Understanding cyber-physical security’s relevance
"Cyber-physical" is an appropriate term to capture a new environment we are entering, where machines operate automatically and rapidly based on real-time feedback. For product managers, who merge the engineering of a solution with customer and market needs, understanding implications of cyber-physical can be critical. It is these leaders who will determine how tightly to secure equipment communication modules, whether or not to include access such as Wi-Fi, and most importantly, whether to sacrifice convenience for security (rarely a good choice).
Pulse of cyber-physical security
Why does understanding cyber-physical characteristics matter? Consider how many critical services that the broader population relies on are, in fact, dependent upon cyber-physical interactivity. It’s difficult to pinpoint a more immediate example to our lives than heart pacemakers. More than three million people rely on pacemakers every day, and 600,000 new implants are performed each year, according to the American Heart Association. These cyberphysical devices not only manage electrical impulses in the human body, but they can also connect to external, remote systems for diagnosis and adjustments. Security takes on new meaning when you consider how and where these cyberphysical systems reside. Another set of cyberphysical systems delivers our electricity, which we ambitiously consume at approximately 18,000 TerraWatts a year. How many of us can go 60 minutes without an electrical charge to our cell phones? Smart meters, not to mention power generation control systems, play a part in delivering this critical energy service.
Moving forward, we can envision a host of additional cyberphysical systems beyond these two examples, managing and impacting our daily lives. Many have seen self-driving cars, which are expected to grow at 134% CAGR in the next five years. Or consider home automation systems and maritime cargo monitoring. As a security specialist, while I anticipate great reward from these new types of cyber-physical systems, I also envision the need for better protection. The dependency on cyber-physical systems exposes the broader population to a variety of risks. This is one of many reasons we want to ensure product managers, designers, R&D, and anyone managing such product deliveries understands how seriously to prioritize and adapt security for the cyber-physical era. The earlier they build in considerations for the behavior and usage of cyber-physical, the earlier vulnerabilities and product misuse possibilities can be phased out.
Changing approach to security
While I will outline some of these risks, be assured that my follow up column will discuss solutions. My intent is to help readers visualize the relevance of cyber-physical systems in day-to-day lives, as background to why new approaches to security are required. And while our researchers handle very targeted and device-specific vulnerabilities behind closed doors, I will discuss in public only broad strokes of exposure, rather than risk proliferating any attack specifics. Researchers have already performed "jail break" attacks to take over these devices.
Product managers will always be up against market pressures to deliver their product first, and it’s likely quite a few can cite examples there they had to trade off convenience and price for limited protection. In some cases, it might not even be a conscious design decision. But considering our growing dependency on cyber-physical systems, this trade off can have severe consequences.
In other industries, it is less a competitive push to reach a consumer market triggering risks than it is a status quo about what constitutes a secure product.
In the energy sector, offshore oil rigs were once "air gapped" and not connected to other systems. We all know today that is not the case, with remote access and multiple contractor entry points. Similarly today, devices from as far afield as transportation and government services have a status quo to prioritize physical security first. Will seatbelts cause more injuries or save more lives, for example, or how will devices from state clinics affect the medical condition of citizens?
As cyber merges with the inside of vehicles and operating rooms, product security needs a new perspective. Has the system been tested against remote control access through Wi-Fi and USB penetration? If a cyber-physical device receives false commands, what are the implications for those relying on such systems?
Such examples are initial illustrations representing the changing aspects of risk we are exposed to as we enter the cyber-physical era.
The high level of machine-to-machine interactivity, the speed of sharing real-time information automatically, and the trade off of convenience for security in product lifecycle management all contribute to new levels of risk as cyber-physical systems emerge. Considering our increasing dependence on these critical systems, it is imperative to train and inspire product managers to share security knowledge and prioritize new cyber-physical security models. In my next column, I will illuminate options for how we can move forward, including implementing security measures much earlier in the design lifecycle.
– Nate Kube is the founder and chief technology officer at Wurldtech Security Technologies. This article originally appeared on ISSSource. ISSSource is a CFE Media content partner. Edited by Joy Chang, Digital Project Manager, CFE Media, firstname.lastname@example.org.