Review – NSF Publishes RFI for Cyber-Physical Resilience Research

Today, the National Science Foundation (NSF) published a request for information in the Federal Register (89 FR 78915-78916) for “Networking and Information Technology Research and Development Request for Information on a National Plan for Cyber-Physical Systems Resilience”. The notice reports that: “The goal of the plan is to shape a whole-of-government research and development (R&D) plan related to cyber-physical resilience across systems that may be local, regional, or national in scope.”

The proposed research plan would be based, at least in part, on the following documents:

• PCAST Releases Report on Strategy for Cyber-Physical Resilience,

• Strategy for Cyber-Physical Resilience: Fortifying Our Critical Infrastructure for a Digital World, and

• Cyber-Physical Systems Resilience—The Networking and Information Technology Research and Development (NITRD) Program.

The NSF is soliciting comments that “address the topics of this RFI clearly and concisely”. Comments should be emailed to CPSR-ftacRFI@nitrd.gov. Comments should be submitted by October 26^th, 2024.

 

For more information about the RFI, including a brief description of the scope of the information requested, see my article a CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/nsf-publishes-rfi-for-cyber-physical - subscription required.

HR 5312 Passes in House – Cybersecurity Research

Yesterday the House passed HR 5312, the Networking and Information Technology Research and Development Modernization Act of 2016. The bill was ‘debated’ for twenty minutes, but nary a negative word was heard. The final vote was a strongly bipartisan 385-7, with most of the negative votes coming from Republicans.

The bill does add the term ‘cyber-physical system’ to the definition to the High-Performance Computing Act of 1991 (15 USC Chapter 81), but it limits it to large, complex systems “whose networking and information technology functions and physical elements are deeply integrated”. No additional funding is provided for the research that this bill supports. This means that the existing funding is being diluted by expanding the areas of research authorized.

With no serious opposition to the bill, it is likely that, if the bill is considered in the Senate (not a forgone conclusion by any means), it would likely be considered under the unanimous consent process.

HR 5312 Introduced – Cyber Research

Last week Rep. LaHood (R,IL) introduced HR 5312, the Networking and Information Technology Research and Development Modernization Act of 2016. The bill would make a number of amendments to the High-Performance Computing Act of 1991 (15 USC Chapter 81); mostly replacing the words ‘high-performance computing’ with ‘networking and information technology’ which changes the focus of this federal research and development program. There are some changes, however, that may be of specific interest to readers of this blog.

Cyber-Physical Systems and Security

The bill would add two new definitions to §5503:

‘Cyber-physical systems’ means physical or engineered systems whose networking and information technology functions and physical elements are deeply integrated and are actively connected to the physical world through sensors, actuators, or other means to perform monitoring and control functions;

‘Networking and information technology’ means high-end computing, communications, and information technologies, high-capacity and high-speed networks, special purpose and experimental systems, high-end computing systems software and applications software, and the management of large data sets;

The failure to include ‘cyber-physical systems’ in the definition of ‘networking and information technology’ means that most of the remainder of this bill remains focused on IT systems not control systems. There are, however, two places in the newly renamed ‘Networking and Information Technology section (§5511) where cyber-physical systems are specifically addressed in the outline of an on-going federal research program.

First it calls for research on increasing the “understanding of the scientific principles of cyber-physical systems and improve the methods available for the design, development, and operation of cyber-physical systems that are characterized by high reliability, safety, and security” {new §5511(a)(1)(J)}. This would be basic research on cyber-physical systems.

Next, the bill would expand that level of research into applications by calling for “a research framework to leverage cyber-physical systems, high capacity and high speed communication networks, and large-scale data analytics to integrate city-scale information technology and physical infrastructures” {new §5511(a)(1)(M)}.

Moving Forward

While LaHood is not a member of the House Science, Space, and Technology Committee, most of his seven co-sponsors are (including both the Chair and Ranking Member) so this bill will have no problem moving forward in Committee. In fact, the first markup of the bill was held before it was introduced.

Similar versions of this bill (HR 967 and HR 3834) were introduced in the last two Congresses and were passed out of Committee. Neither ever made it to the floor of the House for consideration. I do not see anything that would indicate that this bill has any better chance, particularly since it was introduced so late in the Session.

Commentary

There are two interesting things in this bill. The first is that the definition of ‘cyber-physical systems’ is written so that it is specifically not the same as the definition of an industrial control system. This definition encompasses a small subset of ICS that incorporate such a large number of sensors and actuators that a large-scale data processing operation is required for successful operation. I do not think that any system in use today qualifies. Rather we are looking at the type system that would be employed for autonomous transportation systems or true smart-grid operations.

The second item of interest here is that the bill would remove §5543 that authorizes separate spending for the program. That section has not been updated since 2004 and thus no spending authorized since 2007, but it at least provided some sort of basis for funding the program. Without that provision we are left with the §5511(c) requirement that the individual agencies in the federal government that have responsibilities under the program provide for their funding out of otherwise appropriated monies. So much for this being an important program.

Bills Introduced – 05-24-16

With both the House and Senate in session yesterday there were 17 bills introduced. Of those one may be of specific interest to readers of this blog:

HR 5312 To amend the High-Performance Computing Act of 1991 to authorize activities for support of networking and information technology research, and for other purposes. Rep. Duffy, Sean P. [R-WI-7]

It is interesting that a bill of this name was marked up yesterday in the House Science, Space and Technology Committee and then this bill is supposed to be marked up today by the same Committee. The bill that was marked up yesterday contained provisions concerning research and development efforts on ‘cyber-physical systems’. 

CG - Application of Cybersecurity Principles

Yesterday the Coast Guard published a copy of “The Application of Cybersecurity Principles to Marine and Offshore Operations” on their Homeport web site (sorry the CG does not use real links on Homeport – You can find this under the Cybersecurity tab). The publication is apparently the first volume in a series of publications on maritime cybersecurity being published by the American Bureau of Shipping.

A quick look at the table of contents looks like the 35-page publication covers the basics of cybersecurity (both IT and OT). It will be interesting to see what specific changes are being recommended for the maritime environment.

There is a nice brief discussion about cybersecurity in general in the first section of the publication. It makes a significant comment that applies to a variety of environments beyond just the maritime (pg 2):

“Most organizations arguably understand the need for protecting and monitoring cyber-linked business support and control systems. Even so, the breadth and complexity of protecting such systems may present a daunting challenge to many organizations that do not have a comprehensive picture of cybersecurity.”

There is also an important discussion of how cybersecurity and safety intersect, particularly in cyber-physical systems (CPS). The authors make an important point (pg 3):

“A cybersecurity incident on a ship, on a platform, or within a facility, might result from system fault or failure, operator error or inaction, inadvertent conflicts in incompatible software, or deliberate malfeasance or malice. Any such incident may result in intrusion or malfunction in a general purpose network, resulting in a cascading failure that can spread into ship or platform CPS to cause unexpected consequences for any number of systems.”

This looks like a document that will be well worth reading by anyone in control system management as well as cybersecurity professionals. Certainly the maritime community should, as the Coast Guard intended, take a specific interest in this publication and the remainder of the series as it becomes available.

NIST Announces SGAC Meeting – 06-03-14

Today the DOC’s National Institute of Standards and Technology (NIST) published a meeting notice in the Federal Register (79 FR 28484-28485) concerning a meeting of the Smart Grid Advisory Committee (SGAC) in Washington, DC on June 3^rd, 2014. The meeting is open to the public.

According to the notice the preliminary agenda includes:

• The updated NIST Framework and Roadmap for Smart Grid Interoperability Standards;

• The updated Guidelines for Smart Grid Cyber Security (NISTIR 7628)

• The NIST Smart Grid Testbed activities; and

• The interaction between Cyber-Physical System and Smart Grid.

The final agenda will be published on the NIST Smart Grid web site.

Entrance into the NIST facility requires pre-registration. The required pre-registration information may be submitted via email (cuong.nguyen@nist.gov). Up to 30 minutes has been set aside for public comments. Personnel wishing to make oral presentations can register their intent via the same email address. Written comments may be submitted in the same way.

Subcommittee Amends and Approves HR 4186

This morning the Research and Technology Subcommittee of the House Science, Space, and Technology Committee held a markup hearing on HR 4186, the Frontiers in Innovation, Research, Science, and Technology (FIRST) Act of 2014. The Subcommittee adopted a number of amendments, rejected a few, and adopted the amended version of the bill by a voice vote.

This bill is essentially an authorization bill for a variety of federal science and technology programs, including:

• The National Science Foundation (Title I)

• The Office of Science and Technology Policy (Title III)

• National Institute of Standards and Technology (Title IV)

The only area of this bill that might be of specific interest to the readers of this blog would be §504, Cyber-physical systems. Actually §502 of the bill defined ‘cyber-physical systems’ with a definition added to 15 USC 5503. It defines them as “physical or engineered systems whose networking and information technology functions and physical elements are deeply integrated and are actively connected to the physical world through sensors, actuators, or other means to perform monitoring and control functions” {§502(f)(2)}

Section 504 then goes on to amend 15 USC 5511(a)(1)(I) to modify the current focus of research on cyber-physical systems from ‘improving the security’ to ‘improving the security, reliability, and resilience’ of those systems. It then goes on to add an additional focus {§5511(a)(1)(K)} on increasing the understanding of the ‘scientific principles of cyber-physical systems’ to improve the methods for the design, development and operation of those systems.

So much for any real mention of control system security in this bill. None of the amendments considered (either adopted or rejected) would do anything to further cybersecurity of control systems.

Moving Forward

As I noted in an earlier post about this bill, the Committee leadership certainly wants this bill to move forward. We will see a full committee markup within a couple of weeks. I also suspect that this bill will get to the floor of the House before the summer recess. I expect, though, that that will be as far as it gets. It won’t be because of any specific opposition to this bill, it will just get caught in the election year summer log jam.

HR 4186 Documents Added to Hearing Docket

This morning the House Science, Space, and Technology Committee added a number of documents to the page for the markup hearing on HR 4186 that will be held tomorrow morning. That hearing will be convened by the Subcommittee on Research and Technology.

The documents linked to the hearing web page include:

• A committee draft of HR 4186 (GPO still does not have official version);

• The Staff Markup Memo providing background on the proposed bill; and

• A Section-by-Section review of the proposed bill.

I have not had a chance to do more than skim these documents at this point, but it is clear that there will be at least one section of the bill that will probably be of interest to readers of this blog. Section 504 deals with research on Cyber-Physical Systems.

More information to come in future posts.

HR 967 Ordered Reported – Cybersecurity Research

Last week the House Science, Space and Technology Committee marked-up HR 967, the Advancing America’s Networking and Information Technology Research and Development Act of 2013 and ordered it reported favorably by a voice vote, generally a sign of bipartisan support. This bill is very similar to HR 3834 introduced in the 112^th Congress and passed in the House.

Cyber-Physical Systems

As I noted when the earlier version of the bill was introduced, this bill is significant for the control system community because it introduces the term ‘cyber-physical systems’ to the federal lexicon. The term is defined this way {§2(f) adds 55 USC 5503(1)}:

“‘[C]yber-physical systems’ means physical or engineered systems whose networking and information technology functions and physical elements are deeply integrated and are actively connected to the physical world through sensors, actuators, or other means to perform monitoring and control functions”.

Section 4(a) of the bill goes on to amend 55 USC 5511(a)(1) by adding a paragraph of R&D requirements for cyber-physical systems. The new 55 USC 5511(a)(1)(J) provides for research that would provide for research on the scientific principles of cyber-physical systems and “improve the methods available for the design, development, and operation of cyber-physical systems that are characterized by high reliability, safety, and security”.

Section 4(b) would amend 55 USC 5503 to require the establishment of a University/Industry Task Force to “explore mechanisms for carrying out collaborative research and development activities for cyber-physical systems, including the related technologies required to enable these systems” {§105(a)}. The task force would consist of “participants from institutions of higher education, Federal laboratories, and industry”. The Task Force would have one year to complete their work and issue a report to Congress. Unfortunately, there is nothing that mentions ‘security’ in the description of the function or scope of the Task Force.

Committee Mark-up

Four amendments were offered on the bill and all four were adopted by voice votes. Only one of the amendments (Johnson Amendment 440) was significant from a control system or cyber-physical system point of view.

The Johnson amendment would replace the Cyber-Physical task force outlined in Section 4(b) of the bill with a University/Industry Workshop, again my amending 55 USC 5503. In many ways this would be similar to the replaced Task Force, but in addition to the ‘exploring mechanisms’ task it would also be charged with developing “grand challenges in cyber-physical systems research and development” {§105(a)}.

One would think that the reason for calling for a workshop instead of a task force would be the shorter time needed to obtain results from a more concentrated work period. That isn’t the case here. Instead of the one-year reporting period found in the original bill, Johnson’s amendment would give the Director of the National Coordination Office 18 months to prepare a report on the findings and recommendations of the workshop.

Moving Forward

While the Committee voted to report the bill favorably on Thursday, there is no telling how soon the actual committee report will be filed. Generally speaking the House won’t take up a bill until the report has been filed. There is little doubt that this bill will easily pass muster on the House floor and probably the Senate floor as well. The problem will be seeing if or how soon the leadership will bring the bill to the floor.

Because the President’s cybersecurity executive order has taken off some of the political pressure to produce comprehensive cybersecurity legislation, this bill may make it through the legislative process during this session.