Cyber security: Building awareness and resilience
A cyber security expert believes improving global resilience will require all stakeholders to act together at scale and in a coordinated way.
The integration of physical and digital systems creates many opportunities for improved performance and innovation in the systems that support a modern economy, generating economic value and creating social and environment benefits.
Such systems and their underpinning digital technologies – data analytics, artificial intelligence, autonomous systems, advanced connectivity and the Internet of Things (IoT) – will provide myriad opportunities across all sectors of the economy. This has been recognised in the UK government’s Industrial Strategy, with “artificial intelligence and the data-driven economy” named as one of four “Grand Challenges”. Digital technologies will also support the success of the other three grand challenges: clean growth, mobility and an ageing society.
However, there is growing awareness that integrating physical and digital systems to create complex and interdependent systems increases risk and vulnerability. Physical systems that are digitally connected include industrial control systems used in critical infrastructure, chemical processes, oil refining and other manufacturing processes. Rapid adoption of the Internet of Things – used in consumer applications such as smart home devices or connected health devices, as well as public space and industrial applications – is increasing the level of connectivity, and will continue to do so as more devices are deployed.
Systems may be controlled by different organisations, with differing objectives that may not be aligned. Systems can also span nations across the globe. For example, multinational companies may monitor sites remotely, or even control them, from a different country.
A report by the Royal Academy of Engineering (RAE), ‘Cyber safety and resilience: strengthening the digital systems that support the modern economy’, describes the new systems and their vulnerabilities, and discusses what actions need to be taken by government, industry, regulators and other stakeholders to improve their cyber safety and resilience.
Systems need to be designed so they can maintain adequate levels of safety during operation, including in the event of a cyber-attack or accidental event, to protect life and property. They also need to be resilient so that they can prepare for, withstand and recover from deliberate attacks or accidental events. The rapid evolution of technology and changing nature of threats means that existing safety regulations across sectors and domains must be revisited to ensure that they integrate safety, security and resilience. Risk management processes used during the design, operation and maintenance, need to be updated and adopted quickly.
The reality of the threat was illustrated in December 2016 when a power distribution station near Kiev in Ukraine was switched off by a cyber-attack, causing the loss of 200 megawatts of capacity and causing a blackout that lasted an hour. Twelve months earlier, a similar attack had disrupted power to more than 200,000 homes in Western Ukraine.
Many systems are dependent on the electricity system, as shown by a flood at an electricity substation in the city of Lancaster in December 2015. The flood caused a 24-hour blackout over the city affecting more than 100,000 people who lost their electricity supply and also the use of the internet, mobile phones, contactless payment, lifts and petrol pumps. A further example is the failure of the baggage-handling system at Heathrow Airport in May 2017. The problem began with a power outage in a data centre, followed by damage to equipment when power was reinstated in an uncontrolled way, resulting in massive disruption to passengers and cost to British Airways.
Large-scale cyber-attacks that take advantage of interconnectedness, such as Wannacry, impact organisations globally. In the UK, the attack caused huge disruption to the operation of the National Health Service (NHS), resulting in 20,000 cancelled appointments and operations. Restoring data and systems affected by the attack incurred considerable cost. The attack also affected logistics companies and companies operating industrial control systems even though the malware was not targeted specifically at them. India was quite badly affected: a newspaper report claims that official statistics underestimate the actual impact.
Privacy, safety and security risks to individuals have increased as IoT devices and systems have become common in the home, workplace and in public spaces. In the health sector, network-connected healthcare devices include implantable devices like pacemakers, wearable technology for monitoring health or levels of activity and large-scale medical equipment like scanners. The risks associated with connected health devices is growing, especially as disruption to their operation could have a serious impact on patient safety and privacy, but there remains a lack of awareness in the sector of the cyber risks and how to manage them.
Many of the vulnerabilities in current systems result from poor quality software, hardware and systems with inadequate security functionality. There is no simple remedy and a combination of measures is required, both regulatory and non-regulatory, proportionate to the criticality of the application. Higher levels of protection are clearly needed for systems that are part of critical national infrastructure or safety-critical systems and the UK Health and Safety Executive has recently published guidance on Cyber Security for Industrial Automation and Control Systems.
Cyber challenges cut across international boundaries. There is a very strong case for bringing together world experts to help develop measures to improve practice. Hardware and software solutions are shaped by market forces in combination with international regulation, and are dominated by big technology multinationals. As yet, there is no consistent international approach on how best to address the regulatory challenges around cybersecurity. Governments, regulators, cybersecurity agencies and industry need to work with their international counterparts to ensure that international standards are sufficiently robust to help deliver safe and resilient systems. Consolidation of national and international knowledge and forums for sharing best practice will help both policymakers and those developing and operating systems.
Improving cyber safety and resilience requires all stakeholders to act together at scale and in a coordinated way, including governments, the engineering profession, operators of critical infrastructure and other systems, and developers of products and components. The evolving nature of the challenges will require continual responsiveness and agility by governments and other stakeholders.
Professor Martyn Thomas is an expert in software engineering and cyber-security and Professor of Information Technology at Gresham College and a Visiting Professor in Software Engineering at the Universities of Manchester, Aberystwyth and Bristol. He is a Fellow of the Royal Academy of Engineering and the Institution of Engineering and Technology.