Policy Issues Regarding Implementations of Cyber Attack Resilience Solutions for Cyber Physical Systems

Transcription

1 The 2018 AAAI Spring Symposium Series Policy Issues Regarding Implementations of Cyber Attack Resilience Solutions for Cyber Physical Systems Barry M. Horowitz Munster Professor of Systems and Information Engineering University of Virginia, Charlottesville, Virginia Abstract The Internet of Things (IoT) is dramatically increasing complexity in cities, commerce and homes. This complexity is increasing the risk to cyber threats. To reduce these risks, resilient cyberphysical systems must be able to respond to different types of disturbances (errors; cyberattacks). Organizational, system and infrastructure security pose new challenges for policy considerations that reduce cyber risks rather than simply reacting to cyberattacks. Indeed, policies must be crafted to require anticipatory responses able to discriminate between anomalies caused by errors and those driven by cyberattackers for malicious purposes that may result in obvious damage (e.g., equipment destruction, injury or death) or subtle control (e.g., Stuxnet). We conclude that anticipatory resilience solutions for cyberphysical systems will require teams of government and commercial organizations to address the consequences of cyberattacks, to detect them and to defend against them. Introduction: Context A resilient cyber physical system is one that maintains state awareness and an accepted level of operational normalcy in response to disturbances, including threats of an unexpected and malicious nature (Rieger et al., 2009). Responding to cyber attacks against cyber physical systems such as automated vehicles, weapon systems, and manufacturing systems requires addressing cyber attack risks that can potentially include consequences such as injuries or death. The difference in the severity of these consequences compared to those of information system cyber attacks brings with it new policy considerations related to cybersecurity. However, as was the case for the integration of information systems through the Internet, unless special attention is paid to this matter early on, security will likely be dominated by responses to actual attacks, Copyright 2018, Association for the Advancement of Artificial Intelligence ( All rights reserved. rather than anticipatory solutions designed to reduce the risks. Over the past seven years, the author has been leading a technology-focused research effort that addresses cyber attack resilience for physical systems (Jones et al., 2012; Jones et al., 2013; Horowitz & Pence, 2013; Bayuk & Horowitz, 2011; Gay et al., 2017; Babineau et al., 2012; Jones et al., 2011; Horowitz, 2016; Horowitz & Lucero, 2017). Unlike cyber attack defense solutions, resilience solutions involve monitoring to detect successful cyber attacks and support for rapid reconfiguration of the attacked system for continued operation with contained consequences. The reconfigurations can include modifications in the roles and procedures for human system operators as well as technology related adjustments. The monitoring sub-system(s), referred to as a Sentinel, for detection of attacks and derivation of potential reconfigurations must be very highly secured to avoid becoming an attractive target for attacks. Note that resilience solutions can serve as a deterrent to attackers since they promise to reduce the highest risk consequences of potential cyber attacks. As an example of cyber attack resiliency, consider an automobile equipped with an automated collision avoidance capability. A variety of cyber attacks have been demonstrated in which an automobile could be automatically directed toward a possible collision with another nearby vehicle. Monitoring the automobile s sensor outputs, control system inputs and outputs, and driver inputs through the acceleration and brake pedals, would provide a basis for recognition of an inconsistency potentially caused by a cyber-attack impacting the control system. However, the control error could also be the result of erroneous sensor inputs. Comparing measurements from a diverse set of sensors would provide a basis for detecting and responding to either a failed or cyber attacked sensor sub-system. Integration of the alternate explanations for the control error provides the opportunity to automatically correct the situation or alternately, provide opportunity for the driver to 128

2 respond. Note that a resilience solution impacts the effectiveness of a variety of possible cyber attacks that would create common symptoms. The technology-focused research effort has included a number of prototyping projects involving protection of currently available, highly automated physical systems that are being cyber-attacked. These prototyping activities have served to demonstrate the importance of, and potential for, cyber attack resiliency solutions. Specific operational prototyping activities have included: 1) a DoD-sponsored effort involving cyber defense of an unmanned air vehicle (UAV) conducting surveillance missions (including inflight evaluations) Miller, 2014a, 2) defending automobiles (including Virginia State Police exercises with unsuspecting policemen driving cyber attacked police cars) (NBC.29, 2015; Higgins, 2015a), and 3) a National Institute of Standards sponsored effort involving the defense of a 3D Printer through the monitoring of its motors, temperature controllers and other physical component controllers, while in the process of printing defective parts due to cyber-attacks on the machine s internal technology components. These real-world cases have served to illuminate a number of important and complex policy issues made visible to government and industry participants involved with the prototype projects. These policy issues are the subjects of this paper. The Need to Address Cybersecurity for Physical Systems Two important, closely related technology trends are occurring simultaneously; however, the two trends are not reinforcing. Trend 1: The integration of technology-based automation capabilities associated with physical systems. This trend includes: Development of autonomous and highly automated vehicles for transportation (air, ground and sea) Development of increasingly-capable 3D printers and robots for manufacturing Use of network-based access to physical systems to enable remote control and/or monitoring (e.g., physical system maintenance plans based upon measured conditions of use, customized patient health care related responses based upon collected information from on-body sensors) Emergent Internet of Things (IoT) opportunities that relate to consumer products, the home, smart cities, etc. Trend 2: The increasing recognition of the potential risks related to cyber attacks on physical systems, particularly with regard to human safety, not typically associated with cyber attacks on conventional information systems. While attacks on physical systems have not yet emerged as a high risk, various technology demonstrations have shown the potential threat of these types of attacks. Such demonstrations include the following: Recent automobile attacks (Higgins, 2015b) showing the feasibility of cyber attacks to cause physical harm. Actual high visibility cyber attacks on physical systems, such as the Stuxnet attacks (Falliere et al., 2011) highlighting the potential for other attacks of this kind. The Stuxnet attacks impacted a large number of Iranian nuclear reactors, serving as a warning that industrial computer-controlled physical systems are vulnerable to attack. Less publicized attacks on physical systems that have also occurred. For example, a German government security report indicated that an unnamed steel plant suffered an attack that impacted its blast furnace, causing significant damage (CART, 2013). To-date, the cybersecurity engineering community has principally been focused on information systems, an area where the risks are different and the technical factors regarding cyber defense pose significantly different challenges. Historic Patterns for Addressing Cybersecurity While cybersecurity experts point to the fact that anticipatory design of cybersecurity features into systems provides a pathway for achieving better security, historically most solutions have been add-ons to systems in response to actual attacks (Miller, 2014b). The reasons for this are economic. When new innovations are in their early development phase (such as autonomous vehicles), designers are consumed with achieving a working system, and security is treated as something that will follow. When the innovation is ready to bring to market, concern about the cost impacts of security on the new products prices further delays security implementation. When the new products are selling, but significant attacks have yet to occur, there is no pressing demand to anticipate attacks. When attacks start occurring, and there are already large numbers of existing systems in use, responsive patching becomes the de facto solution. For existing information systems, the major consequences of cyber attacks have been financial in nature or related to privacy. Should human safety become a primary risk of cyber-attacks in the future, new societal patterns may emerge that demand stronger anticipatory solutions. Anticipatory solutions must be designed not only on the basis of prior attacks, but also based upon predictions of what cyber attackers might target in the future and how they might implement these attacks. Prediction of attacker behavior is quite complex, requiring considerations such 129

3 as: 1) historic attacks, 2) attacker motivations; 3) attack complexity and corresponding attacker skill requirements; 4) costs of design and implementation; 5) risks of attacks failing; and 6) risks of getting caught. This situation is exacerbated by the need for competitors to share information (e.g., historic attack information) in order to have a more complete basis for making predictions and to provide the opportunity to derive a common framework for considering solutions that are related to a domain of similar products. Furthermore, for physical systems classes that include rapidly changing automation features, predictions can be unstable (e.g., the increasing rate for adding new automation features in automobiles points to the need for annual reconsideration of potential cyber attacks and the corresponding defenses). This situation is further complicated by the fact that it would be difficult to measure the success of resilience solutions serving to deter attacks, since deterrence is not directly observable. For all of these reasons, one can expect that managing the design of anticipatory defenses would be quite difficult. Furthermore, should successful, high-visibility cyber-attacks occur, confidence in anticipatory solutions serving as a deterrent would likely suffer, thereby resulting in reconsiderations regarding their effectiveness. In the event that more emphasis is placed on implementing anticipatory solutions to cyber-attacks, questions arise regarding the roles of industry and government in deciding on specific resilience requirements. With its superior knowledge of physical system design details and potential means of exploiting those details, industry is in a much stronger position than government to address the selection of anticipatory solutions. On the other hand, with its access to information regarding actual cyber-attacks, along with our country s history of relying on government for implementing safety measures, government does possess some advantages. This suggests a shared role, but a variety of cybersecurity-specific complications, discussed below, emerge when dividing accountabilities. To demonstrate policy issues regarding the anticipation of cyber-attacks, we return to the automobile collision avoidance system scenario described in the initial section of this article. Note that this automobile example is pertinent to other classes of physical systems. Assume that a collision event were to actually occur as a result of the earlier-described cyber attack. Members of the law enforcement community would be the principal investigators as to cause, but they would have no basis for determining the cause as being a cyber attack. Doing so would likely require access to a portion of the stored data from the involved automobiles onboard systems. Depending on the specific manufacturers and models of the involved automobiles, the data required to identify the cause as a cyber attack would likely vary from vehicle to vehicle. Due to these variations, the costs associated with necessary field tools and officer training would be driven up. This may suggest standardization as a needed solution, but the standardization of pertinent data implies corresponding commonalities in the designs of automation features, which creates issues related to competition. To further complicate matters, the cybersecurity community recognizes risks associated with monoculture solutions ; i.e., common designs are vulnerable to common cyber attacks, enabling undesirable reuse opportunities by those who employ or sell software that accomplishes cyber attacks. In addition, the automobile companies and individual drivers may be reticent to provide such data (e.g., Intellectual Property protection reasons, and privacy reasons unrelated to the incident). This very complex set of circumstances will require significant attention and government and industry collaboration. Yet without evidence that cyber attacks on automobiles are actually occurring, it would take very strong leadership to push through measures allowing law enforcement to address cyber attacks on automobiles in an anticipatory manner. Recognizing the natural desire to avoid costs associated with anticipating cybersecurity, perhaps historical roles in safety regulation can provide a starting point for government involvement. Historically, with certain exceptions, safety analyses have not considered cyber attacks as a safety issue. The trend of advancing highly automated physical systems into general use raises the issue of whether or not the safety communities (government and industry) should start to address this intersection. In doing so, it becomes necessary to understand and account for the relationships between the systems at risk and other interconnected and interrelated systems that can be a pathway for generating a cyber attack. If one starts down this path, some new and complex issues arise. Mission-Based Cybersecurity In this section, an integrated set of interconnected systems combined mission is considered as the point of departure regarding anticipation of cyber attacks. The technologyfocused research efforts that the author has been engaged with have addressed a number of illuminating scenarios. For example, as part of addressing UAV cybersecurity solutions, a variety of potential cyber attacks were considered as potential concerns that call for defensive capabilities. For illustration purposes, consider cyber attacks aimed at modifying a UAV s flight path, adversely impacting its ability to carry out its safety-related surveillance mission (e.g., monitoring an oil or gas pipeline). Such an attack could, for example, accompany a physical attack on the pipeline. One way for an attacker to accomplish this outcome is to modify mission-related waypoints that have been entered into the navigation system on board the aircraft. One possible solution addresses a cyber-attack in which the ground-based portion of the UAV system is utilized by the attacker to automatically send surveillancedisrupting changes to the navigation waypoints loaded on 130

4 board the aircraft. These changes would cause the aircraft to be routed in a manner that prevents gathering of the critical information the mission was intended to collect. A potential solution could involve monitoring the aircraft s navigation system and the pilot s data entry system (e.g., key stroke monitoring). If, when a change in waypoint is detected on the aircraft, there is no corresponding pilot data input, then a cyber attack is a possible cause. In response, the aircraft could transmit information to designated personnel who could then take actions to confirm and address the cyber attack possibility. This example highlights the fact that certain attack detections require coordinating information retrieved from multiple subsystems at different locations. If one considers air traffic control systems, a parallel set of circumstances can occur involving groundbased subsystems (e.g., surveillance, communications, navigation, air traffic controller support systems) and corresponding airborne subsystems. Implementation of solutions would require decisions regarding the perceived level of risk, solution costs, the allocation of costs to subsystems, and decisions regarding the sources for paying for the solutions. Furthermore, for certain attacks that can create the same outcomes through different points of insertion, our technology-focused research efforts have shown that the ease of attack on one subsystem can be very different from that of another subsystem, providing opportunities to address the minimization of total costs when dealing with high priority targets. However, lowering total costs can bring with it controversial cost allocation issues, requiring policies that manage such situations. As stated earlier, without prior data that provides evidence that relevant cyber attacks are actually occurring, it will very take strong leadership to address the issues of anticipating safetyrelated outcomes and cost allocation for implementation of solutions. Education of Engineers and Policy-Makers The discussions presented above do not address what may be the most critical issue in implementing cybersecurity for physical systems, namely the education of both our engineering and policy-making communities. Teams that include mechanical, electrical, and system engineers design physical systems. Engineering schools do not integrate computer security courses into the individual curriculums of these engineering disciplines. As a result, there are a very limited number of physical system design engineers who have the requisite knowledge to design systems that better account for cybersecurity considerations. Furthermore, educators in these areas of engineering have no historic basis for engaging in the cybersecurity-related aspects of their fields. As a result, our colleges and universities need to consider this emergent need and develop crossdepartment programs that are responsive to this new, important requirement. Development of new programs can be influenced by a strong calling from industry to the education system, including providing financial support for development of new integrated programs, student internships, and professional education programs that support their current workforce. Similar to the issues discussed earlier, it will take strong industry leadership to support such programs without prior data providing evidence that cyberattacks on physical systems are occurring. A similar situation faces the policy-making community. As part of structuring resilience-related prototyping efforts, researchers have to address project-specific safety issues associated with conducting experiments. This requirement calls for interactions with a variety of policy organizations. Based on such interactions, it became clear to the author that the imagination of policy-makers with regards to what cyber-attacks could potentially accomplish far exceeded reality. Furthermore, discussions surrounding particular cyber-attacks and their consequences, as well as the solutions to be evaluated, made clear that the requisite technology-related knowledge became an issue in deriving safety controls. Interestingly, in some cases, the policy outcomes could have been unnecessarily conservative and in others, not conservative enough. Another important finding was that that the policy community found that the security community was greatly steeped in specialized technical jargon, providing a barrier to beneficial discussions regarding solutions and policies. Of course, addressing this particular issue would require an education element for both policy-makers and cybersecurity engineers who engage in policy matters. Perhaps a side issue, but one that could greatly influence matters, is that the demonstrations of cyber attacks on physical systems and their impacts can be interpreted as a consequence of the manufacturers or industrial users of those physical systems not being sufficiently sensitive to cybersecurity/safety-related outcomes in their product and system designs. As a result, in carrying out projects, the issue arises regarding reporting on the cybersecurity risks of current systems and the undue reputation impact it could have on the companies whose systems are being used for experimentation. It is not generally understood that the risks are emergent, and that the nature of these findings would be expected across all current software-controlled physical systems that have safety-related outcome potentials. A need exists to address this topic, including defining professional behavior for engineers regarding reporting on the results of their work involving current commercial systems and cyber-attacks and its relationship to the related companies reputations. The author of this article has recently served as a Commissioner for Cybersecurity for the Commonwealth of Virginia, which, with strong support from the Governor, has been engaged in strategy development regarding cy- 131

5 bersecurity (CoV, 2015). The 11-person Cybersecurity Commission for Virginia, working with Virginia s Cabinet members, has made strong recommendations regarding education programs, and the state has developed budgets to start addressing this need. This state-level initiative is the type of anticipatory action that will be required in order to be prepared should the cyber-attack risks for physical systems materialize. Cybersecurity Role and Certification of the Operators of Physical Systems An important aspect of the defense of physical systems from cyber-attacks is that immediate systemreconfiguration responses to attack detections (including what can be very expensive system shut-downs) may be necessary in order to provide the desired level of safety. This calls for doctrine regarding immediate responses. Doctrine must include: 1) the allocation of decisionmaking and response control roles to specified personnel, 2) selection criteria for, and training of those people, 3) exercising for preparedness, and 4) addressing the possibilities of unanticipated confusion regarding operator judgments related to the possibilities of missed or incorrect attack detections (including zero-day attacks). Part of the author s research on physical system defense included human involvement in cyber attack scenarios. In the UAV case, a desktop simulation environment was used to gain an initial understanding of operator responses to a monitoring system that detects cyber attacks and provides suggested responses to the UAV pilots. In the State Police case, a controlled exercise was conducted, involving unsuspecting policemen being dispatched, and their cars being attacked and failing to operate properly. The results of these activities highlighted the point that the doctrinal processes to be developed must recognize the fact that cyber attacks on physical systems are an area where people do not and will not have practical experience to rely upon. Furthermore, since attacks are very unlikely to occur, responses may stray from what operators are trained for. The research efforts showed that operators, based on their past experiences, can usually imagine other causes for observed consequences of a cyber attack and, as a result, may not be as responsive to automated decision support as expected. Consider the case in which a Sentinel detects a cyberattack that consists of an improper digital control message preventing a car from operating properly. From the operator s perspective there can be many different causes for the car not operating properly (e.g. failed battery), and these are typically causes they have previously experienced. Consequently, under the immediate pressure of needing to take decisive action, the operator may be more likely to assume these causes of failure, rather than a never experienced cyber-attack. Research results showed that even when an operator accepts a Sentinel s input as being correct, uncertainty remains regarding the possibility for additional elements of the cyber-attack having yet to emerge. This element of uncertainty is escalated when there are high consequences associated with an operator s decisions, and the operator s accountability for those decisions can impact behavior, including asking for access to cybersecurity experts before making a critical decision. Of course, such calls for help can potentially delay decision-making to an undesirable degree. As a result of these scenarios actually emerging during our research experiments, a significant effort has been initiated to better understand human behavior in uncertain circumstances that are likely to exist in scenarios regarding cyber-attacks on physical systems. From a policy vantage point, research efforts are needed to address questions regarding selection, certification and readiness training requirements for operators of physical systems for which cyber-attacks could have serious consequences. Data Curation Data curation can be defined as the active and ongoing management of data through its lifecycle of interest and usefulness. If one assumes that a critical step in vigorously addressing cybersecurity for physical systems is the need for early evidence that cyber-attacks are actually occurring, significant issues emerge regarding curation of the data that would provide the needed evidence. Based on the automobile-focused State Police project referred to above, an important next step would be the development of accepted policies and processes regarding the collection, storage, security, sharing, analysis, and supplementation of data. For example, consider the case of distribution of specific data that were to be collected at the scene of an automobile incident and, based upon analysis, indicated a possible cyber-attack. Recognizing the international manufacturing base for automobiles and the international sales of automobiles, information would need to be shared across the world. It would be important that worldwide law enforcement agencies, national governments engaged in addressing automobile cybersecurity, automobile companies, and numerous others gain access to that data. As a result, international curation policies and processes would be called for. Organizations such as INTERPOL could potentially play a key role in creating the needed international orientation. Market Incentives In February 2014, the National Institute of Standards and Technology (NIST) released Version 1 of White House Executive Order Cybersecurity Framework, an initial structure for organizations, government and customers to use in considering comprehensive cybersecurity programs (WH, 2013). In April 2015, a NIST presentation 132

6 provided a status report on the evolving framework (NIST, 2015). The framework broadly addresses the specific needs that are discussed above, but without the required specificity to illuminate the complexity associated with anticipatory physical system solutions. Past efforts to establish market incentives for improved information system cybersecurity illustrate the consequences of inaction, and also demonstrate the uncertainties and difficulties surrounding anticipatory actions. The example provided by information systems highlights the importance of initiating early data collection efforts so that incidents can be assessed for potential cyber attacks and confirmed attacks can be documented. With this evidence in hand, it will be easier to evaluate next step responses, and incentives for anticipatory forms of cybersecurity will be increased. As emphasized above, it will be difficult to motivate anticipatory solutions without confirmation that attacks on physical systems are actually occurring. The National Highway Safety Traffic System (NHTSA), through guidance that they are providing for improving automobile-related cybersecurity, has taken encouraging steps to anticipate some of the needs addressed above (USDOT, 2016). A potential sequence of events is that data collection starts early and provides incontrovertible evidence of attacks on physical systems, which then drives the development of the needed government, industry and consumer relationships which underpin market incentives for investment in anticipatory cybersecurity. As suggested above, attacks on physical systems generally pose a much greater risk to human safety than attacks on information systems. Therefore, it may be easier to motivate firms and policymakers to invest in physical system security, since potential consequences are so severe. The development of data curation processes that could promote the involvement of appropriate government, industry and consumer groups appears to be a critical early step towards achieving market incentives. Conclusions and Recommendations This article emphasizes the point that due to the risk of injuries and deaths associated with cyber-attacks on physical systems, anticipatory cybersecurity solutions are likely to be desired; potentially much more so than has been the case for information system cybersecurity. In addition, a number of examples have been provided that illuminate both the complexity of addressing anticipation and the difficulties associated with selecting and applying the most critical solutions. This complexity includes recognizing the impacts of subsystem interconnections in critical systems, such as air traffic control systems. It has been suggested that managing the implementation of anticipatory solutions will require teams of government and industrial organizations, both to address the consequences of attacks and to design systems for detecting and responding to attacks. The examples highlight the fact that this is an international issue, involving government as well as the relevant industries. The examples also demonstrate that standardization solutions have to consider their monoculture implications in addition to the normal factors that relate to standardization. In order to make progress, our education system needs to prioritize addressing cybersecurity across a broader set of education programs than is currently the practice. Additionally, it appears likely that evidence of actual cyber attacks on physical systems will be a necessary precursor for anticipatory solutions; due to the associated costs, it is unlikely that self-motivation will be sufficient to drive investment in cybersecurity for physical systems. The creation of market incentives for investment in cybersecurity for physical systems will require the engagement of government, industry and consumer organizations. Since they are first on the scene for incidents of the kind being addressed here, the law enforcement community would seemingly be a logical choice for collecting the needed data. Consequently, the first step in post-event data analysis is equipping law enforcement officers with applicable equipment, so that they can identify events caused by cyber attacks. It is also suggested that industry members engage with the law enforcement community to determine data requirements necessary to identify a cyber attack. Once a number of instances are documented, the policy responses suggested above will likely increase in priority. Hopefully, with appropriate engagement of consumer groups, anticipatory solutions will arise. In order for a rapid response to be possible, an early emphasis must be placed on supporting relevant research and education. An interesting side note related to this paper is that technology-focused, system prototype experiments served to create early interactions between technologists and policymakers that illuminated a number of important issues related to policy. It would appear that prototype-based projects that serve to couple government and industry would be a valuable method for accelerating the partnerships necessary to identifying and addressing critical policy issues. A preliminary strategy would include identifying safetyrelated domains that demand the rapid integration of fast changing technologies into their physical systems. This article provides examples related to advanced air traffic control and automated automotive systems. Acknowledgments This material is based upon work supported, in whole or in part, by the U.S. Department of Defense through the Systems Engineering Research Center under Contracts HQ D The SERC is a federally funded University Affiliated Research Center managed by Stevens Institute of Technology, Hoboken, NJ, USA. Any opinions, findings, and conclusions or recommendations expressed 133

7 in this material are those of the authors and do not necessarily reflect the views of the U.S. Department of Defense. References Babineau, G. L., Jones, R. A. and Horowitz, B. M. (2012), A system-aware cyber security method for shipboard control systems with a method described to evaluate cyber security solutions, 2012 IEEE International Conference on Technologies for Homeland Security (HST). Bayuk, J. L. and Horowitz, B. M. (2011), An architectural systems engineering methodology for addressing cyber security, Systems Engineering 14: Commonwealth of Virginia (CoV) (2015, August), Cyber Security Commission, Threats and Opportunities. Cyber Security Research Alliance (CART) (2013, April), Designed-in Cyber Security for Cyber-Physical Systems, Workshop Report. Falliere, N., Murchu, L. O. and Chien, E. (2011), W32.Stuxnet Dossier, Symantec. Gay, C. Horowitz, B. Bobko, P., Elshaw, J. & Kim, I. (2017), Operator Suspicion and Decision Responses to Cyber-Attacks on Unmanned Ground Vehicle Systems, HFES 2017 International Annual Meeting, Austin, TX Higgins, Kelly Jackson, (2015a, September), State Trooper Vehicles Hacked, Dark Reading. Higgins, Kelly Jackson (2015b, July), Car Hacking Shifts into High Gear Dark Reading. Horowitz, B.M. (2016, April), AFCEA SIGNAL Cybersecurity for Unmanned Aerial Vehicle Missions, pp Horowtiz, B.M. and Pierce, K.M. (2013), The integration of diversely redundant designs, dynamic system models, and state estimation technology to the cyber security of physical systems, Systems Engineering, 16(4): Horowitz, B.M., Scott Lucero, D. (2017, September), System- Aware Cybersecurity: A Systems Engineering Approach for Enhancing Cybersecurity, INCOSE INSIGHT, /inst Jones, R.A., Nguyen, T.V. and Horowitz, B.M. (2011), System- Aware security for nuclear power systems, 2011 IEEE International Conference on Technologies for Homeland Security (HST), pp Jones, R. A. Luckett, B., Beling, P. & Horowitz, B.M. (2013). Architectural Scoring Framework for the Creation and Evaluation of System-Aware Cyber Security Solutions, Journal of Environmental Systems and Decisions 33(3): Jones, R. A., and Horowitz, B. M. (2012). System-Aware Cyber Security Architecture. Systems Engineering, February Kovacs, Eduard (2014, December), Cyberattack on German Steel Plant Caused Significant Damage:Report, Security Week Miller, Patrick C., (2014a, December), University of Virginia research protects UAS from cyber-attackers, UAS Magazine. Miller, Patrick C. (2014b, December), Dual Knowledge for UAS Cybersecurity, UAS Magazine. NBC29.com (2015, October), Va. CyberSecurity Research Working to Protect First Responders, Press Release from the Office of Governor Terry McAuliffe NIST presentation (2015, April), Framework for Improving Critical Infrastructure Cybersecurity Implementation of Executive Order Rieger, C. Gertman, D. & McQueen, M. (2009, May), Resilient Control Systems: Next Generation Design Research, International Conference on Human System Interaction. The White House (WH) (2013, February), Executive Order Improving Critical Infrastructure Cybersecurity. US DOT (2016) Vissues Federal guidance to the automotive industry for improving motor vehicle security, 134