Cyber Physical Systems Security Engineering Plan (CPSSEP)
JA7496
A collaboration among government, industry, and academia is proposed, recognizing a need for action in developing a systems engineering approach to the standardization of cyber physical systems security, including the following:
• Characterize the risk of the CPS, assess vulnerabilities and weaknesses, and recommend mitigating actions.
• Advance the knowledge of how vulnerabilities and weaknesses are introduced and exploited in cyber physical systems.
• Identify best practices for addressing different areas of concern utilizing existing processes, procedures, and standards when possible.
• Close gaps in Hardware and Software Assurance (HwA/SwA) and integrate a holistic approach through the CPSS Systems Engineering Effort.
• Develop a detailed taxonomy for cyber physical system security.
• Establish and standardize methods for identifying vulnerabilities and weaknesses in cyber physical systems that could be introduced at any point in the CPS life cycle.
• Standardize a systems engineering approach to address cyber physical systems security with a goal of designing resilient systems that can survive an attack.
• Develop cost-effective design and evaluation methods for mitigation of risk in cyber physical systems security design that includes assessing effectiveness of solutions.
Rationale: This standard is proposed in response to a significant and increasing volume of cyber physical system exploits, which stem from a broad range of attack vectors exploiting vulnerabilities and weaknesses that come with the integration of complex hardware, software, and firmware supporting the cyber physical system. Attack vectors are introduced through vulnerabilities and weaknesses in electronic parts and software that could be used to compromise cyber physical system function or gain access to critical and sensitive system information. Attack vectors can also be introduced through hostile code at the time of software or firmware updates. Cyber physical systems are susceptible to compromising attacks due to counterfeit or tampered electronic parts with embedded malware or hardware Trojans, or due to legitimate components whose vulnerabilities and weaknesses stem from their design.