In-brief: the National Institute of Standards and Technology (NIST) has released a draft framework to help manufacturers create cyber physical systems that can interact with other applications and systems securely.
The National Institute of Standards and Technology (NIST) has released a draft framework that addresses security threats to cyber physical systems, including connected vehicles, wearable technology and “intelligent” buildings. The document is intended to help manufacturers create cyber physical systems that can interact with other applications and systems securely.
The Draft Framework for Cyber-Physical Systems (PDF here) was created by NIST’s cyber physical working group and published on September 18. It is designed to be a common reference for engineers, product designers and testers, according to David Wollman, NIST’s Deputy Director of the Smart Grid and Cyber-Physical Systems Program Office. It is open for public comment for 45 days, according to a statement on the NIST website.
[Read more Security Ledger coverage of concerns over the security of cyber physical systems.]
“Creating a complex device involves a lot of people with varying interests and concerns, from the designers to the engineers to the safety testers,” said Wollman in a statement. “What the framework provides is an organized treatment of these concerns so the group can address and manage them all effectively. It will prompt them to think of concerns they may not be aware of, and support understanding and integration of different CPS.”
Security for cyber physical systems is becoming a pressing issue, as key industries including transportation, manufacturing, healthcare and the public sector embrace features like wireless connectivity and remote sensing to enable new services. But the combination of software-based systems, remote connectivity and kinetic systems has the potential to cause new and dangerous new threats. Those dangers were brought into sharp relief in recent months, as Fiat Chrysler recalled 1.4 million vehicles after researchers demonstrated wireless, software based attacks on critical vehicle control systems, and the Food and Drug Administration urged hospitals to stop using drug infusion pumps that had been shown to be vulnerable to attack.
The NIST framework is meant to be applied across industries by setting high-level objectives. For example: applications should “resist change due to external perturbations or to respond to those changes in ways that preserves the correct operation of the critical application.”
The security aspects of the framework are targeted to prevent cyber physical systems from being compromised by “malicious agents,” and that the data stored on them “has its integrity preserved and is kept confidential where needed.” But it also addresses issues considered unique to cyber physical systems: timing-based threats unique to cyber physical scenarios and the way that security issues must be prioritized alongside privacy, safety, reliability, and resilience.