Cybersecurity for Computer- Controlled Physical Systems System-Aware Cybersecurity Barry Horowitz University of Virginia September

A Fast-moving Merger : Advanced Automation, the Internet (of Things), Physical Systems Significant Investments in Innovation: – Autonomy: UAV’s, Cars, Robots – Manufacturing: Additive Manufacturing, Digital Factory, Robots – Advanced Logistics: Use-based Maintenance, 3D Printing But relatively little investment in the associated cybersecurity 2

Two Different Outlooks Regarding Addressing Cybersecurity – Too early in the innovation cycle to bog things down with security considerations – do it later – Factor security considerations into the design process from the start– Less effective and more costly to do security strap-ons after the new system is designed 3

Traditional Cybersecurity for Internet-based Information Systems Standard cybersecurity approaches are infrastructural in nature: Network protections/System perimeter protections Little emphasis on protecting applications within specific information systems – Considered as too expensive – Too many unique systems and apps to practically deal with – Change too fast – Too big, distributed and complex – Too many suppliers and variable quality – Solutions impact user friendliness – Costs of financial losses can be absorbed by spreading over large user bases As a result, the cybersecurity community does not have experience in securing system functions, especially physical system control functions And system designers do not have experience with designing for better cybersecurity, especially physical system designers 4

UVa’s System-Aware Cybersecurity for Computer-Controlled Physical Systems Added layer of security to protect physical system control functions Monitoring the highest risk system functions for illogical behavior and, upon detection, reconfiguring for continuous operation Build on cybersecurity, fault tolerant and automatic control technologies Monitoring/reconfiguring accomplished through a highly secured Sentinel – employ many more security features for protecting the Sentinel than the system being protected can practically employ Addresses not only network-based attacks, but also insider and supply chain attacks Reusable design patterns to enable more economical solution development 5

High Level Architectural Overview System to be Protected + Diverse Redundancy Sentinel Providing System-Aware Security Internal Measurements Outputs Internal Controls “Super Secure” Reconfiguration Controls 6

Early Experience with Multiple Prototypes DoD – UAV/Surveillance system, including in-flight evaluation – Currently employed AF/Army AIMES video exploitation system – Radar system (In early design phase) – Laboratory-based multi-sensor collection system 3d Printers – NIST Ship physical plant control - Northrop Automobile cybersecurity – DARPA Urban Challenge autonomous vehicle 7

Important Factors Regarding Securing Physical Systems Attack possibilities for physical systems are more contained than for information systems – More limited access to physical controls – Fewer system functions – Less distributed – Bounded by laws of physics – Less SW But – Successful attacks can do physical harm – Reconfiguration requires operational procedures for rapid response – Solutions requires confident operators who are trained to react to unprecedented cyber attack events – Physical system operators have no experience or expectations regarding physical system attacks, although demos are coming out of the woodwork – Attacks requiring situation awareness add new dimensions that attackers need to address 8

Important Factors Regarding Securing Physical Systems Attack possibilities for physical systems are more contained than for information systems – More limited access to physical controls – Fewer system functions – Less distributed – Bounded by laws of physics – Less SW But – Successful attacks can do physical harm – Reconfiguration requires operational procedures for rapid response – Solutions requires confident operators who are trained to react to unprecedented cyber attack events – We have no experience or expectations regarding physical system attacks, although demos are coming out of the woodwork – Attacks requiring situation awareness add new dimensions that attackers need to address And Design of solutions requires knowledge of electro-mechanical systems and cybersecurity – significant Workforce and Education issues 9

Virginia State Police Project FOR IMMEDIATE RELEASE Date: May 15, 2015 Commonwealth of Virginia – Office of Governor Terry McAuliffe Office of the Governor Governor McAuliffe Announces Initiative to Protect Against Cybersecurity Threats RICHMOND – Governor Terry McAuliffe announced today that the Commonwealth of Virginia is establishing a public-private working group to explore the technology needed to safeguard Virginia’s citizens and public safety agencies from cybersecurity attacks targeting automobiles. 10

Virginia State Police Project FOR IMMEDIATE RELEASE Date: May 15, 2015 Commonwealth of Virginia – Office of Governor Terry McAuliffe Office of the Governor Governor McAuliffe Announces Initiative to Protect Against Cybersecurity Threats RICHMOND – Governor Terry McAuliffe announced today that the Commonwealth of Virginia is establishing a public-private working group to explore the technology needed to safeguard Virginia’s citizens and public safety agencies from cybersecurity attacks targeting automobiles. Police Lead – Captain Jerry Davis 11

Participating Partners ….and in coordination with: Virginia State Police Cybersecurity For Law Enforcement

Two Virginia State Police Cybersecurity Requirements Need to be able, at the scene of an automobile incident, to assess possibility of a cyber attack as the cause – Indication of electronic tampering to enable cyber attacks – Data collection from the damaged auto and supporting analysis tools Need to secure police vehicles against cyber attacks – Less automation features – Private communications network – More likely target for attack 13

Two Virginia State Police Cybersecurity Requirements Need to be able, at the scene of an automobile incident, to assess possibility of a cyber attack as the cause – Physical indicators – Data collection from the auto and supporting analysis tools Need to secure police vehicles against cyber attacks – Less automation features – Private communications network – More likely target for attack Less vulnerability Greater risk 14

Guiding Principles for the Project The suggested sequence for addressing needs for police organizations: 1.Increase awareness and training regarding the emerging risks 2.As possible, develop early responses that can be put into practice to reduce risks 3.Illuminate manageable next steps that help police forces to collect information about actual cyber attacks, as they emerge 4.Based on the reality and specifics of attacks, inspire rapid implementation of D3 responses (Deter, Detect, Defend) 15

Project Objectives Explore potential attacks against 2 different police vehicles – Ford Taurus, Chevy Impala Explore possible techniques for detecting attacks Explore possible attack defense techniques Develop potential immediate steps for reducing risks of cyber attacks Recommend next steps for risk reduction 16

Project Plan Develop attacks against each of the cars Develop solution concepts regarding such attacks Conduct a live controlled exercise involving unsuspecting police to validate the potential effectiveness of the developed attacks for disrupting operations Use video recordings of the exercise as an initial basis for training Use exercise outcomes to start initiating involvement of the broader community that needs to respond to this emerging risk 17

Project Plan Develop attacks against each of the cars Develop solution concepts regarding such attacks Conduct a live controlled exercise involving unsuspecting police to validate the potential effectiveness of the developed attacks to disrupt operations – Occurred on September 21st Use video recordings of the exercise as an initial basis for training Use exercise outcomes to start initiating involvement of the broader community that needs to respond to this emerging risk 18

September 21 st Exercise Videos 19

Initial Outcomes None of the 4 drivers suspected a cyber attack – A simple driver inspection under the dash board would have revealed the connected electronics that enabled the attacks – One driver suspected an electronic system failure – Another driver suspected that he did not correctly carry out a normally required physical control action All of the drivers appeared to be bewildered by what happened In all cases, the call for a replacement car would likely result in a failure to provide a timely response to the original dispatch call 20

Working Group Recommendations Based Upon Exercise Outcomes Immediate Steps: Reduce risk of attacks that involve tampering/insertion of electronics into cars – Awareness video under development – Inspection procedures need to be developed Need to initiate interactions between auto industry, cybersecurity community and law enforcement communities regarding technical need for rapid implementations regarding extraction of data to support post-attack police detection of cyber attacks Need research programs to develop technology-based defensive solutions so as to enable rapid implementation opportunities should attacks start to emerge 21

Move to Live Demonstration in Parking Lot 22