Cyber-Physical Systems Framework Set for NIST Publication by August 31

A draft framework to guide the development of cyber-physical systems (CPS) is expected to be ready for public review by the end of August, according to an official at the National Institute of Standards and Technology.

“We have done a lot of work together these past months and your NIST team is pulling together the results into our best effort at achieving a consensus draft integrating all your thoughts and discussions and inputs,” Martin Burns, director of NIST’s CPS program office, told CPS working group participants in an Aug. 6 e-mail.

The completion deadline for the publication has slipped considerably since the effort was launched a year ago (TRDaily, Aug. 11, 2014).  The working group now should expect a “quick dash to completion of a draft worthy of a public review,” Mr. Burns told participants.

NIST plans to subject the draft to a 45-day public review before a final version is published.  A draft being circulated among working group participants defines CPS as “smart systems that include co-engineered interacting networks of physical and computational components.”

“CPS and related systems (including the Internet of things, industrial Internet, and more) are widely recognized as having great potential to enable innovative applications and impact multiple economic sectors in the world-wide economy,” it said.

But a top concern for the emerging CPS ecosystem is security, the document said.  “Security is a necessary feature of the CPS architecture to ensure that actions taken by CPS are not compromised by malicious agents, and the information processed and transferred preserves its integrity and is kept confidential where needed,” it said.

“The nature of CPS not only increases the consequences of a breach but adds additional types of vulnerabilities,” it added.  “For example, timing in a CPS has unique vulnerabilities different from traditional data vulnerabilities considered in cybersecurity.”

“Security needs to be built into CPS by design and to be flexible to support a diverse set of applications,” the draft document said.  “This security should include component security, access control, and communications security.” – Tom Leithauser, tom.leithauser@wolterskluwer.com