TAG CYBER – RESEARCH IN IOT SECURITY 1
Cyber Security Framework for Autonomous Machines
Principal Author: Dr. Edward G. Amoroso
Chief Executive Officer, TAG Cyber LLC
Version 1.0
September 18, 2018
Abstract
This Cyber Security Framework for Autonomous Machines is offered as a high-level security and compliance requirements guide for developers creating autonomous machines including future connected cars, robots, medical devices, and industrial controllers. The framework is written in an abstract manner so that it can address each of these diverse areas without imposing specific design decisions. The framework is written in the style of the NIST 800-53 Rev 4 Cybersecurity Framework to simplify its application and use, perhaps as an appendix to any NIST assessment for a computing entity with autonomous machine characteristics.
Introduction
An autonomous machine is a computing entity consisting of hardware, software, and communication interfaces that accomplishes a set of desired functions without requiring assistance from human beings. Self-driving cars represent one of the more commonly-cited examples of autonomous machines. Human involvement with autonomous machines is limited to programming, provisioning, protocol interaction, remote update, and de-provisioning. The autonomous machine dynamically self-controls real-time and on-going interactions with its environment, including local decisions about how to collect incoming stimuli, how to interpret such data, and how to initiate actions.
The distinction between an autonomous machine and its environment is subtle, because the functional operation of any modern computing entity could include interaction with remote capabilities, such as might be found in a cloud computing system. The autonomous machine is thus viewed as the minimal set of processing, memory, and input/output functions required to accomplish its mission. If such functions are scattered physically across virtual infrastructure, then this does not change the underlying autonomy of the machine. This framework thus references autonomous machines independently of their specific implementation, distributed or otherwise.
Cyber Security Framework for Autonomous Machines September 2018
Cyber security requirements for various types of autonomous machines are currently being developed in a variety of specific areas around the world. For example, the SAE Vehicle Electrical System Security Committee is developing a security requirements guidebook that focuses specifically on a set of detailed controls. This report, in contrast, focuses more generally on the cyber security aspects of autonomy and self-control of machines, under the assumption that such autonomy introduces functional issues such as maintenance of a set of common beliefs and norms as an autonomous machine makes decisions.¹
A general model for autonomous machines and how they interact with their manufacturer, their functional environment, and other autonomous machines is provided in Figure 1.
Figure 1. Model of an Autonomous Machine
The processing, data handling, computation, and network interactions for an autonomous machine will involve its manufacturer, environment, and other autonomous machines. This implies three types of operational entities that will require cyber security protection: manufacturer, autonomous machine, and environment. It also implies five types of communication interactions that will require cyber security protection: autonomous machine to manufacturer (A2M), manufacturer to autonomous machine (M2A), autonomous machine to autonomous machine (A2A), autonomous machine to environment (A2E), and environment to autonomous machine (E2A). The goal in each case is to ensure prevention of unauthorized disclosure, integrity-reducing interactions or modifications, and denial of service.
The purpose of this framework is to introduce cyber security requirements that human designers must enforce in the design, development, provisioning, management, update, interaction, and de-provisioning of autonomous machines. Since autonomous machines might make insecure decisions, a security framework is required to guide all functional and procedural outcomes to ensure that policy violations do not occur. To support local self-control and autonomy, such a framework involves establishing foundational principles that are immutable; it also includes policy decisions that can be modified, so long as they maintain consistency with the principles; and finally, it includes a set of functional controls that protect the autonomous machine from external environmental threats.
1 The term “autonomous machine” was selected rather than “autonomous system” to avoid conflict with the familiar notion of an autonomous system (AS) as a collection of Internet protocol prefixes under common management.
The requirements definition style follows the familiar NIST 800-53 Rev 4 issuance to help autonomous machine designers understand how to apply the framework. Each requirement below is defined in the context of the model of an autonomous machine shown above, as well as an outline for how an assessor would determine compliance with the designated requirement. Audit and regulatory teams might choose to cut-and-paste this framework as an appendix to the NIST framework, should these requirements match the autonomous mission of whatever system is being investigated.
1. Security Requirements for Manufacturers
Manufacturers of autonomous machines should maintain compliance with the following cyber security requirements:
1.1 Foundational Security Principle Issuance
“Manufacturers must create a foundational belief structure for autonomous machines.”
Control Requirement: The autonomous machine shall be provisioned by its manufacturer with a set of security foundation principles that serve as an immutable belief structure that cannot be altered by the autonomous machine, external environment, human users of the autonomous machine, or any other autonomous machines for any reason. Foundational principles shall be based on local standards, customs, laws, and norms. If the manufacturer chooses to change foundational security principles, then this can only be done through retirement and re-deployment of the autonomous machine with new foundational principles.
Control Compliance: The autonomous machine assessor shall determine compliance with this control requirement based on the following tests:
• Provisioned Principles: The security foundational principles shall be shown to be included in the provisioning process.
• Immutability Testing: Security and penetration testing shall be performed to demonstrate immutability of stored principles.
• Immutability Design Review: Reviews of autonomous machine design shall be performed to confirm that mechanisms are in place to prevent changes to the security principles.
1.2 Initial Security Policy Issuance
“Autonomous machines must accept an initial set of security policy rules.”
Control Requirement: The autonomous machine shall be provisioned by its manufacturer with an initial, default set of security policy rules. These can be either generic or specifically tailored to the local environment by the manufacturer.
Control Compliance: The autonomous machine assessor shall determine compliance with this control requirement based on the following tests:
• Provisioned Initial Policy Rules: Evidence shall be obtained that an initial set of security policy rules has been included in the provisioning process.
1.3 Autonomous Machine Deployment
“Manufacturers must ensure quality before provision of autonomous machines.”
Control Requirement: The autonomous machine shall be deployed by its manufacturer only once it has undergone sufficient quality control testing, including security checks, to ensure that it will function as intended.
Control Compliance: The autonomous machine assessor shall determine compliance with this control requirement based on the following tests:
• Deployment: Evidence shall be obtained that testing is being performed as part of the deployment process to check for quality control-based issues that might negatively affect security compliance.
1.4 Autonomous Machine Update
“Autonomous machines must self-update policy rules consistent with beliefs.”
Control Requirement: The autonomous machine shall include the ability to either self-update within the constraints of its deployed foundational principles, or have its software updated by the manufacturer according to a strongly-authenticated secure protocol between the manufacturer and any autonomous machines it has provisioned.
Control Compliance: The autonomous machine assessor shall determine compliance with this control requirement based on the following tests:
• Autonomous Machine Update Allowance: Evidence shall be obtained that the manufacturer can update the autonomous machine via a strongly authenticated secure protocol.
• Autonomous Machine Update Prevention: Evidence shall be obtained that an autonomous machine cannot be updated externally by non-specified protocols.
• Self-Update: Evidence shall be obtained that an autonomous machine can update its own software within the constraints of its foundational principles.
1.5 Initial Autonomous Machine Training
“Initial machine training must come from the manufacturer.”
Control Requirement: The manufacturer shall be the only entity permitted to provide initial machine-learning-based training for the autonomous machine.
Control Compliance: The autonomous machine assessor shall determine compliance with this control requirement based on the following tests:
• Autonomous Machine Update Allowance: Evidence shall be obtained that controls exist that constrain initial, pre-deployment machine training to the manufacturer.
1.6 Autonomous Machine Monitoring
“Manufacturers must maintain general awareness of the behavior of their provisioned autonomous machines.”
Control Requirement: The manufacturer shall maintain general awareness of the behavior of all autonomous machines it has deployed for evidence of violations of security foundational principles.
Control Compliance: The autonomous machine assessor shall determine compliance with this control requirement based on the following tests:
• Autonomous Machine Monitoring: Evidence shall be obtained that the manufacturer will detect violations of security foundational principles in deployed autonomous machines.
1.7 Autonomous Machine Retirement
“Autonomous machines must be retired if necessary by the manufacturer.”
Control Requirement: The manufacturer shall be the only entity permitted to remotely retire an autonomous machine if evidence of security foundational principle violations has been identified in that machine.
Control Compliance: The autonomous machine assessor shall determine compliance with this control requirement based on the following tests:
• Autonomous Machine Update Allowance: Evidence shall be obtained that the manufacturer includes functionality that allows for retirement of the autonomous machine should evidence of security foundational principle violations be observed.
2. Security Requirements for Autonomous Machines
Autonomous machines should be designed to maintain compliance with the following cyber security requirements:
2.1 Foundational Security Principle Compliance
“Autonomous machines must follow the belief structure from their manufacturer.”
Control Requirement: The autonomous machine shall be programmed to conform all provisioned and learned behavior, including any changes to its local security policy, to the constraints established in the foundational security principles provisioned by the manufacturer.
Control Compliance: The autonomous machine assessor shall determine compliance with this control requirement based on the following tests:
• Foundational Security Principle Enforcement: The autonomous machine shall be shown to never introduce security policy rules or new behaviors that are inconsistent with its provisioned foundational security policies.
• Immutability Design Review: Reviews of the specific autonomous machine deployed hardware and software shall be performed to confirm that mechanisms are in place to prevent behaviors that are inconsistent with the security principles.
2.2 Security Policy Compliance
“Autonomous machine behavior must remain within policy bounds.”
Control Requirement: The autonomous machine shall be programmed to manage its behavior consistent with the constraints established in the initial security policy provisioned by the manufacturer. Updates to the security policy will result in new baseline behavioral constraints.
Control Compliance: The autonomous machine assessor shall determine compliance with this control requirement based on the following tests:
• Initial Security Policy Enforcement: Evidence shall be obtained that the autonomous machine conforms upon provisioning to the initial security policy established by the manufacturer.
• Subsequent Security Policy Enforcement: Evidence shall be obtained that the autonomous machine conforms to subsequent policy rule updates made through authorized procedures.
2.3 Autonomous Security Policy Updates
“Policy updates must be self-managed within belief constraints.”
Control Requirement: Changes to security policy, self-initiated by the autonomous machine, shall be influenced by threat intelligence, environmental observation, and other input stimuli, including from the manufacturer. Such changes must remain consistent with the security foundational principles.
Control Compliance: The autonomous machine assessor shall determine compliance with this control requirement based on the following tests:
• Environment Influenced Security Policy Update: Evidence shall be obtained that changes to the existing set of security policy rules are influenced by relevant threat intelligence or other environmental stimuli.
• Manufacturer Influenced Security Policy Update: Evidence shall be obtained that changes to the existing set of security policy rules are influenced by recommendations from the manufacturer.
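Requirements 1.1 and 2.1 (immutable foundational principles), 2.2 (behavior within policy bounds) and 2.3 (self-managed policy updates that stay consistent with the principles) together describe a two-layer decision structure. The Go program below is an added illustration of that structure; it is not code from the framework document or from any manufacturer. Foundational principles are an unexported, fixed set of forbidden action patterns; policy rules are a mutable layer that may allow or deny; and a candidate rule, whether provisioned by the manufacturer or self-generated from threat intelligence, is installed only if it cannot allow anything a principle forbids, so a learned rule that would breach a principle is refused before it takes effect. The action kinds, party names, pattern syntax and the peer identifier vac-17 are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Action is something the machine is about to do; kinds and counterparties are constructed.
type Action struct {
	Kind  string // e.g. "firmware-write", "send-telemetry", "accept-command", "share-raw-sensor"
	Party string // "manufacturer", "environment", or "peer:<id>"
}

// match reports whether pat selects v: "*" selects anything, a trailing "*" means prefix.
// overlap reports whether some value could satisfy both patterns at once.
func match(pat, v string) bool {
	if strings.HasSuffix(pat, "*") {
		return strings.HasPrefix(v, strings.TrimSuffix(pat, "*"))
	}
	return pat == v
}
func overlap(p, q string) bool {
	return match(p, strings.TrimSuffix(q, "*")) || match(q, strings.TrimSuffix(p, "*"))
}

type Pattern struct{ Kind, Party string }

func (p Pattern) Matches(a Action) bool   { return match(p.Kind, a.Kind) && match(p.Party, a.Party) }
func (p Pattern) Overlaps(q Pattern) bool { return overlap(p.Kind, q.Kind) && overlap(p.Party, q.Party) }

// PolicyRule is mutable: provisioned by the manufacturer initially, self-generated later.
type PolicyRule struct {
	Name  string
	Match Pattern
	Allow bool // false means deny
}

// PolicyMachine keeps the foundational principles (patterns of forbidden actions) unexported
// and never reassigns them after provisioning; changing them means building a new machine.
type PolicyMachine struct {
	principles []Pattern
	rules      []PolicyRule
}

var ErrViolatesPrinciple = errors.New("rule would allow actions a foundational principle forbids")

// AddRule is the consistency gate: an allow rule that could select a forbidden action is
// refused before it is installed; deny rules are always consistent with the principles.
func (m *PolicyMachine) AddRule(r PolicyRule) error {
	for _, p := range m.principles {
		if r.Allow && r.Match.Overlaps(p) {
			return fmt.Errorf("%w: %q overlaps %v", ErrViolatesPrinciple, r.Name, p)
		}
	}
	m.rules = append(m.rules, r)
	return nil
}

// Permit is the run-time decision: principles are checked first whatever the rules say,
// then any matching deny wins, and some rule must allow (default deny).
func (m *PolicyMachine) Permit(a Action) bool {
	for _, p := range m.principles {
		if p.Matches(a) {
			return false
		}
	}
	allowed := false
	for _, r := range m.rules {
		if r.Match.Matches(a) && !r.Allow {
			return false
		}
		allowed = allowed || r.Match.Matches(a)
	}
	return allowed
}

// Provision builds a machine with a constructed belief structure and the manufacturer's
// initial policy; the initial rules pass through the same gate as later ones.
func Provision() (*PolicyMachine, error) {
	m := &PolicyMachine{principles: []Pattern{
		{"firmware-write", "environment"}, // firmware comes only from the manufacturer
		{"firmware-write", "peer:*"},
		{"share-raw-sensor", "*"}, // raw sensor recordings never leave the machine
	}}
	for _, r := range []PolicyRule{
		{"export telemetry", Pattern{"send-telemetry", "*"}, true},
		{"manufacturer firmware", Pattern{"firmware-write", "manufacturer"}, true},
		{"manufacturer commands", Pattern{"accept-command", "manufacturer"}, true},
	} {
		if err := m.AddRule(r); err != nil {
			return nil, err
		}
	}
	return m, nil
}

func main() {
	m, _ := Provision()
	fmt.Println(m.AddRule(PolicyRule{"block vac-17", Pattern{"*", "peer:vac-17"}, false})) // from threat intelligence: nil
	fmt.Println(m.AddRule(PolicyRule{"any firmware", Pattern{"firmware-write", "*"}, true}))  // learned rule refused
	fmt.Println(m.Permit(Action{"firmware-write", "manufacturer"}), m.Permit(Action{"send-telemetry", "peer:vac-17"})) // true false
}
```

The overlap test is structural rather than empirical: because rules and principles are patterns, the gate can prove that no action selected by a candidate allow rule is forbidden, instead of sampling actions and hoping the sample was representative. Principles are also re-evaluated at run time in Permit, so even a rule that slipped past the gate could not override them.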
2.4 Authenticated, Secure External Communication
“Autonomous machines must support authentication and encryption.”
Control Requirement: The autonomous machine shall have the ability to strongly authenticate and securely communicate with its manufacturer, environment, and other autonomous machines over available network media.
Control Compliance: The autonomous machine assessor shall determine compliance with this control requirement based on the following tests:
• Authentication: Evidence shall be obtained that the autonomous machine can strongly and mutually authenticate with its manufacturer, environment, or other autonomous machines.
• Encryption: Evidence shall be obtained that the autonomous machine can securely communicate via encrypted data transfer with the manufacturer, environment, or other autonomous machines.
2.5 Autonomous Threat Information Sharing
“Autonomous machines must have the ability to share threat information.”
Control Requirement: The autonomous machine shall participate in automated threat information sharing protocols with its manufacturer, environment, and other autonomous machines.
Control Compliance: The autonomous machine assessor shall determine compliance with this control requirement based on the following tests:
• Threat Information Generation: Evidence shall be obtained that the autonomous machine can locally generate threat information for sharing with the manufacturer, environment, or other autonomous machines.
• Secure Threat Information Sharing: Evidence shall be obtained that the autonomous machine can securely share threat information with the manufacturer, environment, or other autonomous machines.
2.6 Autonomous Machine Learning
“Autonomous machines must learn within the constraints of their beliefs.”
Control Requirement: The autonomous machine shall execute machine learning algorithms within the guidelines established by the security foundational principles deployed by its manufacturer.
Control Compliance: The autonomous machine assessor shall determine compliance with this control requirement based on the following tests:
• Learning Boundaries: Evidence shall be obtained that the autonomous machine will not allow for training data to cause behaviors inconsistent with its security foundational principles.
2.7 Autonomous Incident Response
“Autonomous machines must self-initiate incident response.”
Control Requirement: The autonomous machine shall self-initiate incident response processes based on available indicators of attack, which might include information shared from the manufacturer, environment, or other autonomous machines.
Control Compliance: The autonomous machine assessor shall determine compliance with this control requirement based on the following tests:
• Indicator Process: Evidence shall be obtained that the autonomous machine collects and analyzes available data for indicators of attack.
• Incident Response: Evidence shall be obtained that the autonomous machine self-initiates incident response based on determination that an attack is underway.
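Requirement 2.7 asks the machine to collect and analyze data for indicators of attack, including indicators shared by the manufacturer, the environment or peer machines (2.5), and to self-initiate a response once it determines an attack is underway. The Go program below is an added example of one way to implement both halves; it is not code from the framework or from any product. Events about the machine's own interfaces are scored per source address over a sliding time window, addresses named in shared indicators contribute extra weight per event, and reaching a threshold triggers an isolation action that the machine initiates on its own. The event line format, the event kinds and their weights, the window length, the threshold and the sample addresses are all constructed assumptions.

```go
package main

import (
	"errors"
	"fmt"
)

// Event is one observation about the machine's own interfaces, parsed from a constructed
// "t=<unix seconds> src=<address> kind=<what>" line.
type Event struct {
	Time int64
	Src  string
	Kind string
}

var ErrMalformed = errors.New("malformed event line")

func ParseEvent(line string) (Event, error) {
	var ev Event
	n, err := fmt.Sscanf(line, "t=%d src=%s kind=%s", &ev.Time, &ev.Src, &ev.Kind)
	if err != nil || n != 3 {
		return Event{}, fmt.Errorf("%w: %q", ErrMalformed, line)
	}
	return ev, nil
}

// Indicator is an indicator of attack shared by the manufacturer, the environment or a
// peer machine; Weight is how much every event from that address adds to its score.
type Indicator struct {
	Src, Source string
	Weight      int
}

// Responder scores events per source address over a sliding window and self-initiates a
// response (here: isolating the address) once the score reaches the threshold.
type Responder struct {
	bonus      map[string]int // per-address weight contributed by shared indicators
	kindWeight map[string]int
	window     int64 // seconds
	threshold  int
	recent     map[string][]Event
}

func NewResponder(shared []Indicator, window int64, threshold int) *Responder {
	r := &Responder{bonus: map[string]int{}, recent: map[string][]Event{}, window: window, threshold: threshold,
		kindWeight: map[string]int{"auth-fail": 1, "firmware-write-attempt": 4}} // constructed weights
	for _, i := range shared {
		r.bonus[i.Src] += i.Weight // several sources naming the same address reinforce each other
	}
	return r
}

// score drops events older than the window and sums the remaining weights, adding the
// shared-indicator bonus (0 for an unlisted address) to each event.
func (r *Responder) score(src string, now int64) int {
	kept := r.recent[src][:0]
	for _, e := range r.recent[src] {
		if now-e.Time <= r.window {
			kept = append(kept, e)
		}
	}
	r.recent[src] = kept
	total := 0
	for _, e := range kept {
		total += r.kindWeight[e.Kind] + r.bonus[src]
	}
	return total
}

// Observe ingests one event line and returns the response action it self-initiated
// ("isolate:<src>"), or "" when none was warranted yet.
func (r *Responder) Observe(line string) (string, error) {
	ev, err := ParseEvent(line)
	if err != nil {
		return "", err
	}
	r.recent[ev.Src] = append(r.recent[ev.Src], ev)
	if r.score(ev.Src, ev.Time) >= r.threshold {
		delete(r.recent, ev.Src) // start a fresh window after responding
		return "isolate:" + ev.Src, nil
	}
	return "", nil
}

func main() {
	r := NewResponder([]Indicator{{"198.51.100.7", "manufacturer", 3}}, 60, 5)
	for _, line := range []string{ // constructed sample events
		"t=1537264800 src=203.0.113.9 kind=auth-fail",
		"t=1537264805 src=203.0.113.9 kind=auth-fail",
		"t=1537264810 src=203.0.113.9 kind=auth-fail",
		"t=1537264815 src=203.0.113.9 kind=auth-fail",
		"t=1537264820 src=203.0.113.9 kind=auth-fail",
		"t=1537265000 src=198.51.100.7 kind=firmware-write-attempt",
	} {
		act, err := r.Observe(line)
		fmt.Printf("%-58s -> %q %v\n", line, act, err)
	}
}
```

Two properties matter for an assessor checking the Indicator Process and Incident Response tests: the shared indicator does not by itself trigger a response (it only raises the weight of events that actually occur on the machine), and an event outside the window no longer counts, so a slow trickle of failures does not accumulate forever. The response action is a string here; in a real machine it would be an action that itself has to pass the policy gate of 2.1 and 2.2.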
3. Security Requirements for Environment
Active environmental computing entities that might interact dynamically with autonomous machines are not presumed to follow any cyber security framework model for conventional threats. Instead, the autonomous machine must be capable of assigning suitable levels of trust for any interaction with an untrusted environment. The security requirements included in this section are thus focused on external environmental systems that voluntarily choose to follow security controls that will enable more trusted interactions with autonomous machines.
3.1 Foundational Security Principle Sharing
“Environmental entities might choose to share beliefs with autonomous machines.”
Control Requirement: The environmental entity shall share its security foundational principles on demand from any requesting autonomous machine.
Control Compliance: The autonomous machine assessor shall determine compliance with this control requirement based on the following tests:
• Principle Sharing: Evidence shall be obtained that the environmental entity can share its security foundational principles with any requesting autonomous machine.
3.2 Authenticated, Secure Communications Support
“Environmental machines might choose to support authentication and encryption.”
Control Requirement: The environmental entity shall have the ability to strongly authenticate and securely communicate with autonomous machines over available network media.
Control Compliance: The autonomous machine assessor shall determine compliance with this control requirement based on the following tests:
• Authentication: Evidence shall be obtained that the environmental entity can strongly and mutually authenticate with autonomous machines.
• Encryption: Evidence shall be obtained that the environmental entity can securely communicate via encrypted data transfer with autonomous machines.
3.3 Validation Support for Telemetry
“Environmental entities might choose to digitally sign and assign trust to telemetry.”
Control Requirement: The environmental entity shall have the ability to provide digitally signed authenticity and integrity trust levels for any exported telemetry.
Control Compliance: The autonomous machine assessor shall determine compliance with this control requirement based on the following tests:
• Authentication: Evidence shall be obtained that the environmental entity can digitally sign telemetry sent to an autonomous machine.
• Encryption: Evidence shall be obtained that the environmental entity can provide an estimated trust level for any telemetry sent to an autonomous machine.
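Requirement 3.3 (telemetry that is digitally signed and carries an integrity trust level) and the environment-side authentication of 3.2 can be shown concretely. The Go program below is an added example and is not code from the framework or from any vendor: an environmental entity signs each reading with Ed25519 from the Go standard library, the declared trust level is part of the signed bytes so it cannot be raised in transit, and the autonomous machine assigns a trust level only after verifying the signature against a public key it was provisioned with, discarding readings whose signature fails and treating unsigned or unknown-sender readings as untrusted hints. The 0..3 trust scale, the sensor name, the canonical byte layout and the sender identifier are constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Telemetry is a reading exported by an environmental entity. Trust is the sender's own
// estimate of the reading's reliability on a constructed 0..3 scale.
type Telemetry struct {
	Sensor    string
	Value     int64
	Timestamp int64
	Trust     uint8
}

// canonical serialises the fields in a fixed order so signer and verifier sign and check
// identical bytes; the declared trust level is inside the signed data.
func (t Telemetry) canonical() []byte {
	var n [8]byte
	buf := []byte{byte(len(t.Sensor))} // sensor names are assumed shorter than 256 bytes
	buf = append(buf, t.Sensor...)
	binary.BigEndian.PutUint64(n[:], uint64(t.Value))
	buf = append(buf, n[:]...)
	binary.BigEndian.PutUint64(n[:], uint64(t.Timestamp))
	buf = append(buf, n[:]...)
	return append(buf, t.Trust)
}

// SignedTelemetry is what travels over the network; Signature is empty when the
// environmental entity chose not to sign.
type SignedTelemetry struct {
	Telemetry
	SenderID  string
	Signature []byte
}

// Environment is an environmental entity that opted in to signing its telemetry.
type Environment struct {
	ID   string
	priv ed25519.PrivateKey
}

// NewEnvironment generates the entity's key pair; the public key is what the machine is
// provisioned with out of band (for example by its manufacturer).
func NewEnvironment(id string) (*Environment, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Environment{ID: id, priv: priv}, pub, nil
}

func (e *Environment) Export(t Telemetry) SignedTelemetry {
	return SignedTelemetry{Telemetry: t, SenderID: e.ID, Signature: ed25519.Sign(e.priv, t.canonical())}
}

// Verifier is the autonomous machine's side: the public keys it has been provisioned to trust.
type Verifier struct {
	known map[string]ed25519.PublicKey
}

var ErrBadSignature = errors.New("telemetry signature does not verify; reading discarded")

const MaxTrust = 3

// Assess returns the trust level the machine will use for a reading:
//   - unsigned, or from a sender with no provisioned key: 0 (usable only as an untrusted hint)
//   - signed and verified: the sender's declared level, capped at MaxTrust
//   - signed but the signature fails: ErrBadSignature, and the reading must be dropped
func (v *Verifier) Assess(st SignedTelemetry) (uint8, error) {
	pub, ok := v.known[st.SenderID]
	if !ok || len(st.Signature) == 0 {
		return 0, nil
	}
	if !ed25519.Verify(pub, st.canonical(), st.Signature) {
		return 0, ErrBadSignature
	}
	if st.Trust > MaxTrust {
		return MaxTrust, nil
	}
	return st.Trust, nil
}

func main() {
	beacon, pub, err := NewEnvironment("range-beacon-1")
	if err != nil {
		panic(err)
	}
	machine := &Verifier{known: map[string]ed25519.PublicKey{beacon.ID: pub}}
	signed := beacon.Export(Telemetry{Sensor: "obstacle-range-cm", Value: 420, Timestamp: 1537264800, Trust: 2}) // constructed reading
	fmt.Println(machine.Assess(signed)) // 2 <nil>
	signed.Trust = 3                    // raising the declared trust in transit breaks the signature
	fmt.Println(machine.Assess(signed)) // 0 and ErrBadSignature
}
```

The two assessor tests under 3.3 map onto this directly: the Authentication test is the signature check in Assess, and the Encryption test (an estimated trust level accompanying the telemetry) is the Trust field, which is only honoured once the signature over it has verified.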
Case Study: Assessing Cyber Security Framework Compliance for an Autonomous Vacuum Cleaner
The market for autonomous vacuum cleaners has grown to the point where one estimate places 23% of current vacuum products as robotic.² A typical commercial robotic vacuum cleaner product is the Neato Robotics XV-15, which cleans the surface area of a home when humans are not present to control its activity as with a conventional vacuum cleaner. Mobile phone-based management and monitoring is included with the product, for example, to see a map of what has been cleaned. The autonomous product is depicted in the figure below.
Figure 2. Neato Robotics XV-15
Security Requirements for Neato Robotics
Neato Robotics should maintain compliance with the following cyber security requirements:
1. Foundational Security Principle Issuance
“Neato Robotics must create a foundational belief structure for the XV-15.”
Control Requirement: The XV-15 shall be provisioned by Neato Robotics with a set of security foundation principles that serve as an immutable belief structure that cannot be altered by the XV-15, its external environment (including any other autonomous machines located in the home or business), or human users of the XV-15. Foundational principles shall be based on local standards, customs, laws, and norms. If Neato Robotics chooses to change foundational security principles, then this can only be done through retirement and re-deployment of the XV-15 with new foundational principles.
2. Initial Security Policy Issuance
“The XV-15 must accept an initial set of security policy rules.”
Control Requirement: The XV-15 shall be provisioned by Neato Robotics with an initial, default set of security policy rules. These can be either generic or specifically tailored to the local home or business environment by Neato Robotics.
3. XV-15 Deployment
“Neato Robotics must ensure quality before provision of the XV-15.”
Control Requirement: The XV-15 shall be deployed by Neato Robotics only once it has undergone sufficient quality control testing, including security checks, to ensure that it will function as intended.
2 http://tenrows.com/robot-vacuum/
4. XV-15 Update
“The XV-15 must self-update policy rules consistent with beliefs.”
Control Requirement: The XV-15 shall include the ability to either self-update within the constraints of its deployed foundational principles, or have its software updated by Neato Robotics according to a strongly-authenticated secure protocol between Neato Robotics and provisioned XV-15s.
5. Initial XV-15 Training
“Initial machine training must come from Neato Robotics.”
Control Requirement: Neato Robotics shall be the only entity permitted to provide initial machine-learning-based training for the XV-15.
6. XV-15 Monitoring
“Neato Robotics must maintain general awareness of the behavior of provisioned XV-15s.”
Control Requirement: Neato Robotics shall maintain general awareness of the behavior of all deployed XV-15s for evidence of violations of security foundational principles.
7. XV-15 Retirement
“XV-15s must be retired if necessary by Neato Robotics.”
Control Requirement: Neato Robotics shall be the only entity permitted to remotely retire an XV-15 if evidence of security foundational principle violations has been identified.
8. Foundational Security Principle Compliance
“The XV-15 must follow the belief structure from Neato Robotics.”
Control Requirement: The XV-15 shall be programmed to conform all provisioned and learned behavior, including any changes to its local security policy, to the constraints established in the foundational security principles provisioned by Neato Robotics.
9. Security Policy Compliance
“XV-15 behavior must remain within policy bounds.”
Control Requirement: The XV-15 shall be programmed to manage its behavior consistent with the constraints established in the initial security policy provisioned by Neato Robotics. Updates to the security policy will result in new baseline behavioral constraints.
10. Autonomous Security Policy Updates
“Policy updates must be self-managed within belief constraints.”
Control Requirement: Changes to security policy, self-initiated by the XV-15, shall be influenced by threat intelligence, environmental observation, and other input stimuli, including from Neato Robotics. Such changes must remain consistent with the security foundational principles.
11. Authenticated, Secure External Communication
“The XV-15 must support authentication and encryption.”
Control Requirement: The XV-15 shall have the ability to strongly authenticate and securely communicate with Neato Robotics, the home or business environment, and other autonomous machines over available network media.
12. XV-15 Information Sharing
“The XV-15 must have the ability to share threat information.”
Control Requirement: The XV-15 shall participate in automated threat information sharing protocols with Neato Robotics, the local home or business environment, and other autonomous machines.
13. XV-15 Learning
“The XV-15 must learn within the constraints of its beliefs.”
Control Requirement: The XV-15 shall execute machine learning algorithms within the guidelines established by the security foundational principles deployed by Neato Robotics.
14. XV-15 Response
“The XV-15 must self-initiate incident response.”
Control Requirement: The XV-15 shall self-initiate incident response processes based on available indicators of attack, which might include information shared from Neato Robotics, the local home or business environment, or other autonomous machines.
15. Foundational Security Principle Sharing
“Environmental entities might choose to share beliefs with the XV-15.”
Control Requirement: Environmental entities in the local home or business environment might choose to share their security foundational principles on demand from any requesting XV-15. The XV-15 shall have the ability to participate in such sharing.
16. Authenticated, Secure Communications Support
“Environmental machines might choose to support authentication and encryption.”
Control Requirement: Environmental entities in the local home or business environment might choose to strongly authenticate and securely communicate with the XV-15 over available network media. The XV-15 shall have the ability to support such security functions.
17. Validation Support for Telemetry
“Environmental entities might choose to digitally sign and assign trust to telemetry.”
Control Requirement: Environmental entities in the local home or business environment might choose to provide digitally signed authenticity and integrity trust levels for any exported telemetry. The XV-15 shall have the ability to support such security functions.
Case Study: Assessing Cyber Security Framework Compliance for an Autonomous Vehicle
The market for autonomous vehicles is expected to grow to six billion dollars by 2015. This market is likely to induce non-traditional manufacturers into the design and development of such complex systems. Dyson is an example company that has suggested future work in this area. A sketch of an autonomous vehicle from Dyson is depicted in the figure below.
Figure 2. Dyson Sketch for Autonomous Vehicle
This document suggests design considerations for Dyson as they introduce cyber security constraints for the autonomous operation of their future vehicles.
Security Requirements for Dyson
Dyson should maintain compliance with the following cyber security requirements:
18. Foundational Security Principle Issuance
“Dyson must create a foundational belief structure for the Dyson autonomous vehicle.”
Control Requirement: The Dyson autonomous vehicle shall be provisioned by Dyson with a set of security foundation principles that serve as an immutable belief structure that cannot be altered by the Dyson autonomous vehicle, its external environment (including any other autonomous machines located in the home or business), or human users of the Dyson autonomous vehicle. Foundational principles shall be based on local standards, customs, laws, and norms. If Dyson chooses to change foundational security principles, then this can only be done through retirement and re-deployment of the Dyson autonomous vehicle with new foundational principles.
19. Initial Security Policy Issuance
“The Dyson autonomous vehicle must accept an initial set of security policy rules.”
Control Requirement: The Dyson autonomous vehicle shall be provisioned by Dyson with an initial, default set of security policy rules. These can be either generic or specifically tailored to the local home or business environment by Dyson.
20. Dyson Autonomous Vehicle Deployment
“Dyson must ensure quality before provision of the Dyson autonomous vehicle.”
Control Requirement: The Dyson autonomous vehicle shall be deployed by Dyson only once it has undergone sufficient quality control testing, including security checks, to ensure that it will function as intended.
21. Dyson Autonomous Vehicle Update
“The Dyson autonomous vehicle must self-update policy rules consistent with beliefs.”
Control Requirement: The Dyson autonomous vehicle shall include the ability to either self-update within the constraints of its deployed foundational principles, or have its software updated by Dyson according to a strongly-authenticated secure protocol between Dyson and provisioned Dyson autonomous vehicles.
22. Initial Dyson Autonomous Vehicle Training
“Initial machine training must come from Dyson.”
Control Requirement: Dyson shall be the only entity permitted to provide initial machine-learning-based training for the Dyson autonomous vehicle.
23. Dyson Autonomous Vehicle Monitoring
“Dyson must maintain general awareness of the behavior of provisioned Dyson autonomous vehicles.”
Control Requirement: Dyson shall maintain general awareness of the behavior of all deployed Dyson autonomous vehicles for evidence of violations of security foundational principles.
24. Dyson Autonomous Vehicle Retirement
“Dyson autonomous vehicles must be retired if necessary by Dyson.”
Control Requirement: Dyson shall be the only entity permitted to remotely retire a Dyson autonomous vehicle if evidence of security foundational principle violations has been identified.
25. Foundational Security Principle Compliance
“The Dyson autonomous vehicle must follow the belief structure from Dyson.”
Control Requirement: The Dyson autonomous vehicle shall be programmed to conform all provisioned and learned behavior, including any changes to its local security policy, to the constraints established in the foundational security principles provisioned by Dyson.
26. Security Policy Compliance
“Dyson autonomous vehicle behavior must remain within policy bounds.”
Control Requirement: The Dyson autonomous vehicle shall be programmed to manage its behavior consistent with the constraints established in the initial security policy provisioned by Dyson. Updates to the security policy will result in new baseline behavioral constraints.
27. Autonomous Security Policy Updates
“Policy updates must be self-managed within belief constraints.”
Control Requirement: Changes to security policy, self-initiated by the Dyson autonomous vehicle, shall be influenced by threat intelligence, environmental observation, and other input stimuli, including from Dyson. Such changes must remain consistent with the security foundational principles.
28. Authenticated, Secure External Communication
“The Dyson autonomous vehicle must support authentication and encryption.”
Control Requirement: The Dyson autonomous vehicle shall have the ability to strongly authenticate and securely communicate with Dyson, the home or business environment, and other autonomous machines over available network media.
29. Dyson Autonomous Vehicle Information Sharing
“The Dyson autonomous vehicle must have the ability to share threat information.”
Control Requirement: The Dyson autonomous vehicle shall participate in automated threat information sharing protocols with Dyson, the local home or business environment, and other autonomous machines.
30. Dyson Autonomous Vehicle Learning
“The Dyson autonomous vehicle must learn within the constraints of its beliefs.”
Control Requirement: The Dyson autonomous vehicle shall execute machine learning algorithms within the guidelines established by the security foundational principles deployed by Dyson.
31. Dyson Autonomous Vehicle Response
“The XV-15 must self-initiate incident response.”
Control Requirement: The Dyson autonomous vehicle shall self-initiate incident response processes based on available indicators of attack, which might include information shared from Dyson, the local home or business environment, or other autonomous machines.
32. Foundational Security Principle Sharing
“Environmental entities might choose to share beliefs with the Dyson autonomous vehicle.”
Control Requirement: Environmental entities in the local home or business environment might choose to share their security foundational principles on demand from any requesting Dyson autonomous vehicle. The Dyson autonomous vehicle shall have the ability to participate in such sharing.
33. Authenticated, Secure Communications Support
“Environmental machines might choose to support authentication and encryption.”
Control Requirement: Environmental entities in the local home or business environment might choose to strongly authenticate and securely communicate with the Dyson autonomous vehicle over available network media. The Dyson autonomous vehicle shall have the ability to support such security functions.
34. Validation Support for Telemetry
“Environmental entities might choose to digitally sign and assign trust to telemetry.”
Control Requirement: Environmental entities in the local home or business environment might choose to provide digitally signed authenticity and integrity trust levels for any exported telemetry. The Dyson autonomous vehicle shall have the ability to support such security functions.
Appendix: Definitions
Autonomous Machine – An autonomous machine (AM) is any computing entity that is programmed by its manufacturer to dynamically self-determine its own functional behavior based on ingested information from its environment.
Connected Car – A connected car is any vehicle, autonomous or otherwise, that dynamically shares control information over a network with an external entity to support mission-related functions.
Self-Driving Car – A self-driving car is an autonomous vehicle and is one of the most commonly cited examples of an autonomous machine.