Computation is everywhere. Greeting cards have processors that play songs. Fireworks have processors for precisely timing their detonation. Computers are in engines, monitoring combustion and performance. They are in our homes, hospitals, offices, ovens, planes, trains, and automobiles. These computers, when networked, will form the Internet of Things (IoT). The resulting applications and services have the potential to be even more transformative than the World Wide Web. The security implications are enormous. Internet threats today steal credit cards. Internet threats tomorrow will disable home security systems, flood fields, and disrupt hospitals. The root problem is that these applications consist of software on tiny low-power devices and cloud servers, have difficult networking, and collect sensitive data that deserves strong cryptography, but usually written by developers who have expertise in none of these areas. The goal of the research is to make it possible for two developers to build a complete, secure, Internet of Things applications in three months. The research focuses on four important principles. The first is "distributed model view controller." A developer writes an application as a distributed pipeline of model-view-controller systems. A model specifies what data the application generates and stores, while a new abstraction called a transform specifies how data moves from one model to another. The second is "embedded-gateway-cloud." A common architecture dominates Internet of Things applications. Embedded devices communicate with a gateway over low-power wireless. The gateway processes data and communicates with cloud systems in the broader Internet. Focusing distributed model view controller on this dominant architecture constrains the problem sufficiently to make problems, such as system security, tractable. The third is "end-to-end security." Data emerges encrypted from embedded devices and can only be decrypted by end user applications. Servers can compute on encrypted data, and many parties can collaboratively compute results without learning the input. Analysis of the data processing pipeline allows the system and runtime to assert and verify security properties of the whole application. The final principle is "software-defined hardware." Because designing new embedded device hardware is time consuming, developers rely on general, overkill solutions and ignore the resulting security implications. The data processing pipeline can be compiled into a prototype hardware design and supporting software as well as test cases, diagnostics, and a debugging methodology for a developer to bring up the new device. These principles are grounded in Ravel, a software framework that the team collaborates on, jointly contributes to, and integrates into their courses and curricula on cyberphysical systems.

Security and privacy concerns in the increasingly interconnected world are receiving much attention from the research community, policymakers, and general public. However, much of the recent and on-going efforts concentrate on security of general-purpose computation and on privacy in communication and social interactions. The advent of cyber-physical systems (e.g., safety-critical IoT), which aim at tight integration between distributed computational intelligence, communication networks, physical world, and human actors, opens new horizons for intelligent systems with advanced capabilities. These systems may reduce number of accidents and increase throughput of transportation networks, improve patient safety, mitigate caregiver errors, enable personalized treatments, and allow older adults to age in their places. At the same time, cyber-physical systems introduce new challenges and concerns about safety, security, and privacy. The proposed project will lead to safer, more secure and privacy preserving CPS. As our lives depend more and more on these systems, specifically in automotive, medical, and Internet-of-Things domains, results obtained in this project will have a direct impact on the society at large. The study of emerging legal and ethical aspects of large-scale CPS deployments will inform future policy decision-making. The educational and outreach aspects of this project will help us build a workforce that is better prepared to address the security and privacy needs of the ever-more connected and technologically oriented society. Cyber-physical systems (CPS) involve tight integration of computational nodes, connected by one or more communication networks, the physical environment of these nodes, and human users of the system, who interact with both the computational part of the system and the physical environment. Attacks on a CPS system may affect all of its components: computational nodes and communication networks are subject to malicious intrusions, and physical environment may be maliciously altered. CPS-specific security challenges arise from two perspectives. On the one hand, conventional information security approaches can be used to prevent intrusions, but attackers can still affect the system via the physical environment. Resource constraints, inherent in many CPS domains, may prevent heavy-duty security approaches from being deployed. This proposal will develop a framework in which the mix of prevention, detection and recovery, and robust techniques work together to improve the security and privacy of CPS. Specific research products will include techniques providing: 1) accountability-based detection and bounded-time recovery from malicious attacks to CPS, complemented by novel preventive techniques based on lightweight cryptography; 2) security-aware control design based on attack resilient state estimator and sensor fusions; 3) privacy of data collected and used by CPS based on differential privacy; and, 4) evidence-based framework for CPS security and privacy assurance, taking into account the operating context of the system and human factors. Case studies will be performed in applications with autonomous features of vehicles, internal and external vehicle networks, medical device interoperability, and smart connected medical home.

Smart grid includes two interdependent infrastructures: power transmission and distribution network, and the supporting telecommunications network. Complex interactions among these infrastructures lead to new pathways for attack and failure propagation that are currently not well understood. This innovative project takes a holistic multilevel approach to understand and characterize the interdependencies between these two infrastructures, and devise mechanisms to enhance their robustness. Specifically, the project has four goals. The first goal is to understand the standardized smart grid communications protocols in depth and examine mechanisms to harden them. This is essential since the current protocols are notoriously easy to attack. The second goal is to ensure robustness in state estimation techniques since they form the basis for much of the analysis of smart grid. In particular, the project shall exploit a steganography-based approach to detect bad data and compromised devices. The third goal is to explore trust-based attack detection strategies that combine the secure state estimation with power flow models and software attestation to detect and isolate compromised components. The final goal is to study reconfiguration strategies that combine light-weight prediction models, stochastic decision processes, intentional islanding, and game theory techniques to mitigate the spreading of failures and the loss of load. A unique aspect of smart grid security that will be studied in this project is the critical importance of timeliness, and thus a tradeoff between effectiveness of the mechanisms and the overhead introduced. The project is expected to provide practical techniques for making the smart grid more robust against failures and attacks, and enable it to recover from large scale failures with less loss of capacity. The project will also train students in the multidisciplinary areas of power systems operation and design, networking protocols, and cyber-physical security.

Strategic decision-making for physical-world infrastructures is rapidly transitioning toward a pervasively cyber-enabled paradigm, in which human stakeholders and automation leverage the cyber-infrastructure at large (including on-line data sources, cloud computing, and handheld devices). This changing paradigm is leading to tight coupling of the cyber- infrastructure with multiple physical- world infrastructures, including air transportation and electric power systems. These management-coupled cyber- and physical- infrastructures (MCCPIs) are subject to complex threats from natural and sentient adversaries, which can enact complex propagative impacts across networked physical-, cyber-, and human elements. We propose here to develop a modeling framework and tool suite for threat assessment for MCCPIs. The proposed modeling framework for MCCPIs has three aspects: 1) a tractable moment-linear modeling paradigm for the hybrid, stochastic, and multi-layer dynamics of MCCPIs; 2) models for sentient and natural adversaries, that capture their measurement and actuation capabilities in the cyber- and physical- worlds, intelligence, and trust-level; and 3) formal definitions for information security and vulnerability. The attendant tool suite will provide situational awareness of the propagative impacts of threats. Specifically, three functionalities termed Target, Feature, and Defend will be developed, which exploit topological characteristics of an MCCPI to evaluate and mitigate threat impacts. We will then pursue analyses that tie special infrastructure-network features to security/vulnerability. As a central case study, the framework and tools will be used for threat assessment and risk analysis of strategic air traffic management. Three canonical types of threats will be addressed: environmental-to-physical threats, cyber-physical co-threats, and human-in-the-loop threats. This case study will include development and deployment of software decision aids for managing man-made disturbances to the air traffic system.

Many critical infrastructures, such as the power grid, are complex cyber physical systems (CPS). Protecting these systems against cyber-attacks is of paramount importance to national security and economic well-being. Risk assessment considering cyber-attacks against critical infrastructures is not well understood due to ever growing, dynamic threat landscape coupled with complex cyber-physical interactions in these systems. In addition, there is a compelling need to create environments in which realistic attack-defense experiments (including risk assessment and risk mitigation) and training exercises can be safely conducted to advance the science and workforce development in this important area of national need. This project has two key goals: (1) the short-term goal is to design, develop, and demonstrate a cyber defense exercise for improving the security of CPS systems in alignment with the NIST/US Ignite Global Cities Team Challenge; and (2) the long-term goal is to explore fundamental models and algorithms for cyber risk assessment and mitigation. The project makes synergistic federation of three existing security testbeds hosted at Iowa State University and the University of Southern California to create a realistic environment for conducting CPS security experimentation and security preparedness and training exercise, like the North American Reliability Corporation (NERC) GridEx. The intellectual merit of the project lies in two key contributions: (i) realistic experimentations on CPS security testbed federation, and (ii) the development of a novel methodology for cyber risk modeling of CPS systems. The broader impacts of the project lie in developing realistic attack-defense scenarios and learning/training modules that enable academic researchers, students, and industry practitioners to systematically understand, analyze, and improve the security and resiliency of critical infrastructures.

The focus of this project is on creating new techniques for understanding population analytics over a space of interest, e.g., a shopping mall, a busy street, or an entire city. Knowledge of population behavior important for many applications. For instance, knowledge of which are the busy corners of city sidewalk can provide city planners with input on where to invest city resources. Knowledge of where people congregate in a shopping mall allows officials to plan where to provide useful services, e.g., information kiosks, floor plans, and more. The process of gathering population analytics today is tedious -- some stores and shops use manual people counters to track how many persons are entering wireless technologies. The technical contributions of this project are two-fold. First, it is attempting to reduce the complexity of determining location of people by reducing the number of infrastructure points needed. Second, automated approaches to population analytics are fraught with privacy concerns, and this project is examining techniques that mitigate such concerns. Personnel involved in this project will be trained in significant technical skills across a broad set of domains including wireless technologies, privacy techniques, and machine learning. To demonstrate the feasibility of this project, the PI team is deploying a version of the system in an urban downtown area of Madison, WI. The team is collaborating with a number of local partners -- the city of Madison, the University of Wisconsin Bookstore, 5NINES (a local Internet Service Provider), and a few local participants. Together they are entering this technology demonstration as part of the Global City Teams Challenge being hosted by NSF and NIST.

Device authentication and identification has been recently cited as one of the most pressing security challenges facing the Internet of things (IoT). In particular, the open-access nature of the IoT renders it highly susceptible to insider attacks. In such attacks, adversaries can capture or forge the identity of the small, resource constrained IoT devices and, thus, bypass conventional authentication methods. Such attacks are challenging to defend against due to the apparent legitimacy of the adversaries' devices. The primary goal of this research is to overcome this challenge by developing new authentication methods that supplement traditional security solutions with cyber-physical fingerprints extracted from the IoT devices' environment. This project will develop a novel machine learning framework that enables the IoT to dynamically identify, classify, and authenticate devices based on their cyber-physical environment and with limited available prior data. This will result in the creation of environment-based IoT device credentials that can serve as a means of attestation, not only on the legitimacy of a device's identity, but also on the validity of the physical environment it claims to monitor and the actions it claims to be performing over time. The framework will also encompass an experimental IoT software platform that will be built to validate the proposed research. Owing to a partnership with the NIST Global City Teams Challenge (GCTC) project "Bringing Internet of Things Know-How to High School Students", a collaboration with IoT-DC, Arlington County, VA, and other entities, the proposed research will train high school students, STEM educators, and a broad community on a variety of research topics that will include IoT security, cyber-physical systems, and data analytics. The broader impacts will also include the creation of an interdisciplinary workforce focused on securing tomorrow's smart cities.

The electric power grid is a complex cyber-physical system (CPS) that forms the lifeline of modern society. Cybersecurity and resiliency of the power grid is of paramount importance to national security and economic well-being. CPS security testbeds are enabling technologies that provide realistic experimental platforms for the evaluation and validation of security technologies within controlled environments, and they also enable the exploration of robust security solutions. The project has two objectives: (a) to develop innovative architectures, abstractions, models, and algorithms for large-scale CPS security testbeds; and (b) to design and implement a high-fidelity, scalable, open-access CPS security testbed for the smart grid, and to conduct research experimentation. The testbed integrates appropriate cyber-control-physical hardware/software components, models, and algorithms in a modular design that enables federation of smaller testbeds to form a large-scale virtual experimental environment. The use cases for the testbed include vulnerability assessment, risk assessment, risk mitigation studies, and attack-defense exercises. The project also aims to develop standardized datasets, models, libraries, and use cases, and make the testbed available to a broader research community through an open-, remote-access model by leveraging collaboration from academic and industry partners. Besides contributing to research and technology that will enable a future electric power grid that is secure and resilient, this project develops and disseminates innovative curriculum modules including CPS Cyber Defense Competitions (CPS-CDC) for imparting security knowledge to students via an inquiry-based learning paradigm. The project also mentors students, including underrepresented minorities, in thesis work and Capstone projects, and exposes high-school students to cybersecurity concepts via testbed demonstrations.

Programs describe successions of actions to be performed by computers. Unfortunately programmers make errors which are exploited by attackers to divert program actions from their goals. Accordingly, program actions must be checked to be always safe and secure. Program security starts with the definition of which actions might be insecure and when they are bad. Insecure actions cannot be always forbidden as for safety. This project formalizes the concept of responsibility analysis. Responsibility analysis aims at determining automatically which program entities cause bad insecure actions to happen. This is possible by examining the program text only, because this text precisely describes all possible actions that can happen when later running a program. Based on an operational semantics of programs, the project formally defines semantic responsibility as the most precise way of locating the possible origin of bad actions. A sound static responsibility analysis will be designed by abstract interpretation of this operational semantics, on top of traditional safety analyses of C programs. A prototype static responsibility analyzer will be built to check for the security of cyber-physical systems (given bad actions and a security policy). The result of the analysis will be used to check that all entities responsible for bad actions are duly authorized (or the security policy is wrong). This tool will help programmers to soundly cure potential vulnerabilities at program design time as opposed to present-day post-mortem remedies after those attacks on programs that get detected. This would be a breakthrough at the confluence of cyber security, privacy, and cyber-physical systems.

The evolution of manufacturing systems from loose collections of cyber and physical components into true cyber-physical systems has expanded the opportunities for cyber-attacks against manufacturing. To ensure the continued production of high-quality parts in this new environment requires the development of novel security tools that transcend both the cyber and physical worlds. Potential cyber-attacks can cause undetectable changes in a manufacturing system that can adversely affect the product's design intent, performance, quality, or perceived quality. The result of this could be financially devastating by delaying a product's launch, ruining equipment, increasing warranty costs, or losing customer trust. More importantly, these attacks pose a risk to human safety, as operators and consumers could be using faulty equipment/products. New methods for detecting and diagnosing cyber-physical attacks will be studied and evaluated through our established industrial partners. The expected results of this project will contribute significantly in further securing our nation's manufacturing infrastructure. This project establishes a new vision for manufacturing cyber-security based upon modeling and understanding the correlation between cyber events that occur in a product/process development-cycle and the physical data generated during manufacturing. Specifically, the proposed research will take advantage of this correlation to characterize the relationships between cyber-attacks, process data, product quality observations, and side-channel impacts for the purpose of attack detection and diagnosis. These process characterizations will be coupled with new manufacturing specific cyber-attack taxonomies to provide a comprehensive understanding of attack surfaces for advanced manufacturing systems and their cyber-physical manifestations in manufacturing processes. This is a fundamental missing element in the manufacturing cyber-security body of knowledge. Finally, new forensic techniques, based on constraint optimization and machine learning, will be researched to differentiate process changes indicative of cyber-attacks from common variations in manufacturing due to inherent system variability.