Why cybersecurity needs a common vocabulary

The Cyber Security Research Alliance has enlisted Drexel University and George Mason University to help answer the question: how do we talk about cyber physical systems security?

Before government, industry and academia can tackle the issue of cyber physical system security, they have to figure out how to talk about cyber physical system security.

The private, non-profit research consortium Cyber Security Research Alliance (CSRA) is looking to guide the nascent conversation.

“[Concerned parties] in government, industry and academia are all calling for a unified taxonomy, a unified way of looking at and talking about the problem space [within cyber physical system security],” said Ron Perez, CSRA Fellow and director of security architecture at Advanced Micro Devices.

In pursuit of a unified taxonomy, CSRA has partnered with Drexel University and George Mason University.

The pair of universities will participate in research, beginning with a survey and taxonomy, aimed at advancing cyber security in transportation vehicles, medical devices and the power grid.

The research is much needed, said Lee Holcomb, CSRA president and director, engineering and technology, for Lockheed Martin Information Systems & Global Solutions.

“Cyber physical systems touch just about everything that we do,” Holcomb said, citing everything from smart power grids to aircraft guidance systems. “The security of those systems is really imperative.”

With connected systems moving from screens to appliances, automobiles and more – “The Internet of Things,” in popular parlance – potential threats proliferate.

“As Internet-connected systems move from the realm of, say, finance, into our day-to-day lives, in things like homes and automobiles,” Holcomb said, “we move from being at risk of losing money to the risk of losing life.”

Interconnected systems bring convenience, but “if you don’t architect the system correctly, adversaries could get in” – and they have, Holcomb said, noting that “breaches of security have become much more commonplace” over the past few years.

After kicking off cyber physical system security work last year with a “broad-ranging workshop,” CSRA solicited academic partners and received four applications, Holcomb said.

Drexel and GMU were chosen based on the individual strengths of each proposal and how the two complemented each other, Holcomb said.

The work will focus particularly on cyber physical systems security within the power grid, medical devices and transportation vehicles, due to the critical nature of those infrastructural assets, Holcomb said.

Calling the survey and taxonomy “Phase One of multi-phase efforts,” Holcomb said CSRA, GMU and Drexel are shooting to present some findings at a May 12 workshop, while the final report will come towards the end of June.

“The problem space goes beyond one company’s ability to address,” Holcomb said, adding that CSRA possesses a unique capacity to “bring all the stakeholders together.”

Lockheed Martin is one of the founding partners of the alliance along with Advanced Micro Devices, Honeywell, Intel Corp. and RSA.

The companies within CSRA “represent the breadth of the ecosystem,” Holcomb said, pointing to the varied interests of software-centered companies like RSA and Honeywell versus a systems integrator like Lockheed Martin.

“We welcome participation from additional members of the government contractor space,” he said, stressing the importance of engaging the private sector early on as the terms, relationships, common vocabulary and “roots of trust” in cyber physical systems security are established.
