INTERNATIONAL CYBER CENTRE, GEORGE MASON UNIVERSITY
Arun K. Sood, PI
Duminda Wijesekera, Co-PI
Bo Yu, Research Assistant
8/1/2014
TABLE OF CONTENTS
LIST OF FIGURES ... 2
1.0 Introduction ... 3
1.1 Methodology ... 3
1.2 Rest of the Report ... 4
2.0 Transportation ... 4
3.0 Medical Devices ... 8
4.0 What is Common ... 12
5.0 Protégé Implementation ... 12
6.0 How to use the result ... 16
6.1 Query 1 ... 17
6.2 Query 2 ... 17
6.3 Query 3 ... 18
6.4 Query 4 ... 19
6.5 Query 5 ... 20
7.0 Potential Uses and Relationship with Other Work ... 21
8.0 Conclusions ... 23
Appendices ... 24
Roots of Trust for Cyber Physical Systems Page 1
LIST OF FIGURES
Figure 1: Sample Table for Transportation Systems
Figure 2: The Distribution of Backward References and Forward References for Transportation
Figure 3: High-level Structure of the Transportation Domain
Figure 4: Structure of the Air Transportation Systems
Figure 5: Sample Table for Medical Devices
Figure 6: The Distribution of Backward and Forward References for Medical Devices
Figure 7: Control System View of Medical Devices
Figure 8: High Level Structure of the Medical Devices Domain
Figure 9: High-Level View of the Cyber System for Medical Devices
Figure 10: Top Level of the Ontology
Figure 11: Expansion of the Attack Class and the Countermeasure Class
Figure 12: Vulnerabilities and Attacks that Exploit them – high level
Figure 13: Vulnerabilities and Attacks that Exploit them – Details
Figure 14: Attacks and Countermeasures – high level
Figure 15: Attacks and Countermeasures – Details
Figure 16: Related Vulnerabilities, Attacks and Countermeasures
Figure 17: Query 1
Figure 18: Query 2
Figure 19: Query 3
Figure 20: Query 4
Figure 21: Query 5
Figure 22: Structure and View of Security Ontologies
1.0 Introduction
Security of Cyber Physical Systems (CPS) is an area of growing concern. There is special focus on physical systems that are vital for the wellbeing of the population at large. These include Critical Infrastructures and devices for health care. To achieve a high level of security of the CPS devices it is necessary to identify the fundamental elements that ensure the dependability and trustworthiness of CPS. These elements constitute the Roots of Trust of a given CPS. The large variety of CPSs has led to a wide variety of elements defining the Roots of Trust. Further, the inconsistent terminology used in the different spaces, makes it difficult to relate the vulnerabilities and attacks in one domain to those in another domain. The focus of this project was to contribute to the development of a common terminology and to study approaches to find gaps that need to be bridged.
Two teams worked on this project – a team at Drexel University and another one at George Mason University. This report is based on the work undertaken by the Mason team. At an early stage, it was decided that the Mason team should focus on the transportation and medical device domains.
1.1 Methodology
The Mason team noted that there was a large body of knowledge in the transportation and medical devices domains. To begin, the transportation sector was divided into Road, Rail and Air, and the Healthcare domain was restricted to medical devices. The team decided to undertake the project in two phases.
The first phase involved data collection and organization. In this phase we focused on understanding the structures that would be useful in defining the domains and subdomains. We looked for commonality among the subdomains and across the domains. The second phase focused on using the structures developed in Phase 1 to build taxonomies and an ontology and importing these into Protégé. Running queries against the partly populated Protégé database shows the usefulness of the whole procedure.
Phase 1 methodology:
1. Choose key words and find a set of articles in IEEE or ACM in the last 5 years.
2. Manually scan the abstract; if relevant to the root of trust, keep the article and go to step 4.
3. Manually scan the introduction and conclusion; if relevant to the root of trust, go to step 4, else catalog the article and remove it from further processing.
4. Find forward and backward references to the selected set of publications.
5. Find the relationships between the publications. Identify the reachability of the citations:
   a. Are there links to subdomains?
   b. Are there links to other domains?
Roots of Trust for Cyber Physical Systems Page 3
Using the criteria noted above, our electronic search yielded 150 publications for the transportation domain. These were down-selected to 54 publications based on a careful reading of the indexed terms, the introduction and the conclusions and an understanding of the vulnerabilities, exploits and suggested solutions (if any). Similarly, we found 282 publications for the medical device domain and selected 46 publications.
Phase 2 methodology:
Using the outcome of Phase 1, we created an Ontology that reflects the root of trust relations we were able to ascertain from the literature. The ontologies were created to be cognizant of other modeling concepts (such as vulnerabilities, exploits and mitigation techniques) commonly used in the area of cyber security and the secure development life cycles.
1.2. Rest of the Report
The rest of this report describes the detailed findings of the two domains we studied. Section 2 describes the transportation domain and Section 3 describes the Healthcare domain.
2.0 Transportation
Phase 1:
Our search was conducted on the IEEE and ACM libraries using the following criteria:
Key Phrases: root of trust for transportation, cyber physical system
Time Duration: 2009 to 2014
Our search provided 150 papers. Then we manually selected a sample of 54 publications from them and created forward and backward references for them that were published either by IEEE or ACM within the 2009 to 2014 time period. The forward references were obtained using Google Scholar. Then we tabulated the results in a spreadsheet that is provided as Appendix 1 of this report. A sample is shown in Figure 1.
Figure 1: Sample Table for Transportation Systems
(Spreadsheet excerpt. Columns: RefNo. | Title | Citation | Root of Trust | Backward Reference | Forward Reference)

Ref1
Title: Leveraging platoon dispersion for Sybil detection in vehicular networks
Citation: Mutaz, Muhammad Al, Levi Malott, and Sriram Chellappan. "Leveraging platoon dispersion for Sybil detection in vehicular networks." Privacy, Security and Trust (PST), 2013 Eleventh Annual International Conference on. IEEE, 2013.
Root of Trust: Sybil detection (A Sybil attack is one where an adversary assumes multiple identities to defeat trust of an existing reputation system.); Sybil threat in Intelligent Transportation Systems (ITS): techniques that integrate Clustering ideas (in the Cyber domain) with Platoon Dispersion theory (in the Physical domain); public key crypto; remote sensing imagery
Backward Reference: [2] A. Studer, E. Shi, F. Bai, and A. Perrig, "Tacking together efficient authentication, revocation, and privacy in vanets," in Sensor, Mesh and Ad Hoc Communications and Networks, 2009. SECON'09. 6th Annual IEEE Communications Society Conference on. IEEE, 2009, pp. 1–9. [4] T. Zhou, R. Choudhury, P. Ning, and K. Chakrabarty, "P2dap sybil attacks detection in vehicular ad hoc networks," Selected Areas in Communications, IEEE Journal on, vol. 29, no. 3, pp. 582–594, 2011. [8] S. Park, B. Aslam, D. Turgut, and C. C. Zou, "Defense against Sybil attack in vehicular ad hoc network based on roadside unit support," in IEEE Military Communications Conference (MILCOM), 2009, pp. 1–7. [16] A. Wasef, R. Lu, X. Lin, and X. Shen, "Complementing public key infrastructure to secure vehicular ad hoc networks [security and privacy in emerging wireless networks]," Wireless Communications, IEEE, vol. 17, no. 5, pp. 22–28, 2010. [18] Q. Tan, Q. Wei, S. Yang, and J. Wang, "Evaluation of urban road vehicle detection from high resolution remote sensing imagery using object oriented method," in Urban Remote Sensing Event, 2009 Joint. IEEE, 2009, pp. 1–6.
Forward Reference: [1] Chellappan, Sriram. "Cyber-Physical Approaches for Designing Trustworthy Intelligent Transportation Systems." 2014.

Ref2
Title: Unified Invariants for Cyber-Physical Switched System Stability
Citation: Paul, Tamal, et al. "Unified Invariants for Cyber-Physical Switched System Stability." 1-9.
Root of Trust: formalism for invariant interaction and incremental invariant composition; bridges the gap between analytic models and simulation codes
Backward Reference: [1] Y. Zhu, E. Westbrook, J. Inoue, A. Chapoutot, C. Salama, M. Peralta, T. Martin, W. Taha, M. O'Malley, R. Cartwright, A. Ames, and R. Bhattacharya, "Mathematical equations as executable models of mechanical systems," in Proc. 1st ACM/IEEE Int. Conf. Cyber-Physical Syst. (ICCPS '10), New York, 2010, pp. 1–11. [3] S. Bensalem, A. Legay, T.-H. Nguyen, J. Sifakis, and R. Yan, "Incremental invariant generation for compositional design," in Proc. 4th IEEE Int. Symp. Theoretical Aspects Software Eng. (TASE), Aug. 2010, pp. 157–167.
Figure 2: The Distribution of Backward References and Forward References for Transportation
(Two bar charts: backward references on the left, forward references on the right.)
Figure 2 shows the distribution of backward references and the distribution of forward references, where the horizontal and vertical axes are respectively the number of papers and the number of backward/forward references to papers within our collection. So, for example, 20 papers did not have backward references within our collection. The information we found leads to the conclusion that, as a group, the selected publications contain few references to one another.
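Step 5 of the Phase 1 methodology (citation reachability into other subdomains and domains) and the Figure 2 histograms can both be computed mechanically from the kind of spreadsheet tabulated in Appendix 1. The following Python is an added illustration, not part of the report or its appendices: the paper ids, domains, subdomains and in-collection backward references in `PAPERS` are constructed sample data, and the function names are ours.

```python
"""Within-collection citation analysis for a literature survey.

Added example (not from the report). Given a table of the form the Mason team
tabulated (paper id -> domain, subdomain, backward references that are also in
the collection), compute (1) the backward/forward reference distributions of
Figure 2 and (2) step 5 of the Phase 1 methodology: whether a paper's citation
chain reaches another subdomain (5a) or another domain (5b).
All ids, domains and links below are constructed sample data.
"""
from collections import Counter, defaultdict, deque

# Constructed sample of the spreadsheet: id -> (domain, subdomain, in-collection
# backward refs). References to papers outside the collection are simply not
# listed, which matches how the report counts "within our collection".
PAPERS = {
    "T1": ("transportation", "road", ["T2", "T3"]),
    "T2": ("transportation", "road", []),
    "T3": ("transportation", "rail", ["T2"]),
    "T4": ("transportation", "air", []),
    "M1": ("medical", "devices", ["M2", "T3"]),
    "M2": ("medical", "devices", []),
    "M3": ("medical", "devices", ["M1"]),
}


def forward_refs(papers):
    """Invert the backward-reference lists: for each paper, who cites it."""
    fwd = defaultdict(list)
    for pid, (_, _, back) in papers.items():
        for cited in back:
            if cited not in papers:
                raise ValueError(f"{pid} cites {cited}, which is not in the collection")
            fwd[cited].append(pid)
    return fwd


def reference_distribution(papers):
    """Histograms as in Figure 2: {number of refs: number of papers with that many}."""
    fwd = forward_refs(papers)
    backward = Counter(len(back) for _, _, back in papers.values())
    forward = Counter(len(fwd[pid]) for pid in papers)
    return dict(backward), dict(forward)


def reachable(papers, start):
    """Transitive closure over backward references (breadth-first), excluding start."""
    seen, queue = set(), deque(papers[start][2])
    while queue:
        pid = queue.popleft()
        if pid in seen or pid == start:
            continue
        seen.add(pid)
        queue.extend(papers[pid][2])
    return seen


def citation_reach(papers):
    """Step 5 of Phase 1: does each paper's citation chain cross into another
    subdomain (5a) or another domain (5b)?"""
    result = {}
    for pid, (dom, sub, _) in papers.items():
        reach = reachable(papers, pid)
        result[pid] = {
            "links_to_other_subdomain": any(papers[p][1] != sub for p in reach),
            "links_to_other_domain": any(papers[p][0] != dom for p in reach),
        }
    return result


if __name__ == "__main__":
    print(reference_distribution(PAPERS))
    for pid, flags in citation_reach(PAPERS).items():
        print(pid, flags)
```

Because `reachable` follows the whole citation chain rather than only direct references, a paper such as M3 in the sample is flagged as linking to the transportation domain through M1 and T3 even though it cites no transportation paper directly; that is the difference between the direct-reference counts of Figure 2 and the reachability question of step 5.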
We were also able to conclude the following attribution for the root of trust:
Sensors (mentioned by 28 selected papers)
Actuators (mentioned by 6 selected papers)
Communications (mentioned by 23 selected papers)
Controller (mentioned by 21 selected papers)
Operator (mentioned by 3 selected papers)
We also looked at the objective of the security mechanisms proposed by these papers and found the characterization given in Table 2.
Table 2: Categorization of Security Objectives
Component        Availability   Integrity
Sensor           16/28          18/28
Actuator         3/6            6/6
Communication    12/23          18/23
Controller       17/21          11/21
Operators        3/3            3/3
Phase 2:
We used the information contained in our tables and created an Ontology. The high level structure of the ontology is given in Figure 3.
Figure 3: High-level Structure of the Transportation Domain.
(Tree diagram; nodes recovered from the figure, indented by level:)
Transportation
  Physical System
    Automobile
      Vehicle: Personal Vehicle, Public Bus, Cargo Truck
        Components: Communication System, Wheel Control, Engine Control, Entertainment, Braking System, Human I/O Devices, Navigation Assistance, Power Supply
      Infrastructural Component: Road, Highway
        Components: Traffic Light, Street Light, Road Sensor, Information Display, Toll Station
    Rail
      Vehicle: Passenger Train, Cargo Train, Subway Train
        Components: Engine Control, Train Control, Braking System, Communication System, Power and Fuel Management System
      Infrastructural Component: Station, Railroad Track, Signal System
        Components: Wayside Device, Communication System, Power Supply, Track Control System
    Air (see Figure 4, sub-figure "Air")
  Human: Pilot, Driver, Other Vehicle Operator, Infrastructure Operator, Tester, Software Developer, Policy Maker
  Transportation Cyber System
    Computation Component
      Process: Performance Evaluation, Algorithm Design
      Store: In-Network, Base Station, Central Storage, Distributed Storage
    Control Component: Control Center
    Communication Component
      Network: DSRC*, WiFi, 2G/3G/4G, WAN
      Access Device Interface: Gateway Interface, Network Node Interface, Base Station Interface
DSRC*: Dedicated short-range communications
As Figure 3 shows, we concentrated on the automobile, air and rail subsystems. The automobile sector was further decomposed into vehicles and infrastructural components. Vehicles were further subdivided into personal vehicles, public buses and cargo trucks. Infrastructural components were further subdivided into highway structures and road structures. An equivalent decomposition exists for the air and rail components.
Due to the large number of systems used in air transportation systems, we show their hierarchical structure in Figure 4. The air transportation sector was modeled using the same structure as the other transportation domains, but has a more complex infrastructure component consisting of a ground system component and an air traffic control system. The ground system consists of a fuel supply system, a power supply system and the airport infrastructure. We focused on the airport infrastructure and did not detail the first two components. The air traffic system is further decomposed into an air navigation infrastructure and a vehicle component. The air navigation system is further decomposed into the RADAR system, sensors, the automatic landing system and the automatic dependent surveillance infrastructure.
In addition, the bottom left hand side of Figure 3 shows the structural view of human involvement in transportation systems, consisting of the roles of pilots, drivers, other vehicle operators, policy makers, software developers and testers.
The right-hand side of Figure 3 shows that, abstractly, the transportation systems we analyzed consist of three main components: control, computation and communication. The decomposition of each of these systems is also shown in our Ontology.
Figure 4: Structure of the Air Transportation Systems
(Tree diagram; nodes recovered from the figure, indented by level:)
Air
  Air Vehicle: Fixed Wing, Helicopter
    Parts: Landing Gear, Empennage, Wing, Engine, Fuselage
    Systems: Communication Radio (VHF Radio, UHF Radio), Computer Flight Control System, Electronic System, Hydraulic Flight System, Electric Generator
  Infrastructural Component
    Ground Infrastructural
      Airport: Parking Facility, Passenger Check-in, Fingers, Runway, Airport Light (Airport Beacon, Taxiway Light, Runway Light, Threshold Lights, VASI), Passenger Security, Customs, Information Provider (Information Desk, Flight Information Board), Airport Transportation Vehicle (Luggage Transfer Truck, Passenger Transfer Vehicle)
      Power supply
      Fuel supply
    Air Traffic Control System
      Air Navigation Infrastructural: Ground Sensor (Ground Radar), Navigation AIDs (Radar Beacon, Distance Measuring Equipment (DME), Instrument Landing System (ILS), VHF Omnidirectional Range (VOR), Automatic Direction Finder (ADF), Automatic Dependent Surveillance Broadcast (ADS-B))
      Air Control Infrastructural: Airport Control Center, Aerodrome Traffic Zone (ATZ), Terminal Control Area (TCA), Area Control Center (ACC)
3.0 Medical Devices
Phase 1:
Our search was conducted on the IEEE and ACM libraries using the following criteria:
Key Phrases: root of trust for medical devices, cyber physical system
Time Duration: 2009 to 2014
Our search provided 282 papers. Then we manually selected a sample of 46 publications from them and created forward and backward references for them that were published either by IEEE or ACM between 2009 and 2014. The forward references were obtained using Google Scholar. Then we tabulated the results in a spreadsheet that is provided as Appendix 2 of this report. A sample is shown in Figure 5.
Figure 5: Sample Table for Medical Devices
Figure 6 shows the distribution of backward references and the distribution of forward references where the horizontal and vertical axes are respectively the number of papers and the number of backward/forward references to papers within our collection. So for example, 20 papers did not have backward references within our collection. The information we found leads to the conclusion that as a group the selected publications have only a few references within the collection.
Figure 6: The Distribution of Backward and Forward References for Medical Devices
(Two bar charts: backward references on the left, forward references on the right.)
Further analysis of the selected papers on the security of medical devices
Phase 2:
We noticed that the security objectives related to medical devices and their applications are based on the following factors.
1. Sensors/Medical Devices
   1. Interoperability
   2. Energy Efficiency
   3. Physical Protection
2. Data Quality
   1. Data Confidentiality
   2. Data Authentication
   3. Data Integrity
   4. Data Availability
   5. Data Freshness
Figure 7 gives a control system's view of medical devices.
Figure 7: Control System View of Medical Devices
Figure 8: High Level Structure of the Medical Devices Domain
(Tree diagram; nodes recovered from the figure, indented by level:)
Healthcare: Hospital, Recovery Home, Pervasive Healthcare, elderly care
  Communication infrastructure
    Server: Web Server, Game Server, Telemedicine Server, Medical Server, Integration Server, Database Server
    Base Station / Access Point (AP)
    Communication System
    Sensor Node: accelerometers (ACC), Heart Rate (HR) Monitor, Pacemaker, Deep Brain Stimulator, Endoscope capsule, Glucose Monitor, pH monitor, Imaging Sensor Device, electroencephalography (EEG), Cardiac Arrhythmia Monitor/Recorder, Pulse oximeter SpO2, Thermometer, Electrocardiography (EKG), photoplethysmogram (PPG), Blood pressure monitor, Brain liquid pressure sensor, Fall Detection, Motorized Artificial Leg, Motorized Artificial Arm, Position/Movement Detection, Bluetooth-enabled defibrillator, drug infusion pump, surgery robot, insulin pump
      Node internals: Sensor, A/D converter, Microcontroller, Transceiver
    Gateway: PDA, Smart Phone
  Actuation
    GUI, Smart Devices, Caregiver, Alarm
    Actuators: pump, Artificial Limb, Robot, defibrillator, Pacemaker
Figure 8 describes the high-level view of medical devices. We focused on home health care related medical devices for this study. As Figure 8 shows, home health care devices have a communication subcomponent and an actuation subcomponent. The communication structure is further decomposed into servers, consisting of web servers, telemedicine servers and other specialized medical servers. The communication substructure also consists of base stations, sensor nodes and gateways to the servers. There are many kinds of sensor nodes, such as accelerometers, heart rate monitors, pacemakers, deep brain stimulators, endoscope capsules, etc. Actuation consists of a caregiver using a GUI on a smart device, mostly equipped with an alarm.
Figure 9: High-Level View of the Cyber System for Medical Devices
(Tree diagram; nodes recovered from the figure, indented by level:)
Cyber System
  human: Patient, caregiver, observer, Application designer, Software developers, Pervasive people, Hardware engineer
  Control/Actuation component: Performance evaluation, Algorithm design
  Computation component
    process
    store: In-network, Base station, cloud, Central Storage, Distributed Storage System
  Communication component
    Network: BAN/PAN; WAN (IEEE 802.11g/WiFi, IEEE 802.11n/WiFi, IEEE 802.16e/WiMAX, IEEE 802.20, IEEE 802.15.4, IEEE 802.22, WiBro)
    Access device: Base station, Network node, Gateway
Figure 9 shows the high level view of the cyber physical system involved in medical devices, consisting of control/actuation, computation and communication. The control and actuation system has algorithms and protocols that need to meet a minimum performance standard for the device to provide the required services. The computation system consists of processes and data stores. The communication component consists of a network and access devices. The network consists of multiple protocols. The access system consists of base stations, network nodes and network gateways.
In addition, the left hand side of Figure 9 shows the structural view of human involvement in home healthcare related medical device systems, consisting of the roles of patients, caregivers, observers (those that are around the patient, such as family and visitors), hardware engineers, software developers, application designers and pervasive system designers.
4.0 What is Common
One of the goals of this research was to identify the commonality in Roots of Trust between the different domains studied. The Roots of Trust used in the two domains studied did not have much in common. The publications reviewed did not explicitly indicate the trust basis – the implied Roots of Trust were derived by a review of each publication. We discovered commonality at the level of the underlying technical basis used. Some of the publications use the classical control loop as the basis of the analysis. For the security of CPS systems, the Roots of Trust for each component of the control loop should be included.
The Mason team found that a few papers implied that the human operator was part of the trust framework. Because we were driven by the trusted computing (TPM) model, we expected that most of the trust basis would be hardware based. Thus the discovery of the human as part of the trust chain was unexpected. Having the human as part of the trust formulation explicitly justifies policies related to training, retraining, certification, use of two-person decision systems, enforced leaves of specific duration, etc.
5.0 Protégé Implementation
We modeled the Ontology using Protégé, which we provide as an accompaniment to this document. We now describe the motivations for our class structure. Our design has two top-level subclasses, CPS and Human. These model Cyber Physical Systems and the interactions of humans with them. CPS systems were modeled as Physical Systems (components), Cyber Components, Attacks and Countermeasures. Figure 10 shows the top four levels taken as a screen scrape from the Protégé editor.
Figure 10: Top Level of the Ontology
The reason for this four-way division is partly the desire to be consistent with modeling the operational environment (akin to Physical Components), the Cyber Component (the software), Attacks and their Countermeasures. This is close to the standard modeling of Configurations (including hardware and software), known vulnerabilities (for example as given by NIST's CVSS), Exploits (akin to Attacks) and Countermeasures. This modeling also enables attack graph or attack surface based analysis of cyber physical systems.
The next level expands upon the top-level classes. Figure 11 shows one more level of expansion of the Attack class and the Countermeasure class. These classes were chosen based on our analysis of the selected publications in the transportation and medical devices domains.
Figure 11: Expansion of the Attack Class and the Countermeasure Class
Figure 12 shows how we linked Attacks to Vulnerabilities. Similarly, Figure 13 shows the relationship between attacks and their countermeasures. Figure 14 further shows how vulnerabilities, attacks and their countermeasures are related (shown in green in the figure).
Figure 12: Vulnerabilities and Attacks that Exploit them – high level
Figure 13: Vulnerabilities and Attacks that Exploit them – Details
Figure 14: Attacks and Countermeasures – high level
Figure 15: Attacks and Countermeasures – Details
Figure 16: Related Vulnerabilities, Attacks and Countermeasures
6.0 How to use the result
This section shows how our Ontology answers some relevant questions by showing screen shots of our query results. In order to do so, we selected the following two papers from the medical devices CPS references and entered them into the Ontology:
Reference 20: Towards a secure patient information access control in ubiquitous healthcare systems using identity-based signing and encryption
Reference 25: Assurance of Energy Efficiency and Data Security for ECG Transmission in BASNs
6.1. Query 1
Query in English: “What component(s) of CPS are vulnerable to message corruption attack?”
Explanation: The ontology has some “object properties” showing the relationships between different attacks and CPS components. For any CPS, the query retrieves all (CPS) components vulnerable to any kind of message corruption attacks (i.e. those components that will be affected by an integrity attack).
Figure 17: Query 1
6.2. Query 2
Query in English: “Which attack(s) can be prevented by using strong encryption and authentication techniques and which sub-class(es) in CPS support them?”
Explanation: The ontology uses “object properties” to model the relationships between different attacks and the countermeasures that are offered as built-in mitigating techniques by those components. The query retrieves those attacks of a CPS system where strong encryption is offered as a mitigating solution.
Figure 18: Query 2
6.3. Query 3
Query in English: “Which paper(s) proposed techniques against privacy attack?”
Explanation: Every referenced paper proposes one or more techniques to prevent one or more attacks. The query retrieves all papers that provide a solution technique against privacy attacks.
Figure 19: Query 3
6.4. Query 4
Query in English: “Which paper(s) proposed techniques against link layer attack?”
Explanation: This query is similar to the previous one. It retrieves papers that propose solutions against link-layer attacks.
Note: Reference 25 (“selected encryption mechanism”) provides a solution that can prevent privacy attacks and attacks against link layers.
Figure 20: Query 4
6.5. Query 5
Query in English: “Which paper(s) proposed techniques against physical attack?”
Explanation: Similar to the previous query, but there is no paper satisfying the selection criteria of the query.
Figure 21: Query 5
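The five queries above appear in this report only as Protégé screenshots, and the class linkage they rely on is the one sketched in Figures 10 to 16 (Section 5). The following Python is an added illustration, not the report's Protégé ontology or RDF file: it builds a miniature triple store whose class names follow those figures, while the object property names (subClassOf, vulnerableTo, mitigates, supports, proposes) and every instance and edge are constructed assumptions. It makes visible the one step the screenshots hide, namely that each query must take the subclass closure of the attack class (message corruption, privacy, link layer, physical) before matching, which is what the reasoner does behind a Protégé DL query of the form `CPS and vulnerableTo some MessageCorruption` (property name assumed).

```python
"""Miniature version of the report's ontology queries (Queries 1-5).

Added example, not the report's Protégé/RDF artifact. Class names follow
Figures 10-16 of the report; the property names (subClassOf, vulnerableTo,
mitigates, supports, proposes) and all instances and edges are constructed
assumptions. Standard library only, so no triple store or rdflib is needed.
"""
from collections import defaultdict

# Constructed triples (subject, predicate, object).
TRIPLES = [
    # class hierarchy (cf. Figures 10 and 11)
    ("PhysicalSystem", "subClassOf", "CPS"),
    ("CyberComponent", "subClassOf", "CPS"),
    ("CommunicationComponent", "subClassOf", "CyberComponent"),
    ("SensorNode", "subClassOf", "PhysicalSystem"),
    ("MessageCorruption", "subClassOf", "IntegrityAttack"),
    ("PacketTampering", "subClassOf", "MessageCorruption"),
    ("Eavesdropping", "subClassOf", "PrivacyAttack"),
    ("Jamming", "subClassOf", "LinkLayerAttack"),
    ("DeviceTheft", "subClassOf", "PhysicalAttack"),
    # components and the attacks they are vulnerable to (cf. Figures 12, 13)
    ("CommunicationComponent", "vulnerableTo", "PacketTampering"),
    ("CommunicationComponent", "vulnerableTo", "Jamming"),
    ("SensorNode", "vulnerableTo", "Eavesdropping"),
    # countermeasures, what they mitigate, who supports them (cf. Figures 14-16)
    ("StrongEncryptionAndAuthentication", "mitigates", "PacketTampering"),
    ("StrongEncryptionAndAuthentication", "mitigates", "Eavesdropping"),
    ("CommunicationComponent", "supports", "StrongEncryptionAndAuthentication"),
    ("SelectiveEncryption", "mitigates", "Eavesdropping"),
    ("SelectiveEncryption", "mitigates", "Jamming"),
    # reference papers and the techniques they propose (cf. Section 6)
    ("Ref20", "proposes", "StrongEncryptionAndAuthentication"),
    ("Ref25", "proposes", "SelectiveEncryption"),
]


class MiniOntology:
    """Indexes triples both ways so queries can walk edges in either direction."""

    def __init__(self, triples):
        self.by_subject = defaultdict(set)   # (subject, predicate) -> {object}
        self.by_object = defaultdict(set)    # (predicate, object) -> {subject}
        for s, p, o in triples:
            self.by_subject[(s, p)].add(o)
            self.by_object[(p, o)].add(s)

    def subclasses(self, cls):
        """Reflexive, transitive subclass closure: the step a reasoner performs
        automatically for a DL query, and the step naive matching forgets."""
        closure, stack = {cls}, [cls]
        while stack:
            current = stack.pop()
            for sub in self.by_object[("subClassOf", current)]:
                if sub not in closure:
                    closure.add(sub)
                    stack.append(sub)
        return closure

    def subjects_of(self, predicate, objects):
        return {s for o in objects for s in self.by_object[(predicate, o)]}

    def objects_of(self, subjects, predicate):
        return {o for s in subjects for o in self.by_subject[(s, predicate)]}


def query1_components_vulnerable_to(onto, attack_class):
    """Query 1: CPS components vulnerable to any attack in attack_class."""
    attacks = onto.subclasses(attack_class)
    return onto.subjects_of("vulnerableTo", attacks) & onto.subclasses("CPS")


def query2_prevented_by(onto, countermeasure):
    """Query 2: attacks mitigated by a countermeasure, and the CPS sub-classes
    that support it. Returns (attacks, supporting_components)."""
    attacks = onto.objects_of({countermeasure}, "mitigates")
    supporters = onto.subjects_of("supports", {countermeasure}) & onto.subclasses("CPS")
    return attacks, supporters


def papers_against(onto, attack_class):
    """Queries 3-5: papers proposing a technique that mitigates some attack in
    attack_class (privacy, link layer, physical). An empty set means no paper."""
    attacks = onto.subclasses(attack_class)
    countermeasures = onto.subjects_of("mitigates", attacks)
    return onto.subjects_of("proposes", countermeasures)


if __name__ == "__main__":
    onto = MiniOntology(TRIPLES)
    print("Q1", query1_components_vulnerable_to(onto, "MessageCorruption"))
    print("Q2", query2_prevented_by(onto, "StrongEncryptionAndAuthentication"))
    for cls in ("PrivacyAttack", "LinkLayerAttack", "PhysicalAttack"):
        print("Q3-5", cls, papers_against(onto, cls))
```

With the constructed data, Query 5 (physical attack) returns the empty set just as in the report, and Query 4 returns only Ref25, mirroring the note that its selective encryption mechanism covers both privacy and link-layer attacks. If `subclasses` were replaced by a direct lookup on the named class, Query 1 would return nothing, because the only vulnerability edge is asserted on the subclass PacketTampering; that silent miss is the reason to query through a reasoner or to compute the closure explicitly.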
7.0 Potential Uses and Relationship with Other Work
Figure 22: Structure and View of Security Ontologies
(Diagram; concepts recovered from the figure: Functional Requirements, Security Objective, Infrastructure, Use Cases, Misuse Cases, Vulnerability, Environment, CVSS, Trust, Trust Roots (Establishment, Maintenance, Tear Down), Mitigation Techniques, Exploitation, Attacks, Attack Graphs, Attack Surfaces.)
Figure 22 shows a high-level view of the security landscape. The figure uses the convention that an entity or concept is drawn in a darker shade of a color and an instance, a representation or an aspect of it is shown in a lighter shade of the same color. The figure is drawn to show an Ontology for the enterprise level engineering that is present in CPS systems, consisting of functional requirements (specified as Use Cases in SDLC jargon), security requirements (specified as Misuse Cases that are to be avoided by design and in implementations), physical and software infrastructure, and the operational environment. Security vulnerabilities (reported in CVSS and other public repositories) are exploited to create attacks (these can be modeled as attack graphs or attack surfaces), and if exploited would result in either a loss of Use Cases or the enablement of Misuse Cases. Given the plethora of attacks and the vulnerabilities that they exploit, many mitigation techniques have been designed over the years. Trust is one such class of mitigation techniques that has been used over the last 25 years of security practice. Trust is used to ensure the authenticity, and consequently the advertised functionality, of a component (either software, hardware or a combination thereof). Given this view of security engineering, our Ontology covers security and functional objectives (such as continuous operations and privacy), infrastructure in both transportation and home based medical devices, their vulnerabilities, mitigation techniques and the role played by trust and roots of trust in the latter.
A logical extension of our work, and an immediate application, is to extend our Ontology to include measurable aspects of security. Given that securing any system has a cost, and any enterprise weighs the costs against the benefits, having an industry standard nomenclature specialized to the CPS domain would benefit current and future enterprises. An introduction to this aspect and the languages available to start such an effort have been collected by MITRE at their Making Security Measurable web site [1].
They recommend the following minimum standards:
Measurable Entity                        Extension of Our Ontology
Software Assurance                       Vulnerability, Exploitation
Application Security                     Vulnerability, Exploitation, Functional Requirements, Security Objective
Asset Management                         Environment, Infrastructure
Malware Protection                       Security Objective, Vulnerability, Exploitation
Vulnerability Management
Patch Management                         Vulnerability, Exploitation, Trust Root
Configuration Management                 Environment, Infrastructure, Trust Root
Cyber Intelligence Threat Management     Vulnerability, Exploitation
Supply Chain Risk Management             Vulnerability, Exploitation, Trust Root, Infrastructure, Environment
Malware Protection                       Vulnerability, Exploitation, Mitigation Techniques
Intrusion Detection                      Vulnerability, Exploitation, Mitigation Techniques
Cyber Threat Information Sharing         Trust Root
System Assessment                        Vulnerability, Exploitation, Functional Requirements, Security Objective, Mitigating Techniques
Incident Coordination                    Vulnerability, Exploitation, Mitigating Techniques
Enterprise Reporting                     Vulnerability, Exploitation, Mitigating Techniques
Remediation                              Vulnerability, Exploitation, Mitigating Techniques
[1] http://measurablesecurity.mitre.org/index.html
Although not addressed at the high level, risk management is an important aspect of asset management that is beneficial to the CPS community. Consequently, the Ontology we have developed can be elaborated with security metrics, eventually leading to a quantifiable risk profile that industry can use by instantiating it with the parameters of their specific system.
8.0 Conclusions
We set out with the objective of determining a taxonomy to describe the root of trust in CPS systems. In order to do so, we looked at two specific domains of CPS systems – transportation and medical devices.
Our process involved searching the IEEE and ACM libraries for publications based on keywords that represent roots of trust in the respective CPS subdomains. This search resulted in 156 and 282 papers.
This was followed by manually reading the papers and selecting a sample that would reveal the root of trust in the subdomains. We then created hierarchies that represented the subdomains with potential roots of trust. We found that the primary purpose of having a root of trust was to ensure the security of the applications in environments that had vulnerabilities that could be exploited by attacks that enabled particular mal-intents.
Consequently, our hierarchical representation of roots of trust embodied the security objective environment, vulnerabilities, the attacks that exploited them, the security objectives that could have been violated by the attacks and the solutions that prevented such exploitations. The roots of trust were a cornerstone of these security objectives.
We found that the two CPS subdomains had differing security objectives, vulnerabilities and attacks, and consequently different mitigating solutions that were anchored on roots of trust. As stated in Section 3, mitigating solutions anchored their roots of trust on sensors, actuators, communication infrastructure, control systems and human operators. Similarly, as shown in Section 4, the medical devices domain has communication, control system, actuation, computation and the human elements consisting of hardware engineers, software/firmware engineers, application designers, caregivers, patients and observers such as friends and family of the patient.
Then we took this information and created an Ontology using Protégé, a popular ontology editor. The output of the process is available in the form of an RDF file. We then ran some sample queries to show the utility of our work. Lastly, we showed how our work fits in with and can be used by other areas of securing infrastructure.
Appendices
(Submitted separately)
Appendix 1: Transportation Data Set
Appendix 2: Medical Devices Data Set
Appendix 3: Protégé Data Set