NIST's Cyber-Physical Systems (CPS) Framework: A closer look

May 17, 2018
Digital, analog, physical and human components interact for complete cybersecurity

Any major discussion on cybersecurity over the past five years has cited the National Institute of Standards and Technology (NIST) Cybersecurity Framework, a compendium of standards, guidelines and best practices to manage and mitigate cyber risk. This framework has gone a long way toward shaping how the private sector – including the physical security industry – addresses cybersecurity challenges; however, one of its “shortfalls” is that physical security practitioners often are not looking at cybersecurity through an IT-centric lens.

While the IT and physical security communities are working toward the same goals, their approaches, terminology and incentives are often not aligned. NIST addresses much of this misalignment through its new Cyber-Physical Systems (CPS) Framework and will share insights from the framework at the upcoming Cyber:Secured Forum, June 4-6 in Denver. 

CPS comprise interacting digital, analog, physical and human components through integrated logic and physics. Since there are many “standalone” cyber and physical systems, CPS are more general than what is referred to as the Internet of Things – for example, autonomous automobile systems, medical monitoring systems, smart grids and smart cities.

With these examples in mind, it is easy to see how video, identity and other traditional physical security disciplines are poised to play a massive role in the increasing adoption of CPS applications. CPS are more than individual devices or systems – they are systems of systems, and physical security integrators will play a key role in deploying security services that fit harmoniously into a CPS approach.

The point of a CPS approach is to bring various communities who are well versed in their disciplines together in order to improve overall security. The NIST CPS Framework provides a unified cyber-physical approach to security and, more generally, to trustworthiness.

At the Cyber:Secured Forum – presented by the Security Industry Association, PSA Security Network and ISC Security Events with media sponsor SD&I – the NIST Smart Grid and CPS Program Office and other contributors to the CPS Framework, including researchers and partner federal agencies such as the U.S. Department of Homeland Security, will provide the physical security industry with a more robust understanding of the CPS and cybersecurity frameworks, the differences between the two, the role of standards, how to implement a cyber and physical approach to CPS inputs like cameras, video management systems and identity management software, and how to approach unified assurance cases at the device, system and system of systems levels.

The forum is meant to be a two-way conversation: while physical security should “learn” how it fits into the CPS framework, CPS itself faces unique security threats that can be solved through deployment and integration of physical security controls. Prioritization of security signals, for instance, with emphasis on signals and controls geared toward life safety, is an area where physical security has a wealth of knowledge and can contribute to the ever-evolving framework.

Since we also know that many cyber incidents begin with physical breaches, hardening the perimeter of a CPS with surveillance and intrusion sensors fits within the general security ecosystem. Security issues as a whole must be prioritized along with privacy, safety, reliability and resilience.

Joe Gittens is Director of Standards for the Security Industry Association (SIA). Learn more about SIA at www.securityindustry.org. 

About the Author

Joseph Gittens

Joseph Gittens is director of standards for SIA, where he works closely with SIA members who volunteer their expertise to guide OSDP and other standards and technology initiatives.