Cybersecurity for UAS Systems
System-Aware Cybersecurity
Barry Horowitz, University of Virginia
November 2015

Three Aspects to Cybersec for UAS’s
• Securing the manufacturing of the system
• Securing the final product
• Securing the final product in the context of the integrated air/ground system

A Systems Engineering View
• Because cybersec for UAS’s:
  – Impacts safety (Policy)
  – Requires operational doctrine to effectively respond to attacks (Process)
  – Requires solutions that span a broad array of risks (Technology)
• System-oriented research efforts are needed to develop solutions that account for the mix of:
  – Technology opportunities and limitations
  – Policy objectives
  – Process issues (including human factors)

Traditional Cybersecurity for Internet-based Information Systems
• Standard cybersecurity approaches are infrastructural in nature: network protections/system perimeter protections
• Little emphasis on protecting applications within specific information systems
• As a result, the cybersecurity community does not have the needed experience in securing applications, and in particular physical system control functions
• And physical system designers do not have the needed experience with designing for better cybersecurity

UVa’s System-Aware Cybersecurity for Computer-Controlled Physical Systems (1 of 2)
• Added layer of security, in addition to network and perimeter security, to protect physical system control functions
• Monitoring the highest-risk system functions for illogical behavior and, upon detection, reconfiguring for continuous operation
• Builds on cybersecurity, fault-tolerant and automatic control technologies
• System monitoring/reconfiguring accomplished with support from a highly secured Sentinel
  – Employ many more security features for protecting the Sentinel than the system being protected can practically employ

UVa’s System-Aware Cybersecurity for Computer-Controlled Physical Systems (2 of 2)
• Addresses not only externally generated attacks, but also insider and supply chain attacks
• Employs reusable design patterns to enable more economical solution development
• Includes doctrine for operator response to detected attacks
• Includes integrated methodology and tools developed to support assessment of both the consequences of attacks and the impact of potential defenses on the cyber attacker’s potential selection of attacks
  – Use SysML for a sufficiently detailed description of the system to be protected
  – Use Attack Trees to support a two-sided assessment methodology

High Level Architectural Overview
[Architecture diagram. Labels: System to be Protected (Internal Controls, Internal Outputs, Measurements, + Diverse Redundancy); “Super Secure” Sentinel Providing System-Aware Security; Reconfiguration Controls from the Sentinel back to the system.]

Sample of Reusable Design Patterns Being Prototyped
• Diverse Redundancy for post-attack restoration
• Diverse Redundancy + Verifiable Voting for trans-attack attack deflection
• Physical Configuration Hopping for moving target defense
• Data Consistency Checking for data integrity and operator display protection
• Parameter Assurance for parameter-controlled SW functions
• Conditional Disablement of automation features
• Doctrinal Assurance Checking for critical decisions

UAV Prototype
• Live flight tests in December 2014 at Early County Airport in Blakely, Georgia
• Multiple attacks/detections/responses
  – Waypoint changes
  – Camera pointing control
  – GPS navigation errors
  – Metadata to support video interpretation
• Secure Sentinel, including:
  – Triple diverse redundancy
  – Computer HW/operating systems/monitoring SW for monitoring
  – Configuration hopping
  – Monitoring both the airborne and ground-based subsystems for continuity
• Accomplished within the power, cooling and physical footprint of an Outlaw UAV carrying video cameras and a small phased array radar (currently implemented within a 3-inch cube)

UAV Video
[Video slide]

Continuing to Learn through Multiple Prototype Projects
• DoD
  – UAV/surveillance system, including in-flight evaluation
  – Creech AF Base human factors exercise
  – Currently employed AF/Army AIMES video exploitation system
  – Radar system (in early design phase)
  – Initiating Army tank project related to advanced fire control system
  – Laboratory-based multi-sensor collection system
• 3D Printers – NIST
• Automobile cybersecurity
  – DARPA Urban Challenge autonomous vehicle
  – Virginia State Police project

Important Factors Regarding Securing Physical Systems
• Monitoring for and responding to attacks that have gained control of physical systems is a more contained objective than for information systems
  – More limited access to physical controls
  – Fewer system functions
  – Less distributed
  – Bounded by laws of physics
  – Less SW
• But
  – Successful attacks can do physical harm
  – Reconfiguration requires operational procedures for rapid response
  – Solutions require operators who are trained and ready to react to very infrequent and unprecedented (zero-day) cyber attack events
  – Physical system operators have no experience or expectations regarding physical system attacks, and
  – When selecting attacks to defend against, care is needed when building on historic safety-related analyses: multiple concurrent failures, considered independent and acceptably rare from a safety viewpoint, can be purposefully accomplished as part of a cyber attack (e.g., Stuxnet)

Scope of System-Aware Research Activities
• Human Factors
  – Working with the AF Human Factors community at Wright Pat, exploring “suspicion” as a measurable human characteristic, and how it relates to behavior in cyber attack situations and response to Sentinel information
• Methodology for selection of physical system functions to protect, based upon:
  – Operational risk-based prioritization
  – Dependable SysML system descriptions
  – Integrated SysML descriptions/Attack Tree tools for red team participation
  – Penetration testing
• System-of-systems based, mission-level security considerations governing widget-level security implementation decisions
  – Currently using a laboratory environment (emulated base defense system) to address solution requirements and doctrine

System Aware Cyber Security Publications
JOURNAL ARTICLES:
• B. M. Horowitz and R. A. Jones, Smart security sentinels for providing cybersecurity for critical system functions: unmanned aerial vehicle case study, Journal of Aerospace Operations (under review).
• R. A. Jones, B. Luckett, P. Beling, and B. M. Horowitz, Architectural scoring framework for the creation and evaluation of System-Aware cyber security solutions, Journal of Environmental Systems and Decisions, vol. 33, no. 3 (2013): 341-361.
• B. M. Horowitz and K. M. Pierce, The integration of diversely redundant designs, dynamic system models, and state estimation technology to the cyber security of physical systems, Systems Engineering, vol. 16, no. 4 (2013): 401-412.
• R. A. Jones and B. M. Horowitz, A system-aware cyber security architecture, Systems Engineering, vol. 15, no. 2 (2012): 224-240.
• J. L. Bayuk and B. M. Horowitz, An architectural systems engineering methodology for addressing cyber security, Systems Engineering, vol. 14 (2011): 294-304.
REFEREED CONFERENCE ARTICLES:
• G. L. Babineau, R. A. Jones, and B. M. Horowitz, A system-aware cyber security method for shipboard control systems with a method described to evaluate cyber security solutions, 2012 IEEE International Conference on Technologies for Homeland Security (HST), 2012.
• R. A. Jones, T. V. Nguyen, and B. M. Horowitz, System-Aware security for nuclear power systems, 2011 IEEE International Conference on Technologies for Homeland Security (HST), 2011, pp. 224-229.

Patent Related Activity
• US Patent Application
  – US Patent App No. 14/660,278: “Cyber-Physical System Defense”
• Provisional Patents
  – US Prov. No. 61/955,669: “Cloud Based System Aware Cybersecurity and Related Methods Thereof”
  – US Prov. No. 62/075,179: “System Aware Cybersecurity and Related Methods Thereof”
• In Preparation
  – Additive Manufacturing (3D Printer) Cyber Security
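The Sentinel pattern sketched in the design-pattern and UAV prototype slides (diverse redundancy with verifiable voting, then data consistency checking against the mission, then reconfiguration onto a clean controller), carried through as an added Python example. This is illustrative code written for this page, not the UVa project's Sentinel; the waypoint channel, the three replicas, the mission geofence and the flight limits are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass
import math
@dataclass(frozen=True)
class Waypoint:
    lat: float    # degrees
    lon: float    # degrees
    alt_m: float  # metres above ground

# Constructed mission plan (illustrative values) the Sentinel checks commands against.
MISSION = {"fence": (38.00, 38.10, -78.60, -78.50),  # min_lat, max_lat, min_lon, max_lon
           "max_alt_m": 120.0, "max_leg_m": 2000.0}

def _key(wp):
    # Quantise so diverse implementations that agree to within ~1 m vote together
    return (round(wp.lat, 5), round(wp.lon, 5), round(wp.alt_m))

def vote(replicas):
    """Majority vote over diverse replicas -> (winner or None, dissenting indices)."""
    counts = Counter(_key(wp) for wp in replicas)
    best, n = counts.most_common(1)[0]
    if 2 * n <= len(replicas):  # no strict majority: no replica can be trusted
        return None, list(range(len(replicas)))
    winner = next(wp for wp in replicas if _key(wp) == best)
    return winner, [i for i, wp in enumerate(replicas) if _key(wp) != best]

def leg_length_m(a, b):
    # Equirectangular approximation; adequate for the short legs a small UAV flies
    dlat = math.radians(b.lat - a.lat)
    dlon = math.radians(b.lon - a.lon) * math.cos(math.radians((a.lat + b.lat) / 2))
    return 6371000.0 * math.hypot(dlat, dlon)

def consistency_check(prev, wp, mission=MISSION):
    """Return why the waypoint is illogical for the mission plan, or None if it fits."""
    lo_lat, hi_lat, lo_lon, hi_lon = mission["fence"]
    if not (lo_lat <= wp.lat <= hi_lat and lo_lon <= wp.lon <= hi_lon):
        return "waypoint outside mission geofence"
    if wp.alt_m > mission["max_alt_m"]:
        return "altitude above mission ceiling"
    if prev is not None and leg_length_m(prev, wp) > mission["max_leg_m"]:
        return "leg longer than mission maximum"

def sentinel_decide(prev, replicas):
    # One Sentinel cycle: vote, check the winner, reconfigure to backup control on any anomaly
    winner, dissenters = vote(replicas)
    if winner is None:
        return {"action": "reconfigure", "reason": "no majority among replicas"}
    if reason := consistency_check(prev, winner):
        return {"action": "reconfigure", "reason": reason}
    return {"action": "accept", "waypoint": winner, "outvoted": dissenters}
```

An outvoted replica is still reported in `outvoted`, so a single tampered copy is surfaced to the operator even when the vote deflects it.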