NIST Framework Outlines Cyber Physical Systems Security Challenges

The goal of the working group’s framework is to establish a common language around CPS to facilitate clear communication among stakeholders like architects, engineers, and users. To that end, the framework lays out a set of overarching concepts, their relationships, and the terminology used to discuss them. Cyber physical systems (CPS), for instance, are defined as those that “integrate computation, communication, sensing, and actuation with physical systems to fulfill time-sensitive functions with varying degrees of interaction with the environment, including human interaction.” The document goes on to call out common characteristics of CPS, which include:

• Comprised of both computational and physical components,
• Support a variety of communication modes,
• Sensing and controls loops (and feedback) are central,
• Systems result from co-design of the hardware and software,
• Need awareness of time (and often physical location to an appropriate level), and 
• Interactive with environment.

Additional considerations for CPS arise from frequently shared qualities - often taking a systems of systems approach (SOS), benefiting from standardization, the need for systems and architectures to support flexibility across applications and domains, often performing critical applications, the necessity of security, and the prominence of data exchange in system operation.

The draft highlights five properties for CPS trustworthiness: cybersecurity (or security), privacy, safety, reliability, and resilience. Exploration of cybersecurity for CPS underscores resilience as the most important feature. The other four elements, like reliability, are significant as well but fall secondary. At the same time, the treatment of resilience suggests a strong link to establishing and maintaining security. Challenges surrounding the provision of cybersecurity for CPS are numerous and complex. The ongoing evolution of CPS through integration of technologies and expansion of operational conditions adds further complexity to the issue. Other trustworthiness challenges stem from the system-of-systems approach adopted for some CPS and the demand for extreme scalability.

These challenges are likely to draw additional attention to the overlap and divergence between CPS and IT systems. While CPS are susceptible to some of the same cybersecurity issues that IT systems face, some shared challenges differ in their levels of criticality. The physical components of CPS may give rise to challenges beyond those related to IT components. This also means that some IT cybersecurity solutions may not fully address CPS cybersecurity requirements. The physical component of CPS creates possibilities for novel protection strategies. Beyond demand for resilience and reliability, the requirements around privacy will also evolve beyond those faced by IT systems. Vendors well positioned to expand and adapt cybersecurity tools and mechanisms for CPS will be able to take advantage of these emerging opportunities.

The 213-page draft framework is available for public comment until November 2, 2015.