Systems engineering researchers receive DARPA grant to evaluate micropatching for improved cybersecurity

CyberTruck Challenge 2019 participants stand in front of a semi-trailer truck (photo taken Summer 2019).
CyberTruck Challenge 2019 participants stand in front of a semi-trailer truck (photo taken Summer 2019).

If you have an iPhone, you are likely aware that Apple just released iOS 14. To install these upgrades, all you have to do is download the update, install it and enjoy the new features. Now, imagine instead of a new iPhone, you have a decades-old defense system you need to update. How do you send these updates and ensure they work reliably? Three systems engineering faculty are working to answer that question.

Systems engineering department head and Woodward professor Thomas Bradley, associate professor Jeremy Daily and professor Steve Simske, received a $2.6 million grant from the Defense Advanced Research Projects Agency (DARPA) to test micropatches for defense systems.

These updates are “micro” in the sense that they don’t typically replace the entire operating system in your phone or laptop. Instead, these updates repair, or “patch,” parts of its operating system. We benefit from micropatches in our everyday lives, often with new updates to your phone or laptop.

“For a phone, if you apply a patch incorrectly, you can just apply a different one,” Daily said. “However, for weapons systems, nuclear plants, or gas transmission pipelines, the consequence for failure could be quite drastic.”

Creating tests for other research teams

Bradley, Daily and Simske’s research is part of the evaluation technical area within the larger, Assured Micropatching Program. They are working alongside industry partners including Assured Information Security, GRIMM, and Cummins. The grant provides funding for at least four years and has three sub-phases.

Phase one of the CSU research will test and improve the ability of other research teams, or performers, to create patches that work across multiple system architectures. Phase two involves sending specific challenges to apply to actual vehicle systems. Phase three includes networking together truck-like systems that the performers will have to patch.

Heavy vehicle electronic control units (ECUs) sitting on the desk of CSU associate professor in systems engineering Jeremy Daily.
Heavy vehicle electronic control units (ECUs) sitting on the desk of CSU associate professor in systems engineering Jeremy Daily.

“What we do is come up with the challenges and test problems that we give to the other performers to try to solve,” Daily said.

Currently, the team is developing problems for the performers that will help to diversify their architecture capabilities. These test problems ensure that performers will be able to develop patches for different machines regardless of the system it is applied to.

Micropatching and heavy vehicle cybersecurity

The CSU research team is going to test these problems by applying them to heavy vehicles, an area of expertise for Daily. Heavy vehicles are often operated by electronic control units (ECUs), which may require micropatching.

“If you take away the screen and user interface [of a phone], you have something like an ECU that is operating your big diesel engine,” Daily said. “These engine controllers need to be updated for a number of reasons, like increasing fuel efficiency or improving cybersecurity.”

Other performers will come to Daily’s lab at the CSU Powerhouse Energy campus to test out their solutions on actual truck-like systems, part of Daily’s heavy vehicle cybersecurity research.

“The various performers will come to us when they think they have figured out the problem and they will be able to test it,” Bradley said. “We have a menu of test problems for them to work through.”