Zero Trust Design and Assurance Patterns for Cyber-Physical Systems


Saqib Hasan, Isaac Amundson, and David Hardin (Collins Aerospace)

Open-source software (OSS) provides numerous benefits, but also presents significant security challenges. With the use of OSS increasing in high-assurance cyber-physical systems (CPS), addressing these challenges is critical. Zero trust is an emerging initiative through joint efforts between the National Security Agency (NSA), DoD CIO, US Cyber Command (USCYBERCOM), and DISA. According to NIST 800-207, “Zero trust is a cybersecurity paradigm focused on resource protection and the premise that trust is never granted implicitly but must be continually evaluated”. Zero trust focuses on moving from a traditional perimeter-based infrastructure to a perimeter-less design and is therefore well-suited to systems containing OSS. To achieve this, zero trust relies on basic core tenets, namely, (1) presume a breach; (2) never trust, always verify; (3) assume a hostile environment; (4) apply unified analytics; and (5) scrutinize explicitly. 

Although zero trust has proven effective in improving the security posture of enterprise systems, its feasibility and applicability have not been fully explored in CPS. Towards this objective, our work focuses on two challenges for CPS zero trust: design and assurance. We have defined an initial set of zero trust architecture design patterns, specified using the Architecture Analysis and Design Language (AADL), that include relevant details such as component types, properties, and interfaces. Engineers can use these zero trust patterns either to construct secure architectures manually or to utilize a tool like BriefCASE to automatically transform unhardened models into zero trust enabled systems.

We have also created assurance patterns corresponding to our design patterns that specify arguments, including required evidence, for confidence that the design is truly zero trust secure. The assurance patterns are implemented in Resolute, a language and tool for specifying and evaluating system assurance, enabling on-demand evaluation of the system design at any time during development. This mechanism provides guidance to engineers if the design violates any zero trust requirements. The assurance patterns are implemented as argument fragments, which are made available in a pattern library to system engineers. Engineers can model systems and utilize one or more of these patterns to provide design assurance based on individual requirements.

We have demonstrated our approach on an unmanned aerial vehicle (UAV) surveillance application, in which we explored several scenarios where security vulnerabilities can be mitigated using our zero trust design patterns. We have also shown the use of assurance patterns that argue the correctness of the zero trust architecture. These assurance patterns further enable engineers to identify any design flaws and correct them during the initial system design phase, potentially saving development time, effort, and cost. We have identified scenarios where design flaws were easily captured and presented to engineers on demand, and the information necessary to rectify the design was obtained after analysis. As a result, the overall approach can be used to design effective system architectures with specific zero trust security requirements, improving the security posture of a CPS.
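The design pattern, its assurance argument and the automated hardening transform described above can be illustrated on a small model. The following Python is an added example written for this page; it is not the authors' AADL patterns, Resolute argument fragments or BriefCASE code. The component names (GroundStation_Radio, MissionPlanner, FlightController), the "zone" attribute, the "Pattern"/"Attested" properties and the goal name are assumptions constructed for the illustration.

```python
"""Added example (not the authors' artifacts): a zero trust design pattern,
its matching assurance argument fragment, and a hardening transform, run over
a constructed model of a UAV surveillance application.

Assumptions: components carry a trust 'zone' ("untrusted", e.g. a radio link,
or "trusted", e.g. flight-critical software) and a property dictionary; the
"Guard" pattern and "Attested" property are names chosen for this example."""
from dataclasses import dataclass, field


@dataclass
class Component:
    name: str
    zone: str                               # "untrusted" or "trusted"
    properties: dict = field(default_factory=dict)


@dataclass
class Connection:
    src: str                                # source component name
    dst: str                                # destination component name


@dataclass
class Model:
    components: dict                        # name -> Component
    connections: list                       # list of Connection


# Design pattern: a Guard (attestation + input filtering) must mediate every
# flow that crosses from an untrusted zone into a trusted zone.
def is_guard(c: Component) -> bool:
    return c.properties.get("Pattern") == "Guard" and c.properties.get("Attested") is True


# Assurance pattern: an argument fragment for the tenet "never trust, always
# verify", evaluated on demand. The result records the goal, the evidence
# gathered for each boundary-crossing flow, and guidance for each violation.
def evaluate_never_trust_always_verify(m: Model) -> dict:
    evidence, guidance = [], []
    for conn in m.connections:
        s, d = m.components[conn.src], m.components[conn.dst]
        if not (s.zone == "untrusted" and d.zone == "trusted"):
            continue                        # flow does not cross a trust boundary
        ok = is_guard(d)
        evidence.append({"flow": f"{s.name}->{d.name}", "verified_by_guard": ok})
        if not ok:
            guidance.append(f"{s.name}->{d.name}: insert an attested Guard before {d.name}")
    return {"goal": "never trust, always verify", "holds": not guidance,
            "evidence": evidence, "guidance": guidance}


# Hardening transform (the kind of step a tool like BriefCASE automates):
# reroute each violating flow through a newly inserted, attested Guard.
def harden(m: Model) -> Model:
    comps, conns = dict(m.components), []
    for conn in m.connections:
        s, d = comps[conn.src], comps[conn.dst]
        if s.zone == "untrusted" and d.zone == "trusted" and not is_guard(d):
            g = Component(f"Guard_{d.name}", "trusted",
                          {"Pattern": "Guard", "Attested": True})
            comps[g.name] = g
            conns += [Connection(s.name, g.name), Connection(g.name, d.name)]
        else:
            conns.append(conn)
    return Model(comps, conns)


def uav_model() -> Model:
    """Constructed sample: an unhardened UAV model where the radio link feeds
    the mission planner directly."""
    comps = [Component("GroundStation_Radio", "untrusted"),
             Component("MissionPlanner", "trusted"),
             Component("FlightController", "trusted")]
    conns = [Connection("GroundStation_Radio", "MissionPlanner"),
             Connection("MissionPlanner", "FlightController")]
    return Model({c.name: c for c in comps}, conns)


if __name__ == "__main__":
    before = evaluate_never_trust_always_verify(uav_model())
    print("unhardened:", before["holds"], before["guidance"])
    after = evaluate_never_trust_always_verify(harden(uav_model()))
    print("hardened:  ", after["holds"], after["evidence"])
```

Running the block reports the unhardened model as violating the goal, with guidance naming the flow to fix; after `harden` inserts `Guard_MissionPlanner`, the same argument fragment evaluates to true with the guarded flow recorded as evidence. Keeping the check separate from the transform mirrors the page's split between design patterns and assurance patterns: the argument can be re-evaluated at any point in development, whether the guard was added by hand or by a tool.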


Saqib Hasan is a Sr. Systems Research Engineer at Collins Aerospace. He has worked on various programs at Collins Aerospace, including automated certification and assurance, assurance of ML models, and design of zero trust technologies targeted specifically at aviation systems. Prior to Collins Aerospace he worked as a Research Scientist and won an SBIR award to demonstrate the application of blockchain technologies in improving the security of power grids. He completed his Ph.D. in Electrical Engineering at Vanderbilt University in 2019. His research focused on improving resilience in Cyber-Physical Systems. During his Ph.D., he utilized several approaches, including heuristic algorithms, game theory, artificial intelligence, and model-based engineering, to demonstrate his research. Before pursuing his Ph.D. he worked as a Research Engineer for 4 years at Emerson Network Power.

License: CC-3.0
Submitted by Amy Karns on