The Cyber Security Research Alliance (CSRA) and the National Institute of Standards and Technology (NIST) joined forces recently for a two-day workshop, where they discussed vulnerabilities and potential solutions for critical cyber-physical systems.
The result of the workshop was a 60-page report — Designed-In Cyber Security for Cyber-Physical Systems — which defines cyber-physical systems as "industrial controls, data communications, and other IT systems that support critical infrastructure operations such as utilities and communications." Many people rely on these systems for everyday needs like energy and water, making them attractive targets for hackers.
"Cyber-physical systems can and will be found in such diverse industries as aerospace, automotive, energy, healthcare, manufacturing, infrastructure, consumer electronics, and communications," says Chuck Romine, Director of NIST's Information Technology Laboratory, in a press release.
FedTech caught up with CSRA president Lee Holcomb and AMD security architect Ron Perez to discuss the report's findings and recommendations.
FedTech: What are the key findings in the CSRA report?
Holcomb: There are a dozen or so findings in the report, but there are three that we have latched on to and want to pursue with more research. First, we need to find out what technological solutions exist to address the security of cyber-physical systems. Second, we want to investigate practical perspectives on evaluating roots of trust. Lastly, we want to create a taxonomy of terms and relationships with respect to roots of trust in cyber-physical systems. How can we analytically design roots of trust in hardware and software associated with these systems?
FedTech: Is open-source technology the key to balancing cost-savings with the highest security?
Holcomb: Open-source technology has proven to be an attractive avenue. If you look at the history of some open-source projects, like Linux, the security is enhanced by a worldwide developer community that can respond to vulnerabilities quickly. Often, the clock does not stop, since contributors are located around the world.
The ecosystem around open-source software has proven to be a powerful one. Is open-source versus propriety software more secure or less secure? It really depends on the design of the software in the first place. One of the things we are trying to do with this study is understand the methodologies in software design that breed trust.
It's really about quality. What we need is software that is tested and trusted.
Perez: Open-source software isn't automatically better or worse than propriety software. Something we've found in the cyber-physical systems space is that there are sometimes very few security experts for a given piece of commercial software. That is one reason that leveraging the open-source community could be an advantage for cyber-physical systems. The key is: Can we leverage the wider community to build high-quality software in these niche markets for specific-use cases?
FedTech: How does the Internet of Things affect the cyber-physical world?
Holcomb: The Internet of Things creates a lot more attack paths. In the past, cyber-physical systems have operated independently of the web, but we're finding that people want to connect their systems to the Internet. I used to joke with Vint Cerf that one day there would be IP addresses for lightbulbs, and that's the direction we're heading. The Internet of Things, theoretically, could place a lot of our systems on the web, opening up new avenues for attacks.
Perez: The Internet of Things is nothing new, it's a realization and an embracement of a trend that's been happening for some time. We are connecting things to the Internet that have never needed security before, and a class of vulnerabilities is surfacing. The Internet of Things is the realization of the value of connectivity and the resulting data, be it to an electric grid or a transportation system. What's happening is that we are connecting devices, and therefore systems, that weren't designed to be connected to a network.
FedTech: How do we futureproof cyber-physical systems?
Holcomb: That's the objective of this report. How do we architect systems so that we can isolate threats? How can we prove, mathematically or otherwise, that we are designing software securely? In the cyber-physical space and the Internet of Things, that means digging into the design of high-end methodologies. We spent a lot of effort building the F-35 to be secure. It's America's most advanced fighter plane, and we'd like to take some of the methodologies used on advanced systems like this and apply them to consumer products.
FedTech: What's next?
Perez: If you look at the ten recommendations, none of them seem earth-shattering. The real value of this workshop is that it brought together a diverse group of people from government, academia and industry. Getting these stakeholders together is the fastest way to set priorities and make real progress towards more secure cyber-physical systems. Now we have a list of priorities that all stakeholders can agree on and act on.