Securing cyber-physical infrastructure

The UK Government recently presented its proposed vision for how national cyber-physical infrastructure could accelerate innovation across the UK: ‘Enabling a National Cyber-Physical Infrastructure to Catalyse Innovation’.

Welcoming views on these proposals from industry, research institutions and the wider public sector, it hopes to understand the “impact and opportunities” for cyber-physical systems, and “advance our collective understanding of the…options [to use these systems] to unleash innovation”. In doing so, it recognises that “there are a range of risks that come from increasingly connected cyber-physical systems” and that steps need to be taken to ensure they are secure and resilient.

It follows proposals to improve the UK’s cyber resilience, announced in January, which included the need to future-proof the Network and Information Systems (NIS) Regulations by introducing new powers for the government to expand its scope.

Responding to this latest focus from the Government, Charly Davis, Head of Industrials at NCC Group shares thoughts on some of the key areas of interest.

The focus on utilising cyber-physical infrastructure in this way is a welcome one, and follows the government’s recent push to strengthen regulatory oversight of critical infrastructure.

We’re increasingly seeing the convergence of cyber security and safety in our ever-connected world, and this must apply to cyber-physical systems given the real-world safety implications these can have. The proposals are a positive step forward to this, though there are aspects of the paper that require keen attention to ensure the recommendations are fit for purpose, for the long-term.

Some of the key areas of interest are:

Narrowing the scope

The proposal’s current definition of ‘cyber-physical systems’ requires narrowing, to capture only those computer systems with actuators that can affect their operating environment through physical effects including, but not necessarily limited to: momentum, movement, heat, light, sound, sense, chemical reaction or electro-magnetic outputs.

There are numerous systems that may monitor the physical world though not necessarily affect it, and the current definition captures those. Focusing solely on digital systems that influence the physical – for example, a weather control system that, based on data provided by sensors, sprays silver iodide into clouds to make it rain – will aid a more targeted approach for the proposal.

Promoting a holistic approach to security & risk management

Establishing a national cyber-physical infrastructure must have secure and resilient systems at its heart. The government must work closely with sectorial regulators, centres of excellence and international partners to promote a holistic, proportionate approach to security and risk management.

This must recognize the convergence of security and safety – with cyber resilience being seen as a prerequisite to safety. Safety risks will, of course, differ depending on the application of the system and this must be reflected as part of proportionate risk management. While many OT, ICS and SCADA environments and their assets lack comprehensive monitoring the implementation of cross domain solutions to provide hardened network security checkpoints for absolute threat prevention and secure data availability are vital.

It should also establish clear roles and responsibilities of various actors involved in cyber-physical system supply chains. Both the physical and the digital will compromise multiple manufacturers, developers, system owners and operators. When the two converge, there must be clarity on who is responsible for ensuring the security and cyber resilience of key components.

The proposals must move organisations beyond a ‘tick box’ approach to compliance, embedding a true understanding of the risks associated with cyber-physical systems, in line with the Department for Digital, Culture, Media & Sport (DCMS) ‘Secure by Design’ principles. While the exact approach will differ by sector, there is a role for a principles-based framework, applied by sectoral regulators. As the Government recognises, there are already numerous existing standards and frameworks this could be built upon (including IEC 62443 for industrial control systems, or ISO/SAE 21434 for road vehicle cybersecurity engineering).

Many cyber-physical systems are underpinned by algorithmic autonomy, often ‘black box’ in nature. Placed onto networks and configured to consume and process data, producing output decisions without humans having much knowledge of what’s happening, it gives adversaries multiple exploitable vectors that could disrupt operations. It is therefore vital that clear processes are established to vet technologies before they are deployed, and mechanisms are in place to ensure their performance is continuously evaluated.

To ensure these proposals embed a truly holistic approach to cyber security and risk, the Government must be prepared to regularly, systematically engage with academics and industry. There is a wealth of expertise in this space, and could be done through secondments to the National Cyber Security Centre’s Industry100 (i100), government consultations and call for evidence, or advisory groups and councils.

Alongside outlining and controlling for risks associated with cyber-physical systems, if the UK is to truly pioneer in this area, we must also define our risk appetite – drawing the red lines with regard to security, safety and resilience.

Upskilling

Drawing from the need to make cyber-physical systems secure by design, we must consider the skill set of those working across the supply chain – from engineering to software development. As a minimum, relevant engineering and software development educational programmes should reflect cyber security as part of the system development process.

Focused skills investment in AI and machine learning is also needed to address the shortage of experts with deep technical understanding of algorithmic tools. There is also a need to develop specialists who are able bridge the gap between the design and development of a cyber-physical system and good cyber security practice. This should be pursued through one or more appropriate Government-appointed bodies, such as the Engineering Council and the UK Cyber Security Council - the new standards-setting body for the cyber security industry which is developing cyber career specialisms as part of its approach to taking the cyber security skills gap.

Working globally

The need for considered upskilling would also protect the UK’s global standing on matters of cyber-physical systems. There is a risk that, as a nation, we will be using frameworks developed by other nations, reliant on the assurances that they provide in the security of those frameworks. Of course, a globally harmonised approach would be the most preferable outcome for industry; in addition, driving global standards creates opportunities for UK-developed and protected intellectual property to be adopted, and ensures interoperability across the global supply chain. However, stopping short of that, a position where the UK is the producer of core frameworks (that others might then use) would be preferable to a reliance on other nations.

Technical research, development and infrastructure

A framework for cyber-physical systems must also account for the challenges presented by legacy operational technology (OT). There is a danger that current approaches to cyber-physical infrastructure see digital transformation as simply layering IT over OT that was never built with smart functionality in mind. OT assets are more likely to include components that use older, less secure software that may no longer be supported. The eagerness to sweat and reluctance to replace must be addressed, and the Government needs to take steps to identify legacy technologies where these cyber risks cannot be reduced and introduce a timeline to phase them out.

It is also often difficult to quantify the risks associated with legacy OT. It is almost impossible to make informed decisions about which OT systems pose the biggest security risk, and should therefore be prioritised for investment in cyber security measures. To tackle this, Government, industry and academia must work together to embrace and promote the concept of “cyber as a science”. This includes developing cyber metrics and risk quantification, from an established baseline, to allow risk to be reliably measured and expressed in an informed way. A data and evidence-based approach should also be adopted, ensuring that products and services can demonstrate their efficacy in reducing cyber risk, helping organisations to assess that what they are doing materially improves a system’s cyber resilience posture.

Consideration of the above factors, to clearly define and establish a strategy for cyber-physical systems in the long term, will therefore support true innovation in the field for the long-term.