CISSP: Domain 3 - Security Architecture & Engineering - Module 6
Assess and mitigate vulnerabilities in embedded devices and cyber-physical systems

This course is the final module of Domain 3 of the CISSP, covering security architecture and engineering.

Learning Objectives

The objectives of this course are to provide you with an understanding of:

  • Cyber-physical systems (CPS)
  • Industrial control systems (ICS)
  • How to apply security principles to site and facility design through security surveys, planning, and vulnerability assessments
  • How to design and implement facility security, focusing on data center design and considerations

Intended Audience

This course is designed for those looking to take the most in-demand information security professional certification currently available, the CISSP.


Any experience relating to information security would be advantageous, but not essential.  All topics discussed are thoroughly explained and presented in a way allowing the information to be absorbed by everyone, regardless of experience within the security field.


If you have thoughts or suggestions for this course, please contact Cloud Academy at


Welcome back. In this particular section, we're going to begin by discussing assessing and mitigating vulnerabilities in embedded systems and cyber-physical systems. So, we're going to look at CPS, cyber-physical systems, and industrial control systems, both of which include a variety of devices that require security, and are becoming more and more of a concern due to their lack of security.

So, the cyber-physical system: these are typically "smart" (smart in quotes) networked systems with embedded sensors or processors and actuators, designed to sense and interact with the physical world, including with human users, and to support real-time, guaranteed performance in safety-critical applications. Some examples of those we find on slide 244. What you're looking at with these eight boxes, transportation, manufacturing, healthcare, energy, emergency response, building controls, defense and agriculture, also represent eight sectors of American critical infrastructure. If you look at these particular sectors closely, it becomes obvious very quickly that each one of them actually contains a great many cyber-physical systems.

Take transportation, for example. We have commuter trains that run throughout the country. And this, of course, is something that is fairly common in other countries abroad, so the issue exists there as well. We have switching, we have traffic management, we have crossing gates, we have a wide variety of devices that are controlled electronically and even autonomously. In manufacturing, we have robotic systems that assemble cars and assemble components; even as far back as the late 80s, when Steve Jobs left Apple and founded NeXT, one of his points of pride was that the factory was largely unpopulated with people and most of the assembly took place by automated robotic systems. In healthcare, we have very similar things. We have surgeries that have been performed by robotics. We have various devices, wearable biomedical devices implanted into the human body, pacemakers, and other devices that are becoming more and more frequently monitored over WiFi, and they can be modified through those same access methods. Energy, of course, has a great deal of this. Dams have all kinds of cyber-physical systems in them; energy or oil transmission pipelines, and other kinds of devices that carry these chemicals and substances across great distances, are operated through autonomous or remotely controlled devices. Emergency response systems, same thing; building controls for energy, light, access control; defense, full of them, all different kinds, on jet planes, in naval vessels, not to mention augmentation devices for soldiers and sailors out in the field; and agriculture. All of these have great penetration of cyber-physical systems that extend the human function and automate various kinds of functions through robotics and artificial intelligence. As such, they need to have security placed in them, and it is best designed in rather than added on later.

But the CPS devices in these different sectors are oftentimes small and very limited in their functionality; they're only supposed to do one thing, for example. And they don't tend to have a lot of memory, or even CPU power. So cybersecurity is difficult to get put into them, because there just isn't enough system resource to handle it. And quite a lot of them are not interoperable with far more standardized kinds of systems, even something as pervasive as TCP/IP networks. So, we need to consider various types of solutions. We always need to begin with a risk assessment of a given environment, a given device or a given application. We need to understand what the risks are in such systems and their environments. And in this particular context, we don't have a lot of mature mitigation responses. In some cases, we have none whatever. In these particular systems, we need to look at bad data.

There is a lack of integrity validation techniques to ensure that everything we get as throughput is legitimate data. We have a tremendous lack of detection mechanisms for malware, as Stuxnet amply proved. In a lot of them, it's a case of a fixed component: if the component breaks, we simply replace the component. But the systems themselves need to have resiliency, recoverability and survivability built in. It's not that they're poorly manufactured, quite the contrary, they're very high quality devices, but anything made by man will, at some time or another, simply fail. We need to examine these for more robust operations, more sustainability, more recoverability, greater survivability. One of the things that's very difficult to design against is physical sabotage, and yet that too is a reality in this particular area. But we need to go through and actually do these assessments to make sure that we understand better what our risks really are. We have, of course, various forms of industrial control systems. These oftentimes are based on a very standardized embedded platform. They will on occasion use commercial off-the-shelf software; Linux tends to be an operating system frequently used in these. They're used to control industrial processes, such as opening and closing valves or switches. The types of industrial control systems fall into three broad categories.

We have the Supervisory Control and Data Acquisition or SCADA systems, we have Distributed Control Systems, and we have Programmable Logic Controllers. Now in SCADA, these typically are an assembly of interconnected equipment used to monitor and control physical equipment in industrial environments. They frequently are used to automate geographically distributed processes. And here are a few examples. The industrial processes where we find SCADA, include manufacturing, process control, power generation, fabricating and refining. So, again, we have manufacturing, we have energy, we have various forms of process control. So, again, the specter of critical infrastructure is raised. We have the infrastructure processes, such as water treatment and distribution, wastewater collection and treatment, oil and gas pipelines, electrical power distribution and transmission, and wind farms. So, again, the critical infrastructure is again mentioned. And then we have facility processes that we find in buildings, airports, ships, and space stations, controlling and monitoring heat, ventilation and cooling systems in all of these locations, various forms of access and energy consumption. So now, in addition to critical infrastructure, we have space travel. So, it's plain to see that these kinds of systems are literally everywhere. 

Now, the top 10 threats, as pictured, are these. And this list, like all lists of this kind, will change from time to time. But these 10 are the ones that, historically, are on this list and almost never change. We have unauthorized use of remote maintenance access ports. We have online attacks via office or enterprise networks: when these industrial control system networks are joined to the office type of network that we have, the traditional data management that we use in the office as opposed to what's out on the plant floor, then we have another avenue of attack possible. Attacks on standardized components used in the ICS networks: since they are all standardized, there may be a very target-rich environment. And we have DoS or distributed denial of service attacks. Inevitably there's going to be an element of human error and sabotage that can be exploited to destroy these systems, or disable some functionality within them. As Stuxnet and Flame proved, malware can be introduced via removable media and external hardware, because there may be no physical control, or ports that are not truly necessary may be left installed on these devices. Reading and writing messages in the ICS network may involve bad data, resulting in bad decisions by humans. Unauthorized access to resources is a problem in every computerized environment, as are attacks on the network components, whether logical or physical. And then of course, we have simply, things break: technical malfunctions, possibly due to poor programming techniques, or force majeure, acts of God.
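To make the integrity-validation gap concrete, here is an added example (not part of the course or its slides) of the kind of gate a historian or HMI could apply to readings arriving from a field device: an HMAC tag to catch tampered or replayed frames, plus plausibility limits to flag "bad data" that is validly signed but physically impossible. The sensor id P-101, the shared key, the pressure limits and the sample stream are all constructed for illustration.

```python
import hmac, hashlib, json

# Constructed example: a key shared between a field sensor and the historian/HMI
# that consumes its readings (in practice provisioned per device, never hard-coded).
SHARED_KEY = b"example-shared-key-not-for-production"
# Plausibility limits for a hypothetical pipeline pressure sensor, in bar.
PRESSURE_MIN, PRESSURE_MAX = 0.0, 80.0
MAX_STEP = 5.0  # largest credible change between consecutive readings

def sign_reading(sensor_id, seq, value, key=SHARED_KEY):
    # The sender tags a canonical JSON body with HMAC-SHA256.
    body = json.dumps({"sensor": sensor_id, "seq": seq, "value": value}, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}

def validate_reading(frame, last_seq, last_value, key=SHARED_KEY):
    # Returns (accepted, reason): integrity tag first, then replay, then physics checks.
    expected = hmac.new(key, frame["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, frame["tag"]):
        return False, "bad integrity tag"
    fields = json.loads(frame["body"])
    if fields["seq"] <= last_seq:
        return False, "replayed or out-of-order sequence"
    v = fields["value"]
    if not PRESSURE_MIN <= v <= PRESSURE_MAX:
        return False, "value outside physical range"
    if last_value is not None and abs(v - last_value) > MAX_STEP:
        return False, "implausible rate of change"
    return True, "ok"

def process_stream(frames):
    # Gate a stream of frames, advancing state only on accepted readings.
    last_seq, last_value, reasons = 0, None, []
    for f in frames:
        ok, reason = validate_reading(f, last_seq, last_value)
        reasons.append(reason)
        if ok:
            fields = json.loads(f["body"])
            last_seq, last_value = fields["seq"], fields["value"]
    return reasons

# Constructed stream: two good readings, a tampered body whose tag was not
# recomputed, a replayed old frame, and a validly signed but physically implausible jump.
good1 = sign_reading("P-101", 1, 42.0)
good2 = sign_reading("P-101", 2, 43.5)
tampered = dict(good2, body=good2["body"].replace("43.5", "0.5"))
spike = sign_reading("P-101", 3, 79.0)
SAMPLE_STREAM = [good1, good2, tampered, good1, spike]
```

Note that the plausibility checks catch the one case cryptography cannot: a correctly signed reading from a sensor that is faulty or sabotaged.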

About the Author

Mr. Leo has been in Information Systems for 38 years, and an Information Security professional for over 36 years. He has worked internationally as a Systems Analyst/Engineer, and as a Security and Privacy Consultant. His past employers include IBM, St. Luke's Episcopal Hospital, Computer Sciences Corporation, and Rockwell International. A NASA contractor for 22 years, from 1998 to 2002 he was Director of Security Engineering and Chief Security Architect for Mission Control at the Johnson Space Center. From 2002 to 2006 Mr. Leo was the Director of Information Systems, and Chief Information Security Officer for the Managed Care Division of the University of Texas Medical Branch in Galveston, Texas.


Upon attaining his CISSP license in 1997, Mr. Leo joined ISC2 (a professional role) as Chairman of the Curriculum Development Committee, and served in this role until 2004. During this time, he formulated and directed the effort that produced what became and remains the standard curriculum used to train CISSP candidates worldwide. He has maintained his professional standards as a professional educator and has trained and certified nearly 8500 CISSP candidates since 1998, and nearly 2500 in HIPAA compliance certification since 2004. Mr. Leo is an ISC2 Certified Instructor.