This is the 43rd article in the “Real Words or Buzzwords?” series about how real words become empty words and stifle technology progress.
By Ray Bernard, PSP, CHS-III
Electronic physical security systems are cyber-physical systems, and we must update our security design thinking to include what “cyber-physical system” means given the rapid advance of computing and networking technologies.
In the previous Real Words or Buzzwords article – Cyberspace (Part 1) – I provided a high-level descriptive definition of a cyber-physical system from Dr. Edward Lee’s Ptolemy Project at the University of California at Berkeley, which I have expanded slightly by my insertion of examples:
“A cyber-physical system (CPS) is an integration of computation with physical processes. Embedded computers and networks (such as in a vehicle, vacuum cleaner, manufacturing line, robotic surgery system, or city traffic management system) monitor and control the physical processes, usually with feedback loops where physical processes affect computations and vice versa.”
In the May 2018 issue of Security Dealer and Integrator magazine (since rebranded Security Business), Joe Gittens, Director of Standards for the Security Industry Association (SIA), in his article titled, “NIST’s Cyber-Physical Systems (CPS) Framework: A closer look”, wrote, “CPS are more than individual devices or systems – they are systems of systems, and physical security integrators will play a key role in deploying security services that fit harmoniously into a CPS approach.”
To me this was the most important sentence in the article, which discussed cybersecurity for physical security systems, which Gittens stated is a key focus of the Cyber:Secured Forum annual event presented by ISC, PSA Security Network and SIA.
Systems of Systems
Today’s automobiles are good examples of systems of systems. When you see the list, you’ll realize that the auto industry has been working on computing-based vehicle capabilities for several decades. Here are 19 of the many computer-controlled systems, excluding the major electric and hybrid vehicle systems and many autonomous driving systems:
- Airbag system
- Anti-lock braking systems (ABS)
- Automatic windshield wipers
- Backup camera
- Battery management system
- Blind spot monitor
- Cruise control
- Dashboard electronic instrument cluster
- Electronic fuel injection
- Electronic Ignition
- Engine control unit (ECU)
- Entertainment systems
- Power door locks
- Rear-view mirror data display
- Self-dimming headlights
- Self-retracting side-view mirrors
- Tire pressure monitoring system
- Transmission control module
The dashboard electronic instrument cluster itself a good example of a system of systems. It’s displays depict or present the data provided by many systems, one such system being the wireless tire sensor system. Pirelli, an Italian tire company who is a leader in premium and prestige automobile and motorcycle tires, makes such a system, which they call the “Cyber Tyre”.
Microsoft Research provides an interesting high-level technical look at the system, in a 2016 video presentation by Anurag Kumar, Director of the Indian Institute of Science, titled, “Cyber Physical Systems (CPS) over IoT: Inference and Control over Resource Challenged Wireless Networks.” Think of the design challenges involved in taking a sensor that is smaller than a one-half inch cube affixed to the inside of a tubeless tire, and must accurately measure the tire pressure while the tire is bouncing along on a road at 60 miles per hour (10 revolutions per second) and must transmit the tire pressure data to the dashboard’s electronic instrument cluster and/or the car’s electronic control unit.
In his presentation, Kumar describes the future vision for the tire sensor system, which includes reporting not only tire pressure, but also temperature, tire wear, revolutions and providing an imminent failure alert. Furthermore, the system must provide driver decision support including road conditions (slippery, dry, wet, icy) and inform drive train and braking control. Ideally, another system will harvest the motion from the tire and axle, eliminating the need to change the car battery.
It’s a system that collects information and provides it to other systems, all of whom evaluate that and other data collected from multiple systems, and continually updates its digital twin of the vehicle, so as to support automated vehicle management as well as provide driver decision support.
This kind of thinking is nothing new for the auto industry. In my original automotive design engineering role, we had systems thinking drummed into us. When determining the performance requirements of a spring for a passenger compartment’s ashtray lid (no longer a vehicle feature), we’d have to consider the forces operating on the ashtray lid. That included a driver slamming on the brakes, a tire running over a bump or a hole in the road, or a collision impact. All of these had different force dynamics affecting the ash tray, and we had to make sure that the ashtray would remain closed during all of them, so that a still-burning cigarette butt wouldn’t be thrown out of the ashtray and land on the upholstery or carpeting, starting a vehicle fire.
Security Design Thinking
This kind of systems thinking is decades old in the auto industry, but not in the physical security industry. That’s only natural, given the history of security product development and what was feasible to accomplish with earlier technologies.
Now, given the advancement of computing, data processing and related information technology trends, we must update our system design thinking to encompass capabilities and address risks that never before could be considered. This is especially important given the emergence of modern artificial intelligence technologies, IoT, and today’s Internet capabilities.
What does it mean to cyber-enable our physical security operations? That is a question that many of the new AI firms are answering, although they have been keeping those answers under wraps as most of them have been in “stealth mode” for the past few years while they develop and validate their concepts.
Milestone revealed this year that they have an R&D division that’s primarily focused on AI. Milestone Systems unveiled an R&D project that uses AI deep learning to configure video cameras in real time, optimizing their performance based on real-time lighting and other conditions to ensure that the camera is always performing optimally for its specific purpose. See the demonstration video here.
Our security design thinking must change in many ways, including how we think about intelligent devices. Milestone wants to gather camera and AI partners who can help each camera accomplish its mission.
Each intelligent device is a system unto itself. For example, a camera is a sensor system that can provide metadata about what it sees in its field of view, in three dimensions, and provide that information via an API. It contains a web server for manual configuration capabilities and to support the API transactions.
A camera is its own system and can also acts as a part of other systems, such as a security surveillance system a city traffic management system, and a retail store customer behavior tracking system.
This is a novel idea, that devices will have a mission, a role, and active responsibilities within a larger system. They must take direction from a larger system and serve the overall mission and purpose.
This is the vision that Milestone and several of the emerging AI companies have, but overall as designers and employers of modern systems-based technologies, we haven’t fully grasped what this means and thus neither have our customers.
Betamax In a Streaming World
We haven’t fully grasped the implications of the systems of systems concept, including its implications for cybersecurity. Watch the 20-minute June 2019 video in the article titled, “Video: How organizations are coping with today’s cyber-physical security threats”, from Verint’s recent Engage 19 event in Orlando. SecurityInfoWatch.com Editor-in-Chief Joel Griffin sat down with Valerie Thomas, Executive Consultant at Securicon, Eric Michaud, CEO and Founder of Rift Recon, Joe Luna, Founding Partner at Furtim, and Terry Gold, Principal Analyst at D6 Research, to discuss where organizations stand when it comes to protecting physical security systems against cyber threats as well as other cybersecurity trends impacting enterprises today.
Terry Gold starts the discussion off with a description of the state of physical security industry product and system architecture, acknowledging that the security industry is no longer ignoring IT and cybersecurity issues. However, there is still a long way to go, as many industry companies are coming out with a new feature here and there, but still don’t understand how poor the commonly accepted architectures are. Gold stated, “Right now we have an architecture in physical security that’s a wall-to wire, 30-to-40-year old architecture, and we have companies basically coming out with a new feature here and a new feature there, but it’s still Betamax. It’s like Betamax in a streaming world.”
Making Real Progress
The industry won’t make real progress unless we: (a) understand what today’s technologies are capable of and where they are going, and (b) learn from what other industries are doing so that we don’t waste time and money re-inventing the wheel.
Before we can continue with the cyberspace series of articles, we need to finish our examination of cyber-physical systems, because these are now Internet-connected and part of cyberspace. Not the original cyberspace as we first learned of it, which for its first decade had connection points numbering in the hundreds of thousands, none of them cyber-physical. The new cyberspace now has connection points in the billions, many of them cyber-physical and stemming from the Internet of Things (IoT), including our security systems.
We need to understand the design concepts of full-blown cyber-physical systems, not just the kind of security products and systems we have now, which are “baby” systems compare to, for example, self-driving cars and city-wide traffic management systems. We have to explore the possibilities of using IoT technology, not just being labelled as such, so we can answer questions like these:
- What would it look like to fully cyber-enable our physical security operations?
- How could we detect and respond to cyber-enabled adversaries?
- How can a security department provide technology systems that are the systems within other company systems such building automation systems and business operations ?
We’ll answer these questions in the upcoming articles.
I have put together an outstanding panel of experts, including Terry Gold, which I’m moderating for a special session at the September ASIS GSX event in Chicago. Here is a short description of that session.
The Flat and the Furious
Session # 6210 on Wednesday, September 11 from 2:15 p.m to 3:15 p.m.
Global cyber-physical gamers can seriously kick your assets and disappear into thin air! Thomas Friedman’s best-selling book – The World is Flat – doesn’t mention cyber-risk or the Internet of Things. Yet today our super-flattened physical world is cyber-activated with over 23 billion cyber-physical touchpoints.
Being furious in the cyber world has levels of energy, violence and intensity of scale and speed that you don’t want coming at your physical world assets. Don’t have your security cameras hijacked and weaponized for cyber-attacks, or your factory machinery or cars going wild. Cyber-physical experts (security, insurance and technology) explain where cyber-physical threats and counter-measures are going and how you can and must cover your assets now.
I hope to see you there.
Ray Bernard, PSP CHS-III, is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides security consulting services for public and private facilities (www.go-rbcs.com). In 2018 IFSEC Global listed Ray as #12 in the world’s Top 30 Security Thought Leaders. He is the author of the Elsevier book Security Technology Convergence Insights available on Amazon. Mr. Bernard is a Subject Matter Expert Faculty of the Security Executive Council (SEC) and an active member of the ASIS International member councils for Physical Security and IT Security. Follow Ray on Twitter: @RayBernardRBCS.
© 2019 RBCS