Cyber Physical Systems Security

Cyber Physical Systems Security

Cyber Physcial Systems Security: Building in SecurityThe Cyber Physical Systems Security (CPSSEC) project addresses security concerns for Cyber Physical Systems (CPS) and the Internet of Things (IoT). CPS and IoT play an increasingly important role in critical infrastructure, government and everyday life. Automobiles, medical devices, building controls and the smart grid are examples of CPS. Each includes smart networked systems with embedded sensors, processors and actuators that sense and interact with the physical world and support real-time, guaranteed performance in safety-critical applications. The closely related area of IoT continues to emerge and expand as costs drop and the confluence of sensors, platforms and networks increases. Whether referencing the forward collision prevention capability of a car, a medical device’s ability to adapt to circumstances in real-time, or the latest IoT innovation, these systems are a source of competitive advantage in today’s innovation economy and provide vast opportunities for DHS and Homeland Security Enterprise missions. At the same time, CPS and IoT also increase cyber security risks and attack surfaces.  The consequences of unintentional faults or malicious attacks could have severe impact on human lives and the environment. Proactive and coordinated efforts are needed to strengthen security and reliance for CPS and IoT.


This is a critical time in the design and deployment of CPS and IoT.  Advances in networking, computing, sensing and control systems have enabled a broad range of new devices. These systems are being designed and deployed now, however, security often is left for later. Industry is driven by functional requirements and fast-moving markets. Designs are evolving rapidly and standards are only now emerging. Many devices being deployed now have lifespans measured in decades, so current design choices will impact the next several decades in transportation, health care, building controls, emergency response, energy and other sectors.

To understand the scope of the challenge, consider the recent advances in the cars we drive, the medical devices we depend on, the systems that operate our buildings, the power grid and a vast number of new IoT devices. Modern cars can automatically brake to avoid a collision, modern medical devices can monitor conditions in real time and adapt to changes, buildings,and the energy grid are being enhanced with a number of new smart services, and it is anticipated billions of new IoT devices will be connected to the Internet. If security is overlooked, we run the risk of unintentional faults or even malicious attacks changing how cars brake, how medical devices adapt, and how buildings and the smart grid respond to events. Cybersecurity only becomes more challenging if billions of devices with security vulnerabilities are added. Addressing security issues by bolting solutions onto widely deployed systems is not viable. Security issues must be analyzed, understood and addressed in the early stages of design and deployment. 


The overarching objective of the CPSSEC project is to ensure CPS and IoT security vulnerabilities are identified and addressed before system designs are complete and the resulting devices are widely deployed. In other words, the overarching goal is to build security in rather than bolt on it on later. To accomplish this, the project will:


The CPS and IoT space is vast and covers many distinct sectors. The Cyber Physical Systems Vision Statement from the Networking Information Technology Research and Development (NITRD) Program identifies nine areas of critical importance to government: agriculture, building controls, defense, energy, emergency response, health care, manufacturing and industry, society and transportation. Further, these areas share crosscutting issues of cybersecurity, economics, interoperability, privacy, safety and reliability, and social aspects. No single agency can tackle these areas alone.The CPSSEC project is taking a layered approach to these challenges as illustrated in the CPS Security Pyramid. Level 1 at the top Specific Industry: Objective: Enable progress through market-driven requirements. Approach: Industry Consortium Leverages Funds from major Automakers. Coordinate with GSA, NHTSA. Level 2 DHS Focus Areas. Objective: Develop economically feasible mitigations. Approach: Applied research leverages UK, Canada, Israel, and Sweden. Level 3 at the base Cyber Physical Systems Concepts. Objective: Leverage crosscutting CPS research. Approach: Joint Research leverages NSF Funds. Department of Homeland Security Seal.

The CPSSEC project is taking a layered approach to these challenges as illustrated in the CPS Security Pyramid. 

At the pyramid’s base, DHS is working with other agencies such as the National Science Foundation (NSF) to address fundamental and crosscutting challenges. The goal is to ensure the basic building blocks for CPS and IoT security are available and realistically feasible for use in specific systems.

At the core of the pyramid, DHS-funded applied research and development addresses sectors where S&T investments can have maximum impact. These areas are chosen based on a combination of impact delivered to DHS’s homeland security mission, technical readiness, and investments by other federal funding agencies. The CPSSEC project is focused on security for automotive, medical devices and building controls with an increasing interest in IoT security.

At the pyramid’s top, CPSSEC engages through a combination of coordination with the appropriate sector-specific oversight agency, government research agencies, industry engagement and support for sector-focused innovation, small business efforts and technology transition. This work encompasses the development of sector-specific industry consortiums.


Efforts funded through BAA HSHQDC-14-R-B0016

  • Ken Hoyme, Adventium Labs: Intrinsically Secure, Open, and Safe Control of Essential LayErS (ISOSCELES)
  • David Payton, HRL Laboratories: Side-Channel Causal Analysis for Design of Cyber Physical Security
  • Sam Lauzon, University of Michigan Transportation Research Institute (UMTRI): Secure Software Update Over-the-Air for Ground Vehicles Specification and Prototype
  • Justin Cappos, New York University (NYU): Securely Updating Automobiles
  • Dale Nordenberg, Medical Device Innovation Safety and Security (MDISS): Medical Device Risk Assessment Platform
  • Simon Oui, Kansas State University: Modeling Security/Safety Interactions for Buildings for Compositional Safety Control

Jointly funded efforts with the National Science Foundation (NSF) CPS Program

  • Lalitha Sankar, Arizona State University: A Verifiable Framework for Cyber Physical Attacks and Countermeasures in a Resilient Electric Power Grid
  • Manimaran Govindarasu, Iowa State University: PowerCyber: CPS Security Testbed for Smart Grid
  • Christopher Williams, Virginia Tech & Jules White, Vanderbilt University: Securing Manufacturing Systems

Other CPSSEC-Funded Efforts

  • Kevin Harnett, Department of Transportation Volpe Transportation Center: Joint Agency Work on Automotive Cyber Security
  • Sean Warnick, Brigham Young University (BYU): Mission Impact Situational Awareness Tool for Distributed Operations Management of Cyber Physical Human Critical Infrastructures
  • John Larkin, Food Protection Defense Institute (FPDI): Strengthening Food Industry Cybersecurity Capacity


Press Releases

Snapshot Articles


Was this page helpful?

This page was not helpful because the content:
Back to Top