How Do Feds Use and Secure Cyber-Physical Systems?

CPS can be extremely valuable in a variety of fields, but are also difficult to secure since many were not built with cybersecurity in mind.

The Internet of Things brings technology to the physical world, instrumenting objects and locations with sensors that collect data that can then be analyzed. But what about physical systems that are already built with sensors and computing inside of them?

Those are known as cyber-physical systems, or CPS. They are, according to the National Science Foundation, "engineered systems that are built from, and depend upon, the seamless integration of computational algorithms and physical components." CPS, as they evolve, "will enable capability, adaptability, scalability, resiliency, safety, security and usability that will far exceed the simple embedded systems of today," according to an NSF proposal for CPS research grants.

While the NSF and other federal agencies see great value and potential in CPS to transform a variety of industries, the systems also pose a security concern. That's because many of them were not designed with cybersecurity in mind, so security protections must be retrofitted into them or designed in future versions of the systems.

SIGN UP: Get more news from the FedTech newsletter in your inbox every two weeks!

What Are Cyber-Physical Systems?

Cyber-physical systems "are co-engineered interacting networks of physical and computational components," according to the National Institute of Standards and Technology.

The Homeland Security Department's Science and Technology Directorate notes on its website that automobiles, medical devices, building controls and smart grid systems are examples of CPS.

"Each includes smart networked systems with embedded sensors, processors and actuators that sense and interact with the physical world and support real-time, guaranteed performance in safety-critical applications," DHS says.

The government sees great potential in CPS. "New smart CPS will drive innovation and competition in sectors such as agriculture, energy, transportation, building design and automation, healthcare, and manufacturing," the NSF proposal states.

DHS notes that CPS can enable forward-collision prevention capabilities of a car or allow a medical device to adapt to circumstances around it in real time. CPS "are a source of competitive advantage in today's innovation economy and provide vast opportunities for DHS and Homeland Security Enterprise missions," the department notes.

While significant progress has been made in advancing CPS technology, and the NSF has explored foundational technologies that have spanned an ever-growing set of application domains related to CPS, more work needs to be done. "At the same time, the demand for innovation in these domains continues to grow, and is driving the need to accelerate fundamental research to keep pace," the NSF says.

How Feds Use Cyber-Physical Systems

Several agencies are using or have experimented with CPS. At least as far back as 2012, NASA's Ames Research Center started exploring CPS.

The research center, in a 2012 post on its website, notes that it established the Cyber-Physical Systems Modeling and Analysis (CPSMA) Initiative to "focus on propulsion, autonomy and life support, including key products and applications, technical approaches, mechanisms and facilities."

The key elements of the initiative are the unique capabilities of the research center "in biological technologies, synthetic biology, physics-based and data-based modeling, prognostics and system health management, and supercomputing."

The Defense Advanced Research Projects Agency, the Defense Department's research arm, is using CPS to test autonomous vehicles, GCN reports. DARPA wants to use machine learning techniques to make unmanned systems in its Assured Autonomy program safer and smarter over time.

Cyber-Physical Systems Pose Cybersecurity Challenges

DHS, like NSF, is funding research into cyber-physical systems. However, as DHS acknowledges, CPS and IoT "increase cybersecurity risks and attack surfaces." That poses challenges for CIOs and CISOs looking to deploy CPS in their agencies.

"The consequences of unintentional faults or malicious attacks could have severe impact on human lives and the environment," DHS says. "Proactive and coordinated efforts are needed to strengthen security and reliance for CPS and IoT."

Just as with many IoT devices, security is often an afterthought with CPS, DHS says, and the private sector is driven by functional requirements and fast-moving markets. The consequences for making CPS secure from the start could be significant, according to DHS. "Many devices now being deployed have life spans measured in decades, so current design choices will impact the next several decades in the transportation, healthcare, building controls, emergency response, energy and other sectors," the agency notes.

Jerry Davis, CIO at NASA Ames, echoes these sentiments in an interview with Federal News Radio. "They were not originally designed with security in mind," Davis says of CPS. "They were designed for functionality and for their ability to do real-time processing and create actuation on some physical process. It's just now we're getting around to the point that we're finding that security is absolute paramount to a good order and keeping critical infrastructure running."

That poses a challenge not only to safety in areas such as aviation and transportation, but to physical systems more broadly, Davis says, since "a device that is compromised becomes exacerbated — when you connect them to the internet, you connect them onto a physical network."

Davis thinks CIOs and CISOs are not adequately preparing for the security risks CPS poses.

"Cyber-physical systems incorporate some level of commoditized IT, but it's very highly specialized outside of that," he says to Federal News Radio. "So, the skill sets you need to design security schemes around that is very different than what we have today."

chombosan/Getty Images
Jan 24 2018