Cyber-physical systems let you analyze Fitbit data on a smartphone. They tell your house to bump up the thermostat before you get home. They run traffic lights. Mass transit. Electrical grids.
It’s not a question about whether these systems connecting humans and technology are hackable. America’s challenge is to keep them running after inevitable hacks occur.
The National Security Agency has selected a Vanderbilt University team to lead a $14 million, five-year, multi-university effort to figure out how. The grant funds a Science of Security Lablet—mini-labs aimed at increasing knowledge and collaboration in the field.
“It comes as no surprise that basic systems in America are not as secure as we would like them to be,” said Xenofon Koutsoukos, the new Lablet’s principal investigator and a professor of computer science, computer engineering and electrical engineering.
“The main motivation of the program is to stop being reactive and start being proactive by designing resilient systems. We need to understand the foundational principles of cyber-physical systems, develop methodologies to keep them going when they’re compromised, and then build these solutions in on the front end,” he said.
University of California–Berkeley, Massachusetts Institute of Technology and University of Texas at Dallas are the other three universities involved in the massive project.
Most of the Vanderbilt team is affiliated with the Institute for Software Integrated Systems, whose founding director, Janos Sztipanovits, the E. Bronson Ingram Distinguished Professor of Engineering, is a renowned researcher in the field of cyber-physical systems. He and six other Vanderbilt School of Engineering professors are on the grant, along with Jennifer Trueblood, assistant professor of psychology.
An MIT political scientist is part of the project as well, developing analytics for cyber-physical systems cybersecurity policy.
“We have a critical mass of talent at Vanderbilt,” Koutsoukos said. “That only gets stronger when you add in our partners. We wanted a strong, interdisciplinary team.”
Understanding and accounting for human behavior is one of the five “hard problems” identified by the NSA’s Science of Security program, along with scalability and composability, policy-governed secure collaboration, security metrics and resilient architectures.
“End users are a critical link in the cyber-security chain,” said Trueblood, who uses computational modeling to predict human behavior. “Users often make poor decisions, for example, clicking on suspicious links. Through computational modeling and experimentation, we can uncover how users think about cyber-physical systems, ultimately leading to the development of tools for improving cyber-security behavior.”
The four-university team not only will determine how cyber-physical systems can bounce back, they also will develop multiple testing methods for their theories and ways to analyze the results.
The Lablet results will be shared on the Science of Security Virtual Organization’s website.