Most cyber-physical systems (CPS) are not monolithic control applications but distributed computing systems with hundreds to thousands of devices: PLCs, RTUs, IIoT devices and SCADA workstations in the case of critical infrastructure, or processing elements spread over multiple communication buses in automotive and avionics. As a result, an attack on a single device in the distributed system can cascade to the others. A worm, for example, traverses the network from device to device and turns a local compromise into a macro-level attack. Stuxnet worked this way, and so did recent ransomware such as NotPetya, which spread from host to host in similar fashion. NotPetya entered the Maersk shipping company's network through a compromised automatic update of a popular Ukrainian desktop accounting application. Because the Maersk network spans more than 130 countries, from that single entry point it encrypted and bricked thousands of machines all over the world, including the company's Active Directory domain controllers, which disabled its authentication infrastructure worldwide.

Another growing trend for critical-infrastructure CPS operators is to collect industrial control network data into a cloud platform in order to obtain analytics for process optimisation, business intelligence, inventory management and so on. This opens a very ripe attack surface from the cloud environment back into the infrastructure: if the cloud side is not hosted on a hardened server with a patched operating system, hypervisor and network interfaces, an attacker can compromise the cloud environment first and then wreak havoc on the entire network, including the field network. The breach of the Target retail chain followed this shape: the attackers obtained the remote-access credentials of Target's HVAC vendor, whose monitoring connection into Target's network gave them a foothold from which they eventually reached the point-of-sale network and stole payment card data belonging to some 40 million customers.
The authentication and authorization architecture of the distributed system, secure remote access into the devices of the CPS, securing the multi-layer networked industrial automation architecture, and securing the cloud-to-infrastructure network interface (e.g. by implementing data diodes) are therefore among the major areas of research at this layer.
The major research topics at this layer are:
i. Securing the authentication and authorization architecture of the distributed system
ii. Threat modeling and threat analysis frameworks for large-scale distributed CPS
iii. Secure virtualization in public as well as private clouds
iv. Multi-party computation based sharing of secret keys
v. Cloud security, especially securing the interface between the data-collecting cloud and the critical devices and networks, i.e. developing data diodes
vi. Use of blockchain for tamper-evident, time-stamped logging of system-wide events
vii. System-level intrusion detection by correlating events from the various components of the system
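As an added example (not part of the original text and not code from any of the systems it mentions), the following Python sketch shows the kind of system-level correlation the last research topic above calls for, applied to the worm-cascade pattern from the opening paragraph. Each device only sees its own sessions, and a single administrative session looks benign; what betrays a worm is that a host which has just been reached by lateral-movement traffic immediately fans out to several further hosts. The event format, host names, event-kind labels and thresholds are all constructed for illustration and would have to be mapped onto real telemetry.

```python
"""Cross-device correlation of lateral-movement events into a cascade alert.

Added example for this page; not the original authors' code. All field
names, event kinds, host names and thresholds below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int     # seconds since some epoch (constructed)
    src: str    # device that initiated the session
    dst: str    # device that received it
    kind: str   # constructed label for the channel used


# Only administrative / code-execution channels count as lateral movement.
# Process-data polling (a historian reading every PLC) fans out by design
# and must never trigger this rule, so it is filtered out by kind.
LATERAL_KINDS = {"smb_admin_share", "remote_exec"}
FANOUT_THRESHOLD = 3   # distinct new destinations from one host ...
WINDOW = 120           # ... within this many seconds


def propagation_path(host, parent):
    """Walk the first-contact parent map back to the earliest known source."""
    path, seen = [host], {host}
    while host in parent and parent[host][0] not in seen:
        host = parent[host][0]
        seen.add(host)
        path.append(host)
    return path[::-1]


def detect_cascade(events, fanout=FANOUT_THRESHOLD, window=WINDOW):
    """Return one alert per host that (a) was itself reached by lateral
    movement and then (b) reached >= `fanout` distinct hosts within `window`
    seconds. Condition (a) is exactly what no single device can evaluate on
    its own: it needs the events reported by the *other* devices."""
    lateral = sorted((e for e in events if e.kind in LATERAL_KINDS),
                     key=lambda e: e.ts)
    parent = {}                    # host -> (src, ts) of first lateral contact
    outbound = defaultdict(list)   # src  -> [(ts, dst), ...]
    alerts, alerted = [], set()
    for e in lateral:
        parent.setdefault(e.dst, (e.src, e.ts))
        outbound[e.src].append((e.ts, e.dst))
        if e.src in alerted or e.src not in parent:
            continue   # already reported, or never reached itself (patient zero)
        reached_at = parent[e.src][1]
        # count only outbound sessions started after the host was reached
        recent = {d for t, d in outbound[e.src]
                  if t >= reached_at and e.ts - t <= window}
        if len(recent) >= fanout:
            alerted.add(e.src)
            alerts.append({"host": e.src, "reached_at": reached_at,
                           "fanout_to": sorted(recent),
                           "path": propagation_path(e.src, parent)})
    return alerts


# Constructed sample telemetry: routine polling, one maintenance session,
# then a two-hop cascade starting from an accounting workstation.
SAMPLE_EVENTS = [
    *[Event(t, "historian-01", f"plc-0{i}", "modbus_read")
      for i, t in enumerate(range(0, 50, 10), start=1)],
    Event(10, "admin-ws-01", "hmi-05", "smb_admin_share"),
    Event(60, "ws-acct-01", "eng-ws-01", "remote_exec"),       # patient zero
    Event(90, "eng-ws-01", "hmi-01", "smb_admin_share"),       # first hop fans out
    Event(95, "eng-ws-01", "hmi-02", "smb_admin_share"),
    Event(101, "eng-ws-01", "plc-gw-01", "smb_admin_share"),
    Event(150, "hmi-01", "plc-gw-02", "remote_exec"),          # second hop
    Event(160, "hmi-01", "plc-gw-03", "remote_exec"),
    Event(170, "hmi-01", "eng-ws-02", "remote_exec"),
]

if __name__ == "__main__":
    for alert in detect_cascade(SAMPLE_EVENTS):
        print(f"{alert['host']} reached at t={alert['reached_at']}, "
              f"fanned out to {alert['fanout_to']}; path {' -> '.join(alert['path'])}")
```

Run stand-alone, the block reports two alerts: eng-ws-01 (path ws-acct-01 -> eng-ws-01) and hmi-01 (path ws-acct-01 -> eng-ws-01 -> hmi-01), while the historian's five Modbus polls and the single maintenance session raise nothing. Attribution here uses the first lateral contact as a host's parent, which is a simplification; a production correlator would also weigh authentication events and the credentials used at each hop.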