analysis and Design (first and second editions) [4, 9]. In addition, his more than 57 years of experience have included serving as president of two companies (Structural Analytics, Inc., and Aerospace Educational Services, Inc.) and as a consultant to Anamet Labs, the SURVICE Engineering Company, and the Institute for Defense Analyses (IDA). Dr. Ball holds a B.S., M.S., and Ph.D. in structural engineering from Northwestern University.


[1] Bryant, William D., and Robert E. Ball. “Developing the Fundamentals of Aircraft Cyber Combat Survivability: Part 1.” Aircraft Survivability, spring 2020.
[2] Bryant, William D., and Robert E. Ball. “Developing the Fundamentals of Aircraft Cyber Combat Survivability: Part 2.” Aircraft Survivability, summer 2020.
[3] Bryant, William D., and Robert E. Ball. “Developing the Fundamentals of Aircraft Cyber Combat Survivability: Part 3.” Aircraft Survivability, fall 2020.
[4] Ball, Robert E. The Fundamentals of Aircraft Combat Survivability Analysis and Design. Second Edition, American Institute of Aeronautics and Astronautics, 2003.
[5] Hubbard, Douglas W. How to Measure Anything: Finding the Value of “Intangibles” in Business. Third edition, Hoboken, NJ: Wiley, 2014.
[6] Saydjari, O. Sami. Engineering Trustworthy Systems: Get Cybersecurity Design Right the First Time. Amazon: McGraw-Hill Education, 2018.
[7] Bryant, William D., and R. Lane Odom. “Integrating Test Into Secure Systems Engineering Process.” ITEA Journal of Test and Evaluation, volume 41, no. pp. 92–97, 2020.
[8] Bryant, William D. International Conflict and Cyberspace Superiority: Theory and Practice. New York: Routledge, 2015.
[9] Ball, Robert E. The Fundamentals of Aircraft Combat Survivability Analysis and Design. First Edition, American Institute of Aeronautics and Astronautics, 1985.