In the Spring Edition of ITNOW, I wrote an article on why we should be moving away from traditional cyber security and focussing on cyber mission assurance and cyber resiliency techniques. This meant framing cyber security in a manner that focussed on the outcomes the organisation needs to achieve with the preparedness to expect, and the ability to respond and recover in response to an adverse cyber effect.
NIST SP 800-160 defines cyber resiliency as: ‘the ability to anticipate, withstand, recover from and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources.’
What do we mean by cyber safety?
Cyber Safety is a relatively new term but for this article The Royal Academy of Engineering, in their March 2018 document ‘Cyber Safety and Resilience’, defines cyber safety as ‘the ability of digital systems to maintain adequate levels of safety during operation, including in the event of a cyberattack or accidental event, protecting life and property’.
What this means is we have to understand and incorporate into our risk assessment, a consideration of what the potential impact is of a cyber event on the safe and secure operation of a safety-critical system, and therefore what controls and mitigations we need to introduce to ensure that the risk is as low as reasonably practical (ALARP).
What this approach doesn’t cover is recognising the overlaps between cyber security and Safety. We know all too well that we need to adopt an approach of layered security, or defence-in-depth, to protect and defend our systems; making it hard for our adversaries to achieve their goals. It would be wrong of us, however, to believe that we can stop every single attack. It is for this reason why our systems have to be resilient and have to be able to continue mission-essential functions during periods of attack. This means ensuring that these systems remain safe to operate and can continue their safety-critical functions. Starting at the higher level of abstraction makes it easier to spot the similarities of H&S to cyber security and therefore identify cost and resource savings.
So, what is new?
A key question you might ask is whether there is anything new by considering safety as part of the totality of cyber risk. The answer is quite simple: Yes. My major concern with current cyber security approaches is that they focus almost entirely on the risks to information, and therefore the risks this presents to the organisation (business objectives):
- What is the risk to the confidentiality, integrity, and availability of the information? My perspective is that very few organisations ask the (additional) key questions:
- What is the risk to the system itself and the wider environment? (I.e. Is it the system itself which is the target, rather than it information it processes?)
- What is the risk to the people using the system or those who are reliant on its undisrupted operation?
With the rapidly increasing prevalence of the internet of things and cyber-physical systems, this consideration needs to be considered by all industrial sectors. Let’s not forget that it was the compromise of programmable logic controls by Stuxnet that caused a series of centrifuges to rotate rapidly outside of their set parameters resulting in their physical destruction. If that effect can be achieved on a standalone system, then what can happen on a networked system?
What is important is that I am not suggesting that organisations need to conduct considerably more work to understand the safety considerations of their systems, but instead they need to understand the potential hazards that may be introduced should safety-critical functions be disrupted due to a cyber event. Once these hazards have been identified they can be assured through existing cyber security standards and frameworks. The key is we need to ensure that our cyber systems are not just ‘Secure to Operate’ but also ‘Safe to Operate’.
For the purpose of this article, I’ve made the broad assumption that organisation have taken a system-level approach to understanding the overall threats to the organisation (System) rather than focussing on a component-driven approach and building up (further advice on this is available from the National Cyber Security Centre (NCSC). Starting at the higher level of abstraction makes it easier to spot the similarities of H&S to cyber security and therefore identify cost and resource savings.
Why should an organisation care?
I’d urge you to read a short article written by Nick Richards in Tripwire during 2018 ‘Why Cyber security is the New Health and Safety’ Nick argues that in order to prevent serious damage that could be caused by a cyber-attack, including the risks to individual safety, organisations should pay as much attention to cyber-security as they do to Health and Safety (H&S).
The ultimate aims of cyber-security and H&S are aligned. They are all designed to prevent loss to the organisation, its assets, and its personnel. There is another point to make which is that all assurance teams have an obligation to work together since all are trying to prevent the same types of losses albeit through different causes.
What happens if a building management system is compromised during a period when H&S is vital? The consequences of a ‘hack’ on this system which causes security doors and barriers to fail closed when they should fail open could be catastrophic. Ultimately, the H&S consequences directly relate to IT and mitigations should be employed with the input of both specialist functions.
It wouldn’t be an article on safety without mentioning the HSE
The TRITON malware, designed to disable safety-critical functions within the industrial setting, was discovered during 2017 within a Saudi Arabian petrochemical plant. Although the malware was discovered and contained before it was able to do any actual damage. One aspect which may have enabled this is the convergence of IT and operational technology (OT). I’m not going to speculate on what vulnerabilities may have afforded access to the attackers in this instance, instead I’m going to say something that should be obvious. We need to understand the risks posed by the convergence of these different technologies; that are beyond the scope of this article.
The NCSC recognise that there is a need to apply an integrated approach which adapts and applies best practice from both the safety and security communities. The 14 principles within the NCSC Cyber Assessment Framework (CAF) provides useful guidance for ‘organisations managing cyber-related risks to public safety’ (one of the three broad areas where NCSC believe the guidance is useful).
We can’t talk about safety without mentioning the Health and Safety Executive (HSE). Back in March 2017, the HSE published its guidance OG86 ‘Cyber Security for Industrial Automation and Control Systems (IACS)’. Although this guidance is primarily aimed at HSE Inspectors, particularly around applying a consistent approach to regulation, this document is freely available to all organisations and provides useful guidance on how compliance might be achieved. If you know me, you know how much I hate a compliance-based approach as it encourages a ‘do-minimum’ mentality, but I fully support that this is guidance that takes us in the right direction.
International Maritime Organisation (IMO) resolution on cyber risk management
What has prompted me to write this article is the imminent enforcement of the International Maritime Organisation Resolution MSC.428(98) – ‘Maritime Cyber Risk Management in Safety Management Systems’. If you haven’t guessed from the title, what this resolution requires is that organisations within the maritime industry ensure that cyber risk is appropriately included within their respective safety and environmental management systems (SEMS). I’m not intending to go into the detail of the resolution, it is easily searchable on the IMO website. Instead, I want to focus on the core message.
We need to be able to ensure that we can safeguard shipping from cyber-attacks and have processes in place to improve resiliency for when these are successful. The IMO resolution provides a massive step forward as it allows shipping companies to simply complement existing safety and security management practices already established by the IMO with cyber risk management practices.
What we do need to remember is a ship may be in service for some decades and therefore will have been designed and built during a period when the cyber threat was different. That does not preclude the organisation, however, from having the appropriate policies and processes in place to respond to a cyber-event.
The resolution is an excellent step forward to ensuring that maritime organisations consider the impacts that cyber events could, and would likely have, on safety. The resolution, however, is not prescriptive on how this should be achieved but it does provide guidance on how a maritime organisation should approach the assessment of cyber risk. Interestingly, the supporting document MSC-FAL.1/Circ.3 maps some of the considerations, which are not exhaustive, to the NIST Cyber Security Framework function areas (identify, protect, detect, respond, recover).
You might sense a bit of repetition in this article as this takes me back to an earlier point. I am not suggesting that organisations that already have cyber risk management processes have to conduct a significant amount of further work. Existing methodologies can be used to help assess the impacts that a cyber event can help on safety. This is possible through the use of ISO27001 and the NIST CSF, as well as other frameworks, to ensure that systems are both designed and operate in a manner that is safe and secure. They just have to be conducted and viewed through a safety lens; i.e. what would prevent that system from operating safety?
But another question I have is: Has cyber been considered as apart of the SEMS for the other sectors, namely rail, aviation, automotive? If the answer is they haven’t, then maybe they need to.
What is the takeaway?
Organisations need to ensure that both cyber security and cyber safety risks are understood, documented, and ensure that processes are in place to manage these at a level which is ALARP for both H&S and security. The mitigations should be planned jointly to maximise effectiveness. The message is simple. Gone are the days of considering cyber security and H&S separately. We must ensure that we follow an integrated approach that ensures that our systems are both secure and safe to operate.