Distinguished Lecturer Series
 
Cyber-Physical Security Through Information Flow
Bruce McMillin
 

 

Abstract:

A Cyber-Physical System (CPS) is an engineered physical system with a significant cyber component and consists of many interacting distributed cyber and physical components. CPSs are deployed in critical applications such as such as advanced power electronics in a green electric power system, vehicles in an automated highway system, distributed aircraft navigation systems, chemical process plants, and consumer components of a smart house in which correct operation is paramount. Unintended or misunderstood interactions among the components of a CPS cause unpredictable behavior leading to serious errors. While each component may independently function correctly, their composition may yield incorrectness due to Interference. Interference that violates correctness or security is well-understood in the purely software (cyber) domain. In the CPS domain, interference is much less understood. Security and confidentiality problems are particularly vexing. Attacks such as Stuxnet show how formal security properties can be violated through physical interference with the cyber components. To add to the difficulty, CPS security is difficult to specify in terms of traditional “high” and “low” security.

This talk presents an interpretation of formal information flow properties and interference within the context of a cyber-physical system blending both physical and cyber information flow properties across multiple security domains. This poses the deep scientific question: how to make such systems secure and correct?

 

Transcript:

Kerry Cosby: Good morning, everybody. This is the IEEE Computer Society Distinguished lecture webinar series brought to you by the distinguished visitors program. The distinguished visitors program delivers tools for individuals at all stages of their professional careers, through visits to chapters, offering opportunities for individual interactions and to the membership through webinars. By respected professionals. We have distinguished visitors around the world who cover machine learning, cybersecurity, robotics, big data cloud computing, block chain, and cryptography among others. Chapters can request a distinguished visitor on computer.org/distinguished-visitors. The distinguished visitors program is able to pay up to a thousand dollars for a visit to a chapter, but by working with other nearby chapters to develop a tour, that amount can be increased. So when your chapter is planning, its next event, think of the distinguished visitors program.

Hello to everyone joining us around the world. It’s a beautiful day in Washington DC area, and I’m enjoying it safely behind a plate glass window. I hope all of your acute things safe and healthy. Welcome to our distinguished lecture webinar series. Before we go any further. My name is Kerry Cosby and I’m the chapter’s manager here at the IEEE Computer Society. I oversee our 500 professional and student chapters around the world and manage our distinguished visitors program. Before we get started, I’d like to get a couple of housekeeping tasks out of the way. You can ask your questions in the Q and A panel. Dr. McMillan will answer as many questions as you can following the presentation. The webinar is being recorded and the slides and recording will be made available within a few days after the webinar, today’s lecture will cover an interpretation of formal information flow properties and interference within the context of a cyber physical system, blending, both physical and cyber information flow properties across multiple security domains.

Today’s speaker is Dr. Bruce McMillan, professor and interim chair of computer science at the Missouri university of science and technology. He’s also the director of the center for information assurance and co-director of the center for smart living at the Missouri university of science and technology. He leads and participates in interdisciplinary teams in formal methods for fault tolerance and security and distributed embedded systems with an eye towards critical infrastructure protection. His current work focuses on protection for advanced power grid control dr. McMillan. Thank you very much for presenting to us today. I’d like to hand the floor over to you.

Dr. Bruce McMillan: Thank you, Kerry. And again, good morning. Good afternoon. Good day. Anything around the world? thanks for joining today. So again, my name is McMillan I’m with the Missouri university of science and technology, and, that I just found their days to look at that. I’m not in Washington D C I’m actually at my home location here in the state of Missouri. Where am I? How, okay, so you know where you are. So let’s try to figure out where I am, ah, United States and literally right in the center of the United States. And if you’re familiar with the U S or maybe not, Missouri, university of Missouri S and T or just S and T, cause it gets to be quite a mouthful. Isn’t it town called Rolla. We’re near st. Louis, the st. Louis arch. we have our own primitive computer, which has a half scale model of Stonehenge or water jet technology people.

And we are really a very large STEM school science technology, engineering, and mathematics. We have 7,500 students across 17 engineering programs. I tell you that because of the topic that I’m really talking about, which is cyber physical systems, and this term has been popularized, I guess, within the last 20 years. And you could see the definition here, the way to think about it is that it is some sort of physical device, some sort of physical system with computing deeply embedded in some examples might be a water treatment plant where you’ve got physical pumps and filters controlled by programmable logic controllers or your electric smart grid, which we carry talked about a little bit in the introduction. it’s not just power flowing the way power wants to flow, but power being directed under cyber control, advanced manufacturing and autonomous vehicles. Another example where you’ve got artificial intelligence, controlling control systems, controlling the physical systems, aerospace management, aircraft moving around and, essentially Matt running into each other, but also taking off and landing under autonomous cyber control to be able to do this requires that we really have a deep understanding of how computation relates to the physical system into control, how communications relates to different parts of the physical system and back to computation.

So let me give you an example of something. I maybe a, a, a transition here as we transition towards more cyber physical systems. So that’s an abstracted picture of a power distribution system. That role pretty much the player with in the background there in the gray are the source of electric power. You’ve got coal, nuclear, maybe wind, you can even put hydro in there and the power comes down to your house, to your neighborhood. Well, cyber physical system starts to look at this a little bit differently and you see the big sign on the front that says governance, messy, a leaderboard system that might be used within a neighborhood to be able to talk about, collectively your usage of electric power and how do you more efficient to use electric power. So we changed the world from just receiving electric power produced by some other type of producer, into a community type of, of discussion.

Well, how do you actually do a community governance? So how do you community shared governance? It’s actually a localized management of your energy resources instead of a distributed or a set of remote type of, of lack of management or management by somebody else. And the power can be locally sourced. It doesn’t have to be brought from somewhere else. You mean by locally sourced power? Well, you can have your own turf on top of your house. You can have your own solar cells on top of your house and you can buy and sell power from your neighbors. So it’s a very, very different type of concept. And to be able to do this requires that you have locally embedded computation working with the underlying electric power system.

We also have to talk a little bit about security at this exact point. This is definitely going to be a security talk and information flow within security. Let’s think about security domains. What does it mean for such a system to be secure? We usually think about security in terms of cryptography. That’s what first comes to mind or high security, low security protection domain, such a concept it’s very difficult to do in such an environment. And we also have to preserve privacy because think about a leaderboard system. Do you really want your neighbor looking inside your house? Well, no, but what you’d like to participate in maybe a shared type of energy map system. So these are challenges now that you have when you have a cyber physical system, when you put people at it. So this is a, probably a traditional picture, but we tried here.

Let me think about what it should look like. It’s the same houses, but now I’ve got security domains, which reflect a lot more of how the physical system really operates. Those three houses, a B, and C, think of the old adage. A once home is their castle. So it’s okay to see the outside of the house, but you not because you want to see what’s inside the house, that’s privacy, but you still wouldn’t be able to interact with the outside world. So that’s this other label called support, the grayish, interaction here, essentially the power lines that run between the house or perhaps, will, will even fat the power lines that run between the house. But then how is the whole thing managed? Well, this governance here has to be able to manage the system to be able to direct power back and forth, but yet the governance system should not be able to see inside the house, but it can see how the houses interact.

So they have a very, very different kind of novel, a way of looking at security here. So let that sink in for just a bit, and I’m going to show you something odd. So here’s a graph in the middle of the first part of a presentation, which is a very peculiar thing to see. But what you’re seeing is on the, the lower access, there is time of day. So we have midnight, we’re running along to the right, and all of a sudden we get these spikes and then what’s on the left axis is the amount of power usage. And you can see the colors here are appliances. The toaster comes off, he use the bathroom, a light fixture, but water heater comes on. So these spikes show that essentially the, the usage inside the house. Now, the reason that I’m showing this is remembering the previous slide.

We have the governance, he could simply see the outside of the house. Where did this graph come from? This graph was obtained by simply sitting outside of the house, monitoring the power fluctuations in the usage, no internal instrumentation. We call this data exhaust simply by the activity of the electric power system. All of a sudden we begin to generate data and we begin to generate information that flows out of the system. And we do not anticipate that at all. So I’m setting up a problem here, which talks about really, really the complexity of how one deals with security and privacy and a cyber physical system. So let’s return back to our picture here. What do we do? Management and governance, what to a standards organization say about this? That picture that I just showed was from a NIST report that I was involved with 76, 28, a number of years ago.

And this really took the view at that time. That privacy was something that we might worry about with smart meters, but, but in reality, really worried about maybe people selling, buying, and selling somebody information to do advertising kind of, kind of not really looking at the privacy issue directly off. Well, what I’ll tell me, mash that cloud, everybody talks about cloud. Well, one, one aspect of cloud is kind of interesting. NERC is an acronym for North American electric liability corporation. And sip is critical infrastructure protection and NERC CIP standards say you really should not divulge what kind of control settings you’re doing, in electric power system. But wait, that graph, I just showed that’s exactly what it was doing. It’s not. So also the problem with cloud might be that you have some sort of remote management system, but if you look at that picture, there are things happening locally.

So I’ll turn next to another concept called fall. I don’t know if you’ve heard of fog computing or not. There’s a bit of a joke which I’ll talk about in the next slide before the term comes from. But in reality, it’s an internet of things and cyber physical systems or internet of things. In this case for energy management, it’s locally managed and locally produced and locally protected. And this is what we want to try to go to. Now, I’m going to diverge for just a second here and do some definitions. Okay. Cloud, we’ve all heard about the cloud, put it in the cloud. What’s the cloud, that’s the cloud. There is no cloud. It’s just somebody else’s computer. This is the cloud. So, so let’s get the notice in the cloud is some sort of magical thing, our head, all right, so it’s computer somewhere else.

Fine. I can accept that. So once a fall now comes the funny part. What’s the meaning of follower? Well, what does it fall off? What is fog? Fog is a cloud. It’s a cloud on the ground. It, so it’s you putting the computational intelligence from the cloud right next to the activities that are occurring in the example that I have here is power usage. So I’ve got some extra spaces here, nest this to the edge of a fall, right? You really get carried away with this. Well, what’s missed in terms of computation it’s edge devices. It is a handheld is maybe medical devices. And how else can we complete our picture? And one more to do as droplets of fog, you can kind of get the idea here. You can get too carried away with this. We’re going to focus mostly on fog computing or internet of things, computing. When we talk about cyber physical systems here.

Okay. So the thing that I’ve been talking about with power management, I haven’t really clarified it until now. And we’re talking about buying and selling power. We’re talking about something called transactive energy management. And this picture is actually extracted from a system that we constructed in a research project. And the way to read it is that you have individual computers called DGI is here. If you can see them, they control individual power conch devices, which then control energy resources, such as wind, such as solar energy storage, such as batteries, and then loads, which are whites and, and, stoves and furnaces and things like that. So the way transactive managing works is you embed it into a series of houses. This is a picture on campus here of our solar village. So these are solar houses that were built by students and their inner networks into micro grid, which can do transactive energy management. So think about one house here has a rep says, Hey, I’ve been generating power all day. I’ve storing it. I have a lot of it. I don’t need stuff.

Well, how does that occur? That is a message that gets sent between the computational elements of the system. They then respond. So this is a distributed protocol. I have some need the red one here has even more critical need. How does the system respond? Excuse me, it discharges one device. And then tell us another device or another house. This is okay. You can start drawing power on migrate or transfer power. If you’re familiar with electric power, the notion of commanding a power system to transfer power is significant because it would, it does. It allows you to not have pinpoint control of the underlying power system, much the way that we do in computer operating systems, we can control process scheduling. We’re now controlling physical power scheduling to construct such a system. You actually have to dynamically manage it. So you start up one device thinks, Hey, I’m all by myself.

I’m all by myself. Wait a minute. Let’s get together and form a group. And these groups form dynamically, likewise, with the computational elements, Hey, I’m by myself. I’m by myself. Oh, wait, we can form a group. And we’re managing the power systems as a group. So this is how neighborhoods are dynamically formed in such a system. So this is an example of a cyber physical system that I really want to continue to use as a running example here. So hopefully this, this is a game that makes some sense. I now want to turn towards security more specifically and threats. So let’s do a taxonomy here of threats, physical threats. What’s a physical threat. It’s things like that. You know, I think we know how to deal with physical threats, at least to the aluminum, with the cam things, blowing up things, being attacked from perimeter.

We’re not talking about physical threats. Alright, well cyber, well typically when someone says we have a cyber threat, what’s the first thing that comes to your mind and it’s this exfiltration of data releasing passwords, releasing account numbers. Okay. We’re not really talking about that either. What we’re talking about of these last two cyber enabled physical, and there was one of the first ones of those. This happened a few years ago with the, attack on Ukraine, which then got into their control systems and opened a bunch of circuits and actually cause a nationwide, power failure that is cyber attacking the physical and just for completeness now, let’s that? What could that possibly mean? Hmm. Why am I showing a chemical plant? Because think about it this way. I can steal stuff just by watching the power fluctuations or the amount of material that comes into a plant for the amount of product that leaves a plant.

So now the physical presence causes this data exfiltration, and now I’ve turned physical observations into a cyber attack on privacy. It’s clever. Doesn’t that monitor different variables. Okay. Obviously we’ll solve it. All the firewalls clearly could encryption. Everything will be great. Yeah. Right? No, I don’t know how many of you recognize this care piece from the fifties, new Marie. So what could go wrong with all this? Well, let’s take another look at this. This is attributed to a PhD student in mind for their Jerry Hauser who came up with this idea. This is a, this is actually a castle. And I think it’s Lithuania. and, the drawing is, but think about tassel security. If you’ve been in any place in Europe or any place around the world where you see a medieval type castle, they kind of look like this. And you’re worried about the threats.

So how do you guard your castle? Well, you build a good wall. See that wall around there. That will keep the bad people out. No problem. But wait, what’s that? Well, if you go inside that that’s a castle with thicker walls. Well, why do you need that? Well, it’s because these outer walls might be breached by an attacker. Oh, so your firewall or your wall there. Wasn’t so great, but that’s okay. You can say inside the inner castle and those walls are even thicker. Well, it’s not very big. And after a while, you know that water outside looks pretty darn good. And you start getting pretty thirsty. So what does he attack her? Do they just poison your well? Huh? Saw the meaning behind showing this is that our notion of security and security domains and high and most security is pretty primitive. It’s about as advanced this a 12th century technology for building a castle walls only do so much.

Our firewalls in cyber only do so much. We have to go farther beyond. Now, let me take this out of the 12th century and go back into something more modern. This is from national Academy report a few years ago, and it talks about a SCADA system. You can see what the acronym spells out down here towards the bottom of this slide and the national Academy’s views, a SCADA system or control system was used in Ukraine. The following way, we’ve got a control center and we have information that is passed around the control center. Those are the orange up or down. And so the control center sends data to, or receives data from patrol units who then either read data from sensors, such as a power flow sensor, or they open a switch, which is an way then we have a different entity down at the bottom of the screen, which is the business office, the people that do billing.

And then we also have partners because if you’re familiar with the utility industry, you tend to buy and sell power from partners, independent service operators. And so we have communication with them. And then we have communication to the business center and we have communication from the business center to, the SCADA system. Now that’s a generic picture of here. There is a problem with this picture, the way it’s drawn. It has been known for quite a number of years. There’s exactly one of these arrows in here that should not occur. If you have a little quiz here, which arrow should not occur, the hint is it’s the connection between the SCADA system, the actual process control system and the business office.

Should we be able to read from the SCADA system, the business office, while we might think that a privacy or confidentiality issue, but what’s happening in the skater system may be, what about being able to write from the business office to the SCADA system? That’s the bad one and think about why what’s the business office connected to it’s connected to the outside world. People plug their own USB drives into it. That goes search cat videos who knows what’s happening. Anything that infects the business office then can infect the skater system. That’s exactly how attacks come in, in such an environment. So this is well understood by the department of energy. It’s one of the original best practices for designing such a system. Don’t allow writing from the business office, into the actual process control system. What’s really nice is, you know, I’m an academic and when you can relate something to a textbook, it seems a nicer.

This is an example of something called the VBA model and Biba was invented in 1975 and talk about integrity levels. And it talks about higher integrity to lower integrity. And the way that the people, our model works is that if you access something that’s of a lower integrity level from a higher integrity level, your integrity level drops to put more into popular context, think about this. Everybody’s familiar with this ridiculous program. So if you watch it, your IQ drops. That’s the joke. So don’t do that. Don’t look for something of less integrity than you are. Let’s bring that back to system, our SCADA system here. So how does the behavioral model tell us? We already know that we can’t right from into the scanning system. So it tells us that the, the, the business office here is of lower integrity. Well, that also tells us then that we really need to talk about security.

And then we’ll come back to integrity in just a second. So security. This is the classic model that we deal with in terms of security. And it’s called Bella patch, laughter the original authors and some military model. And we’ve all heard from the movies top secret, secret confidential. Well, it’s predicated on the following. Don’t read up. In other words, unclassified should not be able to read top secret. Do all of that is from top secret, should not be able to write down to the unclassified level. Makes sense. Right? Well, let’s run forward with this. So it’s a military model. So let’s say we have a military commander at the secret level and they need to communicate to their troops. How did they do that? Because remember you can’t write that you can’t write from confidential or higher, higher a secrecy to lower secrets. What do they do?

They downgrade their security. They’re trusted. Trust is actually one of the bane of existence of security, but let’s keep this model, this strict model in mind for just a second. Remember, don’t read up, don’t write down. Now it’s a part of this back to our system. So here the Bella patch view of the system and we still have as well. You can’t write for the business office down into the SCADA system, which means that the business office has higher security than the SCADA system. Then the control system, likewise, the system patrol centers, higher security than if terminal units, which is higher security stuff. That’s outside. I guess that makes sense. But I can read. And then the question is, what do I do with my partners? Are they higher security than me or lower security than me? Well, if they’re higher security going, gonna write to them, but I can’t read from them.

If they’re low on security, I can’t write to them, but I can read from them. So we’re all one big happy family. The result of all this is it of all the security analysis we do. The best we can do out of a modern system is that we have two security domains. One is the entire physical system. The other is the business office. Little frustrating. Let’s apply that to this. Oh, why it’s hopeless. There’s no way within a peer to peer architecture for apply a strict higher security model. So what do we do? How do we get on top of this? We need to go back to that earlier picture about a person’s home is their castle and let’s see what that looks like. So this is my artwork, as opposed to professional artist. I apologize for that. If it’s really the same picture and let’s take a look at, you’re sitting inside of a house, let’s say house number, see you there on the right.

How do you view the world? You could see the power’s flowing, but you can’t really explain where it comes from. So you powerful is non deducible. Likewise, you’re right here in the house. A, you see power flowing, but it’s not deducible. Whether it’s house be your house, see what’s happening, things change, but you really have no clue as to why they change. But governance here can see all the aspects of the houses and all the powerful are coming in and out. So the powerful it becomes deducible to them. So now I have the same sort of environment that we talked about earlier with the neighborhood. Let’s look at this a little more theoretically. I realize it’s kind of hard to visualize powerful. So I’m going to flip this around here to waterflow. This is a system common in the United States. It’s a gravity feed water system, the tower left there. Water’s pumped up into it. And then it drains out during the day for people to use well, let’s look at the information that’s present in this physical and in this waterflow, may I sit here and house, see, and I’m trying to figure out what’s going on.

Well, a couple of things can happen. One is the water company can start messing with the water supply. They may shut about that, which means your water pressure crops or your neighbor turns on their sprinkler. In either case your water pressure drops. The question is how do we develop a security model that describes this all the very basic one. And it’s called non-interference like organic massacre from the eighties. And it says that high, low events don’t interfere with local outputs. Let’s interpret that. So the utility is in the high level. The houses are in the bottle up and the utility does a command. Let’s try to apply the strict non-interference model to this sample festival system. So if the utility changes the water flow at all, I’m going to notice it down on house number C, but wait, that’s not possible. It’s a system is not very finished secure.

I can’t do anything that was observable by how C, which means I can’t issue commands to the water system. This is a ridiculous cyber physical system. It’s not possible. So Tara will model it. This is the most common security model, but is out there. In fact, if you look, we’re a cyber physical systems, people talk about non-interference as a potential model, but it’s, it’s absurd because you can’t do anything. So let’s see what else is out there. Not 1990, or how long Carmel Howard came up with the following model, non inference. I didn’t pick up these terms, but interference and inference are different. And the idea is if you take a trace of the system or move high level events, you still get a valid trace. Let’s see how that works on our power and our water system. So again, I got the command, I got the observer and I see over at the observer there that the water pressure dropped either from the utility or a drop and the neighbor turning off their faucet.

Huh? I don’t know. I really don’t know why that change occurred. All of a sudden I see that the information has changed in my water, but I don’t know what source. Now I’m beginning to get away of securing the system operation from let’s say house number, see here, potential outsider. Well, let’s just give me this a little bit farther. Non-dues to build. I used that term earlier without defining it. And this is a low level observations compatible with anything. So let’s not go back, same picture, but now houses a B and C and utility are all different security. See sensor and wonders. What’s going on. The utility changes the water flow, okay. Or the house speed changes. The water flow, the water flow, changing. Both those events are indistinguishable to me. I still left them down. Same thing of house aid does it. This is really cool because now all of a sudden I can completely block information flow of what’s happening to house C, but still allows how to see that something is happening.

Think about how valuable that would be back with that earlier graph I had about the appliances in the morning inside the house. If you could see the something was happening, but I had no idea what it was. You’d have some pretty good security. This is the kind of fundamental way that we right now, information flow to a physical entity and a cyber physical system. So back to our picture here, the overlapping security domains we have non to disability, not to disability and governance now can deduce, but it can only do so much. It can only do this. What’s happened to the founders of the house, but it still maintains the privacy and confidentiality of what’s happening within the house.

So it’s not to do stability. Good. Well, yeah, it keeps stuff from leaking from the security domain out to the unsecure domain, but there’s a flip side of this. It’s really intriguing. It’s bad in the sense that if the outside domain can fool the inside and to not understanding what’s happening. In other words, a lack of situational awareness, then that’s really bad because an attacker can now destroy the integrity of your system. You won’t know it. So not a disability, a bi-directional model. This has been known since the eighties. This is not brand new stuff, but, but how it applies to cyber fiscal system is really fascinating. So the challenge is to simultaneously make sure the bad guys don’t see confidential information, but make sure that the good guys, the defenders can tell what’s going on in cyber physical system with the same model while st.

PhD student that drew the artwork earlier, came up with this, you know, there had to be equations and this is a modal logical expression called multiple security domain. Non-disability and the way to read it, if you look at that formula down there is it defines over a series of the worlds, which are essentially collections of States of the system. It’s always true that for two disjoint States, such as waterflow is on waterflow is off. If I can maintain that, I don’t have, what’s called an valuation function from a particular domain for either one of those States. I have a non deducible simply secure system. So from the point of view or of our houses, inside the house, I do not have a valuation of whether or not a particular faucet is on or is off. We can use this to actually analyze the system and quantify, it’s is security.

And the example we first did was such that you may remember Stuxnet from the news. It was an attack on a nuclear processing facility in the country of Iran. And it worked as follows. If you look at the left hand, part of the picture with security domain zero here, it was a series of centrifuges processing fuel. The program we’ll watch patroller here was infected with the virus called Stuxnet. And so what happened is that the PLC would read from the actual fiscal system and these metrics over here, I’ll explain in a minute, but I means information flow Stuxnet would receive that it would modify the information flow and then send up with PLC. The PLC has no reason to disbelieve that it wasn’t seeing the actual ratings from the centrifuges, but stop sending manipulative. I’m saying, look realistic. It then fires the mom up the line and to the operator and says, Hey, everything looks good. Everything looks fine. What Stuxnet did is it made in security domain for their, the system non to do simply secure to the opera.

I’m going to repeat that Stuxnet made the system non simply secure to the awkward, and that’s a bad thing. So it depends on which direction the information is flowing and who is the defender? Who’s the attacker, whether security is even good or bad. Now the question is, what does the human do? What does the operator do in such a situation? The I’m going to become suspicious of this and says, I wonder if this is really true, I’m getting information for a little bit. Do I believe that’s the not belief and the not trust that’s there on the right? So the opera gets up out of their chair, goes downstairs, takes a look at centrifuge. It takes a reading comparison, what the trace of the readings and realizes those aren’t match. What the system is telling me from the physical system is doing are very different.

So by doing that, I add a valuation function that allows me to break the non deduce ability of the system. So by breaking security, I make the system more resilient to attack. I realized it’s a bit of a challenge to wrap your head around that particular thing. But again, it depends upon the, the direction of information flow that you’re trying to secure. So that’s all well and good in the abstract and stuff. Scentless one attack. Does this scale to anything? Well, it does. And so we work with our friends in Singapore a few years ago, and they have a scale model. This thing is the size of an entire factory floor of scale model of the Singapore water treatment system. So it was a fascinating approach to work on because you can destroy things, without doing any real harm. So it’s there, there’s another picture of the fiscal system.

It’s located at the Singapore university of technology and design. It’s got six processors in it, sensors and actuators. And so we applied this MST model to that. I’m going to pick out just one part of this really complicated diagram, but as you can see, water comes in from the left, it was off to the right. It goes through some prompts, it comes back around immersive, some filters, ultraviolet filters. It has a backflow scape of your B and then potable water comes out the other end. So it’s a, it’s a water treatment sister system of raw water into drinkable water, which is fundamentally what it’s doing. I’m going to zero in on the upper left hand corner of it. And just the first stage of this process, we’re all water comes in there, bunch of PLCs. And so here’s process one, I’ve got a tank roller comes in, it’s got a pump that pumps it out.

It’s got a foul, the controls, whether I’m accepting more water or not, it’s got flow sensors, which can tell me what’s actually happening in the system. And the program will watch controller. Then as a fairly simple point at this point of view, it fills the tank until the tanks full and going tanks for SOPs, for tank, pretty simple idea, but each one of these in the MSDN, the model is its own security domain. And they’re interacting with each other as is the PLC. So the PLC, if it’s infected, sees the fall, the level indicator here as a float in the tank, which is measuring the amount of water. And so it’s getting information from the tank, you’ll have indicator, which is correct. Like it wasn’t such that it tells the virus what’s happening. The virus law is fires, tells the PLC something different is happening.

And then that goes to the opera, the effect of this. And we did this actually a video of it is we overfilled the tank by fooling this thing and pumped, just get pumping in their water floor. They put a damper on the tank after we started doing that. So how do we analyze this? This is the mathematical analysis behind this, and I’ll be happy to discuss this independently for someone who wants to work through it. But the key is that middle expression, we lose a valuation function from the security domain of the operator. What’s actually happening down in system. That’s how do I break it?

Well, this is the part that becomes more difficult. How do you fix this by breaking the inherent non-disability security? You have to add more information. And the information that we had today is a very simple relationship. It’s a flow of variant. Variant is something that’s always true, no matter what the configurations are. It’s always true in this case, it’s just the water view of the power system per cross laws, water for inflow minus water. Outflow is constant. The water comes in. It has to leave. It saves in the tank if too much water gets in the tanks, then, then this one overflow. So there’s a balance that has to be maintained. So let’s redraw the attack here, same sort of same serve wine, same sort of bad reports to the operator. But now the operator has an additional source of information, which is this invariant.

And by looking at the flow indicator on the left and the flow indicator, right, to make the deduction that what I’m hearing from the PLC and what should be happening from the system are not the same. I have a problem that for mathematical analysis as well, and you feel good at the bottom, the key part is there. One of them not exists, it’s changed into an exist. And now I have a valuation function on the system, which allows me to break the non producibility security and preserve the integrity. We implemented this as part of the, a Sudd project. there’s a flag and monitor here. In fact, this is a really, excellent thing. They run red teaming exercises every year, where they invite teams and to come and try to break the system with these defenses in place. To my knowledge, they’ve never gotten past the first level of defenses or second public defenses.

These are still waiting for them, but we know how to attack the system. So some of it can break through that and finally get to the final point where now you actually can’t get past. These are just some various, snapshots of some of the details. I’m not going to go these in a detail at all, other than just to say, I’m going to do this. So this is another typical result. And this is the same thing we did with the two previous pictures that you showed is what can you do with this? If I look at the number of information, full paths that are in any system, this is another result from our power system, as opposed to a water system. I get a count here of the amount of information folk has. There are, I can then use MST and D analysis to tell you the honesty and the secure paths that are found, which tells you the number of vulnerable paths are on the system.

In this case are 89. I can break the museum in variants so I can break 73 paths. And let’s just 24 and Berry and slept in the system. What have I done? I’ve established a measure of resiliency for the system, for the security of the system, which is, which is really hard to do, but I’ve done it in terms of this common cyber physical information flop. I’ve given the fact that it’s this moldable, I’ve mitigated those vulnerabilities, but if you scrap those, your numbers, I’ve still got 16 Volvo paths, but I’ve improved the resiliency of the system by at least that,

Wow. Now the question is, what do you do with that information? You can sit there and say, okay, well, my system still has resiliency. Then you have to go through the analysis. How likely are these, or what you do is you redesigned the system to get rid of those remaining secure paths. Because every time you have these secure paths, you have the potential for an attack on your system. So again, what do you do with this information? Well, we’ve been working on this for a while. the MSDN D work came about about eight years ago. We can work on power systems for about 22 years and we then decided, okay, what do we do next? We’ve we’ve done this analysis on a lot of different systems, manual analysis. So we do and measure the system security resilience. Using this uniform information full model allows you to quantify the vulnerability of the system.

We improve the design. How do you improve the design? You mitigate the MSD MP paths. Then how do you do that? You use engineered knowledge to use the knowledge of water forms. Look like this. Powerful must look like this system. Stability must look like this. A traffic flow in this look like a flow and variance must look like maximum flow. And this provides an actor’s offense against both these kinds of attacks that I talked about, the cyber April physical, and you can make a very easy argument. Now it protects against physically and people’s cyber because of their dual nature of information flow. The conclusion we’ve come up with though, after 22 years in the field here is using this technique.

It’s hard. It can take a couple of years to actually break down the system. Aren’t terribly practical for an industrial application. We recognize this. So we’re currently funded by the U S national science foundation to do the following. Let’s automate this. Let’s abstract. The notion of the invariant into this owl icon in us culture. There’s something called the wise old owl. I know it doesn’t extend around the world, but the owl come spine parts of the system, but I can only probably the up parts of the system. That’s the Spyglass and the Spyglass gives you the valuation function. So let’s automatically construct these security domains that the owl symbol gap Optum, then let’s instead of struggling with each single, infrastructure, what is it? A very water? What is it? A variant of power? What is an invariant aviation, chemical plants? What some strapped this, and there’s something called a port Hamiltonian system.

These have been around for a while. again, trying to do the same thing, trying to provide abstractions with a slightly different take on it, trying to extract the control systems along with the physical systems, such that once you solve it for this abstract nature, you can go back to the actual physical system and don’t have to rethink it every single time. Likewise, state estimation. How do I know that those sensors, that I’m reading from the water system are actually giving me the correct information? That’s one problem. The other one is that real time, since we don’t sensor readings are rarely precise, there is some noise. So how do we distinguish between noise and between an attack or how you think of the last one is instead of asking the engineers to come up with all these variance, let’s monitor the behavior of the system.

Let’s use data science now, data mining, to learn the behavior system and learn. What’s known as ground truth, how the system should really behave. So this is what we’re working on right now. Some initial discoveries are, or some are frustrating. And the goal is follows in the top picture. Here is we have our same water system. We ran the design centric defenses against this, the ones that I mentioned earlier about the invariants and then our data science expert did huge amount of data analysis of the same system. And we came and prepared the two at the end and they diverge from other.

So there were two reasons for that. One is what the engineers thought the system was doing. Wasn’t actually what the system was doing through the various implementation constraints. The data century learned the system perfectly. Unfortunately it didn’t burn that system. It learned another system because if you think about it, no matter how much data you collect, you’re not going to be able to exercise every possible operational mode of the system. So you’re gonna want a sub set up. And as soon as the system behaves tended to do, but not the way that you’ve measured it, you’re going to flag errors. Now you can see exactly what’s going to happen. Next is an attacker. A Wiley attacker will poison your data, data, poisonings real term, and cause you to learn the wrong rules. So we have to have a coupling here between the design centric and the data centric aspects.

The bottom graph here is another problem. And one, an attacker is attempting to steal power and they do so by hiding in the noise while the instantaneous, you can’t detect it. But over time you can see them out of power stolen, continues to increase. So there’s a lot of work that still continues to be done, officer. All right, so I’m nearing the end of my presentation. I just wanted to wrap up a little bit on the left. I would say that most of our security work these days still looks like the 12th century. It’s a castle with walls. It’s imagine a line from world war two fence fortifications are good start, but it doesn’t address cyber physical aspects. It doesn’t address insider attacks. The modern environment is overlapping security domains of the flow between the security. So this is, I think my major takeaway here is it. We need to rethink how we draw security and secure interactions in our modern cyber physical system.

I’m pausing for a second. Cause I’m going to transition to a couple more slides. We’ve all seen this trolley problem. The set up, if you haven’t seen it before, this is a runaway trolley and there are five people stuck on the tracks on one track. There’s one person stuck on the track on the other track. And you’re standing there with a switch. What do you do? No, of course it’s a philosophical argument. There’s no correct. Answer to this. You have three options. One is you can leave the switch to go straight ahead and kill five people can throw the switch, kill one person. Then the third option is to walk away. I do not. It’s not your fault. You wonder why did I put this in here? Well, think about the modern cyber physical system aspect of this. This is a self driving car that trolley has a runaway car. You have to make a decision. What do you do? Except it’s not using human. It’s the computer system that you build. So it’s, it’s really fascinating as we go down this path of cyber physical systems, embedding humanity into it and embedding society into it. How do we drive ethical thought into a cyber-physical?

So if we were alive, we would have a really nice interaction at this point. I’ll just give me a very quick summary of it. I did a sabbatical in Norway and I gave the same talk. And usually when I give this talk, you know, people kind of not a lot. Okay. I could see it. It was, the focus was on privacy and I finished the talk to a completely siloed audience. I’m thinking if I do wrong, I later learned from a German colleague that, Oh, well, the perception of privacy in Norway is very different than the U S and it dawned on me at that point that this whole notion of privacy security, confidentiality is very cultural. So feeling think about, well, people use this idea. Well, if you can improve your resilience, cyber threats. Yeah, probably it seems reasonable, but there’s a long path to get to get here.

And I think we do not need to underestimate the difficulty in trying to secure these systems. And finally, I see that as a question that came from, mr. Sharp, I was fog different from cloud. Yeah. Fog is something that is much more invasive, much more localized. And then the ethical issues, a spine on your neighbor. Interesting. It’s a lot of fascinating thought here. This is why I love doing these visits. So I’m giving one more plug here for, the computer society. I’ve done. A number of these visits have been around the world, met a lot of great people. I love the fact that local seminars brings people out to get together. and what the computer say provides in addition to this outreach is, is ensuring quality of the discipline. This is kind of the wild West out there sometimes to play what data science, cyber security, cyber security certifications, the computer society supports accreditation programs, peer review of programs, peer review of publications to ensure quality and then provide standards. There is a lot of work for standards. So anyway, I thank you for your time. It’s been enjoyable to talk and I believe we have some time for questions.

One of the questions that a secure IOT we’d like to make it. So in fact, if I were gonna write a proposal that I wrote 15 years ago, but right now I entitle it, fallen computing and secure fog computing. And because of the issues that I talked about today, the notion that we have individual subdomains of a cyber physical system must interact with each other in almost completely unpredictable way. Think about a platoon of vehicles. Platoon is essentially a grouping of cars going down the highway and each car has obviously security, but they must interact with each other. How do you secure that internet of things, environment, which is, which is really running in a fog, cause the car, the cars have to interact with each other and don’t allow miscreants to come in and fool your evaluation function of the other cars.

Cause if you do that, let’s say the lead car you’re watching it. All of a sudden, it fools you into thinking that it’s going, but it’s actually stopped. You’re going to run into it. You’re going to have a chain reaction, but there’s no one oversight that can monitor this. So we really have to work hard to understand how from a peer to peer level, from the internet of things that we can manage this information flow and ensure that we always have some sort of solid valuation function of what’s happening. I hope that answered your question. Thanks.

We have another, it’s interesting. Your approach seems to be, seems like an abstraction of the Purdue model on the OT world and integration with the it world. In the context of applying security on the complex environment, that is a factory with the challenge on trying to bring components that allow us to track the information flow and prevent threats and information breaches. I guess this person is looking to see if that’s what your, your thinking on this is. There’s a lot of common approaches out there and I really, you know, inspired every time I hear about another one trying to use multiple observers. Now, as soon as I say that, you begin to realize that when you start to turn securing a system and the integration of multiple sorts of information, you began to talk about aspects that look like false tarns treble, modular redundancies been around for a really long time.

Those of you who aren’t familiar with the concept of the Apollo command module from the missions, use three separate computers, all competing for the same thing, and it would build on the results. Well, that’s hard. One failure, isn’t it. One of the computers can fail and you’re still going to get the right answers. Two computers fail, you’re suck. And so you do a calculation on those lines. This notion of synthesizing information with multiple observers, multiple different devices is really the same idea. The key here is to understand that information is not just the data that’s being transferred, data in transit. It’s not the data at rest, but it’s also the information present in the physical system. And the physical relationships is provide you a ground truth to be able to secure the system. In that aspect, it’s probably easier to secure a cyber physical system than it is to secure an abstraction like the inner,

Another question we have is do entities know where they are in the topology? So AE observes, flow disturbance and knows no, the utility. In the water system. It’s pretty simple. You know, it’s a fixed apology and the system cannot reconfigure itself, go to the other extreme, such as the HTSP airspace management system with aircraft flying around 200 miles an hour and they move constantly. So you’re talking about mobile ad hoc networks in vehicles. You’re talking about finance. And so how much specific information do they need to know about their actual GPS position or is it enough to know the relative position? I don’t have a super solid answer to that right now. We’re working on that at this point. It’s turning out. You can do a lot with just relative positions and realtor relationships. Think about a car surrounded by other cars. I have to know who’s ahead of me. Who’s behind me. Who was in my right court, my left quarter from Joe. Do any maneuvers? Do I need to know is three miles down the road? No, probably not. So there’s, there’s a continuum here.

Thanks. This next person is asking if it’s possible for us to show the different types of information flow models, slide again.

It’s possible. Let me see if I can do this quickly. I’m getting back there almost there is this the one that you were entered and I guess what’s the follow on question or I’ll just run through them again. So these are, these are the three principle models. The non-interference again is which we’re really, really familiar with. It’s like the crypto don’t let any information or don’t let anything that’s happening in the security domain appear at the outside. And that’s ideal. It’s just not feasible in a cyber physical system because you can’t control anything. So the non inference Polacks that a bit, they allow you to see that something is happening, but the goal is to leave you permanently confused about what you’re seeing. If you want a historical perspective on that, think about the DBA overlord it’s anniversary coming up, where the British built a plywood army across the English channel to confuse the Germans about what the invasion was actually going to happen. That’s a informants it borders on deception and deception against you as a bad thing. The section from you against the attacker is a good thing. That dual model, again, I hope I got to the right slide there. The thoughts, Jerry, do we have other questions?

Yes. Sorry. The I was on mute. I didn’t notice that. the next question is how does one detect a physically enabled cyber

Detect that’s that’s? Hmm. Yeah, that’s a really difficult problem. Let’s set up a particular physical enabled cyber scenario to talk about. So you’re sitting outside of a factory and they’re making plastic water meters. I worked for a company that did that at one time back in a previous life. So raw material comes in, which is plastic shavings, and then meters go out and by looking at the amount of plastic coming in and the amount of meters that going out, what can I observe? Just that physical observation has told me the productivity of that plant. Now, can I detect that, that observer actually saw that? No, I can detect, but I can tell you from an MSD and D analysis, that that potential information path is there. Now, if I go back to the formal model that I talked about, how do I ensure that that information path does not exist? How do I make this observation multiple security domain not to do so I create fake stuff. So the water meters, you have fake water meters coming out. Someone made our cardboard, some are made out of plastic. I mean, it’s an absurd example, but what you’re trying to do is you’re trying to break the valuation function that an observer anywhere, but few, and actually observe that as can you detect it as that has happened. There are some proofs of that that showed that that’s actually not awesome.

Okay, great., this person’s asking about the something you brought up earlier, they ask who is the PI in the, NSF award, your reference

That’s Oh, there’s macro there. It was from 2018. It’s the medium, program. And, if I can remember the exact title at this point, I would tell you, but anyway, the PIs McNeil on a 2018 award of the NSF CPS, you can see the abstract there. Don’t hesitate to write if you want to interact correctly.

Okay. The next question is in addition to restricting flows in certain directions, what else can you do to protect the CPS?

Hmm, that’s an interesting question. We’ve we’ve got ourselves so deeply into the notion of protecting the information contained within the CPS. Now the starting point, I’m just kind of pontificating at this point. Firewalls are a good starting point. I know dismissing firewalls, but firewalls, or is going to catch a whole lot of stuff. People trying to come into the system, scripts coming at you. Like one of our corporate partners had some quote about several million attacks a day coming out and firewalls to feed off of that encryption of control signals is important as well, because again, it breaks the notion of the valuation function, but when you get really inside of it, the problem you’re trying to address is there’s like, come to me in the following way. Suppose you’re defending a castle back to that, and you have somebody that’s gotten inside the Trojan horse.

And now you see somebody coming at you that you don’t recognize, are they a good person, or are they a bad person? Somehow we have to be able to figure out the difference. And that I think is the crux of the matter. So this is not just a prescription talk to say, this is the way to do it, but it’s really phrase, I think that problem in your mind, because there’s, we’re just scratching the surface of this. I know that’s kind of a non answer, but I turned it around in the sense that that’s the fundamental problem.
Okay, great. The next question is how feasible is realizing autonomy in securing CPS,

How feasible is realizing. We were part of a national science foundation sponsored project called an engineering research center, which is a 10 year, a literally 10 year project. And so it has heavy industrial partnership and it was with the electric utility industry. The electric utility industry has been around for over a hundred years and they’ve done things in a very centralized controlled way. And we came in and we started to talk about this internet of things model, or the year we’re talking about here is 2006 to 2008, both of us. And even after 10 years of working together with the utilities with electric power engineers, the concept that you don’t need, an overlord was still very uncomfortable to people. You know, let’s look at model modern vomit architectures where virtually every paper that you see requires that you have some sort of roadside unit and the roadside units, and go back to some sort of centralized controller.

And the roadside units are monitoring every car that goes by. So we have a centralized overboard, but if you start to think about scale that think about millions of cars on the road, how am I going to maintain all this information? Is it even feasible? You begin to realize the probably taken me an example from the physical world of how things really operate, maybe the way to go, you get into a car, you drive the car, do you need to have centralized information about anything? The only thing you need to do and driving a car is to stay between your lines. Don’t run over the car in front of you. Don’t to drive too slowly and just be aware of your local neighborhood. Huh? That’s interesting because that system works only on autonomous localized information. So maybe we could take a little bit that way. It’s just, it’s it’s a thought.

Thanks., so the next question is what is the application for it? Industry is real life. And what are the current workings regarding this at your university now? So I mentioned that the, at the outset, we are a STEM engineering focused university. Some of the specific projects that we’re working on with our engineering colleagues, obviously power, we’ve been talking to electric power, aviation management, chemical engineering management, because you think about a chemical plant with its sensors, being corrupted will explode and refineries have actually exploded because of this very issue. Not, not because of cyber attacks, but because of just loss of the ability to do valuations, the bridge between classical it amiss., that’s a little harder to see. And what is the difference between, let’s say classical IP, such as security database or on our payroll system and the cyber fiscal system are those really different types of models.

And it can, I think that the, the cyber physical system work is actually easier because you do have this ground truth. Now let’s think about a banking system. Do you have ground truth in a banking system? See, yeah, I guess you do actually have some variance. You have the deposits of withdrawal. She really balanced with the bank balance. That seems reasonable., securing Pokemon go. That’s an older example. That’s a little more difficult to come up with. And then we can get into things like blockchain. I haven’t mentioned blockchain at all. Blockchain is use and transactive energy management blockchain for bit calling makes sense because it is a way of security inherently in a completely closed system that the operations from Bitcoin are valid and auditable. But as soon as you take it out of the block, out of the Bitcoin world, and you’re trying to use blockchain to secure a cyber physical system, you run into all sorts of problems because all the fluidity checks that you can do or off chain. So now you have to go back to ground truth. So hopefully I kind of addressed your question there, but I’m almost thinking that the general it problems harder, this next person asks, they say that they assume a telecom system is cyber-physical. Is there anything in the five G standard that helps the problem that this issue I’m going to have to just say are calling that one? I haven’t really thought about it. It’s a great question.

The next person asks if data into integrity is the key to a successful cyber security model. Wouldn’t blockchain implementation be beneficial. And then also maintaining the integrity of each transaction would be achieved this way. Yeah. And I think that’s, that’s really the key. If you’re going to apply blockchain to such a system, you have to be able to secure or show the integrity of the off chain computation. My electric power management example, the blockchain can record the requests that were gone for the energy management transactions, but it has no way of validating that the transactions actually occur for that. You need some sort of physical or cyber-physical attestation to augment the blockchain. I think that’s really, really important to keep that in mind, the blockchain secures the requests for decisions. but, but it doesn’t actually allow you to, to ensure that they occurred and that’s, that’s kind of a warning.

Okay. The next person says I work for a smart meter company. I know that a smart meter can deduce loads, by looking at signatures, I’m not aware of methods to deduce loads outside of the home. How has that done? So the specific example that I showed you was done using hidden Markov models, we trained the system on appliance behavior. And then because of those changes, you’re able to coalesce which specific types of signatures mapped to which specific types of devices that sounds really wonderful in practice. And it works well in the lab, but it’s not terribly scalable because of the complexity of doing that still that trace actually came from another group, not from our group. so there, there is a feasibility with enough computation power to be able to do that. But again, that was a hidden Mark off model technique that I showed you.

It seems like an interesting question. Since people are fallible designs and their implementation, or are fallible, should we built the suspenders? I think maybe that’s what we’re doing here. Think about you design the system or working with a company, which for obvious reasons if nameless, where they have designs and they have done a lot of red teaming exercises, red teaming, Dan is the concept for you. You pretend that you invite the attackers and to try to, to break your system. But when we came in with this information flow analysis, it began to realize that this allows you to look at it in a completely different place because you’re, you’re melding the, the data flow with the physical flow. And you’re looking at ways that an attacker can disrupt that combination. And so in a way of belt and suspenders, I like, I like that analogy. That’s really good because the more things that you can add in the more resiliency building now, if you really want to get into a philosophical argument, of course, as soon as you begin to add more cyber components into a system resilience, that seems backwards. But the amount of damage that a cyber system caused to a physical system is truly impressive. If it really wants to be in relations.

Great., the next person asks, how do you define CPS and IOT concepts? And do you consider them as distinct concepts are the same? That that is a philosophical argument. What is the difference between an embedded system, an IOT system, a fog system, and a cyber physical system marketing, maybe cause think about the commonalities of all those different components. We’ll just pick up IOT. And so it’s got some sort of thing. That’s what the T is an internet of things. You’ve got interactions between the things, internet connection as well. What is the IOT thing doing? Well, maybe that’s a cyber physical system, but the cyber has to be doing something as well, a fog. How does that relate? Or that’s the intelligence telling the system what to do, but that’s the cyber portion, which is also the internet of things. I might just say, what makes you happy? Because it’s really kind of all the same comments, common concepts, even embedded systems, the CPS community, through all of the embedded systems and real time systems. The only difference might be that CPS are more distributed or they have different scales. But in reality, I think it’s these principle components promise you have to keep in mind, whatever you call it.

Great., the next person asks, can there be more security applied on hardware devices when talking about cyber cyber, physical threats, you know, there, there there’s a dual aspect of that just kind of pick them apart. One is the question is the hardware device that you have a hardware device you think you have. And one way of measuring that is to be able to measure their radio emanations that come out of the device. So, you know, what the device was supposed to do at the factory. Now you have the device in the field and he monitored the device to see if it’s actually behaving the way by, by it’s a reading them nation signals or bias it’s electric power usage. So it’s more than way of diagnosing the integrity of the underlying hardware. Well, let’s flip it around another way you buy a piece of hardware from vendor, you put into your system and you have a certain functionality that you specked out is that all the functionality that’s in there, because if he ever tried to pick apart a very dense circuit, you can hide lots of stuff in there.

So how do you ensure that there isn’t malware embedded in the hardware device and that’s a different problem. Maybe the nominations can help there, or maybe needs different form of attestation to say that again, I feed it this input and it should only produce this output and the security domain should be constructed that it can’t do anything else or more succinctly does it do what it’s supposed to do and does it not do what it’s not supposed to do this next person notes that the water tank examples also illustrated in hybrid specifications with the purpose to verify the behavior of the system. How can your model be integrated with hybrid specifications? I mean like embedded hybrid systems, I’m assuming that’s what the question is going. So the, the challenge of admitted hybrid systems of course, is on a, on a uniform model to be able to express the control system.

My control system, the water is really simple. and the physics of the underlying system, that’s been a challenge of a bit of hybrid systems for quite some time. And again, this the space complex or the, the, the complexity of the combined model that becomes a channel option. This was one of the reasons for our forays into Fort Hamiltonian systems, but not getting too deeply into it for Hamiltonian systems and the distraction that translates potential and flow and most systems actually have these same concepts. The water was a particularly complex example of that because the potential is the height of the water in the tank. And the flow is the movement of the water through the system. If you can stretch it enough, maybe don’t need a tremendously detailed analysis and you can, you can try to get away from the complexity problem, but this work is still somewhat embryonic. we have been noting it for the last, probably get the timeline, at least 15 years of people attempting to foray into this and, and their constant frustrations with attempting to do this. But if you could do this, you would really have something and you would be able to describe the correct behavior of the overarching system, but getting bogged down his details.
This next question had jumped into my head. As you were giving your presentation earlier, also does automation increase or decrease security on the outside? If you’re not careful, it probably decreases the resilience. And then you can tie the two of those together case. In point, this was a much earlier project we were doing with department of energy and we in developed an abstract model of what it would take to prevent it. The 2003 Northeast blackout call us back 17 years ago. it was a system where an over highly stressed, transmission system was knocked down by the failure of inferior consequential or seemingly inconsequential, link, which just started initiated a cascading through there. And I realized the smell for simplification, but imagine a cyber system controlling the power distribution of such a system, and it is now malicious. Just the slight change can actually take what is a pretty reliable system and decrease its reliability significantly. Unless the cyber system itself has an almost perfect type of resilience to it.

The same sort of model is used in aviation, where the amount of failures per year is fantastically small number. You can look it up, you know, 10 to the minus 99th, how you validate that. I have no idea, but that’s, what’s actually required to keep the cyber system from below lowering the resilience of it. So many of the cyber systems, and it has to add some sort of benefit. Hopefully I at least made partial case today that having the cyber system smart and understand what’s supposed to happen, you can not only compensate for that, but also improve the resilience This next person asks. Can we ensure logical integrity in transition from cyber to physical and back? Let me think about that one.

Try to answer that the, the physical system understands it’s being acted on by the cyber system. The question is can the physical system, protect itself based on bad cyber command. And, there is, there’s some aspect of that, you know, think about a crazy cyber command in a car vehicle, and it’s on the vehicle to run off the road. Well, I have some protections against that, but all the vibrate strips, do you have some of the cars I’ve rented vibrate the seat. If I start to run off the lanes, so there can be some physical protections from the cyber system, improperly sending information flow the reverse, as well as what I’ve been focusing on today, which is the cyber system picking up readings from the physical system, the physical system is doing the right thing, but it’s the way that you can observe it, that can get corrupted. And that’s a breakup of information flow. So I think they can partner with each other, but again, that that’s also a risk and that boundary

Let’s go ahead and make this one. The last question here. I know we’ve got lots of questions to get to, but we are quite a bit over, this person asks, can physics for each particular CPS being used to detect attacks. And I think that is, that is just the perfect answer. You know, physics of the system, you can’t violate, Kirchhoff’s laws, you have, the cyber system can try to buy, like for cost laws, but the physics provide a ground truth that I think that’s the thing that if we can rely on that’s what makes the cyber physical system easier to secure the purely abstract system? So, yeah. Great observation. Great question. So, dr. McMillan, I’d like to really thank you for talking to us today, giving this presentation., I have to say that I really enjoyed the fact that you used the, of analogies

And that it helped me understand quite a bit. I felt a little bad though, that I did
No who for the news. And I was interested in the cultural elements of privacy. I thought that was quite quite an interesting thing. So I do very much for presenting to us today.

Okay. Take a moment to thank all of the people attended. Have you. So, in addition to the distinguished lecture webinars series, we also offer build your career webinars series that focuses on business soft skills, such as communication and presentation skills, career transition, interviewing tips among others. The next webinar will be the four languages of influence on May 14th at 11:00 AM. Eastern time by Roger grandmas. That’s the principle of the grant group., the next webinar in the distinguished lecturer webinar series will be on May 26th at 6:00 PM. Us Eastern time, dr. San some director of bright professional services and adjunct professor professor in the school of computing and mathematics and mathematics at Western Sydney university in Australia will present on it in the fight against COVID-19. This webinar is going to be co-hosted by the special technical community it and practice. And the last one on May 28th, at 10:30 AM us Eastern time. We will be hosting the webinar machine learning for medical imaging analysis, demystified presented by dr. Oman Chakrabarti professor at the university of Calcutta. The registration is now open, and we will be sending you a link for these future events, along with the slides and the recording of this webinar. So again, I’d like to thank all of you for coming, and I’d like to thank all of our members for, supporting our organization and Dr. McMillan, thank you again for your presentation. Everybody have a great day.

This transcript was automatically generated. To suggest improvements in the text, please contact content@computer.org.

 

Related:

Does Insurance Have a Future in Governing Cybersecurity?

Human Behavior Aware Energy Management in Residential Cyber-Physical Systems

Machine Learning Systems and Intelligent Applications

Developing Children’s Regulation of Learning in Problem-Solving With a Serious Game