NIST Framework Outlines Cyber Physical Systems Security Challenges
Published: September 23, 2015
In mid-2014, the National Institute of Standards and Technology (NIST) kicked off a public working group to address the concepts and terminology around cyber physical systems (CPS). After more than a year of work, the group has released a draft framework for public comment.
Additional considerations for CPS arise from qualities these systems frequently share: they often take a system-of-systems (SoS) approach, benefit from standardization, need systems and architectures that support flexibility across applications and domains, often perform critical applications, require security, and rely prominently on data exchange in system operation.
The draft highlights five properties for CPS trustworthiness: cybersecurity (or security), privacy, safety, reliability, and resilience. Exploration of cybersecurity for CPS underscores resilience as the most important feature. The other four elements, such as reliability, are significant as well but secondary. At the same time, the treatment of resilience suggests a strong link to establishing and maintaining security. Challenges surrounding the provision of cybersecurity for CPS are numerous and complex. The ongoing evolution of CPS through integration of technologies and expansion of operational conditions adds further complexity to the issue. Other trustworthiness challenges stem from the system-of-systems approach adopted for some CPS and the demand for extreme scalability.
These challenges are likely to draw additional attention to the overlap and divergence between CPS and IT systems. While CPS are susceptible to some of the same cybersecurity issues that IT systems face, some shared challenges differ in their levels of criticality. The physical components of CPS may give rise to challenges beyond those related to IT components. This also means that some IT cybersecurity solutions may not fully address CPS cybersecurity requirements. The physical component of CPS creates possibilities for novel protection strategies. Beyond demand for resilience and reliability, the requirements around privacy will also evolve beyond those faced by IT systems. Vendors well positioned to expand and adapt cybersecurity tools and mechanisms for CPS will be able to take advantage of these emerging opportunities.
The 213-page draft framework is available for public comment until November 2, 2015.