Security and Privacy in Cyber-Physical Systems

Foundations, Principles, and Applications

Edited by

Houbing Song

Embry-Riddle Aeronautical University
Daytona Beach, FL, US

Glenn A. Fink

Pacific Northwest National Laboratory
Richland, WA, US

Sabina Jeschke

RWTH Aachen University
Aachen, GM

List of Contributors

Amber Adams-Progar, Department of Animal Sciences, Washington State University, USA

David W. Archer, Galois, Inc., USA

Gerd Ascheid, Institute for Communication Technologies and Embedded Systems, RWTH Aachen University, Aachen, Germany

Naim Bajcinca, University of Kaiserslautern, Kaiserslautern, Germany

Paolo Bellavista, Computer Science and Engineering Department (DISI), University of Bologna, Bologna, Italy

Aida Čaušević, Mälardalen University, Västerås, Sweden

Antonio Celesti, Department of Engineering, University of Messina, Messina, Italy

Cary E. Crawford, Oak Ridge National Laboratory, Nuclear Science and Engineering Directorate, USA

Guido Dartmann, Environmental Campus Birkenfeld, University of Applied Sciences Trier, Hoppstädten-Weiersbach, Germany

Mehmet Ö. Demir, Faculty of Electrical and Electronics Engineering, Istanbul Technical University, Istanbul, Turkey

Jean Philippe Ducasse, Digital and Global Team, U.S. Postal Service Office of Inspector General, Arlington, VA, USA

Thomas W. Edgar, Pacific Northwest National Laboratory, National Security Directorate, USA

Maria Fazio, Department of Engineering, University of Messina, Messina, Italy

Glenn A. Fink, Pacific Northwest National Laboratory, National Security Directorate, USA

Hossein Fotouhi, Mälardalen University, Västerås, Sweden

Linqiang Ge, Department of Computer Science, Georgia Southwestern State University, USA

Nada Golmie, Wireless Network Division, National Institute of Standards and Technology, USA

David Griffith, Wireless Network Division, National Institute of Standards and Technology, USA

Md. Mahmud Hasan, School of Electrical Engineering and Computer Science, University of Ottawa, Ottawa, ON, Canada

Martin Henze, Communication and Distributed Systems, RWTH Aachen University, Aachen, Germany

Jens Hiller, Communication and Distributed Systems, RWTH Aachen University, Aachen, Germany

Christopher M. Hoxie, Georgetown University School of Law, Washington, DC, USA

René Hummen, Communication and Distributed Systems, RWTH Aachen University, Aachen, Germany

Jiong Jin, School of Software and Electrical Engineering, Swinburne University of Technology, Melbourne, Australia

Jaspreet Kaur, Department of Cyber Security, Fraunhofer FKIE, Bonn, Germany

Sye L. Keoh, School of Computing Science, University of Glasgow, Glasgow, UK

Hajoon Ko, Harvard John A. Paulson School of Engineering and Applied Sciences, Harvard University, Cambridge, MA, USA

Alexandra Kobekova, Department of Cyber Security, Fraunhofer FKIE, Bonn, Germany

Jeff Kosseff, Cyber Science Department, United States Naval Academy, Annapolis, MD, USA

Gunes K. Kurt, Faculty of Electrical and Electronics Engineering, Istanbul Technical University, Istanbul, Turkey

Hendrik Laux, Institute for Communication Technologies and Embedded Systems, RWTH Aachen University, Aachen, Germany

Don Llewellyn, Washington State University, Benton County Extension, USA

Francesco Longo, Department of Engineering, University of Messina, Messina, Italy

Volker Lücken, Institute for Communication Technologies and Embedded Systems, RWTH Aachen University, Aachen, Germany

Kristina Lundqvist, Mälardalen University, Västerås, Sweden

Douglas G. MacDonald, Pacific Northwest National Laboratory, National Security Directorate, USA

Sriharsha Mallapuram, Department of Computer & Information Sciences, Towson University, Maryland, USA

Roman Matzutt, Communication and Distributed Systems, RWTH Aachen University, Aachen, Germany

Jeffery A. Mauth, National Security Directorate, Pacific Northwest National Laboratory, USA

Giovanni Merlino, Department of Engineering, University of Messina, Messina, Italy

Rebecca Montanari, Computer Science and Engineering Department (DISI), University of Bologna, Bologna, Italy

Hussein T. Mouftah, School of Electrical Engineering and Computer Science, University of Ottawa, Ottawa, ON, Canada

Paul Moulema, Department of Computer and Information Technology, Western New England University, USA

Jason Nikolai, College of Computing, Dakota State University, Madison, SD, USA

Pouya Ostovari, Department of Computer and Information Sciences, Temple University, Philadelphia, PA, USA

Paola Piscioneri, Digital and Global Team, U.S. Postal Service Office of Inspector General, Arlington, VA, USA

Antonio Puliafito, Department of Engineering, University of Messina, Messina, Italy

Jessica Raines, Digital and Global Team, U.S. Postal Service Office of Inspector General, Arlington, VA, USA

Theora R. Rice, Pacific Northwest National Laboratory, National Security Directorate, USA

Alan C. Rither, Pacific Northwest National Laboratory, operated by Battelle Memorial Institute for the United States Department of Energy, Richland, WA, USA

David Su, Wireless Network Division, National Institute of Standards and Technology, Maryland, USA

Hala Tawalbeh, Computer Engineering Department, Jordan University of Science and Technology, Irbid, Jordan

Lo'ai A. Tawalbeh, Computer Engineering Department, Umm Al-Qura University, Makkah, Saudi Arabia, and Computer Engineering Department, Jordan University of Science and Technology, Irbid, Jordan

Jernej Tonejc, Department of Cyber Security, Fraunhofer FKIE, Bonn, Germany

Ely Walker, Department of Animal Sciences, Washington State University, USA

Yong Wang, College of Computing, Dakota State University, Madison, SD, USA

Klaus Wehrle, Communication and Distributed Systems, RWTH Aachen University, Aachen, Germany

Steffen Wendzel, Department of Cyber Security, Fraunhofer FKIE, Bonn, Germany

Jie Wu, Department of Computer and Information Sciences, Temple University, Philadelphia, PA, USA

Guobin Xu, Department of Computer Science and Information Technologies, Frostburg State University, USA

Wei Yu, Department of Computer and Information Sciences, Towson University, USA

Martina Ziefle, Human-Computer Interaction Center, RWTH Aachen University, Aachen, Germany

Jan H. Ziegeldorf, Communication and Distributed Systems, RWTH Aachen University, Aachen, Germany

Foreword

Over the past years, my students and I have been looking for a reference book that can provide comprehensive knowledge on security and privacy issues in cyber-physical systems (CPSs). Our fruitless search did not make us feel disappointed as we understand that the subject areas are full of unique challenges stemming from various application domains such as healthcare, smart grids, and smart homes, making nonexistent the “one-size-fits-all” type of solutions, and that the integration of “cyber” and “physical” worlds opens the doors for insidious and smart attackers to manipulate extraordinarily, leading to new cyber-attacks and defense technologies other than those originated from the traditional computer and network systems.

Thanks to this book edited by three distinguished scholars in cybersecurity and privacy, we finally get access to first-hand and state-of-the-art knowledge in security and privacy of CPSs. Dr. Houbing Song brings his multidisciplinary background spanning communications and networking, signal processing and control. He has worked on authentication, physical layer security, and differential privacy, and their applications in transportation, healthcare, and emergency response. Dr. Glenn A. Fink is a cybersecurity researcher who specializes in bioinspired security and privacy technologies. He has worked for the US government on a variety of military and national security projects. Dr. Sabina Jeschke is an expert in Internet of Things (IoT) and AI-driven control technologies in distributed systems. She has worked on safeguarding the reliability and trustworthiness of cyber manufacturing systems.

The term “cyber-physical systems,” CPSs in short, was coined 10 years ago (in 2006) by several program officers at the National Science Foundation (NSF) in the United States. According to the NSF CPS program solicitation, CPS is defined to be “engineered systems that are built from, and depend upon, the seamless integration of computational algorithms and physical components.” It is strongly connected to the popular term IoT, which emphasizes more on implementation than on foundation of the conjoining of our physical and information worlds. One can use three words to summarize CPS as “connected,” “sensing,” and “control,” corresponding to the three intermingled aspects of CPSs: the physical world itself is connected via networking technologies and it is integrated with the cyberspace via sensing and control, typically forming a closed loop. Just like the Internet, which has been suffering from various attacks from the very beginning (an early warning of intrusion was raised in 1973, only 4 years after ARPANET was built), the system vulnerabilities of CPSs can be easily exploited maliciously, threatening the safety, efficiency, and service availability of CPSs.

Security and privacy are the most critical concerns that may hinder the wide deployment of CPSs if not properly addressed, as highlighted in the Federal Cybersecurity Research and Development Strategic Plan (RDSP) and the National Privacy Research Strategy (NPRS) released by the National Science and Technology Council (NSTC) in 2016. The connected physical world suffers from not only the attacks targeting today's networked systems but also new ones such as sensitive device (e.g., a controller of a power plant) discovery; the fine-grained, heterogeneous, and massive sensing data are vulnerable to various inference attacks, causing privacy disclosure and data safety violations; and the control signals can be manipulated to launch various attacks such as the device state inference attack, leading to system instability. Therefore, any effort toward securing the emerging CPSs and protecting their data privacy is of paramount importance. Nevertheless, to the larger CPS community, building economically successful CPSs seems to be the priority, since traditionally security and privacy issues can be resolved via patching. This obviously is inappropriate as security and privacy protection must be considered from the very beginning when building a CPS – an important lesson we have learned from the evolution of the Internet. To educate today's CPS engineers as well as the next-generation CPS players, materials summarizing the state-of-the-art techniques and potential challenges in security and privacy of CPS are desperately needed.

This timely book provides a comprehensive overview on security and privacy of CPSs. It positions itself uniquely from the following aspects based on its contents/technical contributions:

This book contains 19 self-contained chapters authored by experts in academia, industry, and government. By reading this book, readers can gain thorough knowledge on security and privacy in CPSs, preparing them for furthering their in-depth security and privacy research, enhancing the attack resistance of their own CPS, and enabling them to identify and defend potential security violations and system vulnerabilities.

Xiuzhen (Susan) Cheng
Professor, IEEE Fellow,
Department of Computer Science,
The George Washington University

Preface

The idea of automation is as old as mankind and has produced a wide range of artifacts from simple tools to complex robotic control systems. In the 1940s, work-saving machinery began to evolve from the purely mechanical to information systems, starting with the birth of computers and the emerging discipline of cybernetics. The idea behind cybernetics was to have machines conduct sensing and control operations that exceeded human capabilities for warfare applications. Robotics (machines to semiautonomously manipulate the physical world) was the natural outgrowth of this field of inquiry. In the 1960s, the Internet was conceived, bringing new ways for humans to communicate worldwide across computer networks. The blending of mechanical power, information processing, and global communications was perhaps inevitable, but the applications and implications of this merger are yet to be fully understood.

Cyber-physical systems (CPSs) are engineered systems that are built from, and depend upon, the seamless integration of sensing, computation, control, and networking in physical objects and infrastructures. This integration of communication, sensing, and control is enabling highly adaptable, scalable, resilient, secure, and usable applications whose capabilities far exceed stand-alone embedded systems. The CPS revolution is transforming the way people interact with engineered systems and is driving innovation and competition in sectors such as agriculture, energy, transportation, building design and automation, healthcare, and manufacturing.

The number of Internet-connected devices already outnumbers the human population of the planet. By 2020, some expect the number of these devices to exceed 50 billion. Many of these devices are CPSs that control automobiles, airplanes, appliances, smart electric grids, dams, industrial systems, and even multinational infrastructures such as pipelines, transportation, and trade. This trend toward distributed systems of Internet-connected smart devices has recently accelerated with the rise of the Internet of Things (IoT) as its backbone. A goal of the IoT is to connect any device to any other at any time via any protocol from anywhere in the world. Today this goal is only partially realized.

CPS technologies blur the lines between infrastructural and personal spaces. This blurring is being engineered into the IoT where personal CPSs (such as phones, appliances, and automobiles) bearing personal data can reach up into public infrastructures to access services. Infrastructural technologies such as smart roads, e-government, and city services have become personal by providing private portals into public services. Thus, personal technologies, enabled by the IoT, have vastly extended the scope of critical infrastructures and even created new ones. Unlike the embedded systems of a decade ago, modern CPSs incorporate components from different providers using interface standards that specify communication protocols and physical operation requirements.

While a CPS can be thought of as a blend of cybernetics and telecommunications, every CPS is much greater than the sum of its parts. The cyber and physical components cannot be analyzed separately. Malfunctions in the software portion of the system may cause unexpected physical behaviors. Unanticipated physical sensations may trigger untested parts of the system software. Beyond cyber or physical failures, problems can arise from communications between devices that are allowed to interact in ways that will be harmful or allow sensitive data to fall into the wrong hands. Further, a CPS typically involves real-time sensing and human operators who make their decisions informed by real-time data. Thus, humans, too, can be a major source of failure in these complex systems. Holistic system analysis is critical to ensure security, integrity, and conformance to the expected behavior profile.

The blended nature of CPSs simultaneously offers new uses of technology and enables new abuses of it. The increasing intelligence and awareness of physical devices such as medical devices, cars, houses, and utilities can dramatically increase the adverse consequences of misuse. Cybersecurity and privacy have emerged as major concerns in human rights, commerce, and national security that affect individuals, governments, and society as a whole. New degrees of connectivity between personal and infrastructural systems can result in leakage of personal data producing serious privacy concerns. Integration with private devices may threaten infrastructure by expanding its attack surface. CPSs are subject to security threats that exploit their increased complexity and connectivity to critical infrastructure systems and may introduce new societal risks to economy, public safety, and health. Some of these concerns are “existential threats” to individual lives and society. The potentially global nature of CPSs has produced a need for trust in cyber-physical (and other) systems that transcend national regulatory authorities.

To address these cybersecurity and privacy challenges, novel, transformative, and multidisciplinary approaches are needed at the confluence of cybersecurity, privacy, and CPSs. We are at a critical juncture where the growth and ubiquity of CPSs is accelerating exponentially. We must understand these systems and engineer them thoughtfully to prevent anticipated and unknown problems.

The purpose of the book is to help readers expand and refine their understanding of the key technical, social, and legal issues at stake, to understand the range of technical issues affecting hardware and software in infrastructure components, and to assess the impacts of the blended nature of these systems on individuals, infrastructures, and society. Especially, this book will present the state of the art and the state of the practice of how to address a number of unique security and privacy challenges facing CPSs including the following:

  1. The irreversible nature of the interactions of CPSs with the physical world
  2. The rapidly increasing scale of deployment
  3. The amalgamated nature of CPS-enabled infrastructures
  4. The deep embedding and long projected lifetimes of CPS components
  5. The interaction of CPSs with users at different scales, degrees of control, and expertise levels
  6. The economic and policy constraints that are needed to govern CPS design and deployment
  7. The accelerated degree of sensing and collection of information related to a large range of everyday human activities
  8. The asymmetric ability of adversaries to attack physical-world targets through cyber means and vice versa.

This edited book aims at presenting the scientific foundations and engineering principles needed to ensure cybersecurity and privacy in CPSs in general and in various innovative domain-specific applications. The reader will gain an understanding of how the principles of security and privacy must be rethought for Internet-connected CPSs. Our hope is that this book will enhance the capability of the technical workforce to understand the less obvious implications of CPSs and to improve civil and economic security.

This book will challenge the research community to advance research and education at the confluence of security, privacy, and CPSs and to transition its findings into engineering practice. However, our desire is to provide useful information even for readers without any prior domain knowledge. Thus, most chapters are in tutorial/survey style. We anticipate many of our readers will be involved in research and development of technologies to better the lives of others, and, thus, they would be interested to gain an understanding of the security and privacy implications of their work. We also address the CPS design workforce and aim to provide an important source of comprehensive foundations and principles of cybersecurity and privacy as it applies to CPSs. Toward these goals, this book is organized into three parts: Foundations, Principles, and Applications.

Part 1 is composed of six chapters. In addition to presenting an overview of the opportunities and challenges of cybersecurity and privacy (Chapter 1), this part presents scientific foundations of cybersecurity and privacy in various subdomains, including networks (Chapter 2), information theory (Chapter 3), national security (Chapter 4), legal aspects (Chapter 5), and cryptographic key management (Chapter 6).

Part 2 is composed of six chapters. This part presents engineering principles of cybersecurity and privacy as applied to the IoT (Chapter 7), access control (Chapter 8), privacy (Chapters 9 and 10), network coding (Chapter 11), and lightweight cryptography (Chapter 12).

Part 3 is composed of seven chapters. This part presents application areas of CPSs along with domain-specific cybersecurity and privacy recommendations. The several diverse application areas include smart cities (Chapter 13), energy (Chapters 14 and 19), healthcare (Chapter 15), building design and automation (Chapter 16), postal infrastructure (Chapter 17), and agriculture (Chapter 18).

This book presents a collection of research results and real-world deployment experiences that provide examples of CPSs across multiple sectors of society. It is our desire that our book would illustrate not only the state of the art and practice in cybersecurity and privacy for CPSs but also the foundations and principles of CPS security and privacy that will educate and prepare designers of these technologies to meet societal desires and needs safely. Our hope is that by reading this book you, the reader, will be better equipped to shape our world with these new technologies in a way that enhances safety, security, and privacy for all.

July 2016

Houbing Song, Daytona Beach, Florida, USA
Glenn A. Fink, Richland, Washington, USA
Sabina Jeschke, Aachen, Germany

Acknowledgments

This book would not have been possible without the help of many people. First, we would like to thank all the contributors and reviewers of the book from all over the world. We would also like to thank our editorial assistants, Wendy M. Maiden and Katherine E. Wolf, both at Pacific Northwest National Laboratory, and Ruth Hausmann, Alicia Dröge and Pia Bresenitz, at RWTH Aachen University, who provided essential support at all stages of the editorial process of the book. Also we would like to thank Preethi Belkese and Sandra Grayson, at Wiley, who shepherded us through the book-editing process. Finally, we would like to acknowledge the support of the Cluster of Excellence Integrative Production Technology for High-Wage Countries at RWTH Aachen University, German Research Foundation, and German Federation of Industrial Research Associations – AiF.

Special thanks go out to the following reviewers:

  1. Mohammed Aazam (Jinnah University, Islamabad)
  2. Syed Hassan Ahmed (Kyungpook National University)
  3. David Archer (Galois)
  4. Lane Arthur (John Deere)
  5. Safdar H. Bouk (Kyungpook National University)
  6. Ismail Butun (Bursa Technical University)
  7. Zhi Chen (Arkansas Tech University)
  8. Michael Crouse (Harvard University)
  9. Qinghe Du (Xi'an Jiaotong University)
  10. Melike Erol-Kantarci (University of Ottawa)
  11. Glenn Fink (Pacific Northwest National Laboratory)
  12. Errin Fulp (Wake Forest University)
  13. Carlos Gómez Gallego (Aruba, a Hewlett Packard Enterprise Company)
  14. Jon Green (Aruba, a Hewlett Packard Enterprise)
  15. Hudson Harris (ADAPT of America, Inc.)
  16. Arlett Hart (US Federal Bureau of Investigation)
  17. Md. Mahmud Hasan (University of Ottawa)
  18. Martin Henze (RWTH Aachen University)
  19. Yu Jiang (Tsinghua University)
  20. Burak Kantarci (University of Ottawa)
  21. Wenjia Li (New York Institute of Technology)
  22. Chi Lin (Dalian University of Technology)
  23. Jaime Lloret (Universidad Politecnica de Valencia)
  24. Rongxing Lu (Nanyang Technological University)
  25. Volker Lücken (RWTH Aachen University)
  26. Kevin Nesbitt (US Federal Bureau of Investigation)
  27. Kaoru Ota (Muroran Institute of Technology)
  28. Antonio Puliafito (Università Degli Studi Di Messina)
  29. Devu Manikantan Shila (United Technologies Research Center)
  30. Mohammad Shojafar (University Sapienza of Rome)
  31. Siddharth Sridhar (Pacific Northwest National Laboratory)
  32. Eric Swanson (Cisco)
  33. Lo'ai A. Tawalbeh (Umm Al-Qura University)
  34. Hasan Tercan (RWTH Aachen University)
  35. Huihui Wang (Jacksonville University)
  36. Steve Weingart (Aruba, a Hewlett Packard Enterprise Company)
  37. Justin Wolf (Cisco)
  38. Katherine Wolf (Pacific Northwest National Laboratory)
  39. Guobin Xu (Frostburg State University)
  40. Wei Yu (Towson University)