Let’s get Physical: The SAE G-32 Solution for the Cyber-Physical Cyber Menace
Posted: June 9, 2022
On June 2, SAE International’s G-32 Cyber Physical Systems Security Committee published its first joint Aerospace and Automotive standard JA7496: Cyber Physical Systems Security Engineering Plan. The new standard is intended for broad industry use for both commercial and defense applications along with other high reliability and/or critical systems in aerospace, transportation, medicine, and finance.
“Before security risks of cyber physical systems (CPS) can successfully be assessed and managed, it is necessary to clearly understand the cyber landscape and define the problem statement. Threats to cybersecurity cover a broad range of attack vectors with the integration of complex hardware, software, and firmware supporting the cyber physical system. Cyber physical system security begins with the electronic parts, assemblies, software, and firmware that make up the system,” said Judith Ritchie, Director, Government and Industry Affairs – Aerospace for SAE International.
She goes on to add, “Attack vectors can be introduced through hostile code at the time of software or firmware updates. Cyber physical systems are susceptible to compromising attacks due to counterfeit tampered electronic parts with embedded malware or hardware Trojans, or legitimate components with vulnerabilities due to the design. The risk analysis expands beyond the construction to the entire system.”
The JA7496 standard provides the framework for a systems engineering approach to standardization of cyber physical systems security. The following goals are addressed:
- Characterize CPS risk, assess vulnerabilities, and recommend mitigating actions
- Advance knowledge of how weaknesses in CPS are introduced and exploited
- Identify best practices for addressing concerns
- Close gaps in hardware and software assurance
- Develop a detailed CPS security taxonomy
- Establish and standardize methods for identifying CPS weaknesses
- Standardize a systems engineering approach to CPS security to design resilient systems that can survive attack
- Develop evaluation methods for mitigation of CPS security risk
The G-32 committee is also working on additional standards that are a response to a significant and increasing volume of cyber physical system threats. These include JA6801: Cyber Physical Systems Security Hardware Assurance, and JA6678: Cyber Physical Systems Security Software Assurance.
The Co-Charis of the G-32 committee are William Scofield of Boeing and Gloria D’Anna of Ford. For further information on the committee’s work, contact Judith Ritchie at: Judith.firstname.lastname@example.org.