Policy Issues Regarding Implementations of Cyber Attack Resilience Solutions for Cyber Physical Systems

The 2018 AAAI Spring Symposium Series

Barry M. Horowitz
Munster Professor of Systems and Information Engineering
University of Virginia, Charlottesville, Virginia 22904
bh8e@virginia.edu

Copyright 2018, Association for the Advancement of Artificial Intelligence (www.aaai.org). All rights reserved.

Abstract

The Internet of Things (IoT) is dramatically increasing complexity in cities, commerce and homes. This complexity is increasing the risk from cyber threats. To reduce these risks, resilient cyber physical systems must be able to respond to different types of disturbances (errors; cyber attacks). Organizational, system and infrastructure security pose new challenges for policy considerations that reduce cyber risks rather than simply reacting to cyber attacks. Indeed, policies must be crafted to require anticipatory responses able to discriminate between anomalies caused by errors and those driven by cyber attackers for malicious purposes that may result in obvious damage (e.g., equipment destruction, injury or death) or subtle control (e.g., Stuxnet). We conclude that anticipatory resilience solutions for cyber physical systems will require teams of government and commercial organizations to address the consequences of cyber attacks, to detect them and to defend against them.

Introduction: Context

A resilient cyber physical system is one that maintains state awareness and an accepted level of operational normalcy in response to disturbances, including threats of an unexpected and malicious nature (Rieger et al., 2009). Responding to cyber attacks against cyber physical systems such as automated vehicles, weapon systems, and manufacturing systems requires addressing cyber attack risks that can potentially include consequences such as injuries or death. The difference in the severity of these consequences compared to those of information system cyber attacks brings with it new policy considerations related to cybersecurity. However, as was the case for the integration of information systems through the Internet, unless special attention is paid to this matter early on, security will likely be dominated by responses to actual attacks rather than by anticipatory solutions designed to reduce the risks.

Over the past seven years, the author has been leading a technology-focused research effort that addresses cyber attack resilience for physical systems (Jones et al., 2012; Jones et al., 2013; Horowitz & Pence, 2013; Bayuk & Horowitz, 2011; Gay et al., 2017; Babineau et al., 2012; Jones et al., 2011; Horowitz, 2016; Horowitz & Lucero, 2017). Unlike cyber attack defense solutions, resilience solutions involve monitoring to detect successful cyber attacks and support for rapid reconfiguration of the attacked system for continued operation with contained consequences. The reconfigurations can include modifications in the roles and procedures for human system operators as well as technology-related adjustments. The monitoring sub-system(s), referred to as a Sentinel, for detection of attacks and derivation of potential reconfigurations must be very highly secured to avoid becoming an attractive target for attacks. Note that resilience solutions can serve as a deterrent to attackers since they promise to reduce the highest risk consequences of potential cyber attacks.

As an example of cyber attack resiliency, consider an automobile equipped with an automated collision avoidance capability. A variety of cyber attacks have been demonstrated in which an automobile could be automatically directed toward a possible collision with another nearby vehicle. Monitoring the automobile's sensor outputs, control system inputs and outputs, and driver inputs through the acceleration and brake pedals would provide a basis for recognition of an inconsistency potentially caused by a cyber attack impacting the control system. However, the control error could also be the result of erroneous sensor inputs. Comparing measurements from a diverse set of sensors would provide a basis for detecting and responding to either a failed or cyber attacked sensor sub-system. Integration of the alternate explanations for the control error provides the opportunity to automatically correct the situation or, alternately, provide the opportunity for the driver to respond. Note that a resilience solution impacts the effectiveness of a variety of possible cyber attacks that would create common symptoms.

The technology-focused research effort has included a number of prototyping projects involving protection of currently available, highly automated physical systems that are being cyber attacked. These prototyping activities have served to demonstrate the importance of, and potential for, cyber attack resiliency solutions. Specific operational prototyping activities have included: 1) a DoD-sponsored effort involving cyber defense of an unmanned air vehicle (UAV) conducting surveillance missions, including in-flight evaluations (Miller, 2014a); 2) defending automobiles, including Virginia State Police exercises with unsuspecting policemen driving cyber attacked police cars (NBC.29, 2015; Higgins, 2015a); and 3) a National Institute of Standards sponsored effort involving the defense of a 3D printer through the monitoring of its motors, temperature controllers and other physical component controllers, while in the process of printing defective parts due to cyber attacks on the machine's internal technology components. These real-world cases have served to illuminate a number of important and complex policy issues made visible to government and industry participants involved with the prototype projects. These policy issues are the subjects of this paper.

The Need to Address Cybersecurity for Physical Systems

Two important, closely related technology trends are occurring simultaneously; however, the two trends are not reinforcing.

Trend 1: The integration of technology-based automation capabilities associated with physical systems. This trend includes:
- Development of autonomous and highly automated vehicles for transportation (air, ground and sea)
- Development of increasingly capable 3D printers and robots for manufacturing
- Use of network-based access to physical systems to enable remote control and/or monitoring (e.g., physical system maintenance plans based upon measured conditions of use, customized patient health care related responses based upon collected information from on-body sensors)
- Emergent Internet of Things (IoT) opportunities that relate to consumer products, the home, smart cities, etc.

Trend 2: The increasing recognition of the potential risks related to cyber attacks on physical systems, particularly with regard to human safety, not typically associated with cyber attacks on conventional information systems. While attacks on physical systems have not yet emerged as a high risk, various technology demonstrations have shown the potential threat of these types of attacks. Such demonstrations include the following:
- Recent automobile attacks (Higgins, 2015b) showing the feasibility of cyber attacks to cause physical harm.
- Actual high visibility cyber attacks on physical systems, such as the Stuxnet attacks (Falliere et al., 2011), highlighting the potential for other attacks of this kind. The Stuxnet attacks impacted a large number of Iranian nuclear reactors, serving as a warning that industrial computer-controlled physical systems are vulnerable to attack.
- Less publicized attacks on physical systems that have also occurred. For example, a German government security report indicated that an unnamed steel plant suffered an attack that impacted its blast furnace, causing significant damage (CART, 2013).

To date, the cybersecurity engineering community has principally been focused on information systems, an area where the risks are different and the technical factors regarding cyber defense pose significantly different challenges.

Historic Patterns for Addressing Cybersecurity

While cybersecurity experts point to the fact that anticipatory design of cybersecurity features into systems provides a pathway for achieving better security, historically most solutions have been add-ons to systems in response to actual attacks (Miller, 2014b). The reasons for this are economic. When new innovations are in their early development phase (such as autonomous vehicles), designers are consumed with achieving a working system, and security is treated as something that will follow. When the innovation is ready to bring to market, concern about the cost impacts of security on the new products' prices further delays security implementation. When the new products are selling, but significant attacks have yet to occur, there is no pressing demand to anticipate attacks. When attacks start occurring, and there are already large numbers of existing systems in use, responsive patching becomes the de facto solution. For existing information systems, the major consequences of cyber attacks have been financial in nature or related to privacy. Should human safety become a primary risk of cyber attacks in the future, new societal patterns may emerge that demand stronger anticipatory solutions.

Anticipatory solutions must be designed not only on the basis of prior attacks, but also based upon predictions of what cyber attackers might target in the future and how they might implement these attacks. Prediction of attacker behavior is quite complex, requiring considerations such as: 1) historic attacks; 2) attacker motivations; 3) attack complexity and corresponding attacker skill requirements; 4) costs of design and implementation; 5) risks of attacks failing; and 6) risks of getting caught. This situation is exacerbated by the need for competitors to share information (e.g., historic attack information) in order to have a more complete basis for making predictions and to provide the opportunity to derive a common framework for considering solutions that are related to a domain of similar products. Furthermore, for physical system classes that include rapidly changing automation features, predictions can be unstable (e.g., the increasing rate for adding new automation features in automobiles points to the need for annual reconsideration of potential cyber attacks and the corresponding defenses). This situation is further complicated by the fact that it would be difficult to measure the success of resilience solutions serving to deter attacks, since deterrence is not directly observable. For all of these reasons, one can expect that managing the design of anticipatory defenses would be quite difficult. Furthermore, should successful, high-visibility cyber attacks occur, confidence in anticipatory solutions serving as a deterrent would likely suffer, thereby resulting in reconsiderations regarding their effectiveness.

In the event that more emphasis is placed on implementing anticipatory solutions to cyber attacks, questions arise regarding the roles of industry and government in deciding on specific resilience requirements. With its superior knowledge of physical system design details and potential means of exploiting those details, industry is in a much stronger position than government to address the selection of anticipatory solutions. On the other hand, with its access to information regarding actual cyber attacks, along with our country's history of relying on government for implementing safety measures, government does possess some advantages. This suggests a shared role, but a variety of cybersecurity-specific complications, discussed below, emerge when dividing accountabilities.

To demonstrate policy issues regarding the anticipation of cyber attacks, we return to the automobile collision avoidance system scenario described in the initial section of this article. Note that this automobile example is pertinent to other classes of physical systems. Assume that a collision event were to actually occur as a result of the earlier-described cyber attack. Members of the law enforcement community would be the principal investigators as to cause, but they would have no basis for determining the cause as being a cyber attack. Doing so would likely require access to a portion of the stored data from the involved automobiles' onboard systems. Depending on the specific manufacturers and models of the involved automobiles, the data required to identify the cause as a cyber attack would likely vary from vehicle to vehicle. Due to these variations, the costs associated with necessary field tools and officer training would be driven up. This may suggest standardization as a needed solution, but the standardization of pertinent data implies corresponding commonalities in the designs of automation features, which creates issues related to competition. To further complicate matters, the cybersecurity community recognizes risks associated with "monoculture solutions"; i.e., common designs are vulnerable to common cyber attacks, enabling undesirable reuse opportunities by those who employ or sell software that accomplishes cyber attacks. In addition, the automobile companies and individual drivers may be reticent to provide such data (e.g., for Intellectual Property protection reasons, and for privacy reasons unrelated to the incident). This very complex set of circumstances will require significant attention and government and industry collaboration. Yet without evidence that cyber attacks on automobiles are actually occurring, it would take very strong leadership to push through measures allowing law enforcement to address cyber attacks on automobiles in an anticipatory manner.

Recognizing the natural desire to avoid costs associated with anticipating cybersecurity, perhaps historical roles in safety regulation can provide a starting point for government involvement. Historically, with certain exceptions, safety analyses have not considered cyber attacks as a safety issue. The trend of advancing highly automated physical systems into general use raises the issue of whether or not the safety communities (government and industry) should start to address this intersection. In doing so, it becomes necessary to understand and account for the relationships between the systems at risk and other interconnected and interrelated systems that can be a pathway for generating a cyber attack. If one starts down this path, some new and complex issues arise.

Mission-Based Cybersecurity

In this section, an integrated set of interconnected systems' combined mission is considered as the point of departure regarding anticipation of cyber attacks. The technology-focused research efforts that the author has been engaged with have addressed a number of illuminating scenarios. For example, as part of addressing UAV cybersecurity solutions, a variety of potential cyber attacks were considered as potential concerns that call for defensive capabilities. For illustration purposes, consider cyber attacks aimed at modifying a UAV's flight path, adversely impacting its ability to carry out its safety-related surveillance mission (e.g., monitoring an oil or gas pipeline). Such an attack could, for example, accompany a physical attack on the pipeline. One way for an attacker to accomplish this outcome is to modify mission-related waypoints that have been entered into the navigation system on board the aircraft. One possible solution addresses a cyber attack in which the ground-based portion of the UAV system is utilized by the attacker to automatically send surveillance-disrupting changes to the navigation waypoints loaded on board the aircraft. These changes would cause the aircraft to be routed in a manner that prevents gathering of the critical information the mission was intended to collect. A potential solution could involve monitoring the aircraft's navigation system and the pilot's data entry system (e.g., keystroke monitoring). If, when a change in waypoint is detected on the aircraft, there is no corresponding pilot data input, then a cyber attack is a possible cause. In response, the aircraft could transmit information to designated personnel who could then take actions to confirm and address the cyber attack possibility.

This example highlights the fact that certain attack detections require coordinating information retrieved from multiple subsystems at different locations. If one considers air traffic control systems, a parallel set of circumstances can occur involving ground-based subsystems (e.g., surveillance, communications, navigation, air traffic controller support systems) and corresponding airborne subsystems. Implementation of solutions would require decisions regarding the perceived level of risk, solution costs, the allocation of costs to subsystems, and decisions regarding the sources for paying for the solutions. Furthermore, for certain attacks that can create the same outcomes through different points of insertion, our technology-focused research efforts have shown that the ease of attack on one subsystem can be very different from that of another subsystem, providing opportunities to address the minimization of total costs when dealing with high priority targets. However, lowering total costs can bring with it controversial cost allocation issues, requiring policies that manage such situations. As stated earlier, without prior data that provides evidence that relevant cyber attacks are actually occurring, it will take very strong leadership to address the issues of anticipating safety-related outcomes and cost allocation for implementation of solutions.
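The two Sentinel checks described in this paper, the automobile consistency check from the introduction (diverse sensors compared against the control system's commands and the driver's pedal inputs) and the UAV waypoint-versus-pilot-entry correlation from this section, as an added Python example; it is not code from the paper or from the author's prototypes. The record layouts, tolerance thresholds, time window and all sample frames and waypoint logs are constructed for illustration.

```python
"""Sentinel-style consistency checks for two scenarios from the paper.
Added example; thresholds, record layouts and sample data are constructed."""
from dataclasses import dataclass
from typing import List, Sequence, Tuple

# ---------- Scenario 1: automobile collision avoidance ----------

@dataclass(frozen=True)
class CarFrame:
    """One monitoring sample taken by the Sentinel (constructed layout)."""
    t: float
    gaps_m: Tuple[float, float, float]  # range to lead vehicle from radar, lidar, camera
    driver_brake: float                 # brake pedal position, 0..1
    driver_accel: float                 # accelerator pedal position, 0..1
    cmd_accel_mps2: float               # acceleration commanded by the control system

SENSOR_TOLERANCE_M = 3.0  # assumed max disagreement among healthy diverse sensors
CLOSE_GAP_M = 10.0        # assumed gap below which accelerating is inconsistent

def assess_car_frame(f: CarFrame) -> str:
    """Classify a frame as 'normal', 'sensor_anomaly' or 'control_anomaly'.

    The diverse-sensor comparison runs first: if the three ranges disagree,
    a failed or spoofed sensor is the likely cause and the sensor sub-system
    is what needs attention. Only when the sensors agree, the driver is not
    asking for acceleration, and the controller still commands acceleration
    toward a close lead vehicle is the control system itself flagged.
    """
    if max(f.gaps_m) - min(f.gaps_m) > SENSOR_TOLERANCE_M:
        return "sensor_anomaly"
    gap = sorted(f.gaps_m)[1]  # median of the agreeing sensors
    driver_wants_accel = f.driver_accel > 0.0 and f.driver_brake == 0.0
    if gap < CLOSE_GAP_M and not driver_wants_accel and f.cmd_accel_mps2 > 0.0:
        return "control_anomaly"
    return "normal"

# ---------- Scenario 2: UAV waypoint changes vs. pilot data entry ----------

@dataclass(frozen=True)
class WaypointEvent:
    """A waypoint record seen either on the aircraft's navigation system
    or on the ground pilot's data-entry system (constructed layout)."""
    t: float
    waypoint_id: int
    lat: float
    lon: float

PILOT_ENTRY_WINDOW_S = 5.0  # assumed max delay from pilot entry to onboard change

def unexplained_waypoint_changes(onboard: Sequence[WaypointEvent],
                                 pilot: Sequence[WaypointEvent],
                                 window_s: float = PILOT_ENTRY_WINDOW_S) -> List[WaypointEvent]:
    """Return onboard waypoint changes with no matching pilot entry.

    A change is explained only if the pilot entered the same waypoint id with
    the same coordinates shortly before it appeared on the aircraft. A change
    whose coordinates differ from what the pilot typed is also flagged, which
    covers a modification made somewhere between the ground station and the
    aircraft.
    """
    def matches(c: WaypointEvent, e: WaypointEvent) -> bool:
        return (e.waypoint_id == c.waypoint_id
                and abs(e.lat - c.lat) < 1e-6 and abs(e.lon - c.lon) < 1e-6
                and 0.0 <= c.t - e.t <= window_s)
    return [c for c in onboard if not any(matches(c, e) for e in pilot)]

# Constructed sample data for both scenarios.
SAMPLE_FRAMES = [
    CarFrame(0.0, (30.0, 31.0, 30.5), 0.0, 0.3, 0.5),  # cruising, consistent
    CarFrame(1.0, (30.0, 31.0, 4.0), 0.0, 0.3, 0.5),   # camera disagrees: sensor issue
    CarFrame(2.0, (8.0, 8.5, 7.5), 0.6, 0.0, 1.2),     # driver braking, controller accelerating
]
PILOT_ENTRIES = [
    WaypointEvent(100.0, 3, 40.1000, -79.2000),
    WaypointEvent(300.0, 5, 40.5000, -79.8000),
]
ONBOARD_CHANGES = [
    WaypointEvent(101.5, 3, 40.1000, -79.2000),  # matches pilot entry: explained
    WaypointEvent(240.0, 4, 41.0000, -80.0000),  # no pilot entry at all
    WaypointEvent(301.0, 5, 40.5000, -80.3000),  # longitude differs from what pilot typed
]

def run_sentinel() -> Tuple[List[str], List[int]]:
    """Run both checks over the sample data and return their verdicts."""
    car_verdicts = [assess_car_frame(f) for f in SAMPLE_FRAMES]
    flagged_ids = [c.waypoint_id for c in
                   unexplained_waypoint_changes(ONBOARD_CHANGES, PILOT_ENTRIES)]
    return car_verdicts, flagged_ids

if __name__ == "__main__":
    verdicts, flagged = run_sentinel()
    for frame, verdict in zip(SAMPLE_FRAMES, verdicts):
        print(f"t={frame.t:.1f}s car: {verdict}")
    print("unexplained waypoint changes:", flagged)
```

Both checks only report a possible cause; as the paper describes, confirmation and the reconfiguration decision remain with designated personnel.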
Education of Engineers and Policy-Makers The discussions presented above do not address what may be the most critical issue in implementing cybersecurity for physical systems, namely the education of both our engineering and policy-making communities. Teams that include mechanical, electrical, and system engineers design physical systems. Engineering schools do not integrate computer security courses into the individual curriculums of these engineering disciplines. As a result, there are a very limited number of physical system design engineers who have the requisite knowledge to design systems that better account for cybersecurity considerations. Furthermore, educators in these areas of engineering have no historic basis for engaging in the cybersecurity-related aspects of their fields. As a result, our colleges and universities need to consider this emergent need and develop crossdepartment programs that are responsive to this new, important requirement. Development of new programs can be influenced by a strong calling from industry to the education system, including providing financial support for development of new integrated programs, student internships, and professional education programs that support their current workforce. Similar to the issues discussed earlier, it will take strong industry leadership to support such programs without prior data providing evidence that cyberattacks on physical systems are occurring. A similar situation faces the policy-making community. As part of structuring resilience-related prototyping efforts, researchers have to address project-specific safety issues associated with conducting experiments. This requirement calls for interactions with a variety of policy organizations. Based on such interactions, it became clear to the author that the imagination of policy-makers with regards to what cyber-attacks could potentially accomplish far exceeded reality. 
Furthermore, discussions surrounding particular cyber-attacks and their consequences, as well as the solutions to be evaluated, made clear that the requisite technology-related knowledge became an issue in deriving safety controls. Interestingly, in some cases, the policy outcomes could have been unnecessarily conservative and in others, not conservative enough. Another important finding was that that the policy community found that the security community was greatly steeped in specialized technical jargon, providing a barrier to beneficial discussions regarding solutions and policies. Of course, addressing this particular issue would require an education element for both policy-makers and cybersecurity engineers who engage in policy matters. Perhaps a side issue, but one that could greatly influence matters, is that the demonstrations of cyber attacks on physical systems and their impacts can be interpreted as a consequence of the manufacturers or industrial users of those physical systems not being sufficiently sensitive to cybersecurity/safety-related outcomes in their product and system designs. As a result, in carrying out projects, the issue arises regarding reporting on the cybersecurity risks of current systems and the undue reputation impact it could have on the companies whose systems are being used for experimentation. It is not generally understood that the risks are emergent, and that the nature of these findings would be expected across all current software-controlled physical systems that have safety-related outcome potentials. A need exists to address this topic, including defining professional behavior for engineers regarding reporting on the results of their work involving current commercial systems and cyber-attacks and its relationship to the related companies reputations. 
The author of this article has recently served as a Commissioner for Cybersecurity for the Commonwealth of Virginia, which, with strong support from the Governor, has been engaged in strategy development regarding cy- 131

bersecurity (CoV, 2015). The 11-person Cybersecurity Commission for Virginia, working with Virginia s Cabinet members, has made strong recommendations regarding education programs, and the state has developed budgets to start addressing this need. This state-level initiative is the type of anticipatory action that will be required in order to be prepared should the cyber-attack risks for physical systems materialize. Cybersecurity Role and Certification of the Operators of Physical Systems An important aspect of the defense of physical systems from cyber-attacks is that immediate systemreconfiguration responses to attack detections (including what can be very expensive system shut-downs) may be necessary in order to provide the desired level of safety. This calls for doctrine regarding immediate responses. Doctrine must include: 1) the allocation of decisionmaking and response control roles to specified personnel, 2) selection criteria for, and training of those people, 3) exercising for preparedness, and 4) addressing the possibilities of unanticipated confusion regarding operator judgments related to the possibilities of missed or incorrect attack detections (including zero-day attacks). Part of the author s research on physical system defense included human involvement in cyber attack scenarios. In the UAV case, a desktop simulation environment was used to gain an initial understanding of operator responses to a monitoring system that detects cyber attacks and provides suggested responses to the UAV pilots. In the State Police case, a controlled exercise was conducted, involving unsuspecting policemen being dispatched, and their cars being attacked and failing to operate properly. The results of these activities highlighted the point that the doctrinal processes to be developed must recognize the fact that cyber attacks on physical systems are an area where people do not and will not have practical experience to rely upon. 
Furthermore, since attacks are very unlikely to occur, responses may stray from what operators are trained for. The research efforts showed that operators, based on their past experiences, can usually imagine other causes for observed consequences of a cyber attack and, as a result, may not be as responsive to automated decision support as expected. Consider the case in which a Sentinel detects a cyberattack that consists of an improper digital control message preventing a car from operating properly. From the operator s perspective there can be many different causes for the car not operating properly (e.g. failed battery), and these are typically causes they have previously experienced. Consequently, under the immediate pressure of needing to take decisive action, the operator may be more likely to assume these causes of failure, rather than a never experienced cyber-attack. Research results showed that even when an operator accepts a Sentinel s input as being correct, uncertainty remains regarding the possibility for additional elements of the cyber-attack having yet to emerge. This element of uncertainty is escalated when there are high consequences associated with an operator s decisions, and the operator s accountability for those decisions can impact behavior, including asking for access to cybersecurity experts before making a critical decision. Of course, such calls for help can potentially delay decision-making to an undesirable degree. As a result of these scenarios actually emerging during our research experiments, a significant effort has been initiated to better understand human behavior in uncertain circumstances that are likely to exist in scenarios regarding cyber-attacks on physical systems. From a policy vantage point, research efforts are needed to address questions regarding selection, certification and readiness training requirements for operators of physical systems for which cyber-attacks could have serious consequences. 
Data Curation

Data curation can be defined as the active and ongoing management of data through its lifecycle of interest and usefulness. If one assumes that a critical step in vigorously addressing cybersecurity for physical systems is the need for early evidence that cyber-attacks are actually occurring, significant issues emerge regarding curation of the data that would provide the needed evidence. Based on the automobile-focused State Police project referred to above, an important next step would be the development of accepted policies and processes regarding the collection, storage, security, sharing, analysis, and supplementation of data. For example, consider the distribution of specific data collected at the scene of an automobile incident which, based upon analysis, indicated a possible cyber-attack. Given the international manufacturing base for automobiles and the international sales of automobiles, that information would need to be shared across the world. It would be important that worldwide law enforcement agencies, national governments engaged in addressing automobile cybersecurity, automobile companies, and numerous others gain access to that data. As a result, international curation policies and processes would be called for. Organizations such as INTERPOL could potentially play a key role in creating the needed international orientation.

Market Incentives

In February 2014, the National Institute of Standards and Technology (NIST) released Version 1 of the Cybersecurity Framework called for by White House Executive Order 13636, an initial structure for organizations, government and customers to use in considering comprehensive cybersecurity programs (WH, 2013). In April 2015, a NIST presentation provided a status report on the evolving framework (NIST, 2015). The framework broadly addresses the specific needs that are discussed above, but without the specificity required to illuminate the complexity associated with anticipatory physical system solutions. Past efforts to establish market incentives for improved information system cybersecurity illustrate the consequences of inaction, and also demonstrate the uncertainties and difficulties surrounding anticipatory actions. The example provided by information systems highlights the importance of initiating early data collection efforts so that incidents can be assessed for potential cyber attacks and confirmed attacks can be documented. With this evidence in hand, it will be easier to evaluate next-step responses, and incentives for anticipatory forms of cybersecurity will be increased. As emphasized above, it will be difficult to motivate anticipatory solutions without confirmation that attacks on physical systems are actually occurring. The National Highway Safety Traffic System (NHTSA), through the guidance it is providing for improving automobile-related cybersecurity, has taken encouraging steps to anticipate some of the needs addressed above (USDOT, 2016). A potential sequence of events is that data collection starts early and provides incontrovertible evidence of attacks on physical systems, which then drives the development of the government, industry and consumer relationships that underpin market incentives for investment in anticipatory cybersecurity. As suggested above, attacks on physical systems generally pose a much greater risk to human safety than attacks on information systems. Therefore, it may be easier to motivate firms and policymakers to invest in physical system security, since the potential consequences are so severe.
The development of data curation processes that could promote the involvement of appropriate government, industry and consumer groups appears to be a critical early step towards achieving market incentives.

Conclusions and Recommendations

This article emphasizes the point that, due to the risk of injuries and deaths associated with cyber-attacks on physical systems, anticipatory cybersecurity solutions are likely to be desired, potentially much more so than has been the case for information system cybersecurity. In addition, a number of examples have been provided that illuminate both the complexity of addressing anticipation and the difficulties associated with selecting and applying the most critical solutions. This complexity includes recognizing the impacts of subsystem interconnections in critical systems, such as air traffic control systems. It has been suggested that managing the implementation of anticipatory solutions will require teams of government and industrial organizations, both to address the consequences of attacks and to design systems for detecting and responding to attacks. The examples highlight the fact that this is an international issue, involving government as well as the relevant industries. The examples also demonstrate that standardization solutions have to consider their monoculture implications in addition to the normal factors that relate to standardization. In order to make progress, our education system needs to prioritize addressing cybersecurity across a broader set of education programs than is currently the practice. Additionally, it appears likely that evidence of actual cyber attacks on physical systems will be a necessary precursor for anticipatory solutions; due to the associated costs, it is unlikely that self-motivation will be sufficient to drive investment in cybersecurity for physical systems.

The creation of market incentives for investment in cybersecurity for physical systems will require the engagement of government, industry and consumer organizations. Since they are first on the scene for incidents of the kind being addressed here, the law enforcement community would seemingly be a logical choice for collecting the needed data. Consequently, the first step in post-event data analysis is equipping law enforcement officers with applicable equipment, so that they can identify events caused by cyber attacks. It is also suggested that industry members engage with the law enforcement community to determine the data requirements necessary to identify a cyber attack. Once a number of instances are documented, the policy responses suggested above will likely increase in priority. Hopefully, with appropriate engagement of consumer groups, anticipatory solutions will arise. In order for a rapid response to be possible, an early emphasis must be placed on supporting relevant research and education.

An interesting side note related to this paper is that technology-focused system prototype experiments served to create early interactions between technologists and policymakers that illuminated a number of important issues related to policy. It would appear that prototype-based projects that serve to couple government and industry would be a valuable method for accelerating the partnerships necessary for identifying and addressing critical policy issues. A preliminary strategy would include identifying safety-related domains that demand the rapid integration of fast-changing technologies into their physical systems. This article provides examples related to advanced air traffic control and automated automotive systems.

Acknowledgments

This material is based upon work supported, in whole or in part, by the U.S. Department of Defense through the Systems Engineering Research Center under Contract HQ0034-13-D-0004.
The SERC is a federally funded University Affiliated Research Center managed by Stevens Institute of Technology, Hoboken, NJ, USA. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the U.S. Department of Defense.

References

Babineau, G. L., Jones, R. A. and Horowitz, B. M. (2012), A system-aware cyber security method for shipboard control systems with a method described to evaluate cyber security solutions, 2012 IEEE International Conference on Technologies for Homeland Security (HST).

Bayuk, J. L. and Horowitz, B. M. (2011), An architectural systems engineering methodology for addressing cyber security, Systems Engineering 14: 294-304.

Commonwealth of Virginia (CoV) (2015, August), Cyber Security Commission, Threats and Opportunities.

Cyber Security Research Alliance (CART) (2013, April), Designed-in Cyber Security for Cyber-Physical Systems, Workshop Report.

Falliere, N., Murchu, L. O. and Chien, E. (2011), W32.Stuxnet Dossier, Symantec.

Gay, C., Horowitz, B., Bobko, P., Elshaw, J. and Kim, I. (2017), Operator Suspicion and Decision Responses to Cyber-Attacks on Unmanned Ground Vehicle Systems, HFES 2017 International Annual Meeting, Austin, TX.

Higgins, K. J. (2015a, September), State Trooper Vehicles Hacked, Dark Reading.

Higgins, K. J. (2015b, July), Car Hacking Shifts into High Gear, Dark Reading.

Horowitz, B. M. (2016, April), Cybersecurity for Unmanned Aerial Vehicle Missions, AFCEA SIGNAL, pp. 40-43.

Horowitz, B. M. and Pierce, K. M. (2013), The integration of diversely redundant designs, dynamic system models, and state estimation technology to the cyber security of physical systems, Systems Engineering 16(4): 401-412.

Horowitz, B. M. and Scott Lucero, D. (2017, September), System-Aware Cybersecurity: A Systems Engineering Approach for Enhancing Cybersecurity, INCOSE INSIGHT, 10.1002/inst.12165.

Jones, R. A., Nguyen, T. V. and Horowitz, B. M. (2011), System-Aware security for nuclear power systems, 2011 IEEE International Conference on Technologies for Homeland Security (HST), pp. 224-229.

Jones, R. A., Luckett, B., Beling, P. and Horowitz, B. M. (2013), Architectural Scoring Framework for the Creation and Evaluation of System-Aware Cyber Security Solutions, Journal of Environmental Systems and Decisions 33(3): 341-361.

Jones, R. A. and Horowitz, B. M. (2012), System-Aware Cyber Security Architecture, Systems Engineering, February 2012.

Kovacs, E. (2014, December), Cyberattack on German Steel Plant Caused Significant Damage: Report, Security Week.

Miller, P. C. (2014a, December), University of Virginia research protects UAS from cyber-attackers, UAS Magazine.

Miller, P. C. (2014b, December), Dual Knowledge for UAS Cybersecurity, UAS Magazine.

NBC29.com (2015, October), Va. CyberSecurity Research Working to Protect First Responders, Press Release from the Office of Governor Terry McAuliffe.

NIST (2015, April), Framework for Improving Critical Infrastructure Cybersecurity: Implementation of Executive Order 13636, presentation.

Rieger, C., Gertman, D. and McQueen, M. (2009, May), Resilient Control Systems: Next Generation Design Research, International Conference on Human System Interaction.

The White House (WH) (2013, February), Executive Order: Improving Critical Infrastructure Cybersecurity.

US DOT (2016), US DOT issues Federal guidance to the automotive industry for improving motor vehicle security, https://www.nhtsa.gov/press-releases/us-dot-issues-federalguidance-automotive-industry-improving-motor-vehicle.