I must unfortunately disagree with parts of Bruce Schneier’s recent post. His subject is cyber-physical systems although he doesn’t seem to use that term. His point of view is firmly rooted in information technology (IT). As I have said before, that approach is inadequate to create and maintain safe and secure cyber-physical and IoT systems. He characterizes computational control of physical systems as new; in fact, embedded control was an early application of computers. He also characterizes embedded devices as inexpensive; not so when car engines are operated by vector multiprocessors. And cost is not the causal factor for insecurity—we have plenty of very expensive IT systems that embody security flaws.
As one example, he praises NIST’s cybersecurity guidelines. NIST’s approach can be summarized as treating sensors and actuators as I/O devices attached to a traditional IT system. NIST and Mr. Schneier don’t take into account that these systems are real-time distributed computing systems. Security mechanisms designed for transaction-oriented IT are inadequate for timing-critical control systems.
In order to make CPS and IoT systems safe and secure, we need to consistently apply what we already know and develop new methods. CPS and IoT can no longer treat safety and security as separate concerns. Safety people need to learn more about computer security; security folks need to learn more about safety. Mr. Schneier is firmly planted in the security side. I hope that he continues to expand his knowledge base.