cyber security framework for autonomous machines 1.0 · tag cyber – research in iot security 1...

TAG CYBER – RESEARCH IN IOT SECURITY 1

CyberSecurityFrameworkforAutonomousMachines

PrincipalAuthor:Dr.EdwardG.Amoroso

ChiefExecutiveOfficer,TAGCyberLLC

[email protected]

Version1.0

September18,2018

Abstract

ThisCyberSecurityFrameworkforAutonomousMachinesisofferedasahigh-levelsecurityandcompliancerequirementsguidefordeveloperscreatingautonomousmachinesincludingfutureconnectedcars,robots,medicaldevices,andindustrialcontrollers.Theframeworkiswritteninanabstractmannersothatitcanaddresseachofthesediverseareaswithoutimposingspecificdesigndecisions.TheframeworkiswritteninthestyleoftheNIST800-53Rev4CybersecurityFrameworktosimplifyitsapplicationanduse,perhapsasanappendixtoanyNISTassessmentforacomputingentitywithautonomousmachinecharacteristics.

Introduction

Anautonomousmachineisacomputingentityconsistingofhardware,software,andcommunicationinterfacesthataccomplishesasetofdesiredfunctionswithoutrequiringassistancefromhumanbeings.Self-drivingcarsrepresentoneofthemorecommonly-citedexamplesofautonomousmachines.Humaninvolvementwithautonomousmachinesislimitedtoprogramming,provisioning,protocolinteraction,remoteupdate,andde-provisioning.Theautonomousmachinedynamicallyself-controlsreal-timeandon-goinginteractionswithitsenvironment,includinglocaldecisionsabouthowtocollectincomingstimuli,howtointerpretsuchdata,andhowtoinitiateactions.

Thedistinctionbetweenanautonomousmachineanditsenvironmentissubtle,becausethefunctionaloperationofanymoderncomputingentitycouldincludeinteractionwithremotecapabilities,suchasmightbefoundinacloudcomputingsystem.Theautonomousmachineisthusviewedastheminimalsetofprocessing,memory,andinput/outputfunctionsrequiredtoaccomplishitsmission.Ifsuchfunctionsarescatteredphysicallyacrossvirtualinfrastructure,thenthisdoesnotchangetheunderlyingautonomyofthemachine.Thisframeworkthusreferencesautonomousmachinesindependentlyoftheirspecificimplementation,distributedorotherwise.

Cyber Security Framework for Autonomous Machines September 2018


Cybersecurityrequirementsforvarioustypesofautonomousmachinesarecurrentlybeingdevelopedinavarietyofspecificareasaroundtheworld.Forexample,theSAEVehicleElectricalSystemSecurityCommitteeisdevelopingsecurityrequirementsguidebookthatfocusesspecificallyonasetofdetailedcontrols.Thisreport,incontrast,focusesmoregenerallyonthecybersecurityaspectsofautonomyandself-controlofmachines,undertheassumptionthatsuchautonomyintroducesfunctionalissuessuchasmaintenanceofasetofcommonbeliefsandnorms,asanautonomousmachinemakesdecisions.1

Ageneralmodelforautonomousmachinesandhowtheyinteractwiththeirmanufacturer,theirfunctionalenvironment,andotherautonomousmachinesisprovidedinFigure1.

Figure1.ModelofanAutonomousMachine

Theprocessing,datahandling,computation,andnetworkinteractionsforanautonomousmachinewillinvolveitsmanufacturer,environment,andotherautonomousmachines.Thisimpliesthreetypesofoperationalentitiesthatwillrequirecybersecurityprotection:Manufacturer,autonomousmachine,andenvironment.Italsoimpliesfivetypesofcommunicationinteractionsthatwillrequirecybersecurityprotection:Autonomousmachinetomanufacturer(A2M),manufacturertoautonomousmachine(M2A),autonomousmachinetoautonomousmachine(A2A),autonomousmachinetoenvironment(A2E),andenvironmenttoautonomousmachine(E2A).Thegoalineachcaseistoensurepreventionofunauthorizeddisclosure,integrity-reducinginteractionsormodifications,anddenialofservice.

Thepurposeofthisframeworkistointroducecybersecurityrequirementsthathumandesignersmustenforceinthedesign,development,provisioning,management,update,interaction,andde-provisioningofautonomousmachines.Sinceautonomousmachinesmightmakeinsecuredecisions,asecurityframeworkisthusrequiredtoguideallfunctionalandproceduraloutcomestoensurethatpolicyviolationsdonotoccur.Tosupportlocalself-controlandautonomy,suchframeworkinvolvesestablishingfoundationalprinciplesthatareimmutable;italsoincludespolicydecisionsthatcanbemodified–solongastheymaintainconsistencywithprinciples;andfinally,itincludessetoffunctionalcontrolsthatprotecttheautonomousmachinefromexternal,environmentthreats.

1 The term “autonomous machine” was selected rather than “autonomous system” to avoid conflict with the familiar notion of an autonomous system (AS) as a collection of Internet protocol prefixes under common management.



TherequirementsdefinitionstylefollowsthefamiliarNIST800-53Rev4issuancetohelpautonomousmachinedesignersunderstandhowtoapplytheframework.Eachrequirementbelowisdefinedinthecontextofthemodelofanautonomousmachineshownabove,aswellasanoutlineforhowanassessorwoulddeterminecompliancewiththedesignatedrequirement.Auditandregulatoryteamsmightchoosetocut-and-pastethisframeworkasanappendixtotheNISTframework,shouldtheserequirementsmatchtheautonomousmissionofwhateversystemisbeinginvestigated.



1.SecurityRequirementsforManufacturers

Manufacturersofautonomousmachinesshouldmaintaincompliancewiththefollowingcybersecurityrequirements:

1.1 FoundationalSecurityPrincipleIssuance

“Manufacturersmustcreateafoundationalbeliefstructureforautonomousmachines.”

ControlRequirement:Theautonomousmachineshallbeprovisionedbyitsmanufacturerwithasetofsecurityfoundationprinciplesthatserveasanimmutablebeliefstructurethatcannotbealteredbytheautonomousmachine,externalenvironment,humanusersoftheautonomousmachine,oranyotherautonomousmachinesforanyreason.Foundationalprinciplesshallbebasedonlocalstandards,customs,laws,andnorms.Ifthemanufacturerchoosestochangefoundationalsecurityprinciples,thenthiscanonlybedonethroughretirementandre-deploymentoftheautonomousmachinewithnewfoundationalprinciples.

ControlCompliance:Theautonomousmachineassessorshalldeterminecompliancewiththiscontrolrequirementbasedonthefollowingtests:

• ProvisionedPrinciples:Thesecurityfoundationalprinciplesshallbeshowntobeincludedintheprovisioningprocess.

• ImmutabilityTesting:Securityandpenetrationtestingshallbeperformedtodemonstrateimmutabilityofstoredprinciples.

• ImmutabilityDesignReview:Reviewsofautonomousmachinedesignshallbeperformedtoconfirmthatmechanismsareinplacetopreventchangestothesecurityprinciples.

1.2 InitialSecurityPolicyIssuance

“Autonomousmachinesmustacceptaninitialsetofsecuritypolicyrules.”

ControlRequirement:Theautonomousmachineshallbeprovisionedbyitsmanufacturerwithaninitial,defaultsetofsecuritypolicyrules.Thesecanbeeithergenericorspecificallytailoredtothelocalenvironmentbythemanufacturer.


• ProvisionedInitialPolicyRules:Evidenceshallbeobtainedthataninitialsetofsecuritypolicyruleshasbeenincludedintheprovisioningprocess.

1.3 AutonomousMachineDeployment

“Manufacturersmustensurequalitybeforeprovisionofautonomousmachines.”

ControlRequirement:Theautonomousmachineshallbedeployedbyitsmanufactureronlyonceithasundergonesufficientqualitycontroltesting,includingsecuritychecks,toensurethatitwillfunctionasintended.




• Deployment:Evidenceshallbeobtainedthattestingisbeingperformedaspartofthedeploymentprocesstocheckforqualitycontrol-basedissuesthatmightnegativelyaffectsecuritycompliance.

1.4AutonomousMachineUpdate

“Autonomousmachinesmustself-updatepolicyrulesconsistentwithbeliefs.”

ControlRequirement:Theautonomousmachineshallincludetheabilitytoeitherself-updatewithintheconstraintsofitsdeployedfoundationalprinciples,orhaveitssoftwareupdatedbythemanufactureraccordingtoastrongly-authenticatedsecureprotocolbetweenthemanufacturerandanyautonomousmachinesithasprovisioned.


• AutonomousMachineUpdateAllowance:Evidenceshallbeobtainedthatthemanufacturercanupdatetheautonomousmachineviastronglyauthenticatedsecureprotocol.

• AutonomousMachineUpdatePrevention:Evidenceshallbeobtainedthatanautonomousmachinecannotbeupdatedexternallybynon-specifiedprotocols.

• Self-Update:Evidenceshallbeobtainedthatanautonomousmachinecanupdateitsownsoftwarewithintheconstraintsofitsfoundationalprinciples.

1.5InitialAutonomousMachineTraining

“Initialmachinetrainingmustcomefromthemanufacturer.”

ControlRequirement:Themanufacturershallbetheonlyentitypermittedtoprovideinitialmachine-learning-basedtrainingfortheautonomousmachine.


• AutonomousMachineUpdateAllowance:Evidenceshallbeobtainedthatcontrolsexistthatconstraininitial,pre-deploymentmachinetrainingtothemanufacturer.

1.6AutonomousMachineMonitoring

“Manufacturersmustmaintaingeneralawarenessofthebehaviorofitsprovisionedautonomousmachines.”

ControlRequirement:Themanufacturermaintaingeneralawarenessofthebehaviorofallautonomousmachinesithasdeployedforevidenceofviolationsofsecurityfoundationalprinciples.


• AutonomousMachineMonitoring:Evidenceshallbeobtainedthatthemanufacturerwilldetectviolationsofsecurityfoundationalprincipleviolationsindeployedautonomousmachines.



1.7AutonomousMachineRetirement

“Autonomousmachinesmustberetiredifnecessarybythemanufacturer.”

ControlRequirement:Themanufacturershallbetheonlyentitypermittedtoremotelyretireanautonomousmachineifevidenceofsecurityfoundationalprincipleshasbeenidentifiedinthatmachine.


• AutonomousMachineUpdateAllowance:Evidenceshallbeobtainedthatthemanufacturerincludesfunctionalitythatallowsforretirementoftheautonomousmachineshouldevidenceofsecurityfoundationalprinciplesbeobserved.

2.SecurityRequirementsforAutonomousMachines

Autonomousmachinesshouldbedesignedtomaintaincompliancewiththefollowingcybersecurityrequirements:

2.1FoundationalSecurityPrincipleCompliance

“Autonomousmachinesmustfollowthebeliefstructurefromtheirmanufacturer.”

ControlRequirement:Theautonomousmachineshallbeprogrammedtoconformallprovisionedandlearnedbehavior,includinganychangestoitslocalsecuritypolicy,totheconstraintsestablishedinthefoundationalsecurityprinciplesprovisionedbythemanufacturer.


• FoundationalSecurityPrincipleEnforcement:Theautonomousmachineshallbeshowntoneverintroducesecuritypolicyrulesornewbehaviorsthatareinconsistentwithitsprovisionedfoundationalsecuritypolicies.

• ImmutabilityDesignReview:Reviewsofthespecificautonomousmachinedeployedhardwareandsoftwareshallbeperformedtoconfirmthatmechanismsareinplacetopreventbehaviorsthatareinconsistentwiththesecurityprinciples.

2.2SecurityPolicyCompliance

“Autonomousmachinebehaviormustremainwithinpolicybounds.”

ControlRequirement:Theautonomousmachineshallbeprogrammedtomanageitsbehaviorconsistentwiththeconstraintsestablishedintheinitialsecuritypolicyprovisionedbythemanufacturer.Updatestothesecuritypolicywillresultinnewbaselinebehavioralconstraints.




• InitialSecurityPolicyEnforcement:Evidenceshallbeobtainedthattheautonomousmachineconformsuponprovisioningtotheinitialsecuritypolicyestablishedbythemanufacturer.

• SubsequentSecurityPolicyEnforcement:Evidenceshallbeobtainedthattheautonomousmachineconformstosubsequentpolicyruleupdatesmadethroughauthorizedprocedures.

2.3AutonomousSecurityPolicyUpdates

“Policyupdatesmustbeself-managedwithinbeliefconstraints.”

ControlRequirement:Changestosecuritypolicy,self-initiatedbytheautonomousmachine,shallbeinfluencedbythreatintelligence,environmentalobservation,andotherinputstimuli,includingfromthemanufacturer.Suchchangesmustremainconsistentwiththesecurityfoundationalprinciples.


• EnvironmentInfluencedSecurityPolicyUpdate:Evidenceshallbeobtainedthatchangestotheexistingsetofsecuritypolicyrulesareinfluencedbyrelevantthreatintelligenceorotherenvironmentalstimuli.

• ManufacturerInfluencedSecurityPolicyUpdate:Evidenceshallbeobtainedthatchangestotheexistingsetofsecuritypolicyrulesareinfluencedbyrecommendationsfromthemanufacturer.

2.4Authenticated,SecureExternalCommunication

“Autonomousmachinesmustsupportauthenticationandencryption.”

ControlRequirement:Theautonomousmachineshallhavetheabilitytostronglyauthenticateandsecurelycommunicatewithitsmanufacturer,environment,andotherautonomousmachinesoveravailablenetworkmedia.


• Authentication:Evidenceshallbeobtainedthattheautonomousmachinecanstronglyandmutuallyauthenticatewithitsmanufacturer,environment,orotherautonomousmachines.

• Encryption:Evidenceshallbeobtainedthattheautonomousmachinecansecurelycommunicateviaencrypteddatatransferwiththemanufacturer,environment,orotherautonomousmachines.

2.5AutonomousThreatInformationSharing

“Autonomousmachinesmusthavetheabilitytosharethreatinformation.”

ControlRequirement:Theautonomousmachineshallparticipateinautomatedthreatinformationsharingprotocolswiththeirmanufacturer,environment,andotherautonomousmachines.




• ThreatInformationGeneration:Evidenceshallbeobtainedthattheautonomousmachinecanlocallygeneratethreatinformationforsharingwiththemanufacturer,environment,orotherautonomousmachines.

• SecureThreatInformationSharing:Evidenceshallbeobtainedthattheautonomousmachinecansecurelysharethreatinformationwiththemanufacturer,environment,orotherautonomousmachines.

2.6AutonomousMachineLearning

“Autonomousmachinesmustlearnwithintheconstraintsoftheirbeliefs.”

ControlRequirement:Theautonomousmachineshallexecutemachinelearningalgorithmswithintheguidelinesestablishedbythesecurityfoundationalprinciplesdeployedbyitsmanufacturer.


• LearningBoundaries:Evidenceshallbeobtainedthattheautonomousmachinewillnotallowfortrainingdatatocausebehaviorsinconsistentwithitssecurityfoundationalprinciples.

2.7AutonomousIncidentResponse

“Autonomousmachinesmustself-initiateincidentresponse.”

ControlRequirement:Theautonomousmachineshalleitherself-initiateincidentresponseprocessesbasedonavailableindicatorsofattack,whichmightincludeinformationsharedfromthemanufacturer,environment,orotherautonomousmachines.


• IndicatorProcess:Evidenceshallbeobtainedthattheautonomousmachinecollectsandanalyzesavailabledataforindicatorsofattack.

• IncidentResponse:Evidenceshallbeobtainedthattheautonomousmachineself-initiatesincidentresponsebasedondeterminationthatanattackisunderway.

3.SecurityRequirementsforEnvironment

Activeenvironmentalcomputingentitiesthatmightinteractdynamicallywithautonomousmachinesarenotpresumedtofollowanycybersecurityframeworkmodelforconventionalthreats.Instead,theautonomousmachinemustbecapabletoassignsuitablelevelsoftrustforanyinteractionwithanuntrustedenvironment.Thesecurityrequirementsincludedinthissectionarethusfocusedonexternalenvironmentalsystemsthatvoluntarilychoosetofollowsecuritycontrolsthatwillenablemoretrustedinteractionswithautonomousmachines.

3.1FoundationalSecurityPrincipleSharing

“Environmentalentitiesmightchoosetosharebeliefswithautonomousmachines.”



ControlRequirement:Theenvironmentalentityshallshareitssecurityfoundationalprinciplesondemandfromanyrequestingautonomousmachine.


• PrincipleSharing:Evidenceshallbeobtainedthattheenvironmentalentitycanshareitssecurityfoundationalprincipleswithanyrequestingautonomousmachine.

3.2Authenticated,SecureCommunicationsSupport

“Environmentalmachinesmightchoosetosupportauthenticationandencryption.”

ControlRequirement:Theenvironmentalentityshallhavetheabilitytostronglyauthenticateandsecurelycommunicatewithautonomousmachinesoveravailablenetworkmedia.


• Authentication:Evidenceshallbeobtainedthattheenvironmentalentitycanstronglyandmutuallyauthenticatewithautonomousmachines.

• Encryption:Evidenceshallbeobtainedthattheenvironmentalentitycansecurelycommunicateviaencrypteddatatransferwithautonomousmachines.

3.3ValidationSupportforTelemetry

“Environmentalentitiesmightchoosetodigitallysignandassigntrusttotelemetry.”

ControlRequirement:Theenvironmentalentityshallhavetheabilitytoprovidedigitallysignedauthenticityandintegritytrustlevelsforanyexportedtelemetry.


• Authentication:Evidenceshallbeobtainedthattheenvironmentalentitycandigitallysigntelemetrysenttoanautonomousmachine.

• Encryption:Evidenceshallbeobtainedthattheenvironmentalentitycanprovideanestimatedtrustlevelforanytelemetrysenttoanautonomousmachine.



CaseStudy:AssessingCyberSecurityFrameworkComplianceforanAutonomousVacuumCleanerThemarketforautonomousvacuumcleanershasgrowntothepointwhereoneestimateplaces23%ofcurrentvacuumproductsasrobotic.2AtypicalcommercialroboticvacuumcleanerproductistheNeatoRoboticsXV-15,whichcleansthesurfaceareaofahomewhenhumansarenotpresenttocontrolitsactivityaswithaconventionalvacuumcleaner.Mobilephone-basedmanagementandmonitoringisincludedwiththeproduct,forexample,toseeamapofwhathasbeencleaned.Theautonomousproductisdepictedinthefigurebelow.

Figure2.NeatoRoboticsXV-15SecurityRequirementsforNeatoRobotics

NeatoRoboticsshouldmaintaincompliancewiththefollowingcybersecurityrequirements:

1. FoundationalSecurityPrincipleIssuance

“NeatoRoboticsmustcreateafoundationalbeliefstructurefortheXV-15.”

ControlRequirement:TheXV-15shallbeprovisionedbyNeatoRoboticswithasetofsecurityfoundationprinciplesthatserveasanimmutablebeliefstructurethatcannotbealteredbytheXV-15,itsexternalenvironment(includinganyotherautonomousmachineslocatedinthehomeorbusiness),orhumanusersoftheXV-15.Foundationalprinciplesshallbebasedonlocalstandards,customs,laws,andnorms.IfNeatoRoboticschoosestochangefoundationalsecurityprinciples,thenthiscanonlybedonethroughretirementandre-deploymentoftheXV-15withnewfoundationalprinciples.

2. InitialSecurityPolicyIssuance

“TheXV-15mustacceptaninitialsetofsecuritypolicyrules.”

ControlRequirement:TheXV-15shallbeprovisionedbyNeatoRoboticswithaninitial,defaultsetofsecuritypolicyrules.ThesecanbeeithergenericorspecificallytailoredtothelocalhomeorbusinessenvironmentbyNeatoRobotics.

3. XV-15Deployment

“NeatoRoboticsmustensurequalitybeforeprovisionoftheXV-15.”

ControlRequirement:TheXV-15shallbedeployedbyNeatoRoboticsonlyonceithasundergonesufficientqualitycontroltesting,includingsecuritychecks,toensurethatitwillfunctionasintended.

2 http://tenrows.com/robot-vacuum/



4. XV-15Update

“TheXV-15mustself-updatepolicyrulesconsistentwithbeliefs.”

ControlRequirement:TheXV-15shallincludetheabilitytoeitherself-updatewithintheconstraintsofitsdeployedfoundationalprinciples,orhaveitssoftwareupdatedbyNeatoRoboticsaccordingtoastrongly-authenticatedsecureprotocolbetweentheNeatoRoboticsandprovisionedXV-15s.

5. InitialXV-15Training

“InitialmachinetrainingmustcomefromNeatoRobotics.”

ControlRequirement:NeatoRoboticsshallbetheonlyentitypermittedtoprovideinitialmachine-learning-basedtrainingfortheXV-15.

6. XV-15Monitoring

“NeatoRoboticsmustmaintaingeneralawarenessofthebehaviorofprovisionedXV-15s.”

ControlRequirement:NeatoRoboticsshallmaintaingeneralawarenessofthebehaviorofalldeployedXV-15sforevidenceofviolationsofsecurityfoundationalprinciples.

7. XV-15Retirement

“XV-15smustberetiredifnecessarybyNeatoRobotics.”

ControlRequirement:NeatoRoboticsshallbetheonlyentitypermittedtoremotelyretireanXV-15ifevidenceofsecurityfoundationalprincipleshasbeenidentified.

8. FoundationalSecurityPrincipleCompliance

“TheXV-15mustfollowthebeliefstructurefromNeatoRobotics.”

ControlRequirement:TheXV-15shallbeprogrammedtoconformallprovisionedandlearnedbehavior,includinganychangestoitslocalsecuritypolicy,totheconstraintsestablishedinthefoundationalsecurityprinciplesprovisionedbyNeatoRobotics.

9. SecurityPolicyCompliance

“XV-15behaviormustremainwithinpolicybounds.”

ControlRequirement:TheXV-15shallbeprogrammedtomanageitsbehaviorconsistentwiththeconstraintsestablishedintheinitialsecuritypolicyprovisionedbyNeatoRobotics.Updatestothesecuritypolicywillresultinnewbaselinebehavioralconstraints.

10. AutonomousSecurityPolicyUpdates


ControlRequirement:Changestosecuritypolicy,self-initiatedbytheXV-15,shallbeinfluencedbythreatintelligence,environmentalobservation,andotherinputstimuli,includingfromNeatoRobotics.Suchchangesmustremainconsistentwiththesecurityfoundationalprinciples.

11. Authenticated,SecureExternalCommunication

“TheXV-15mustsupportauthenticationandencryption.”



ControlRequirement:TheXV-15shallhavetheabilitytostronglyauthenticateandsecurelycommunicatewithNeatoRobotics,thehomeorbusinessenvironment,andotherautonomousmachinesoveravailablenetworkmedia.

12. XV-15InformationSharing

“TheXV-15musthavetheabilitytosharethreatinformation.”

ControlRequirement:TheXV-15shallparticipateinautomatedthreatinformationsharingprotocolswithNeatoRobotics,thelocalhomeorbusinessenvironment,andotherautonomousmachines.

13. XV-15Learning

“TheXV-15mustlearnwithintheconstraintsoftheirbeliefs.”

ControlRequirement:TheXV-15shallexecutemachinelearningalgorithmswithintheguidelinesestablishedbythesecurityfoundationalprinciplesdeployedbyNeatoRobotics.

14. XV-15Response

“TheXV-15mustself-initiateincidentresponse.”

ControlRequirement:TheXV-15shalleitherself-initiateincidentresponseprocessesbasedonavailableindicatorsofattack,whichmightincludeinformationsharedfromNeatoRobotics,thelocalhomeorbusinessenvironment,orotherautonomousmachines.

15. FoundationalSecurityPrincipleSharing

“EnvironmentalentitiesmightchoosetosharebeliefswiththeXV-15.”

ControlRequirement:EnvironmentalentitiesinthelocalhomeorbusinessenvironmentmightchoosetosharetheirsecurityfoundationalprinciplesondemandfromanyrequestingXV-15.TheXV-15shallhavetheabilitytoparticipateinsuchsharing.

16. Authenticated,SecureCommunicationsSupport


ControlRequirement:EnvironmentalentitiesinthelocalhomeorbusinessenvironmentmightchoosetostronglyauthenticateandsecurelycommunicatewiththeXV-15overavailablenetworkmedia.TheXV-15shallhavetheabilitytosupportsuchsecurityfunctions.

17. ValidationSupportforTelemetry


ControlRequirement:Environmentalentitiesinthelocalhomeorbusinessenvironmentmightchoosetoprovidedigitallysignedauthenticityandintegritytrustlevelsforanyexportedtelemetry.TheXV-15shallhavetheabilitytosupportsuchsecurityfunctions.



CaseStudy:AssessingCyberSecurityFrameworkComplianceforanAutonomousVehicleThemarketforautonomousvehiclesisexpectedtogrowtosixbilliondollarsby2015.Thismarketislikelytoinducenon-traditionalmanufacturerstothedesignanddevelopmentofsuchcomplexsystems.Dysonisanexamplecompanythathassuggestedfutureworkinthisarea.AsketchofanautonomousvehiclefromDysonisdepictedinthefigurebelow.

Figure2.DysonSketchforAutonomousVehicle

ThisdocumentsuggestsdesignconsiderationsforDysonastheyintroducecybersecurityconstraintsfortheautonomousoperationoftheirfuturevehicles.SecurityRequirementsforDyson

Dysonshouldmaintaincompliancewiththefollowingcybersecurityrequirements:

18. FoundationalSecurityPrincipleIssuance

“DysonmustcreateafoundationalbeliefstructurefortheDysonautonomousvehicle.”

ControlRequirement:TheDysonautonomousvehicleshallbeprovisionedbyDysonwithasetofsecurityfoundationprinciplesthatserveasanimmutablebeliefstructurethatcannotbealteredbytheDysonautonomousvehicle,itsexternalenvironment(includinganyotherautonomousmachineslocatedinthehomeorbusiness),orhumanusersoftheDysonautonomousvehicle.Foundationalprinciplesshallbebasedonlocalstandards,customs,laws,andnorms.IfDysonchoosestochangefoundationalsecurityprinciples,thenthiscanonlybedonethroughretirementandre-deploymentoftheDysonautonomousvehiclewithnewfoundationalprinciples.

19. InitialSecurityPolicyIssuance

“TheDysonautonomousvehiclemustacceptaninitialsetofsecuritypolicyrules.”

ControlRequirement:TheDysonautonomousvehicleshallbeprovisionedbyDysonwithaninitial,defaultsetofsecuritypolicyrules.ThesecanbeeithergenericorspecificallytailoredtothelocalhomeorbusinessenvironmentbyDyson.

20. DysonautonomousvehicleDeployment

“DysonmustensurequalitybeforeprovisionoftheDysonautonomousvehicle.”

ControlRequirement:TheDysonautonomousvehicleshallbedeployedbyDysononlyonceithasundergonesufficientqualitycontroltesting,includingsecuritychecks,toensurethatitwillfunctionasintended.



21. DysonautonomousvehicleUpdate

“TheDysonautonomousvehiclemustself-updatepolicyrulesconsistentwithbeliefs.”

ControlRequirement:TheDysonautonomousvehicleshallincludetheabilitytoeitherself-updatewithintheconstraintsofitsdeployedfoundationalprinciples,orhaveitssoftwareupdatedbyDysonaccordingtoastrongly-authenticatedsecureprotocolbetweentheDysonandprovisionedDysonautonomousvehicles.

22. InitialDysonautonomousvehicleTraining

“InitialmachinetrainingmustcomefromDyson.”

ControlRequirement:Dysonshallbetheonlyentitypermittedtoprovideinitialmachine-learning-basedtrainingfortheDysonautonomousvehicle.

23. DysonautonomousvehicleMonitoring

“DysonmustmaintaingeneralawarenessofthebehaviorofprovisionedDysonautonomousvehicles.”

ControlRequirement:DysonshallmaintaingeneralawarenessofthebehaviorofalldeployedDysonautonomousvehiclesforevidenceofviolationsofsecurityfoundationalprinciples.

24. DysonautonomousvehicleRetirement

“DysonautonomousvehiclesmustberetiredifnecessarybyDyson.”

ControlRequirement:DysonshallbetheonlyentitypermittedtoremotelyretireanDysonautonomousvehicleifevidenceofsecurityfoundationalprincipleshasbeenidentified.

25. FoundationalSecurityPrincipleCompliance

“TheDysonautonomousvehiclemustfollowthebeliefstructurefromDyson.”

ControlRequirement:TheDysonautonomousvehicleshallbeprogrammedtoconformallprovisionedandlearnedbehavior,includinganychangestoitslocalsecuritypolicy,totheconstraintsestablishedinthefoundationalsecurityprinciplesprovisionedbyDyson.

26. SecurityPolicyCompliance

“Dysonautonomousvehiclebehaviormustremainwithinpolicybounds.”

ControlRequirement:TheDysonautonomousvehicleshallbeprogrammedtomanageitsbehaviorconsistentwiththeconstraintsestablishedintheinitialsecuritypolicyprovisionedbyDyson.Updatestothesecuritypolicywillresultinnewbaselinebehavioralconstraints.

27. AutonomousSecurityPolicyUpdates


ControlRequirement:Changestosecuritypolicy,self-initiatedbytheDysonautonomousvehicle,shallbeinfluencedbythreatintelligence,environmentalobservation,andotherinputstimuli,includingfromDyson.Suchchangesmustremainconsistentwiththesecurityfoundationalprinciples.

28. Authenticated,SecureExternalCommunication

“TheDysonautonomousvehiclemustsupportauthenticationandencryption.”



ControlRequirement:TheDysonautonomousvehicleshallhavetheabilitytostronglyauthenticateandsecurelycommunicatewithDyson,thehomeorbusinessenvironment,andotherautonomousmachinesoveravailablenetworkmedia.

29. DysonautonomousvehicleInformationSharing

“TheDysonautonomousvehiclemusthavetheabilitytosharethreatinformation.”

ControlRequirement:TheDysonautonomousvehicleshallparticipateinautomatedthreatinformationsharingprotocolswithDyson,thelocalhomeorbusinessenvironment,andotherautonomousmachines.

30. DysonautonomousvehicleLearning

“TheDysonautonomousvehiclemustlearnwithintheconstraintsoftheirbeliefs.”

ControlRequirement:TheDysonautonomousvehicleshallexecutemachinelearningalgorithmswithintheguidelinesestablishedbythesecurityfoundationalprinciplesdeployedbyDyson.

31. DysonautonomousvehicleResponse

“TheXv-15mustself-initiateincidentresponse.”

ControlRequirement:TheDysonautonomousvehicleshalleitherself-initiateincidentresponseprocessesbasedonavailableindicatorsofattack,whichmightincludeinformationsharedfromDyson,thelocalhomeorbusinessenvironment,orotherautonomousmachines.

32. FoundationalSecurityPrincipleSharing

“EnvironmentalentitiesmightchoosetosharebeliefswiththeDysonautonomousvehicle.”

ControlRequirement:EnvironmentalentitiesinthelocalhomeorbusinessenvironmentmightchoosetosharetheirsecurityfoundationalprinciplesondemandfromanyrequestingDysonautonomousvehicle.TheDysonautonomousvehicleshallhavetheabilitytoparticipateinsuchsharing.

33. Authenticated,SecureCommunicationsSupport


ControlRequirement:EnvironmentalentitiesinthelocalhomeorbusinessenvironmentmightchoosetostronglyauthenticateandsecurelycommunicatewiththeDysonautonomousvehicleoveravailablenetworkmedia.TheDysonautonomousvehicleshallhavetheabilitytosupportsuchsecurityfunctions.

34. ValidationSupportforTelemetry


ControlRequirement:Environmentalentitiesinthelocalhomeorbusinessenvironmentmightchoosetoprovidedigitallysignedauthenticityandintegritytrustlevelsforanyexportedtelemetry.TheDysonautonomousvehicleshallhavetheabilitytosupportsuchsecurityfunctions.



Appendix:Definitions

AutonomousMachine–Anautonomousmachine(AM)isanycomputingentitythatisprogrammedbyitsmanufacturertodynamicallyself-determineitsownfunctionalbehaviorbasedoningestedinformationfromitsenvironment.

ConnectedCar–Aconnectedcarisanyvehicle,autonomousorotherwise,thatdynamicallysharescontrolinformationoveranetworkwithanexternalentitytosupportmission-relatedfunctions.

Self-DrivingCar–Aself-drivingcarisanautonomousvehicleandisoneofthemostcommonlycitedexamplesofanautonomousmachine.

cyber security framework for autonomous machines 1.0 · tag cyber – research in iot security 1...

Documents