Autonomous vehicles (AVs) have been given considerable attention lately, and for good reason, as large tech giants such as Google, Apple, Amazon and of course Tesla have invested hundreds of millions into the development of AVs. More than 60 cities around the globe have driverless car testing programs either ongoing or in preparation, and nearly three dozen others have launched efforts exploring vehicle automation. A staggering $80 billion has already been invested in the technology, and virtually every modern automaker has dedicated resources to driver automation. While only about 130,000 vehicles per year are currently being sold with partial automation, about 98,000 are projected to be sold with full automation capabilities by 2020. That number is expected to rise to more than 96 million by 2040 – representing fully 95 percent of all vehicles sold.
AVs are also receiving a lot of attention due to the security and safety problems that have arisen almost since Day 1. AVs are born of the Internet, where many – or all – of a vehicle’s systems are controlled by computers and therefore open to attack. White-hat hackers have been demonstrating security flaws in connected vehicles for years, illustrating how easy it is to seize control over a variety of systems by exploiting even non-automated cars. Also, recently the National Transportation Safety Board wrapped up its nearly two-year-long investigation of a Tesla Autopilot-involved crash in California, and found that the design of the semi-autonomous feature was one “probable cause” of the crash.
I believe that the future success of AVs is dependent on the appropriate management of multiple factors – safety and security, operational technology (OT) and information technology (IT), risk and convenience. These factors are also being addressed by the National Highway Traffic Safety Administration (NHTSA) as part of a multi-faceted research approach that leverages the National Institute of Standards and Technology (NIST) Cybersecurity Framework and encourages industry to adopt practices that improve the cybersecurity posture of their vehicles in the United States. NHTSA’s goal is to collaborate with the automotive industry to proactively address vehicle cybersecurity challenges, and to continuously seek methods to mitigate associated safety risks.
At the forefront of this research at NIST is Dr. Ed Griffor. I was introduced to Dr. Griffor by a mutual colleague [thanks Colin!] and we have had several interesting discussions on his work and the need for measurement science to provide a strong foundation for resolving some of the issues listed above. Below is my interview with Dr. Griffor, which highlights some of the major themes of his research. So check out the interview below and also be on the lookout for an upcoming podcast in which Dr. Ron Ross of NIST and Dr. Griffor join me in a discussion on the issues of risk, resiliency, and OT/IT convergence.
Spotlight on Dr. Edward Griffor
» Title: Associate Director, Smart Grid and Cyber Physical Systems Program Office, National Institute of Standards and Technology (NIST)
» Website: https://www.nist.gov/people/edward-griffor
Read his bio below.
Chris Daly, Active Cyber™: What are some of the key facets of your research in Cyber-Physical Systems (CPS) / Autonomous Vehicles (AVs)? When did you start on this effort? Who are the expected beneficiaries of the research and development work you are performing and what are your expected outcomes and when?
Dr. Ed Griffor, Associate Director, Smart Grid and Cyber Physical Systems Program Office, NIST: Two years ago NIST released a CPS Framework in three volumes that are available on the NIST website. It was the product of a 3-year, 500-person Public Working Group, including government, industry and academic experts. This framework provides the backdrop to the research we are currently conducting for AVs. It describes the three elements of a CPS – logic, physics, and the human – through conceptualization, realization and the assurance facets involved in developing and operating a CPS. It incorporates the functional decomposition of a CPS, including allocation of function to the cyber or to the physical, as well as the concerns that drive the requirements on these systems. There are some 116 concerns in the framework and they form a tree-like structure. For example, trustworthiness is one of the high-level concerns of the framework and it includes safety, security, privacy, resilience and reliability.
NIST’s work on applying this framework to AVs, [or Automated Driving System (ADS) Enabled Vehicles in the language of USDOT], began once the Framework was released 2 years ago and has resulted in foundational research (math for the studied) and an ADS Testbed – an instance of the NIST CPS Testbed technology called UCEF (Universal CPS Environment for Federation). This technology integrates, using the USAF co-simulation protocol HLA (High Level Architecture), various component simulations based on models of SW/HW, emulations, and hardware-in-the-loop (HIL) to enable testing and interaction across the Internet.
Most recently, NIST worked with USDOT, and Intel/Intel Mobileye in June 2019 to hold a workshop on Consensus Measurement Methodologies for ADS-Equipped Vehicle Safety. Measurement of the various concerns of AVs, as highlighted by the Framework, is one of the key outcomes of our on-going work.
Active Cyber™: Understanding the real-time performance, safety, security, and robustness of distributed CPS systems such as AV is a daunting task. Most vehicles have over 80 embedded processors, all of which are interconnected. Now with the existence of malware such as Hatman which targets safety systems of CPS, the possibility of maliciously introduced faults into the safety system of AVs exists. Given that several states have legalized AVs on public roads, what types of adversary detection and prevention capabilities are needed for AVs?
Dr. Griffor: AVs are instances of both managed and unmanaged integration of CPS/IoT. (See NIST SP 1900-202 on the Convergence of CPS and IoT.) Attacks on these systems may be anticipated during design by the organization developing the system, but if the system is the result of a user spontaneously composing existing systems then monitoring of some kind seems to be the only available defense. Gathering of intrusion data and training cases, as for AI, would allow the system to learn and recognize malicious activity. Dynamic protection, like rotating key encryption of communications on and off vehicle, also has promise for future protection of AVs. This sort of continuous validation or onboard HMS (Health Management Systems) is used in military and space exploration technologies where it is even more difficult to modify the system to defend against emerging threats.
Active Cyber™: What types of new security considerations must be taken into account for cyber-physical systems? How does the security space and associated risk posture change when computation interacts with the physical world? What are some of the innovations in scientific foundations that are necessary for greater robustness, security and safety of cyber-physical systems in general and in AV systems in particular? What types of legal or policy changes are needed and how is NIST supporting these?
Dr. Griffor: CPS/IoT are integrations of three elements – logic, physics and humans – and sensing and actuation (transduction) integrate the three elements. Any discussion of the security of such systems must take into account that attacks will also involve a combination of exploits across all three elements, including attacks on sensors and actuators. NIST’s Engineering Laboratory is developing the tools needed to represent and study these attacks. In the operation of CPS/IoT, there are 4 lanes of state transition activity: cyber, transduction, physical and human. All of these state transitions are vulnerable to manipulation, prior to or during an attack on a cyber-physical system. The diagram, “CPS attack diagram,” displays all of the transitions involved in the attack. Cybersecurity is part of the picture but far from the whole. We will not be able to design protections for vehicles, or any other CPS or IoT, without this broader view.
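Two of Dr. Griffor’s points above lend themselves to a concrete illustration: that monitoring is often the only defense available for a spontaneously composed system (his earlier answer on adversary detection), and that an attack can travel through the cyber lane or the transduction/physical lane, so a purely “cyber” check misses part of the picture. The following is an added example written for this page, not code from NIST or from Dr. Griffor. It monitors a constructed in-vehicle bus log in two lanes: a timing check per message ID (an injected frame breaks the sender’s cadence) and a physics plausibility check on the speed value carried (a perfectly timed frame can still claim an impossible state). The CAN IDs, broadcast periods, payload encoding and acceleration bound are all assumptions; a real deployment would take them from the vehicle’s network specification.

```python
"""Two-lane bus monitor: a cyber-lane check on message timing and a
physical-lane check on the plausibility of the values carried.
Added example for this page, not NIST's or Dr. Griffor's code; the frame
layout, IDs, periods and limits below are assumptions."""

# Assumed broadcast period per CAN ID (seconds); real values come from the
# vehicle's own network specification.
EXPECTED_PERIOD = {0x1A0: 0.010, 0x2B0: 0.020}
SPEED_ID = 0x1A0         # assumed ID of the wheel-speed frame
MIN_GAP_FRACTION = 0.5   # a gap under half the nominal period is suspicious
MAX_ACCEL_MPS2 = 12.0    # assumed physical bound on |dv/dt| for a passenger car


def decode_speed(payload: bytes) -> float:
    """Assumed encoding: big-endian uint16 in bytes 0-1, units of 0.01 m/s."""
    return int.from_bytes(payload[:2], "big") / 100.0


def speed_frame(t: float, v_mps: float):
    """Build a constructed (timestamp, can_id, payload) tuple for the speed ID."""
    return (t, SPEED_ID, int(round(v_mps * 100)).to_bytes(2, "big"))


def monitor(frames):
    """Scan time-ordered frames; return [(timestamp, lane, reason), ...]."""
    alerts = []
    last_seen = {}                      # last timestamp per CAN ID
    last_speed = last_speed_t = None
    for t, can_id, payload in frames:
        # Cyber lane: a genuine ECU keeps its cycle, so an extra frame with
        # the same ID arriving far too soon is the signature of injection.
        prev = last_seen.get(can_id)
        period = EXPECTED_PERIOD.get(can_id)
        if prev is not None and period is not None:
            gap = t - prev
            if gap < period * MIN_GAP_FRACTION:
                alerts.append((t, "cyber",
                               f"ID {can_id:#x}: gap {gap * 1e3:.1f} ms, "
                               f"expected ~{period * 1e3:.0f} ms"))
        last_seen[can_id] = t
        # Physical lane: a frame with perfect timing can still lie; the
        # claimed speed must be reachable under the vehicle's physics.
        if can_id == SPEED_ID:
            v = decode_speed(payload)
            if last_speed is not None and t > last_speed_t:
                accel = abs(v - last_speed) / (t - last_speed_t)
                if accel > MAX_ACCEL_MPS2:
                    alerts.append((t, "physical",
                                   f"speed {last_speed:.2f}->{v:.2f} m/s "
                                   f"implies {accel:.0f} m/s^2"))
            last_speed, last_speed_t = v, t
    return alerts


def sample_frames(attack: bool):
    """Constructed traffic for a car at ~20 m/s. With attack=True: one
    injected, plausible-looking speed frame at t=23 ms (cyber lane) and,
    from t=40 ms, frames claiming 0 m/s in place of the genuine sender
    (physical lane; silencing the real ECU is assumed, not shown)."""
    frames = [speed_frame(0.000, 20.00), (0.000, 0x2B0, b"\x00"),
              speed_frame(0.010, 20.05), speed_frame(0.020, 20.10),
              (0.020, 0x2B0, b"\x00")]
    if attack:
        frames.append(speed_frame(0.023, 20.10))
    frames.append(speed_frame(0.030, 20.15))
    if attack:
        frames += [speed_frame(0.040, 0.00), speed_frame(0.050, 0.00)]
    else:
        frames += [speed_frame(0.040, 20.20), speed_frame(0.050, 20.25)]
    return frames


if __name__ == "__main__":
    for alert in monitor(sample_frames(attack=True)):
        print(alert)
```

On the constructed traffic the clean run raises nothing, while the attack run raises exactly one alert in each lane: the 3 ms gap at t=23 ms is caught only by the timing check (its value is plausible), and the 20 m/s to 0 m/s jump at t=40 ms is caught only by the physics check (its timing is perfect). Neither lane alone would have seen both, which is the practical content of “cybersecurity is part of the picture but far from the whole.”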
Active Cyber™: Uncertainty in the environment, security attacks, and errors in physical devices and in wireless communication pose critical challenges to overall system robustness, security and safety of CPS such as AVs. What security standards or frameworks exist for CPS/AVs to ensure their safety and security?
Dr. Griffor: As I mentioned earlier, NIST Engineering Laboratory has released a CPS Framework and further methods and tools related to CPS/IoT trustworthiness, including security and safety. On the cyber front, NIST Information Technology Laboratory has produced extensive documentation related to cybersecurity specifically. A key element of NIST work on CPS/IoT trustworthiness is the study of trade-offs or interdependencies between the concerns, like security, safety and reliability, using reasoning. Most recently the CPS/IoT Trustworthiness Project has turned to the task of building foundations for reasoning or calculation “under uncertainty.” The AV space has recognized that the car will perform reasoning tasks using its logical models/data about the operational driving domain. Additional NIST collaborations on the AV front are with MIT, Intel Mobileye and others.
Most recently NIST and USDOT have set in motion discussions of the consensus measurement strategies for ADS-equipped vehicle trustworthiness. Pre- and post- deployment measurement strategies must be coordinated. SAE J2980 (Functional Safety) and J3061 (Cybersecurity) are “recommended practices” that address safety and security. Most stakeholders agree that a common approach to safety and security is necessary. These concerns interact strongly! Industry is aware of these standards and framework efforts, but their application across the industry remains uneven. NIST’s focus on the primacy of measurement is a good fit with the ADS community’s efforts in working on consensus measurement strategies for AV safety. These measurement strategies can inform standards and product safety and security efforts.
Active Cyber™: As the transfer of control from human to computer moves forward with autonomous vehicles, there will likely be a shift from human (driver) error to programmer error. What types of new sensors, protocols, safety and security algorithms, metrics and testing approaches are needed to tolerate intermittent failures in CPS/AV systems and to ensure safety- and security-resilient CPS and AV systems?
Dr. Griffor: I would say there will indeed be a shift from driver error to system error, complicated by a mixed fleet in the short run. The study of this is nascent. In the near term we need to focus on the endowment of these systems with learning capability and on the explainability of these enhanced CPS and ADS systems, i.e., their predictability and accountability.
Active Cyber™: Software updates or upgrading of running systems are another critical aspect of cyber-physical systems, especially in large critical infrastructure systems or in AV systems that cannot turn off or it is too expensive to shut down. What types of efforts are underway by industry or government to provide a reliable framework for over the air software updates? What standards are present or in the works to ensure secure updates are made?
Dr. Griffor: There are discussions within industry of flash reprogramming of vehicles over-the-air (OTA) based on the understanding that updates will be necessary. These discussions include of course discussion of the potential hazards. I am not aware of specific NIST efforts in this regard, but I suspect that previous work at NIST on the security of wireless communications will play a key role going forward.
Active Cyber™: As the verification and validation of a cyber-physical system is not a one-time event, how should the life cycle process change for the testing and certification of safety- and security-critical services of the CPS/AV system? What role does the NIST Risk Management Framework (RMF) play in such a life cycle?
Dr. Griffor: Assurance in the CPS Framework is about “judgment” in the technical sense. Judgments are generally of the form: “Based on expert consensus about the methodology for testing a property of a system and the test results for this system, it satisfies the property.” On the other hand, verification is about having built the system right while validation is about whether you built the right system. Any system can be seen as a solution to a problem/need. In logic and physics, problems are represented in very distinct ways, the former as a compilation problem and the latter as sets of differential equations. For CPS/IoT we need a new language where we can pose cyber-physical problems and solve them combinatorially – a unified mathematics of the cyber and the physical together. An early example of success here is the work on “symbolic integration and differentiation” where computing rules integrate with calculus for physics – this is one focus of current work at NIST.
Active Cyber™: Reliable, on demand, real-time data streaming must co-exist among multiple wireless devices belonging to the CPS / AV and to other CPS/AVs and CPS/AV infrastructure. This necessitates a network infrastructure to reliably integrate myriad wireless devices and protocols, to let them co-exist safely, securely, reliably and efficiently. What is NIST doing to address the security and safety of this wireless infrastructure, especially now that 5G will also be added? How is NIST collaborating with other agencies and with the public in this space?
Dr. Griffor: There is extensive NIST activity surrounding wireless technologies, including 5G, and advanced networking in Information and Communications Technology Laboratories (ITL and CTL). The problem is once again, the integration of the logical/cyber with the mechanical/physical. Example work includes NASA’s Disruption Tolerant Networking (DTN) and “hot swapping” of printed circuit boards (PCBs) using a library of the software needed to operate commercial aircraft. I have collaborated and published work with ITL experts on automotive Software Defined Networking (SDN) and virtual function reallocation and their relation to safety. Again, it is paramount that all relevant constraints, both physical and logical, be captured and solved together, including ones related to networking infrastructure.
Active Cyber™: CPS systems such as AVs are distributed and real-time dynamic systems, with many control loops of different degrees of application criticality operating at different time and space scales. Maintaining security and safety of such a complex system will require precision regarding QoS properties, subsystem interactions, and the functional correctness of the system. What efforts does NIST have underway to provide methods and tools that will derive QoS metrics for such a composite system? How can the basic measurement science involved here help to address unresolved policy issues for CPS, especially AV systems?
Dr. Griffor: This is the theme of compositionality. Understanding timing and trustworthiness, two key aspects of the NIST CPS Framework, at all levels of controls is paramount. The composition of two safe and secure systems is not in general safe and secure! The CPS/IoT Program at NIST has focused efforts related to the timing and trustworthiness of these systems. Measurement science is at the center of these efforts, both the foundational science of measurement and tools for experimentation. Regarding ADS, we have gathered industry and government experts to assess the appetite for consensus measurement methodologies for AV trustworthiness. Together with auto industry experts we are preparing a report on this assessment that will indicate the level of consensus. Measuring the interdependencies between logical control loops and physics is once again the key – that’s why we need the unified foundations of the logical and the physical.
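“The composition of two safe and secure systems is not in general safe and secure” is easiest to see in the timing dimension Dr. Griffor names. The block below is an added example written for this page, not NIST’s code: a standard fixed-priority response-time analysis applied to two constructed control loops. Each loop meets its deadline when it has an ECU to itself; put on one shared ECU under rate-monotonic priorities, the lower-priority loop misses its deadline even though total utilization stays under 100 percent. The loop names, execution times and periods are constructed for the illustration.

```python
"""Response-time analysis (RTA) for fixed-priority control loops that share
one ECU. Added example for this page, not NIST's code; the two loops and
their timing parameters are constructed to show composition failing."""
import math

# A task is (name, worst-case execution time C, period T); deadline is T.
# Rate-monotonic priority: the shorter the period, the higher the priority.


def response_time(tasks, idx):
    """Worst-case response time of tasks[idx], with tasks[:idx] at higher
    priority, via the fixed-point iteration R = C + sum(ceil(R/T_h) * C_h).
    Returns None once R exceeds the deadline, i.e. the task is unschedulable."""
    _, c, t = tasks[idx]
    r = c
    while True:
        r_next = c + sum(math.ceil(r / t_h) * c_h for _, c_h, t_h in tasks[:idx])
        if r_next > t:
            return None
        if r_next == r:
            return r
        r = r_next


def analyse(tasks):
    """Map each task name to its worst-case response time (None = deadline miss)."""
    ordered = sorted(tasks, key=lambda task: task[2])
    return {name: response_time(ordered, i)
            for i, (name, _, _) in enumerate(ordered)}


def utilization(tasks):
    """Total CPU utilization sum(C/T). Staying under 1 is necessary but not
    sufficient for fixed-priority schedulability."""
    return sum(c / t for _, c, t in tasks)


# Constructed loops, integer milliseconds.
BRAKE = ("brake_loop", 10, 16)     # every 16 ms, needs 10 ms of CPU
PLANNER = ("path_planner", 7, 20)  # every 20 ms, needs 7 ms of CPU

if __name__ == "__main__":
    print(analyse([BRAKE]))               # {'brake_loop': 10}
    print(analyse([PLANNER]))             # {'path_planner': 7}
    print(utilization([BRAKE, PLANNER]))  # 0.975 (under 1)
    print(analyse([BRAKE, PLANNER]))      # {'brake_loop': 10, 'path_planner': None}
```

Alone, the brake loop finishes in 10 ms of its 16 and the planner in 7 ms of its 20. Composed, utilization is 0.975, which passes the naive “under 100 percent” check and also exceeds the Liu and Layland bound for two tasks (about 0.828), so the bound is inconclusive; only the exact analysis shows the planner’s worst case climbing 7, 17, 27 ms against a 20 ms deadline. The same iteration is what you would run to see how much of that slack an attacker-induced load on a shared ECU would consume.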
Active Cyber™: Users of cyber-physical systems such as AV will need to place a high level of trust in the operation of the systems. Given the high degree of complexity of CPS and AV systems, how will trust be measured for such systems and what additional system models and policies – both technological and social – do you feel are needed to underlie this trust relationship?
Dr. Griffor: Trust is a complex that must be the “driver” for any technical notion of trustworthiness. Efforts toward standards and certifications, like those from UL used for electrical safety of ordinary appliances, are one way of building user trust and confidence. The current UL-SAE activity around UL 4600 could ultimately result in a “safety and even a security label” for AVs. I believe that effort is also needed on explainability and risk estimates for ADS – users/operators need actionable information about and from these systems. This risk analysis and communication should cascade through all levels of system function. E.g. if my AV provides a notification that cybersecurity and privacy protection is impaired, I would expect the car not only to attempt to detect and remedy faults, but also to tell me not to use the “Save my Song” function until privacy protection is restored. Successful defense against the consequences of intrusion should include the operator and can have real benefits in a connected world.
Thank you Dr. Griffor for sharing these insights into your team’s research in CPS/AVs at NIST. I am sure your work, including your outreach to industry, will have positive effects on the safety and security of CPS/AVs in the coming years. I also look forward to hearing more about your efforts toward a unified mathematics as they progress, and to any lessons learned with regard to the application of the CPS Framework. And thanks to my subscribers and visitors to my site for checking out ActiveCyber.net! Please give us your feedback because we’d love to know some topics you’d like to hear about in the area of active cyber defenses, PQ cryptography, risk assessment and modeling, autonomous security, digital forensics, securing ICS / IIoT and IoT systems, or other security topics. Also, email firstname.lastname@example.org if you’re interested in interviewing or advertising with us at Active Cyber™.
About Dr. Ed Griffor
Dr. Edward Griffor is the Associate Director for Cyber Physical Systems at the US National Institute of Standards and Technology (NIST). Prior to joining NIST, he served on the Engineering and Mathematical Science research faculties of universities in the US, Europe and South America and as Walter P. Chrysler Technical Fellow and Chair of the Chrysler Technology Council, and represented Sweden to the EU Technical Committee on VLSI. He was named NSF/NATO Fellow in Science and Engineering in 1980. Dr. Griffor holds a Ph.D. in Mathematics from MIT and a European Doctorate in Mathematics and Engineering from the University of Oslo. He is Adjunct Professor of Medicine at the Wayne State University School of Medicine Center for Molecular Medicine and Genetics and Adjunct Professor of Computing and Software at McMaster University. His research spans the fields of Mathematics, Advanced Computing, Biosystem Modeling and Cyber-Physical Systems. Dr. Griffor is a member of the US delegation to the Halden Reactor Safety Project, representative of NIST to the High Confidence Software Systems committee of the US Networking and Information Technology Research and Development Program and member of the INCITS/Artificial Intelligence standardization committee. Dr. Griffor’s current work combines methods of mathematical physics and computing science to provide assurance methods for cyber physical systems, including the safety and security of autonomous systems. He is responsible for the foundations of Cyber-Physical Systems and applications to system trustworthiness, modeling and simulation. His team at the NIST AV Lab has released tools for assessing cyber-physical security in the infrastructure and transportation sectors.