Cyber-Physical Systems Security

Course Description

The goal of this course is to familiarize the student with the elements of automated production systems from both traditional and modern (cyber-physical) perspectives, reflecting the long (20-40 year) asset lifecycles commonly seen in large manufacturing plants in both discrete and process industries.

Traditional industrial control systems (ICS) were built from mechanical and electrotechnical devices in closed (air-gapped) systems, but information technologies and communication protocols are central to modern control systems. Although this increases efficiency and can reduce waste and costs, these changes have made the infrastructures more vulnerable to external attack. Safety and ergonomics are often drivers of automation, but in the era of wide-scale cyber-physical systems, both physical and cognitive ergonomics play a key role: even in highly automated systems, humans are still required to rapidly integrate and interpret information. Confusion (which can be brought about by both physical and cognitive impairments) can be costly, dangerous, and increase an organization’s vulnerability to attack.

As a result, this course will familiarize the student with the terms, definitions, and architecture of Industrial Control Systems (ICS) from the joint perspectives of quality management and cybersecurity. Using hazards, risks, vulnerabilities, threats, and impacts as the basis for understanding, we will explore conceptual frameworks and analytical tools for understanding and managing aspects of cyber-physical industry based on new research. This course is not a deep dive into specific tools, protocols, vulnerabilities, or exploits, but will help the student navigate the industrial environment and its expanding ecosystem of connected components.

This course is broken into four logical modules:

Lesson 1: Introduction to Industrial Control Systems
Lesson 2: Critical Infrastructure & Smart Cities
Lesson 3: Managing Security, Safety, and Risk
Lesson 4: Physical and Cognitive Ergonomic

Learning Objectives

Explain how cybersecurity contributes to quality and innovation
Describe the history of industrial automation from ancient times, to the first industrial revolution, through Industry 4.0 and the roles of industrial control systems (ICS) – including machine to machine communications (M2M), Cyber-Physical Systems (CPS), and Internet of Things (IoT)
Identify the components of industrial control systems (RTU, PLC, SCADA, HMI, SIS, DCS)
Explain the relationships between risk identification, risk management, hazard analysis, safety, and security on multiple levels (physical, hardware, software, and services)
Describe and use management models for industrial cybersecurity, in particular, how to apply them in an industrial context: C2M2, Baldrige Cybersecurity Excellence Builder, NIST Cybersecurity Framework
Apply common top-down (FMEA/RPN, FTA, Ishikawa) and bottom-up risk management tools (PHA, FMECA, HAZOP, HCCP) used in process industries and discrete production
Apply quality cost models to determine whether automation process improvements are effective
Describe how principles of physical and cognitive ergonomics influence security and performance
Apply objective and subjective measures (e.g. time, error rates, NASA TLX) and common analysis methods (Chi-square, Mann-Whitney U, Spearman rank correlation) for empirical studies of cognitive aspects of industrial HMIs

Prerequisites

No previous experience with or understanding of industrial control systems is required
A foundational understanding of statistical inference would be helpful for the ergonomics labs

Course materials

Readings are selected from:

Groover, M. P. (2016) Automation, Production Systems, & Computer-Integrated Manufacturing, 4th Ed. (http://amzn.to/2igGVKU)
Hoeller, J. et al. From Machine-to-Machine to the Internet of Things: Introduction to a New Age of Intelligence (http://amzn.to/2igSxxd)
Macaulay & Singer (2011) Cybersecurity for Industrial Control Systems: SCADA, DCS, PLC, HMI, and SIS. (http://amzn.to/2iNzU1b)

Homework Assignments and Labs

Modules 1 and 2 cover foundational information. Modules 3 and 4 address topics that are more applied in nature, and are accompanied by 8 lab exercises to help students synthesize the information into practical, actionable knowledge that will improve their performance as cybersecurity professionals. The labs correspond to, and are labeled with, the lesson IDs:

Lab 3B: Risk Analysis and Prioritization
Lab 3C: The NIST Cybersecurity Framework
Lab 3D: The Baldrige Cybersecurity Excellence Builder (BCEB)
Lab 3F: Hazard Analysis with PHA/What-if and HAZOP
Lab 3H: Quality Costs Analysis
Lab 4D: Hicks Law and the Nature of Choice
Lab 4E/4F: Ergonomic HMI Design
Lab 4D/4G: Fitts Law

Exams

There are four exams, each of which consists of 8 short-answer questions. Each exam is designed to be completed in a 90-minute session, but if less time is available, the instructor can request can the student choose 5 questions (for a 50-minute exam period) or 6 questions (for a 60-minute exam period).

Recommended Grading

The student’s grade in this course is based on one exam for each module and 8 lab exercises that synthesize the concepts from all modules: