1. Cybersecurity for UAS Systems System-Aware Cybersecurity Barry Horowitz University of Virginia November 2015

2. Three Aspects to Cybersec for UAS’s Securing the manufacturing of the system Securing the final product Securing the final product in the context of the integrated air/ground system

3. A Systems Engineering View Because cybersec for UAS’s: – Impacts safety (Policy) – Requires operational doctrine to effectively respond to attacks (Process) – Requires solutions that span a broad array of risks (Technology) System-oriented research efforts are needed to develop solutions that account for the mix of: – Technology opportunities and limitations – Policy objectives – Process Issues (including human factors)

4. Traditional Cybersecurity for Internet-based Information Systems Standard cybersecurity approaches are infrastructural in nature: Network protections/System perimeter protections Little emphasis on protecting applications within specific information systems As a result, the cybersecurity community does not have needed experience in securing applications, and in particular physical system control functions And physical system designers do not have needed experience with designing for better cybersecurity

5. UVa’s System-Aware Cybersecurity for Computer-Controlled Physical Systems (1 of 2) Added layer of security, in addition to network and perimeter security, to protect physical system control functions Monitoring the highest risk system functions for illogical behavior and, upon detection, reconfiguring for continuous operation Build on cybersecurity, fault tolerant and automatic control technologies System monitoring/reconfiguring accomplished with support from a highly secured Sentinel – employ many more security features for protecting the Sentinel than the system being protected can practically employ

6. UVa’s System-Aware Cybersecurity for Computer-Controlled Physical Systems (2 of 2) Addresses not only externally generated attacks, but also insider and supply chain attacks Employs reusable design patterns to enable more economical solution development Includes doctrine for operator response to detected attacks Includes integrated methodology and tools developed to support assessment of both the consequences of attacks and the impact of potential defenses on the cyber attacker’s potential selection of attacks – Use SysMl for sufficiently detailed description of system to be protected – Use Attack Trees to support a two-sided assessment methodology

7. High Level Architectural Overview System to be Protected + Diverse Redundancy Sentinel Providing System-Aware Security Internal Measurements Outputs Internal Controls “Super Secure” Reconfiguration Controls

8. Sample of Reusable Design Patterns Being Prototyped Diverse Redundancy for post-attack restoration Diverse Redundancy + Verifiable Voting for trans-attack attack deflection Physical Configuration Hopping for moving target defense Data Consistency Checking for data integrity and operator display protection Parameter Assurance for parameter controlled SW functions Conditional Disablement of automation features Doctrinal Assurance Checking for critical decisions

9. UAV Prototype Live flight tests in December 2014 at Early County Airport in Blakely Georgia Multiple attacks/detections/responses – Waypoint changes – Camera pointing control – GPS navigation errors – Meta data to support video interpretation Secure Sentinel, including: – Triple diverse redundancy – Computer HW/Operating Systems/ Monitoring SW for monitoring – Configuration hopping – Monitoring both the airborne and ground-based subsystems for continuity Accomplished within power, cooling and physical footprint of an Outlaw UAV carrying video cameras and small phased array radar (currently implemented within a 3”cube

10. UAV Video

11. Continuing to Learn through Multiple Prototype Projects DoD – UAV/Surveillance system, including in-flight evaluation – Creech AF Base human factors exercise – Currently employed AF/Army AIMES video exploitation system – Radar system (In early design phase) – Initiating Army tank project related to advanced fire control system – Laboratory-based multi-sensor collection system 3d Printers – NIST Automobile cybersecurity – DARPA Urban Challenge autonomous vehicle – Virginia State Police project

12. Important Factors Regarding Securing Physical Systems Monitoring for and responding to attacks that have gained control of physical systems is a more contained objective than for information systems – More limited access to physical controls – Fewer system functions – Less distributed – Bounded by laws of physics – Less SW But – Successful attacks can do physical harm – Reconfiguration requires operational procedures for rapid response – Solutions requires operators who are trained and ready to react to very infrequent and unprecedented (zero day) cyber attack events – Physical system operators have no experience or expectations regarding physical system attacks, and – When selecting attacks to defend agains, need to be careful when building on historic safety related analyses - multiple concurrent failures, considered as independent and acceptably rare from a safety viewpoint, can be purposefully accomplished as part of a cyber attack (e.g., Stuxnet)

13. Scope of System-Aware Research Activities Human Factors – Working with AF Human Factors community at Wright Pat exploring “suspicion” as a measurable human characteristic, and how it relates to behavior in cyber attack situations and response to Sentinel information Methodology for selection of physical system functions to protect, based upon: – Operational risk-based prioritization – Dependable SysMl system descriptions – Integrated SysMl descriptions/ Attack Tree tools for red team participation – Penetration testing System-of-Systems based, mission-level security considerations governing widget level security implementation decisions – Currently using a laboratory environment (emulated base defense system) to address solution requirements and doctrine

14. System Aware Cyber Security Publications JOURNAL ARTICLES: B. M. Horowitz, R.A. Jones, Smart security sentinels for providing cybersecurity for critical system functions: unmanned aerial vehicle case study, Journal of Aerospace Operations, (Under review) R. A. Jones, B. Luckett, P. Beling, B. M. Horowitz, Architectural Scoring Framework for the Creation and Evaluation of System-Aware Cyber Security Solutions, Journal of Environmental Systems and Decisions 33, no. 3 (2013): 341-361. B. M. Horowtiz and K. M. Pierce, The integration of diversely redundant designs, dynamic system models, and state estimation technology to the cyber security of physical systems, Systems Engineering, vol 16, Issue 4 (2013): 401-412 R. A. Jones and B. M. Horowitz, A system-aware cyber security architecture, Systems Engineering, Volume 15, No. 2 (2012), 224-240. J. L. Bayuk and B. M. Horowitz, An architectural systems engineering methodology for addressing cyber security, Systems Engineering 14 (2011), 294-304. REFEREED CONFERENCE ARTICLES G. L. Babineau, R. A. Jones, and B. M. Horowitz, A system-aware cyber security method for shipboard control systems with a method described to evaluate cyber security solutions, 2012 IEEE International Conference on Technologies for Homeland Security (HST), 2012. R.A. Jones, T.V. Nguyen, and B.M. Horowitz, System-Aware security for nuclear power systems, 2011 IEEE International Conference on Technologies for Homeland Security (HST), 2011, pp. 224-229.

15. Patent Related Activity US Patent Application – US Patent App No. 14/660,278: “Cyber-Physical System Defense” Provisional Patents – US Prov. No. 61/955,669: “Cloud Based System Aware Cybersecurity and Related Methods Thereof” – US Prov. No. 62/075,179: “System Aware Cybersecurity and Related Methods Thereof” In Preparation – Additive Manufacturing (3D Printer) Cyber Security