HL Chronicle of Data Protection Privacy & Information Security News & Trends
Posted in Consumer Privacy, Cybersecurity & Data Breaches

NIST Releases Discussion Draft on Cyber-Physical Systems Framework

This week, the National Institute of Standards and Technology (NIST) released a preliminary discussion draft of its Framework for Cyber-Physical Systems. The draft has an ambitious goal: to create an integrated framework of standards that will form the blueprint for the creation of a massive interoperable network of cyber-physical systems (CPS), also known as the “Internet of Things.” In 2014, NIST established the cyber-physical systems public working group (CPS PWG)—an open public forum which includes representatives from government, industry, and academia—to develop the CPS framework. By creating a common framework at an early stage of the Internet of Things, the CPS PWG hopes to ensure the development of a secure, integrated, and interoperable ecosystem of connected devices. The CPS PWG will continue to solicit input as it refines the draft and works to finalize the framework for use in multiple industry sectors.

The draft defines CPS as “smart systems that include co-engineered interacting networks of physical and computational components.” CPS includes systems, structures, and objects as diverse as smart power grids, self-driving cars, and prescription medicine containers that automatically order refills when pills are running low.

The discussion draft aims to integrate the work of five different CPS PWG sub-groups: cybersecurity and privacy, data interoperability, reference architecture, and use cases. In order to develop a unifying framework applicable to the universe of unique dimensions of CPS, the CPS PWG developed three interrelated lines of analysis: Domains, Facets, and Aspects.

  • Domains: the environments in which CPS are deployed. Example domains include manufacturing, transportation, energy, and healthcare, among many others. At the foundation of each domain there are individual devices, such as sensors and actuators. Coordinating these devices are multiple layers of systems, which gather and analyze data, coordinate the activities of various devices, and manage the operation of entire systems. For example, a self-driving car is an individual device. But it is also a collection of sensors and systems that allow it to move autonomously, as well as an individual unit of a larger system: perhaps a smart traffic grid that senses local traffic patterns and controls traffic signals to optimize the flow of cars.
  • Facets: the functional requirements that allow CPS to operate. The draft defines three facets. “System” describes what things are supposed to do and how they should work. “Engineering” describes how things should be made and how they should operate. “Assurance” describes how to prove that things work the way that they are intended.
  • Aspects: the cross-cutting concerns that apply to all facets and all domains of CPS. The preliminary discussion draft identifies six aspects: performance, risk, timing and synchronization, data interoperability, life cycle, and topology. These common aspects are designed to highlight the interrelationships between different characteristics of devices, such as cybersecurity, privacy, safety, and reliability. The authors hope that this will allow designers to implement a risk management approach that emphasizes these complex interactions, while allowing them the freedom to customize devices to the specific needs of a particular environment.

In the coming weeks, CPS PWG subgroups will hold a series of virtual meetings in advance of the group’s second in-person meeting, which will take place on April 7–8 in Gaithersburg, MD. The group will continue to refine the discussion draft, building on input from public stakeholders, and will begin to develop a roadmap for finalizing the current draft. The CPS PWG aims to release a completed framework and roadmap sometime in 2016.

NIST’s efforts come amid growing attention from policymakers to the Internet of Things. Earlier this year, the FTC released a staff report on the Internet of Things, providing guidance for industry on privacy, security, and consumer protection principles. On Capitol Hill, the Senate Committee on Commerce, Science, and Transportation held its first hearing on the subject in February.