Security and Privacy in Cyber-Physical Systems
eBook - ePub

Security and Privacy in Cyber-Physical Systems

Foundations, Principles, and Applications

  1. English
  2. ePUB (mobile friendly)
  3. Available on iOS & Android
eBook - ePub

Security and Privacy in Cyber-Physical Systems

Foundations, Principles, and Applications

About this book

Written by a team of experts at the forefront of the cyber-physical systems (CPS) revolution, this book provides an in-depth look at security and privacy, two of the most critical challenges facing both the CPS research and development community and ICT professionals. It explores, in depth, the key technical, social, and legal issues at stake, and it provides readers with the information they need to advance research and development in this exciting area.

Cyber-physical systems (CPS) are engineered systems that are built from, and depend upon the seamless integration of computational algorithms and physical components. Advances in CPS will enable capability, adaptability, scalability, resiliency, safety, security, and usability far in excess of what today's simple embedded systems can provide. Just as the Internet revolutionized the way we interact with information, CPS technology has already begun to transform the way people interact with engineered systems. In the years ahead, smart CPS will drive innovation and competition across industry sectors, from agriculture, energy, and transportation, to architecture, healthcare, and manufacturing. A priceless source of practical information and inspiration, Security and Privacy in Cyber-Physical Systems: Foundations, Principles and Applications is certain to have a profound impact on ongoing R&D and education at the confluence of security, privacy, and CPS.

Frequently asked questions

Yes, you can cancel anytime from the Subscription tab in your account settings on the Perlego website. Your subscription will stay active until the end of your current billing period. Learn how to cancel your subscription.
No, books cannot be downloaded as external files, such as PDFs, for use outside of Perlego. However, you can download books within the Perlego app for offline reading on mobile or tablet. Learn more here.
Perlego offers two plans: Essential and Complete
  • Essential is ideal for learners and professionals who enjoy exploring a wide range of subjects. Access the Essential Library with 800,000+ trusted titles and best-sellers across business, personal growth, and the humanities. Includes unlimited reading time and Standard Read Aloud voice.
  • Complete: Perfect for advanced learners and researchers needing full, unrestricted access. Unlock 1.4M+ books across hundreds of subjects, including academic and specialized titles. The Complete Plan also includes advanced features like Premium Read Aloud and Research Assistant.
Both plans are available with monthly, semester, or annual billing cycles.
We are an online textbook subscription service, where you can get access to an entire online library for less than the price of a single book per month. With over 1 million books across 1000+ topics, we’ve got you covered! Learn more here.
Look out for the read-aloud symbol on your next book to see if you can listen to it. The read-aloud tool reads text aloud for you, highlighting the text as it is being read. You can pause it, speed it up and slow it down. Learn more here.
Yes! You can use the Perlego app on both iOS or Android devices to read anytime, anywhere — even offline. Perfect for commutes or when you’re on the go.
Please note we cannot support devices running on iOS 13 and Android 7 or earlier. Learn more about using the app.
Yes, you can access Security and Privacy in Cyber-Physical Systems by Houbing Song, Glenn A. Fink, Sabina Jeschke, Houbing Song,Glenn A. Fink,Sabina Jeschke in PDF and/or ePUB format, as well as other popular books in Informatica & Crittografia. We have over one million books available in our catalogue for you to explore.

Information

Publisher
Wiley-IEEE Press
Year
2017
Print ISBN
9781119226048
eBook ISBN
9781119226062
Edition
1
Topic
Informatica
Subtopic
Crittografia

Chapter 1
Overview of Security and Privacy in Cyber-Physical Systems

Glenn A. Fink1, Thomas W. Edgar1, Theora R. Rice1, Douglas G. MacDonald1 and Cary E. Crawford2
1Pacific Northwest National Laboratory, National Security Directorate, USA
2Oak Ridge National Laboratory, Nuclear Science and Engineering Directorate, USA

1.1 Introduction

Cyber-physical systems (CPSs) are broadly used across technology and industrial domains to enable process optimization and previously unachievable functionality. However, CPSs have been key targets in some of the most highly publicized security breaches over the last decade. Neither cyber- nor physical-security concepts alone can protect CPSs because the complex interdependencies and crossover effects can introduce unexpected vulnerabilities: Physical attacks may damage or compromise the information system on the device, and cyber-attacks can cause physical malfunctions. Because of the many critical applications where CPSs are employed, either kind of attack can result in dire real-world consequences. As a result, security and privacy must be key concerns for CPS design, development, and operation.
In this chapter, we discuss CPSs from a security perspective. We explain classical information and physical-security fundamentals in the context of CPSs deployed across application domains. We give examples where the interplay of functionality and diverse communication can introduce unexpected vulnerabilities and produce larger impacts. We discuss how CPS security and privacy are inherently different from pure cyber or physical systems and what may be done to secure these systems, considering their emergent cyber-physical properties. Finally, we discuss security and privacy implications when infrastructural and personal CPSs merge. While helping the general users cope with the risks inherent in existing products is important, our goal is to help designers of emerging CPSs to build more secure, privacy-enhanced products in the future by incorporating lessons learned from the recent past and present.

1.2 Defining Security and Privacy

Before we can discuss security and privacy of CPSs, it is crucial to understand the definitions and intricacies of the terms. Security is a set of measures to ensure that a system will be able to accomplish its goal as intended, while mitigating unintended negative consequences. When features are added to a system, security is applied to ensure that the additions neither compromise intended functionality nor introduce new attack vectors.
The National Institute of Standards and Technology (NIST) defines privacy as “Assurance that the confidentiality of, and access to, certain information about an entity is protected” (Barker et al., 2013, p. 94). “Entity,” in this case, can be a corporation or facility as well as an individual person. “Certain information” may refer to any sensitive information such as personally identifiable information (PII).
Security and privacy have in common the concepts of appropriate use and protection of information. Privacy is often thought of as freedom from observation, disturbance, or unwanted public attention and the ability of an individual or group to limit its self-expression. Privacy is often seen as an aspect of security, an affordance of confidentiality, because a secure system should protect the privacy of its users. Confidentiality usually means that information is not released to unauthorized parties, but privacy has a more dynamic dimension of allowing owners to control the dissemination of their information themselves. At the same time, security may be considered contrary to privacy. For instance, politicians and industry leaders endure reduced privacy to protect the public trust they hold.

1.2.1 Cybersecurity and Privacy

The concepts of security and privacy can be applied to both the cyber and physical sides of CPSs. There are many overlapping terms for these concepts including cybersecurity, information security, information assurance, and others. For our purposes, we are concerned in this section with the nonphysical, informational side of CPSs. Thus, the term information security as defined by NIST will suffice:
A condition that results from the establishment and maintenance of protective measures that enable an enterprise to perform its mission or critical functions despite risks posed by threats to its use of information systems. Protective measures may involve a combination of deterrence, avoidance, prevention, detection, recovery, and correction that should form part of the enterprise's risk management approach.
(Kissel, 2013, p. 94).
Information security is generally characterized by three core principles, which Pfleeger and Pfleeger (2007) and Cherdantseva and Hilton (2013) defined as follows:
  • Confidentiality – Only authorized parties can access computer-related assets.
  • Integrity – Assets can be modified only by authorized parties or only in authorized ways.
  • Availability – Assets are accessible to authorized parties at appropriate times.
Together these are known as the “CIA triad,” and they ensure reliable access to correct information for the right people/programs/machines. The CIA triad is the heart of information security but is widely thought to be incomplete. Cherdantseva and Hilton (2013) discuss attempts to amend the triad and propose an information assurance and security octet that starts with CIA but also includes accountability, authentication and trustworthiness, auditability, nonrepudiation, and privacy. The complete list of security goals has not been definitively agreed upon, but we elect to add to the triad two additional elements that are most germane to the physical side of our discussion of CPSs. The last two principles are often bundled into the principle of integrity, but they are important enough to deserve separate attention:
  • Authentication – Verifies the identity, often as a prerequisite to access (Committee on National Security Systems, 2010).
  • Nonrepudiation – Protects against an individual's false denial of having performed a particular action and captures whether a user performed particular actions (i.e., sending or receiving a message) (NIST, 2013).
There are a number of means of implementing each of these cybersecurity principles. For example, encryption provides confidentiality, protecting data and system functions from unauthorized use. Digital signatures and secure hashes provide integrity, ensuring data or software updates are not modified. Redundancy of resources keeps the system available for the intended users for proper use at any time even under stress. Identities, certificates, and passwords are examples of authentication mechanisms that guarantee only authorized users may access resources protected by confidentiality measures. Authentication ensures integrity by verifying the authority of actors who would change an asset. Automatically collected records and logs of these changes may show which user accessed or modified specific parts of the system. When these logs are protected by some integrity mechanism, the result is a system with nonrepudiation. Nonrepudiation makes violations of integrity clear and provides forensically useful information when security fails.
Privacy in the information sense of the word usually refers to the principle of confidentiality, but it is also related to controlled disclosure of information. People want to be able to disclose information to some and not to others and they want to be able to control what is done with the information disclosed. Thus, privacy is a facet of personal information integrity because although data about a person may be transmitted, the information it bears is always the property of the person identified by it.

1.2.2 Physical Security and Privacy

Physical protection aims to defend an area in space according to the following principles adapted from the U.S. Department of Defense (2016) and U.S. Department of Energy (2005):
  • Deterrence – A credible threat of countermeasures that prevents actions against the system by making the perceived cost of an attack outweigh the perceived benefits.
  • Detection – The positive assessment that a specific object caused the alarm and/or the announcement of a potential malevolent act through alarms.
  • Delay – Impediments that slow or prevent an adversary from accessing a protected asset or from completing a malevolent act.
  • Response – Actions taken with appropriate force and at locations and times designed to stop the advancement of the adversary.
  • Neutralization – Rendering enemy forces incapable of interfering with a particular operation.
Deterrence can be as innocuous as a sign indicating the presence of physical-security components or a guard posted in a visible location to warn the potential adversary of the consequences of an attack. Beyond this, detection is usually accomplished with surveillance technologies, human watchers, or operational processes. Alarms may be coupled with detection to alert those protecting the asset (the trusted agents) or to scare off the attacker. Barriers such as protective forces, walls, deployed obstacles, storage containers, locks, and tamper-resistant devices take time for an adversary to penetrate, providing delay (and some deterrence if the measures are visible). The response to intrusion events must be immediate and effective and may include summoning authorities with sufficient force to halt the attack. Without a timely response, no threat can be completely neutralized. The responders neutralize all of the attackers by arresting them or in some other way making it impossible for them to attack the system in that way again. If these physical-security elements are not properly utilized, even the most impenetrable defenses will eventually be defeated.
Privacy in the realm of physical security often entails trade-offs with security. Access controls, surveillance, detection and assessment, and response are all principles of physical protection that require individuals to be positively identified, tracked, and monitored while in the secured area. Allowing these physical protection systems to track a person's every move must be coupled with the assumption that this information will be utilized for the intended purpose only and protected against any malicious usage or unauthorized access. However, the agreement to provide this information to other trusted agents to further enhance security is usually made explicit.

1.3 Defining Cyber-Physical Systems

Cyber-physical systems, or CPSs, is an umb...

Table of contents

  1. Cover
  2. Title Page
  3. Copyright
  4. Table of Contents
  5. List of Contributors
  6. Foreword
  7. Preface
  8. Acknowledgments
  9. Chapter 1: Overview of Security and Privacy in Cyber-Physical Systems
  10. Chapter 2: Network Security and Privacy for Cyber-Physical Systems
  11. Chapter 3: Tutorial on Information Theoretic Metrics Quantifying Privacy in Cyber-Physical Systems
  12. Chapter 4: Cyber-Physical Systems and National Security Concerns
  13. Chapter 5: Legal Considerations of Cyber-Physical Systems and the Internet of Things
  14. Chapter 6: Key Management in CPSs
  15. Chapter 7: Secure Registration and Remote Attestation of IoT Devices Joining the Cloud: The Stack4Things Case of Study
  16. Chapter 8: Context Awareness for Adaptive Access Control Management in IoT Environments
  17. Chapter 9: Data Privacy Issues in Distributed Security Monitoring Systems
  18. Chapter 10: Privacy Protection for Cloud-Based Robotic Networks
  19. Chapter 11: Toward Network Coding for Cyber-Physical Systems: Security Challenges and Applications
  20. Chapter 12: Lightweight Crypto and Security
  21. Chapter 13: Cyber-Physical Vulnerabilities of Wireless Sensor Networks in Smart Cities
  22. Chapter 14: Detecting Data Integrity Attacks in Smart Grid
  23. Chapter 15: Data Security and Privacy in Cyber-Physical Systems for Healthcare
  24. Chapter 16: Cyber Security of Smart Buildings
  25. Chapter 17: The Internet of Postal Things: Making the Postal Infrastructure Smarter
  26. Chapter 18: Security and Privacy Issues in the Internet of Cows
  27. Chapter 19: Admission Control-Based Load Protection in the Smart Grid
  28. Editor Biographies
  29. Index
  30. End User License Agreement