Cyber Physical Systems (CPSs) are electronic control systems that control physical machines such as motors and valves in an industrial plant. In a networked environment, the security of the physical machines depends on the security of the electronic control systems, but cybersecurity is not typically the main design concern. The main concern for CPSs is the availability of the physical machines governing operations. As CPS owners continue to install remote network control devices and incorporate an increasing number of insecure Internet-of-Things (IoT) devices in their industrial processes, their operations become increasingly vulnerable. This article outlines current cybersecurity issues of CPSs and potential concerns for future CPS designers and operators. Secure future CPSs are necessary for keeping our critical infrastructure safe.
Introduction
The term Cyber-Physical System (CPS) is a generic term for a variety of other control systems, such as SCADA (Supervisory Control and Data Acquisition) systems, ICSs (Industrial Control Systems), BCSs (Building Control Systems), and the global electrical smart grid. These control systems are comprised of computers, electrical and mechanical devices, and manual processes overseen by humans. CPSs perform automated or partially automated control of physical equipment in manufacturing and chemical plants, electric utilities, distribution and transportation systems, and many other industries. CPSs integrate computational resources, communication capabilities, sensing, and actuation in an effort to monitor and control physical processes. CPSs are found in critical infrastructure such as transportation networks, Unmanned Aerial Vehicles (UAVs), nuclear power generation, electric power distribution networks, water and gas distribution networks, and advanced communication systems.
A key difference between CPSs and traditional Information Technology (IT) systems is that CPSs interact strongly with the physical environment, and the availability of the physical devices is the most important security aspect. However, CPSs are also cyber systems and are therefore vulnerable to cyber-attacks. This connection with the physical world presents unique challenges and opportunities.
In traditional critical infrastructure systems, great efforts are expended to address concerns about safety and reliability, and to develop the appropriate techniques for fault detection, isolation, and recovery. In CPSs, however, the additional cyber element introduces specific vulnerabilities which are not directly addressed in traditional fault tolerance and reliable computing practices. Addressing the cyber element in the safety and reliability of CPSs is of utmost importance, since the introduction of highly integrated CPSs into critical infrastructures and emerging systems could lead to situations where cyber based attacks against CPSs could adversely affect widespread public safety (e.g. Cardenas, Amin & Sastry 2008).
CPSs monitor and control industrial processes across a myriad of industries and critical infrastructures on a global scale (Weiss 2010) and therefore must be protected. Besides controlling critical infrastructure such as transportation and energy production, CPSs are increasingly used by consumers and therefore influence our everyday personal lives. Current and future CPSs are becoming widespread in our homes, automobiles and on our person, and will eventually be a large part of the “Internet-of-Things” in which an extensive array of physical devices will be heavily interconnected.
Figure 1: Sample of a Simple CPS
In Figure 1 we show a rough sketch of a simple Industrial Control System (ICS), which is a CPS used in an industrial setting. This control system has two Programmable Logic Controllers (PLCs), each of which is connected (upper panel) to a standard IT device network with a few Workstations. The workstations typically run Microsoft Windows or Linux, as in a standard Enterprise network. In the diagram, this “cyber” network is annotated as “Primary Bus.” The traffic on this network is usually IP packet-based.
Downward from the PLCs are Secondary Buses that control field devices, such as boilers, electronic lighting, and packaging units. While these buses or networks may be IP packet-based, they are usually serial links or simple hard-wired cables with specialized voltage or current control needed to run the field devices. In other words, they are not meant to have a standard network communication protocol such as TCP/IP. This is the “physical” component of the CPS.
Also, notice that most of the equipment in the ICS is NOT computer servers, network switches, or routers, such as you might find in an IT network. Even the workstations connected to the Primary Bus (the cyber component) are doing atypical work. They are not meant to be connected to the Internet to browse the web. They are specifically configured to only perform their function in the CPS. There is often little interest in following security measures such as installing anti-virus or keeping the operating system up to date because, ideally, the systems are not supposed to be accessed from the outside, and are not supposed to access the outside. The field devices and PLCs in the Secondary Buses do not run standard operating systems or security protection applications, and most likely will never be modified to do so.
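The expectations stated above for the Primary Bus (its hosts should neither reach nor be reached from outside, and only the configured workstations should talk to the PLCs) can be checked mechanically against flow records. The script below is an added example, not code from the article; the addresses, inventory and flow records are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed inventory for the Figure 1 layout: two PLCs and a few
# workstations on the Primary Bus (the IP-based "cyber" network).
PRIMARY_BUS = ipaddress.ip_network("10.10.1.0/24")
PLCS = {"10.10.1.10", "10.10.1.11"}
WORKSTATIONS = {"10.10.1.20", "10.10.1.21", "10.10.1.22"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def parse_flow(line):
    """Parse a constructed 'src dst dport' flow record."""
    src, dst, dport = line.split()
    return Flow(src, dst, int(dport))


def classify_flow(flow):
    """Return the policy violations for one flow (empty list if none)."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    findings = []
    # Primary Bus hosts are not supposed to access the outside.
    if src in PRIMARY_BUS and dst not in PRIMARY_BUS:
        findings.append("outbound-from-primary-bus")
    # Nothing outside is supposed to reach the Primary Bus.
    if src not in PRIMARY_BUS and dst in PRIMARY_BUS:
        findings.append("inbound-to-primary-bus")
    # Only the known workstations should talk to a PLC.
    if flow.dst in PLCS and flow.src not in WORKSTATIONS:
        findings.append("plc-access-from-unexpected-host")
    return findings


def audit(lines):
    """Map each flow record to its list of findings."""
    return {line: classify_flow(parse_flow(line)) for line in lines if line.strip()}


# Constructed flow records; 203.0.113.10 is a documentation-range address.
SAMPLE_FLOWS = [
    "10.10.1.20 10.10.1.10 502",      # workstation -> PLC: expected
    "10.10.1.21 203.0.113.10 443",    # workstation reaching the outside
    "203.0.113.10 10.10.1.10 502",    # outside host reaching a PLC
    "10.10.1.30 10.10.1.11 502",      # unknown Primary Bus host -> PLC
]

if __name__ == "__main__":
    for line, findings in audit(SAMPLE_FLOWS).items():
        print(line, "->", findings or "ok")
```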
The scope of a CPS may vary enormously. It can range from a single PLC controlling a motor to a larger distributed system controlling many devices in a power utility generation plant, for example. CPS configurations also differ greatly. Configurations may range from a single component to a highly distributed configuration with wide area networks spanning a whole continent with many thousands of physical devices.
In spite of such diversity, the basic building blocks of a CPS can be assigned to only a few classes. These include, for example, Programmable Logic Controllers, Remote Terminal Units, and Communication Gateways. A CPS may be completely automated, but normally is controlled or at least supervised by a human operator. Therefore, human machine interfaces (HMIs) are important components of a CPS.
CPSs are traditionally operational systems, where process control is the priority for the human operators (see Hahn 2016). Of the four components of security (Confidentiality, Integrity, Availability, and Safety), Availability and Safety dominate security concerns for CPSs. Typically, Confidentiality and Integrity have high priority on IT networks. Whereas IT systems have similar standard computer hardware and network infrastructure, human usage policies, performance requirements, and security defense methods, CPSs are diverse. Their hardware, policies, and process requirements are typically unique to the system, so that a single security solution for all CPSs is extremely difficult to develop. As IT system technologies begin to converge into CPSs, it becomes more critical to understand and analyze these differences in order to manage expectations of future CPS security. This is especially important if IT security methods are considered for defending CPSs from attack.
While strong concerns about security of CPSs, particularly in the context of critical national infrastructure, were expressed even in the early 2000s (US Department of Energy 2002; Luders 2005), it was not until the legendary 2010 Stuxnet episode (e.g., Langner 2011) that security of industrial control systems entered public and government discourse and acquired today’s saliency (Executive Order 2013; Stouffer et al 2015).
A recent overview of cyber-security issues in CPSs, specifically Industrial Control Systems, can be found in Colbert & Kott (2016). Some pertinent aspects from that work are repeated here.