Cyber-physical systems are attracting a lot of attention: attacks on connected cars received a lot of media exposure, as did attacks on industrial control systems, airplanes or medical devices.
A lot of this interest is driven by vulnerability research (often in the form of “stunt hacking”). While engaging and attractive, does this research really help to answer the fundamental question of how to embed security analysis in design?
Why are we failing? What are the root causes? How do we do better and move beyond instilling fear? Walk with me in reviewing recent research, and in trying to find a way forward.