Cross-Cutting Protection

Although the cybersecurity of traditional IT systems also takes the physical world into account, the physical nature of CPSs gives their cybersecurity several unique characteristics. Concretely, these arise, for example, from the fact that CPSs often consist of low-power embedded systems, some of which may be very old (so-called legacy systems), and from the fact that CPS measurement and sensor equipment is vulnerable to analog attacks. While preventing, detecting, and mitigating attacks are core topics of this course for traditional IT systems, their treatment in the case of CPS is largely left outside the scope of this course. If you are interested, the CyBOK text provides more information (Chapter 21). Here, however, we address the problems of legacy systems. As justification, consider that an ATM from which you withdraw cash may be running on an operating system and software more than 20 years old. Such age, spanning multiple generations of hardware and software (hence the term legacy), naturally affects security.

Security of Legacy Systems: The lifecycle of CPS devices can be an order of magnitude longer than that of ordinary servers, desktop computers, or laptops. Consumers expect their cars to last longer than their laptops, hospitals expect medical devices to last over a decade, and industrial (cyber-physical) devices typically last at least 25 years, with most not being replaced until they are completely obsolete. Some of these devices were designed for trusted environments that no longer exist. Furthermore, even if devices were designed with the security mechanisms of their time, new vulnerabilities emerge. If the manufacturer no longer supports the devices, they are not updated. For example, when the OpenSSL Heartbleed vulnerability was discovered, major manufacturers distributed patches. However, most embedded systems that monitor or control physical processes were not updated. Updating some safety-critical systems could even break their safety certifications. Therefore, even if the manufacturer originally used OpenSSL to secure communication channels between CPSs, they must also consider long-term device support.

To prevent attacks, it is necessary both (1) to design systems whose security can be continuously updated and (2) to retrofit security solutions into legacy systems.

Some devices cannot be updated with new mechanisms, so a popular protection method is adding a bump-in-the-wire. It is typically a network device used to add integrity, authentication, and confidentiality to network packets exchanged between legacy devices. The legacy device sends unencrypted and unauthenticated packets to this network device, which securely tunnels them over an insecure channel to another similar device, which removes the protections and delivers the original packet to the destination device. Note that this technique only protects against network threats and does not help if an endpoint is compromised.
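The following is an added illustration of the bump-in-the-wire idea, not code from the course or from any real appliance. Two `Bump` values stand for the two network devices; they share a symmetric key (provisioning it out of band is an assumption here) and protect each legacy frame with AES-GCM, which gives confidentiality, integrity and authentication in one step. A per-frame counter carried in the nonce lets the receiving bump reject replayed frames, a problem the text's description leaves implicit but that legacy control protocols typically do not handle themselves. The plaintext frame entering the first bump and leaving the second is exactly the unprotected legacy packet, which is why the scheme does nothing if either endpoint is compromised. All names, the key and the sample frame are constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// nonceSize is AES-GCM's standard 96-bit nonce length.
const nonceSize = 12

// ErrRejected is returned for any frame the receiving bump drops. The reason is
// deliberately not distinguished so an on-path attacker learns nothing from it.
var ErrRejected = errors.New("frame rejected: authentication failed or replayed")

// Bump models one bump-in-the-wire appliance (hypothetical type, not a product).
// Both peers hold the same key; each keeps a strictly increasing send counter and
// the highest counter it has accepted from the other side.
type Bump struct {
	aead     cipher.AEAD
	sendCtr  uint64 // last counter this bump used when sending
	lastRecv uint64 // highest counter accepted from the peer (0 = none yet)
}

// NewBump builds an appliance from a 16-, 24- or 32-byte AES key.
func NewBump(key []byte) (*Bump, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Bump{aead: aead}, nil
}

// Encapsulate turns the legacy device's plaintext frame into the protected frame
// placed on the untrusted network:
//
//	nonce (12 bytes; the last 8 are the counter) || ciphertext || GCM tag
//
// The nonce is an input to the GCM tag, so the counter is authenticated too.
func (b *Bump) Encapsulate(legacyFrame []byte) []byte {
	b.sendCtr++
	nonce := make([]byte, nonceSize)
	binary.BigEndian.PutUint64(nonce[4:], b.sendCtr)
	return b.aead.Seal(nonce, nonce, legacyFrame, nil) // Seal appends to the nonce slice
}

// Decapsulate verifies a frame from the network and returns the original legacy
// frame, or ErrRejected if the tag does not verify or the counter is not fresh.
func (b *Bump) Decapsulate(wire []byte) ([]byte, error) {
	if len(wire) < nonceSize+b.aead.Overhead() {
		return nil, ErrRejected
	}
	nonce, ct := wire[:nonceSize], wire[nonceSize:]
	// Authenticate first; only a frame that verified may influence the replay state.
	plain, err := b.aead.Open(nil, nonce, ct, nil)
	if err != nil {
		return nil, ErrRejected
	}
	ctr := binary.BigEndian.Uint64(nonce[4:])
	if ctr <= b.lastRecv {
		return nil, ErrRejected // replay of an already accepted frame
	}
	b.lastRecv = ctr
	return plain, nil
}

// Demo pushes one legacy frame through a pair of bumps over a simulated untrusted
// link and reports what the destination device receives, plus whether a tampered
// copy and a replayed copy of the frame were (wrongly) accepted.
func Demo(key, legacyFrame []byte) ([]byte, bool, bool, error) {
	sender, err := NewBump(key)
	if err != nil {
		return nil, false, false, err
	}
	receiver, err := NewBump(key)
	if err != nil {
		return nil, false, false, err
	}

	// Normal path: legacy device -> bump -> untrusted network -> bump -> legacy device.
	wire := sender.Encapsulate(legacyFrame)
	delivered, err := receiver.Decapsulate(wire)
	if err != nil {
		return nil, false, false, err
	}

	// An on-path attacker flips one byte; the GCM tag no longer verifies.
	tampered := append([]byte(nil), wire...)
	tampered[len(tampered)-1] ^= 0x01
	_, tErr := receiver.Decapsulate(tampered)

	// The attacker replays the genuine frame; its counter is no longer fresh.
	_, rErr := receiver.Decapsulate(wire)

	return delivered, tErr == nil, rErr == nil, nil
}

func main() {
	key := make([]byte, 32) // constructed demo key; real appliances are provisioned out of band
	for i := range key {
		key[i] = byte(i)
	}
	frame := []byte("READ register 40001") // constructed stand-in for an unauthenticated legacy frame
	delivered, tamperedAccepted, replayAccepted, err := Demo(key, frame)
	if err != nil {
		panic(err)
	}
	fmt.Printf("delivered: %q\ntampered accepted: %v\nreplay accepted: %v\n",
		delivered, tamperedAccepted, replayAccepted)
}
```

Only frames that pass the tag check may advance the replay window, and the counter lives inside the authenticated nonce, so an attacker cannot manipulate the window with forged frames. Out-of-order delivery is rejected by this strict design; a real appliance on a lossy link would keep a sliding window instead.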

For wireless devices, such as medical implants, similar solutions have been proposed. Since some of them communicate over unsecured networks, attackers can eavesdrop or inject malicious packets. To prevent this, a wireless shield can be used near vulnerable devices. The wireless shield interferes with all communication attempts coming from untrusted devices. Shields have also been proposed for other areas, such as protecting the privacy of consumer low-energy Bluetooth devices (BLE devices). Due to the disruptive nature of wireless shields, it remains an open question whether they can be made practical for consumer devices.
