A Polite Disagreement

I must unfortunately disagree with parts of Bruce Schneier’s recent post.  His subject is cyber-physical systems although he doesn’t seem to use that term.  His point of view is firmly rooted in information technology (IT).  As I have said before, that approach is inadequate to create and maintain safe and secure cyber-physical and IoT systems.  He characterizes computational control of physical systems as new; in fact, embedded control was an early application of computers.  He also characterizes embedded devices as inexpensive; not so when car engines are operated by vector multiprocessors. And cost is not the causal factor for insecurity—we have plenty of very expensive IT systems that embody security flaws.

As one example, he praises NIST’s cybersecurity guidelines.   NIST’s approach can be summarized as treating sensors and actuators as I/O devices attached to a traditional IT system.  NIST and Mr. Schneier don’t take into account that these systems are real-time distributed computing systems.  Security mechanisms designed for transaction-oriented IT are inadequate for timing-critical control systems.

In order to make CPS and IoT systems safe and secure, we need to consistently apply what we already know and develop new methods.  CPS and IoT can no longer treat safety and security as separate concerns.  Safety people need to learn more about computer security; security folks need to learn more about safety.   Mr. Schneier is firmly planted in the security side.  I hope that he continues to expand his knowledge base.

GAO Report on DoD Cybersecurity Vulnerabilities

The U. S. Government Accountability Office released here a report on vulnerabilities in Department of Defense weapons systems and processes.  A sample quote:


In operational testing, DOD routinely found mission-critical cyber vulnerabilities in systems that were under development, yet program officials GAO met with believed their systems were secure and discounted some test results as unrealistic. Using relatively simple tools and techniques, testers were able to take control of systems and largely operate undetected, due in part to basic issues such as poor password management and unencrypted communications. In addition, vulnerabilities that DOD is aware of likely represent a fraction of total vulnerabilities due to testing limitations. For example, not all programs have been tested and tests do not reflect the full range of threats.