Cyber-Physical Systems Framework Issued by NIST for Public Comment

A draft framework to guide the development of cyber-physical systems (CPS) has been issued for public comment by the National Institute of Standards and Technology.  The comment deadline is Nov. 2. Developed in partnership with industry, academic, and government experts in the NIST CPS Public Working Group (CPS PWG), the publication has taken more than a year to develop (TRDaily, Aug. 7).

The framework is intended to provide a methodology for understanding, designing, and building CPS, including those with multiple applications, according to David Wollman, deputy director of NIST’s Smart Grid and Cyber-Physical Systems Program Office.

“Creating a complex device involves a lot of people with varying interests and concerns, from the designers to the engineers to the safety testers,” Mr. Wollman said.  “What the framework provides is an organized treatment of these concerns so the group can address and manage them all effectively.  It will prompt them to think of concerns they may not be aware of, and support understanding and integration of different CPS.”

In an introduction to the framework, NIST said it established the working group “to bring together a broad range of CPS experts in an open public forum to help define and shape key characteristics of CPS, so as to better manage development and implementation within and across multiple ‘smart’ application domains, including smart manufacturing, transportation, energy, and healthcare.”

“In addition to CPS, there are many words and phrases (industrial Internet, Internet of things (IoT), machine-to-machine (M2M), smart cities, and others) that describe similar or related systems and concepts,” the framework said.

“There is significant overlap between these concepts, in particular CPS and IoT, such that CPS and IoT are sometimes used interchangeably, and the approach described in this CPS Framework should be considered to be equally applicable to IoT,” it said.

“The impacts of CPS will be revolutionary and pervasive; this is evident today in emerging autonomous vehicles, intelligent buildings, smart energy systems, robots, and smart medical devices,” it continued.  “Realizing the full promise of CPS will require interoperability among heterogeneous components and systems, supported by new reference architectures using shared vocabularies and definitions.”

A top concern for the emerging CPS ecosystem is security, the document said.  “Because CPS are designed to interact directly with the physical world, there is a more urgent need for emphasis on security, privacy, safety, reliability, and resilience, and corresponding assurance for pervasive interconnected devices and infrastructures,” it said.

“As opposed to IT cybersecurity, which focuses only on mitigating the impact of cyber attacks, CPS security and privacy consider the coordinated exploitation of both physical and cyber vulnerabilities,” it said.

“Certainly, many of the cybersecurity challenges that apply to IT systems also apply to CPS.  However, some challenges may not have the same criticality in the CPS space as they do in IT systems, and CPS may pose additional challenges not present in the IT space,” it added.

“A denial-of-service attack against a website produces loss of access to data, loss of revenue, or even damage to a server, but if the attack is addressed in minutes, recovery may not be difficult.  By contrast, a denial of service attack against the system that regulates the safe operation of a power generation facility or an industrial plant can lead to irreparable damage to capital equipment that could take months or years to replace.  For systems like these, the time scale for addressing the attack cannot be minutes,” the framework said.

“CPS cybersecurity must protect operational goals from the impacts of malicious cyber attack, enabling continuing safe operations even in compromised conditions,” it said.  “Cybersecurity for CPS must address how a system can continue to function correctly when under attack, provide mechanisms that support fault-tolerance and/or graceful degradation in accordance with mission- or business-driven priorities, and enable the system to fail-safe in those circumstances in which resilience cannot be provided in the face of threat.”

– Tom Leithauser, tom.leithauser@wolterskluwer.com

Courtesy TRDaily