Cybersecurity for Computer-Controlled Physical Systems

System-Aware Cybersecurity
Barry Horowitz

University of Virginia
September 2015

A Fast-moving Merger: Advanced Automation, the Internet (of Things), Physical Systems

• Significant Investments in Innovation:
  – Autonomy: UAVs, Cars, Robots
  – Manufacturing: Additive Manufacturing, Digital Factory, Robots
  – Advanced Logistics: Use-based Maintenance, 3D Printing
• But relatively little investment in the associated cybersecurity

Two Different Outlooks Regarding Addressing Cybersecurity

– Too early in the innovation cycle to bog things down with security considerations – do it later

– Factor security considerations into the design process from the start
  – Less effective and more costly to do security strap-ons after the new system is designed

Traditional Cybersecurity for Internet-based Information Systems

• Standard cybersecurity approaches are infrastructural in nature: Network protections/System perimeter protections

• Little emphasis on protecting applications within specific information systems
  – Considered as too expensive
  – Too many unique systems and apps to practically deal with
  – Change too fast
  – Too big, distributed and complex
  – Too many suppliers and variable quality
  – Solutions impact user friendliness
  – Costs of financial losses can be absorbed by spreading over large user bases

• As a result, the cybersecurity community does not have experience in securing system functions, especially physical system control functions

• And system designers do not have experience with designing for better cybersecurity, especially physical system designers

UVa’s System-Aware Cybersecurity for Computer-Controlled Physical Systems

• Added layer of security to protect physical system control functions

• Monitoring the highest risk system functions for illogical behavior and, upon detection, reconfiguring for continuous operation

• Build on cybersecurity, fault tolerant and automatic control technologies

• Monitoring/reconfiguring accomplished through a highly secured Sentinel – employ many more security features for protecting the Sentinel than the system being protected can practically employ

• Addresses not only network-based attacks, but also insider and supply chain attacks

• Reusable design patterns to enable more economical solution development
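
The monitor-and-reconfigure loop in the bullets above, shown as an added example (not code from the presentation or the UVa project): a Sentinel compares the operator's command with the one the controller acts on, cross-checks a primary measurement against a diverse redundant one, and applies a physics rate bound. The class, field and action names, the tolerances and the trace are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Sample:
    t: float             # seconds since start
    operator_cmd: float  # setpoint captured at the operator console
    active_cmd: float    # setpoint the controller reports it is using
    primary: float       # measurement from the primary sensor path
    redundant: float     # same quantity from a diverse, independent path

class Sentinel:
    """Hypothetical monitor: flags illogical behavior, returns reconfiguration actions."""
    def __init__(self, tol, max_rate):
        self.tol, self.max_rate = tol, max_rate  # assumed engineering limits
        self.prev = None
        self.source = "primary"                  # measurement path currently in use

    def step(self, s):
        findings, actions = [], []
        if abs(s.active_cmd - s.operator_cmd) > self.tol:
            findings.append("command_mismatch")
            actions.append("restore_operator_cmd")
        if abs(s.primary - s.redundant) > self.tol:
            findings.append("sensor_disagreement")
        if self.prev is not None and s.t > self.prev.t:
            rate = abs(s.primary - self.prev.primary) / (s.t - self.prev.t)
            if rate > self.max_rate:             # faster than the plant can physically move
                findings.append("implausible_rate")
        if self.source == "primary" and {"sensor_disagreement", "implausible_rate"} & set(findings):
            self.source = "redundant"            # reconfigure and keep operating
            actions.append("switch_to_redundant")
        self.prev = s
        return findings, actions

# Constructed trace (not real data): one altered setpoint, then a false primary reading.
TRACE = [
    Sample(0.0, 50.0, 50.0, 20.0, 20.1),
    Sample(1.0, 50.0, 50.0, 21.0, 21.0),
    Sample(2.0, 50.0, 80.0, 22.0, 22.1),
    Sample(3.0, 50.0, 50.0, 45.0, 23.0),
]

def run_trace(trace, tol=1.0, max_rate=5.0):
    sentinel = Sentinel(tol, max_rate)
    return [(s.t, *sentinel.step(s)) for s in trace], sentinel.source

if __name__ == "__main__":
    for row in run_trace(TRACE)[0]:
        print(row)
```

With two measurement paths a disagreement alone does not say which one is wrong; this example assumes the diverse redundant path is the trusted fallback.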

High Level Architectural Overview

[Figure: architecture diagram. Labels: System to be Protected + Diverse Redundancy; Sentinel Providing System-Aware Security (“Super Secure”); Internal Measurements; Outputs; Internal Controls; Reconfiguration Controls]

Early Experience with Multiple Prototypes

• DoD
  – UAV/Surveillance system, including in-flight evaluation
  – Currently employed AF/Army AIMES video exploitation system
  – Radar system (In early design phase)
  – Laboratory-based multi-sensor collection system

• 3d Printers – NIST

• Ship physical plant control - Northrop

• Automobile cybersecurity – DARPA Urban Challenge autonomous vehicle

Important Factors Regarding Securing Physical Systems

• Attack possibilities for physical systems are more contained than for information systems
  – More limited access to physical controls
  – Fewer system functions
  – Less distributed
  – Bounded by laws of physics
  – Less SW
• But
  – Successful attacks can do physical harm
  – Reconfiguration requires operational procedures for rapid response
  – Solutions require confident operators who are trained to react to unprecedented cyber attack events
  – Physical system operators have no experience or expectations regarding physical system attacks, although demos are coming out of the woodwork
  – Attacks requiring situation awareness add new dimensions that attackers need to address

Important Factors Regarding Securing Physical Systems

• Attack possibilities for physical systems are more contained than for information systems
  – More limited access to physical controls
  – Fewer system functions
  – Less distributed
  – Bounded by laws of physics
  – Less SW
• But
  – Successful attacks can do physical harm
  – Reconfiguration requires operational procedures for rapid response
  – Solutions require confident operators who are trained to react to unprecedented cyber attack events
  – We have no experience or expectations regarding physical system attacks, although demos are coming out of the woodwork
  – Attacks requiring situation awareness add new dimensions that attackers need to address
• And
  – Design of solutions requires knowledge of electro-mechanical systems and cybersecurity – significant Workforce and Education issues

Virginia State Police Project

• FOR IMMEDIATE RELEASE
• Date: May 15, 2015
• Commonwealth of Virginia – Office of Governor Terry McAuliffe
• Office of the Governor
• Governor McAuliffe Announces Initiative to Protect Against Cybersecurity Threats

• RICHMOND – Governor Terry McAuliffe announced today that the Commonwealth of Virginia is establishing a public-private working group to explore the technology needed to safeguard Virginia’s citizens and public safety agencies from cybersecurity attacks targeting automobiles.

• Police Lead – Captain Jerry Davis

Participating Partners

…and in coordination with:

Virginia State Police

Cybersecurity For Law Enforcement

Two Virginia State Police Cybersecurity Requirements

• Need to be able, at the scene of an automobile incident, to assess possibility of a cyber attack as the cause
  – Indication of electronic tampering to enable cyber attacks
  – Data collection from the damaged auto and supporting analysis tools
• Need to secure police vehicles against cyber attacks
  – Less automation features
  – Private communications network
  – More likely target for attack

Two Virginia State Police Cybersecurity Requirements

• Need to be able, at the scene of an automobile incident, to assess possibility of a cyber attack as the cause
  – Physical indicators
  – Data collection from the auto and supporting analysis tools
• Need to secure police vehicles against cyber attacks
  – Less automation features
  – Private communications network
  – More likely target for attack

Less vulnerability

Greater risk

Guiding Principles for the Project

The suggested sequence for addressing needs for police organizations:

1. Increase awareness and training regarding the emerging risks

2. As possible, develop early responses that can be put into practice to reduce risks

3. Illuminate manageable next steps that help police forces to collect information about actual cyber attacks, as they emerge

4. Based on the reality and specifics of attacks, inspire rapid implementation of D3 responses (Deter, Detect, Defend)

Project Objectives

• Explore potential attacks against 2 different police vehicles – Ford Taurus, Chevy Impala

• Explore possible techniques for detecting attacks

• Explore possible attack defense techniques

• Develop potential immediate steps for reducing risks of cyber attacks

• Recommend next steps for risk reduction

Project Plan

• Develop attacks against each of the cars

• Develop solution concepts regarding such attacks

• Conduct a live controlled exercise involving unsuspecting police to validate the potential effectiveness of the developed attacks for disrupting operations

• Use video recordings of the exercise as an initial basis for training

• Use exercise outcomes to start initiating involvement of the broader community that needs to respond to this emerging risk

Project Plan

• Develop attacks against each of the cars

• Develop solution concepts regarding such attacks

• Conduct a live controlled exercise involving unsuspecting police to validate the potential effectiveness of the developed attacks to disrupt operations – Occurred on September 21st

• Use video recordings of the exercise as an initial basis for training

• Use exercise outcomes to start initiating involvement of the broader community that needs to respond to this emerging risk

September 21st Exercise

• Videos

Initial Outcomes

• None of the 4 drivers suspected a cyber attack – A simple driver inspection under the dashboard would have revealed the connected electronics that enabled the attacks
  – One driver suspected an electronic system failure
  – Another driver suspected that he did not correctly carry out a normally required physical control action
• All of the drivers appeared to be bewildered by what happened
• In all cases, the call for a replacement car would likely result in a failure to provide a timely response to the original dispatch call

Working Group Recommendations Based Upon Exercise Outcomes

• Immediate Steps: Reduce risk of attacks that involve tampering/insertion of electronics into cars
  – Awareness video under development
  – Inspection procedures need to be developed

• Need to initiate interactions between auto industry, cybersecurity community and law enforcement communities regarding technical need for rapid implementations regarding extraction of data to support post-attack police detection of cyber attacks

• Need research programs to develop technology-based defensive solutions so as to enable rapid implementation opportunities should attacks start to emerge

Move to Live Demonstration in Parking Lot