Cyber Physical System Security University of South Florida Xinming (Simon) Ou SCOWCT Annual Meeting Oct 26, 2016

Key Issue in CPS Security Cyber breaches may drive physical processes/systems to an unsafe state. Smart buildings Smart grids Smart cars Smart transportation Smart city Smart …

What might future ITS look like? TMC

Cybersecurity Challenges Complete isolation between the transportation control network and the Internet may not be feasible Increasing number of points of entry Adversaries may compromise devices connected to the control network

A Related Project: Building Security Buildings are ubiquitous critical infrastructure, yet often the last to be considered as such Building Automation Systems (BAS) are a class of complex network-based distributed system BAS is a system of Cyber- Physical Systems

Bio-Containment Facility Example Scenario Bio-Containment Facility

Key Safety Requirement Mockup BAS for a Zone The BAS is responsible for: Security control Interlock control Fire alarm control Decontamination control Temperature control Air pressure control Key Safety Requirement

Differential Pressure Requirement Exhaust airflow Supply airflow

Big attack surface, serious risks Zero security in communication Little Protection for Controller and Processes on it

Current Controllers Fall Short Software vulnerable to arbitrary code injection Compromised applications can infect/impact others Devices on the network lack trust

What do We Need from Controllers? Process Isolation Robust Design with Small Trusted Computing Base Explicit Management of Critical Constraints Device/task Identification and Network Access Control

How to Secure the Controllers? Kernel is the “pinch point” of all information flows, including malicious ones. In monolithic kernels the entire OS works in kernel space with absolute power With time OS gets bigger, more complex, slower, and more error prone Nearly impossible to secure the entire OS Microkernel: easier path to security

Two Candidate Microkernels MINIX 3 Free, open-source microkernel OS; developed over 30 years (V3 released in 2005) 4000 LOC Small, simple, and easy to modify Lack of real-time support, Lack of formal verification seL4 “The world's first operating-system kernel with an end-to-end proof of implementation correctness and security enforcement” 10.2 KLOC Support real-time constraints (not formally verified yet)

Secure RTOS Architecture Process isolation with microkernel Fine-grained mandatory access control Real-time guarantees even with presence of malice Platform unforgeable identity and proxy- based network communication Co-existing with unmodified legacy OS and apps

Current Efforts Modify MINIX to support Mandatory access control for Inter Process Communication and network communication Real-time property enforcement Understand seL4 with an eye towards targeting implementation Design a constraint language to model the security/safety properties of the system Map domain requirements to kernel policies

Benefits Build security in – fundamentally change the "breach and patch" cycle Manage security and safety in the same framework Support diverse constraints for different types of buildings; extensible to other CPS domains Minimize barrier to adoption by allowing running existing untrusted legacy devices

Going back to the Transportation System Will integration with other CPSes become a trend/need? Will controllers/PLCs be widely used in ITS? What are the possible safety failures for future ITSes?