Sitting in his office at the University of Virginia School of Engineering in 2010, professor Barry Horowitz was studying a cybersecurity problem when the thought came to him.
On his own scale of big ideas, this new one was up there. Horowitz, a member of the National Academy of Engineering, has been known to have quite some innovations over his 50-year career, like the one that ended up as the basis for the international system that prevents commercial aircraft from colliding.
Horowitz, the UVA Engineering Munster Professor, was working with Jennifer Bayuk, then a student at the Stevens Institute for Technology, on a project initiated by the relatively new Systems Engineering Research Center. The center was founded under the auspices of the U.S. Department of Defense to develop new systems engineering concepts in areas such as artificial intelligence and cybersecurity to make computer systems less vulnerable to attack.
Horowitz's concept was to bake in system-aware security, as he called it at the time, during design of a computer system, which would allow cyberattacks to happen without the system losing operating functionality or leaking important data by creating an auxiliary pathway that would come online if the system recognized abnormal behavior. Horowitz and Bayuk spent the next year developing this theoretical approach to cybersecurity for the Systems Engineering Resource Center.
During the center's annual research review in October 2011, Bayuk and Horowitz presented a paper on their cyber resilience theory.
Little did anyone know at the time, fate would soon launch Horowitz's big idea in a new direction.
Drone Over Iran
Two months after the presentation, a CIA top-secret, stealthy drone lifted off into the Afghan sky from an undisclosed location. The agency believed its aircraft, designed and constructed in secret by Lockheed Martin, was practically invisible, and the technology inside impenetrable. The RQ-170 Sentinel drone would become known as "The Beast of Kandahar."
Soaring at roughly 50,000 feet, operators flew the drone into eastern Iran, allegedly to surveille Iran's nuclear program.
An explosion the month before at Iran's Shahid Modarres Garrison missile base was believed by some to be evidence of a nuclear testing facility at the site outside Bidganeh, about 25 miles from Tehran. The U.S. government wanted more intelligence.
The desert-colored, bat-winged drone, which had played an important role in the operation that took out Osama Bin Laden, had been specially painted on the outside to avoid radar systems. Inside the drone, state-of-the-art electronics purportedly were capable of detecting minute traces of radioactive isotopes and other chemicals on the ground.
About 140 miles from the Afghan border, over a sparsely populated region in eastern Iran, CIA operators unexpectedly lost control of their $6 million drone.
Iranian military officers alleged that the Islamic Revolutionary Guard Corps cyberwarfare unit hijacked the aircraft near the city of Kashmar by jamming the GPS communications, then safely landed the vehicle at a nearby base.
"Through precise electronic monitoring, it was known that this plane had the objective of penetrating the country's skies for espionage purposes," Brig. Gen. Amir Ali Hajizadeh, commander of Iran's Islamic Revolutionary Guards Corps Aerospace Force, said in a statement at the time. "After entering the country's eastern space, the plane was caught in an electronic ambush by the armed forces, and it was brought down on the land with minimum damage."
Pentagon officials initially denied the Iranian account, saying the vehicle crash-landed on its own - until Iran released photos of the nearly pristine aircraft sitting inside a hanger. Fail-safes that should have returned the craft to its point of origin or destroyed it to keep it out of enemy hands obviously didn't work.
Seven years after the incident, Iran revealed a copycat drone equipped with precision-guided missiles dubbed Saeqeh, or "Thunderbolt." A year later, Israel shot down one of those new Iranian drones over its airspace.
"Allowing fully operational, high-tech spy systems to fall into the hands of an enemy state is a scenario to be avoided, the military told us," said Peter Beling, professor and associate chair for research in the UVA Department of Engineering Systems and Environment.
It wasn't long after Iran captured the CIA's drone that Department of Defense officials approached Horowitz to ask if UVA Engineering's digital security concept could be applied to physical systems such as drones.
The government's request initiated a now decade-long program involving UVA Engineering Systems and Environment researchers, led by Horowitz and Beling, using systems engineering to build resilience into cyber-physical systems. The work has established the school as a leader in the development of resilient systems.
What Matters Most
"Our research aims to offer a solution in terms of resilience, and not just demonstrate that the attacks are possible," Beling said. "We're going to assume that an adversary is going to get at this stuff, because there are numerous ways that attackers can get in. Our resilience solutions respond in a manner that sustains system operation."
Since UVA Engineering first applied Horowitz's top-secret approach to safeguarding drones for the military, UVA Engineering researchers have routinely been tapped to study and develop a number of resilience options for cyber-physical systems. Today, they are working on six related, grant-funded projects with the Department of Defense.
The research has evolved, too, and was shown to be applicable to other physical systems that use digitally connected computer systems, such as warships, cars, 3-D printers and even artificial pancreas devices used by diabetes patients.
The process of developing a resilient system begins by asking the system owners what functions they care about most. In the case of the drone, it wasn't the loss of information the drone captured on its flight that concerned the Pentagon the most; the big problem was an enemy got hold of the drone and the technology on board for collecting sensitive intelligence. That led Horowitz and the UVA team to, as an example, focus on protecting the navigation function of the drone so that it wouldn't be recovered by an adversary in the future.
Beling gave an example of how cyber resilience can work in a situation like the one with Iran: In a drone equipped with multiple GPS devices, deviation among the GPS readings could activate a kill switch and destroy the drone before it could be captured.
Understanding what matters most means that systems engineers, and their collaborators in other engineering disciplines, can design redundant security measures to protect priority functions within a cyber-physical system while the system is on the drawing board.
"Typically, cyber defense is thought of after an entire system has been designed. And since you don't know what an adversary is going to do, it is frequently not done until after you've been successfully attacked, so as to avoid future repeat attacks," Horowitz said.
Since the loss of the Sentinel drone, humans have only become more reliant on smart, digitally connected systems for safety, security and convenience. Thermostats, thermometers, pacemakers, refrigerators, doorbells, dumbbells and dolls - the list of cyber-physical systems grows by the minute, and with each new device, there exists the possibility that these devices can be hacked, potentially with fatal consequences.
"Somewhere out there is an adversary who's become really, really good at hacking into computer networks," Beling said. "There are large numbers of people who spend time doing this. The moment that we start putting these specific resilience mechanisms into something like the drone, then they have to become experts in something totally different, like how a drone works, not from a computer point of view, but from the engineering of its physical components and the control of its navigation. It's a completely different set of skills."
While successful hackers tend to be exceptional at navigating computer code and looking for vulnerabilities to break into systems, the resilience approach developed at UVA Engineering would mean these adversaries would also need to become experts in how the entire physical system they are trying to overcome functions and operates.
"Even if the resilient system is attacked, it is going to keep and preserve its essential functions," Beling said.
When Beling was a UVA undergrad in the early 1980s, he focused on mathematical modeling and operations research. "Technology was the furthest thing from my mind," he said.
He returned to UVA to teach after earning his Ph.D. from the University of California, Berkeley, in 1992. "Barry convinced me to look at systems engineering in terms of it being more than a collection of techniques for analyzing systems, like mathematical modeling. So, I kind of got sucked into the world of technology."
Today Beling serves as a member of the Systems Engineering Research Center's Research Council and directs the Adaptive Decision Systems Laboratory at UVA. The lab is focused on data analytics and decision support in cyber-physical systems.
Together, Beling and Horowitz have built a foundation of institutionalized knowledge around the concept of cyber resilience that led to a patent in 2018 for the development of a cyber-physical defense system and numerous research grants with governmental agencies, including the Department of Defense and the U.S. Navy, for which they explored resilient strategies for protecting shipboard control systems. Teams of UVA researchers and their collaborators have written dozens of well-cited, peer-reviewed papers on topics that run the gamut of resilient approaches for different types of cyber-physical systems - from nuclear reactors to cars.
The research has also spun off a company called Mission Secure Inc., located in Charlottesville. The company, founded in 2014, works primarily in industrial controls, such as protecting oil refineries from cyberattacks - something that has recently plagued Saudi Arabia. The company has an estimated total annual revenue of $5 million.
In 2018, UVA and several other public universities in Virginia entered a partnership with MITRE, a nonprofit based in Massachusetts and Northern Virginia, established in 1958 to provide engineering and technical guidance for the federal government. The partnership is part of MITRE's new University Innovation Exchange.
"We have an opportunity to develop a new innovation construct with this partnership," John Kreger, vice president and COO of MITRE, said. "We'll bring many perspectives to bear to create faster, more cost-efficient solutions for our government sponsors' greatest challenges."
Beling oversees four new University Innovation Exchange collaborations with MITRE and other universities in the program. The projects leverage the historical might of UVA's cyber resilience of physical systems research for smart medical devices and monitoring of devices that use artificial intelligence. Horowitz and other faculty and students from the Department of Engineering Systems and Environment are also part of these projects.
In addition to the formal MITRE collaboration, UVA has a long history with the organization. From 1969 through 1996, Horowitz was employed in a variety of positions at MITRE, including the last five years as president and CEO.
"We have something to offer them," Horowitz said of MITRE. "Even though they are the experts, we have a shortage of [systems engineering] talent in this country. There are only about 75 or so universities in the U.S. that even have systems engineering departments."
Given the sheer volume of smart technology entering the commercial market, the rise in cyber espionage by adversarial governments, and the shortage of systems engineers with expertise in cyber-physical systems resilience, there is plenty of room to expand the UVA Engineering program further. Faculty, students and researchers have a unique opportunity to jump in and make a difference quickly.
Beling said the department is looking for a unique crop of new students and researchers, "ones who know a lot about cybersecurity and maybe have computer science backgrounds, but they should also be a systems engineer, mechanical engineer, electrical engineer, and know a lot about control systems," Beling said.
One of UVA Engineering's core strengths has traditionally been the multidisciplinary collaborations between departments. In 2018, the school opened the Link Lab, a 17,000-square-foot space, focused on development of cyber-physical systems and how to keep them secure from cyberattack. To date, the lab has netted $62 million in research funding.
"As systems engineers, we're interested in taking these technologies that have such high promise and dealing with the kinds of risks and constraints that go with them so that we can maximize the opportunity for getting value out of those technologies," Beling said. "We may do that by advancing the technologies themselves."
