The University of Sheffield
Department of Computer Science

COM6017 Security of Control and Embedded Systems

Summary This module will explore security issues in systems where computation is carried out to sense, analyse, and control physical system elements. These systems typically react in real time to external events. Examples include washing machines, autonomous vehicles and traffic management systems, power distribution systems, automated manufacturing systems, robotic applications, and web-enabled toys. Many now operate, or will operate, as part of the "Internet of Things". A breach in the security of the systems of interest could also have catastrophic safety consequences. Complications arise when intrusions are detected, e.g. closing down a system may simply not be possible.
Session Spring 2021/22
Credits 15
Assessment
  • Group Report
  • Individual poster
Lecturer(s) Prof. John Clark & Dr Benjamin Dowling
Resources
Aims

This unit aims to:

  • A1 develop understanding of the fundamental security issues facing modern critical control and embedded architectures and of the techniques and mechanisms to address them;
  • A2 develop knowledge and understanding of the constraints under which embedded and control systems operate and how these affect how security may be provided, e.g., how resources can be traded against security and what technologies are available for providing security in low resource environments;
  • A3 develop the student's ability to analyse the risks of specific embedded systems and to determine (synthesise) appropriate risk reduction measures for a variety of embedded and control systems;
  • A4 develop the student's team working and collaboration skills;
  • A5 develop the ability to research a security topic and communicate findings to a security audience.
Objectives

By the end of the unit, a candidate will be able to:

  • LO1 [A1] describe and explain the security properties desired of systems with embedded or control architectures, such as robots, manufacturing control systems, autonomous vehicles, and the Internet of Things, and explain why they are important;
  • LO2 [A2, A3] identify the threats to embedded and control systems, determine what the vulnerabilities of such systems are, and describe and explain what attacks can be used to compromise security;
  • LO3 [A1, A2, A3] identify practical resource constraints that apply, evaluate how these influence the security that can be provided, specify/synthesise appropriate security requirements, architectures and mechanisms used to uphold desired security properties; and provide justification for choices or proposals made;
  • LO4 [A2, A3] explain how the safety of such systems is critically dependent on security and analyse security and safety with relevant tools;
  • LO5 [A4] experience and appreciate the practical issues faced when working in a team (e.g., how skills and capabilities of team members can be harnessed effectively, how levels of commitment vary, how task work may be allocated fairly, how constructive criticism may be engineered, how tasks may be planned and organised, and how team working can go wrong) and resolve such issues when they arise, including distant working measures in an online setting. The student will be able to critically reflect on their collaborative experience.
  • LO6 [A5] independently research a topic and communicate their findings about it to the general public either in a physical environment or online.
Content

Cyber-physical systems:

  • SCADA and SMART systems.
  • Robots, autonomous vehicles, advanced manufacturing systems, and the Internet of Things
    • Threat models for such systems and attacks on them
    • Trust and reputation in these systems
    • Security of operating systems and middleware (e.g. for robot devices and for IoT middleware)
    • Secure communications & protocols and relevant standards
    • Hardware assurance and trusted computing
    • Effects of limited resources; low power design
    • Exemplars:
      • Smart card security
      • RFIDs and their security
      • Trojans and IC security
      • Security of robot devices
      • Manufacturing control systems
      • Drone security

Intrusion handling and difficult issues:

  • Intrusion detection in control and embedded systems and intrusion responses in various contexts
  • Safety and security considered together:
  • Analysis approaches
Teaching Method
  • 10 hours of online materials. (LO1, LO2, LO3 and LO4);
  • 10 hours (5 x 2 hours) practical sessions: Students work individually and also in teams (LO1, LO2, LO3, LO4 and LO5);
  • 10 hours of seminars/discussions by external speakers (LO1, LO2, LO3, and LO4);
  • 70 hours of independent study of supporting referenced material: Wherever possible, referenced materials will be freely-available on the web. Students are expected to read around the subject. Independent study is an important component of the module (LO1, LO2, LO3, LO4 and LO6) [Note that the major assessment is a group project for 30 hours and the minor assessment is an individual element for 20 hours. LO6 is addressed via the creation of an assessed poster and the independent research needed to create it].
Feedback

Assignments are marked using published criteria; submissions are commented on and returned through Blackboard within 3 weeks. Students will meet with their supervisors regularly (and, where relevant, external clients) to discuss progress and problems encountered, and to review issues that arise during the project.
Formative feedback will be provided by:
a) online quizzes or multiple choice quizzes, for all lectures and related content,
b) surgery hours by teaching staff,
c) verbal feedback in practical sessions.

Recommended Reading See Blackboard pages. Almost all references are web-sourced.