Navy-funded research to integrate security and real-time embedded systems

ITI Research Scientist Sibin Mohan was recently awarded a three-year, $600,000 grant from the Office of Naval Research to work on integrating security into embedded real-time systems in a fundamental way.

Both of these fields, security and real-time systems, have been quite disjointed for a long time, Mohan said. Too few people have looked at integrating security into real time systems. People usually try to take existing security systems and retrofit it into whatever domain they're working in.

Embedded real-time systems are used for the monitoring and control of physical systems and processes in a variety of areas, including aircrafts, vehicles, power plants, submarines, water systems or industrial plants. Previously, these systems were isolated and not connected to each other, which protected them from cyber attacks. However, such systems are becoming increasingly interconnected, sometimes through the use of unsecured networks, such as the Internet.

About 10 years ago, nobody really cared if real-time systems were secure or not because they were quite limited in what they could do, Mohan said. These days, you open the hood of a car and it's very complicated and there's increased capabilities and more interconnections between the systems. For instance, your car is connected to your phone, which is connected to the Internet and the car itself has numerous network connections like GPS and Bluetooth. This means there is a lot more potential for people to attack real-time systems and attackers can gain a lot from hacking into them.

The danger with lax security in these systems is that if someone hacks into a real-time system, it can potentially result in a lot of real damage. For example, someone hacking into a car's braking or engine system could cause a high-speed car accident on the highway, while a power plant hacker could instigate a large-scale grid failure or meltdown.

According to Mohan, the problem is that each of these real-time systems, whether in an airplane or a water treatment plant, are specialized and have their own set of constraints, so existing security systems don't always work effectively.

Mohan will be focusing on studying the threat landscapes for real-time systems to see what potential security problems exist and then work to gain an understanding of the underlying nature of such problems across domains. Mohan is aiming to incorporate security into the design of these systems at a fundamental level.

We want to know enough about the different landscapes, so that we can give people ideas about how to approach this problem, Mohan said. We won't be able to solve all the problems or develop all the solutions in three years, but hopefully we can use this as a model to do further development.

Mohan is working with ITI researcher and CSL faculty member Rakesh Bobba and ITI Director David Nicol on this project, along with Rodolfo Pellizzoni of the University of Waterloo.

The team will first work to understand and classify current and emerging threat landscapes for such systems, as well as develop algorithms and appropriate security mechanisms. They will also analyze and evaluate the effectiveness of the proposed mechanisms.

Their colleagues at the University of Waterloo will put together a demonstration platform to show how the attacks can happen on, for example, a UAV, and will build demos with the team's newly developed security measures in place to show how their algorithms and models could help prevent attacks.

The team that we have has a really good set of complementary expertise, Mohan said. With our complementary skills, I think we can tackle this problem better because when you want to design a system from the ground up to be real time and security aware, you can't just say ‘I'll do one and someone else will do the other later.' We're trying to actually work on the two sides in a more cohesive fashion.