CCC Council Member Kevin Fu from the University of Michigan contributed to this post.
On April 12th, the Computing Community Consortium (CCC) and MForesight: Alliance for Manufacturing Foresight (MForesight), in conjunction with the House Manufacturing Caucus, held a Congressional briefing on Cybersecurity for Manufacturers that highlighted the outcomes of the March workshop of the same name and discussed the challenges to cybersecurity and potential next steps for its improvement in the U.S. manufacturing space.
The briefing featured members of the CCC and MForesight, as well as experts from government, academia, and the private sector:
- Ann Drobnis, CCC Director
- Robert Frazier, Lockheed Martin
- Kevin Fu, University of Michigan/CCC Council Member
- Sridhar Kota, University of Michigan/MForesight Director
- Kirk McConnell, Senate Armed Services Committee
- Michael Russo, GLOBALFOUNDRIES/MForesight Chair of Executive Committee
The panel stressed the need for a national initiative to address R&D challenges and opportunities, technology implementation across the supply chain, and policy considerations. The R&D section offers a research agenda to develop computational tools and testbeds for cybersecurity assessment, validation, verification and threat prevention in seven areas:
- Automated risk assessment and detection tools
- Robust part validation technology
- Tools to audit the extent of attack
- Testbeds to safely prototype and test new IT and OT
- Development of a reference architecture with cross-cutting applicability
- Cyber range to test component- and system-level vulnerabilities, train teams, act as a sandbox for new ideas and provide a “cyber autopsy” capability
- Decoys for intelligence gathering; prioritizing and sharing intelligence
The NIST Cybersecurity Framework explains that one cannot effectively control cybersecurity risks until after establishing a way to safely assess risk and detect threats in an automated fashion. The old way of conducting assessment relies on the art form of penetration testing, which does not scale, depends on human labor, and does not provide continuous assessment. Research and development is needed to create technology that can replace penetration testing with continuous, automated assessment that is safe when used on Operational Technology.
One of the greatest challenges to cybersecurity of manufacturing is the lack of testability. The problem is that many security issues arise at interfaces of interoperable components, often from different manufacturers. Whereas the National Highway Traffic Safety Administration (NHTSA) and the Nevada National Security Test Site have end-to-end facilities for testing crashworthiness of vehicles and survivability of systems, respectively, there is no analogue for cybersecurity of manufacturing. Large OEMs have the means to create entire test factory floors, but even such a facility will not suffice to gain reasonable cybersecurity assurance of the interoperable components in a realistic, messy environment. The federal government can play an important role in coordinating the construction of infrastructure for testing facilities that span multiple manufacturers and universities.
To learn more about the briefing, view the summary here. Video recordings coming soon!