The Cyber Physical Systems Security (CPSSEC) program addresses security concerns for Cyber Physical Systems (CPS) and the Internet of Things (IoT). CPS and IoT play an increasingly important role in critical infrastructure, government and everyday life. Automobiles, medical devices, building controls and the smart grid are examples of CPS. Each includes smart networked systems with embedded sensors, processors and actuators that sense and interact with the physical world and support real-time, guaranteed performance in safety-critical applications. The closely related area of IoT continues to emerge and expand as costs drop and the confluence of sensors, platforms and networks increases. Whether referencing the forward collision prevention capability of a car, a medical device’s ability to adapt to circumstances in real-time, or the latest IoT innovation, these systems are a source of competitive advantage in today’s innovation economy and provide vast opportunities for DHS and Homeland Security Enterprise missions. At the same time, CPS and IoT also increase cyber security risks and attack surfaces.  The consequences of unintentional faults or malicious attacks could have severe impact on human lives and the environment. Proactive and coordinated efforts are needed to strengthen security and reliance for CPS and IoT.

Motivation

This is a critical time in the design and deployment of CPS and IoT.  Advances in networking, computing, sensing and control systems have enabled a broad range of new devices. These systems are being designed and deployed now, however, security often is left for later. Industry is driven by functional requirements and fast-moving markets. Designs are evolving rapidly and standards are only now emerging. Many devices being deployed now have lifespans measured in decades, so current design choices will impact the next several decades in transportation, health care, building controls, emergency response, energy and other sectors.

To understand the scope of the challenge, consider the recent advances in the cars we drive, the medical devices we depend on, the systems that operate our buildings, the power grid and a vast number of new IoT devices. Modern cars can automatically brake to avoid a collision, modern medical devices can monitor conditions in real time and adapt to changes, buildings,and the energy grid are being enhanced with a number of new smart services, and it is anticipated billions of new IoT devices will be connected to the Internet. If security is overlooked, we run the risk of unintentional faults or even malicious attacks changing how cars brake, how medical devices adapt, and how buildings and the smart grid respond to events. Cybersecurity only becomes more challenging if billions of devices with security vulnerabilities are added. Addressing security issues by bolting solutions onto widely deployed systems is not viable. Security issues must be analyzed, understood and addressed in the early stages of design and deployment. 

Objectives

The overarching objective of the CPSSEC project is to ensure CPS and IoT security vulnerabilities are identified and addressed before system designs are complete and the resulting devices are widely deployed. In other words, the overarching goal is to build security in rather than bolt on it on later. To accomplish this, the project will:

• Rapidly develop cyber security technical guidance for critical infrastructure sectors facing CPS and IoT challenges
• Conduct this effort in collaboration with key government, infrastructure and industry partners
• Transition guidance in a sustainable way so security is an integral part of CPS and IoT designs
• When appropriate, produce reference implementations and risk-assessment tools to promote the inclusion of security in CPS and IoT devices. 

Approach

The CPS and IoT space is vast and covers many distinct sectors. The Cyber Physical Systems Vision Statement from the Networking Information Technology Research and Development (NITRD) Program identifies nine areas of critical importance to government: agriculture, building controls, defense, energy, emergency response, health care, manufacturing and industry, society and transportation. Further, these areas share crosscutting issues of cybersecurity, economics, interoperability, privacy, safety and reliability, and social aspects. No single agency can tackle these areas alone.

The CPSSEC project is taking a layered approach to these challenges as illustrated in the CPS Security Pyramid. 

At the pyramid’s base, DHS is working with other agencies such as the National Science Foundation (NSF) to address fundamental and crosscutting challenges. The goal is to ensure the basic building blocks for CPS and IoT security are available and realistically feasible for use in specific systems.

At the core of the pyramid, DHS-funded applied research and development addresses sectors where S&T investments can have maximum impact. These areas are chosen based on a combination of impact delivered to DHS’s homeland security mission, technical readiness, and investments by other federal funding agencies. The CPSSEC project is focused on security for automotive, medical devices and building controls with an increasing interest in IoT security.

At the pyramid’s top, CPSSEC engages through a combination of coordination with the appropriate sector-specific oversight agency, government research agencies, industry engagement and support for sector-focused innovation, small business efforts and technology transition. This work encompasses the development of sector-specific industry consortiums.

Performers

Efforts funded through BAA HSHQDC-14-R-B0016

• Ken Hoyme, Adventium Labs: Intrinsically Secure, Open, and Safe Control of Essential LayErS (ISOSCELES)
• David Payton, HRL Laboratories: Side-Channel Causal Analysis for Design of Cyber Physical Security
• Sam Lauzon, University of Michigan Transportation Research Institute (UMTRI): Secure Software Update Over-the-Air for Ground Vehicles Specification and Prototype
• Justin Cappos, New York University (NYU): Securely Updating Automobiles
• Dale Nordenberg, Medical Device Innovation Safety and Security (MDISS): Medical Device Risk Assessment Platform
• Simon Oui, Kansas State University: Modeling Security/Safety Interactions for Buildings for Compositional Safety Control

Jointly funded efforts with the National Science Foundation (NSF) CPS Program

• Lalitha Sankar, Arizona State University: A Verifiable Framework for Cyber Physical Attacks and Countermeasures in a Resilient Electric Power Grid
• Manimaran Govindarasu, Iowa State University: PowerCyber: CPS Security Testbed for Smart Grid
• Christopher Williams, Virginia Tech & Jules White, Vanderbilt University: Securing Manufacturing Systems

Other CPSSEC-Funded Efforts

• Kevin Harnett, Department of Transportation Volpe Transportation Center: Joint Agency Work on Automotive Cyber Security
• Sean Warnick, Brigham Young University (BYU): Mission Impact Situational Awareness Tool for Distributed Operations Management of Cyber Physical Human Critical Infrastructures
• John Larkin, Food Protection Defense Institute (FPDI): Strengthening Food Industry Cybersecurity Capacity

Resources

• Executive Order (EO) 13636: Improving Critical Infrastructure Cybersecurity
• Presidential Policy Directive (PPD) 21: Critical Infrastructure Security and Resilience
• 2015 NITRD Cyber Physical Systems Vision Statement (PDF, 08 Pages, 355.76 KB)
• Trustworthy Cyberspace: Strategic Plan for the Federal Cybersecurity Research and Development Program (PDF, 36 Pages, 794.66 KB)
• Cyberspace Policy Review (PDF, 76 Pages, 710.50 KB)
• 2014 Quadrennial Homeland Security Review (QSHR)
• National Infrastructure Protection Plan (NIPP) 2013: Partnering for Critical Infrastructure Security and Resilience
• National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity (PDF, 41 Pages, 930 KB)
• NIST Special Publication 800-183: Network of ‘Things’ (PDF, 30 Pages, 2.73 MB)

Press Releases

• DHS S&T Awards Minneapolis Company $2.2M for Medical Device Cyber Security Research, February 2016
• DHS S&T Awards $7.8 Million for Cyber Physical System Security Research, December 2015
• DHS S&T Awards New York Based Consortium $1.8M for Medical Device Cyber Security Research, November 2015
• DHS S&T Awards Kansas State University $900K for Building Control Cyber Security Research, November 2015
• DHS S&T Awards HRL Laboratories $2.5M for Automotive Cyber Security Research, October 2015
• DHS S&T Awards the University of Michigan $1.2M for Automotive Cyber Security Research, October 2015
• DHS S&T Awards New York University $1.4M for Automotive Cyber Security Research, October 2015