Risk & Compliance Exchange 2024: NIST’s Ron Ross on engineering protections into cyber-physical systems

The massive convergence of cyber and physical systems has prompted the need for a framework based on engineering principles, the NIST fellow says.

Discussions of cybersecurity often circle back to coding.

After all, building in cybersecurity instead of cobbling it on later makes sense. That practice typically refers to the development and testing of software as it’s produced. The National Institute of Standards and Technology has created a library of publications with detailed frameworks to help organizations ensure safe software and IT systems.

Equally important, but not always at the center of cybersecurity thinking, is secure, trustworthy engineering. NIST has published guidance here too: Special Publication 800-160, Systems Security Engineering.

Its subtitle, “Considerations for a multidisciplinary approach in the engineering of trustworthy secure systems,” might sound wordy but indicates a crucial component of cybersecurity, said Ron Ross, NIST fellow and co-creator of 800-160.

“This publication is extremely important, and it’s not that well known,” Ross said during Federal News Network’s Risk & Compliance Exchange 2024. He noted that NIST’s library of cybersecurity publications has its roots in the enterprise IT world of a couple of decades ago.

“Since that time, there’s been a massive innovation revolution. You’ve seen it. We’ve all lived through it,” Ross said. But there’s a big change that requires an engineering approach to security, he added, and that’s the “massive convergence of cyber and physical systems.”

That convergence brings a need “to get down to the place where industry is building,” Ross said, including “the hardware, the software and the firmware — to see what kind of components are being built. How do they work together when you bring those into a systems context?”

He added, “We’ve been focused on innovation and building all this technology. Now we’re having to take a step back and say, ‘OK, how vulnerable is this stuff that we’re building?’ ”

Ross made a distinction between framework-based processes and engineering processes. Frameworks tend to be check-off and compliance exercises, he said, while an engineering approach looks at how complex systems operate in reality.

It starts with learning from various functions in the organization “what’s the mission of the organization? What’s our business model? And what are we trying to achieve?” he said.

Looking into black boxes

The cyber-physical convergence produces the so-called black boxes, Ross said. As an example, he cited cars, in which a multitude of subsystems operate over a single bus — everything from obstacle-sensing brakes to entertainment. A stack of “hardware, software, middleware, operating systems and applications all work together in an environment. We have very little visibility and transparency into that black box,” he said.

When software crashes occur in cyber-physical systems, the results can be far more severe than when computers alone crash, Ross pointed out.

“The blue screen of death might be an inconvenience. But in the world of complex systems today, cyber-physical convergence computers are being pushed into everything from pacemakers to power plants,” he said. “Every time that computer is part of that cyber-physical system, there’s potential for bad things to happen that we never anticipated before.”

He said the addition of artificial intelligence to operational systems brings the potential to change their characteristics, including the engineering relationships. Cyber-physical integration and AI have prompted NIST to propose an updated strategy in the two volumes of SP 800-160, Ross said. Forty years of a perimeter-based, penetration-resistance strategy will give way to a strategy of resilience.

“You do everything you can to keep [attacks] out,” Ross said. “Once they’re inside, you try to limit the damage they can do. We have lots of technologies that can help us do that.” He said complex systems also need resilience from human error and components that break or wear out.

The engineering approach presupposes that the potentially millions of components in a complex system each have vulnerabilities, no matter how carefully they’re coded, Ross said.

Security “becomes an engineering task to figure out. How much do I trust this component? What does this component interact with? And how do I make sure I can have the highest level of assurance?” Ross said.

Such work then falls to multidisciplinary teams collaborating, not to any individual or even to one IT staff, he said. That’s the approach NASA has long used for launch assurance.

“Each one of those individuals around the table, they would go through the countdown phase, and they would go to each individual, give them a thumbs up or a thumbs down. If you got a thumbs down, they stop the launch sequence and they fix the problem,” Ross said.

Proving ground: Real-world NASA project

To deepen understanding of resilience, security engineering and cyber-physical convergence, NIST is partnering with NASA’s Jet Propulsion Laboratory and the California Institute of Technology. Ross called it “the best project I’ve worked on, not just in my 27 years at NIST but in my entire cybersecurity community career.”

The project is an outgrowth of NIST’s continuing work on SP 800-160. Engineers at JPL, a federally funded R&D center, and NASA were frustrated because they couldn’t figure out a way to apply the cybersecurity framework approach to engineering.

“It’s not that the framework is incorrect,” Ross said. “It does really well with what it was intended to do. But it can’t always solve the engineering problems when it comes to security.”

He added, “I’ve heard this across almost every federal agency that builds things and that are using our risk management framework or our cybersecurity framework.”

After discussions, a NASA mission director, JPL and Caltech offered up a real system on which to team with NIST in an experiment to work out the problem. The goal is to determine how to “apply the concepts of 800-160, the security design principles — which come out of a principled engineering process — to a real system,” Ross said.

The system being used for this research is the Sun Radio Interferometer Space Experiment (SunRISE) satellite system, an as-yet unlaunched array of six cube satellites, each about the size of a Rubik’s cube. NASA and other organizations typically launch cube satellites in clusters simultaneously. The SunRISE project will study solar activities such as particle storms.

The experiment is a complex one. It brings together measurements of solar and space particles that will affect the satellites and the data systems that support the mission.

The NIST-NASA-JPL-Caltech team is “going back and repeating the entire development process in a simulated mode,” Ross said. The experiment focuses on the ground data system. “They’re saying, ‘If we were to do this again and use the security design principles from 800-160, what things would have changed? What kinds of vulnerabilities are there … that we could fix?’ ”

Ross added, “Everything we’re learning about this, we’re going to document.” NIST will publish the findings and generalize what the team learned.

The learnings will help illuminate those black boxes so engineers can optimize how and where to put safeguards inside, among the components, he said.

“It’s not good enough anymore, in a compliance framework, to say you’ve got two-factor authentication or access control or encryption,” Ross said.

He said the SunRISE satellite program is the first of many.

“This experiment is not going to stop with one and done. NASA plans to expand it, and NIST is already talking to other agencies, including the Defense and Energy departments,” Ross said.

“We’re going to learn a lot of things,” he said, and he predicted both failures and successes along the way. “But the ultimate objective is to better protect our cyber-physical systems in a very hostile threat environment.”


Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.
