The UK government recently unveiled its proposed vision for how national cyber-physical infrastructure could accelerate innovation across the UK: “Enabling a National Cyber-Physical Infrastructure to Catalyze Innovation”.
It welcomes views on these proposals from industry, research organizations and the broader public sector, and hopes to understand the “impact and opportunities” for cyber-physical systems and “advance our collective understanding of the… options [to use these systems] unleashing innovation”. It recognizes that “there are a number of risks posed by increasingly connected cyber-physical systems” and that steps need to be taken to ensure they are secure and resilient.
It follows proposals to improve the UK’s cyber resilience announced in January, including the need to future-proof Network and Information Systems (NIS) regulations by introducing new powers for government to extend their scope.
In response to this recent government focus, Charly Davis, Head of Industrials at NCC Group, shares thoughts on some of the key areas of concern.
The focus on using cyber-physical infrastructure in this way is to be welcomed and follows the government’s recent push to strengthen regulatory oversight of critical infrastructure.
We are increasingly seeing the convergence of cybersecurity and security in our always-connected world, and this must also apply to cyber-physical systems given the real security implications that these can have. The proposals are a positive step in that direction, although there are aspects of the paper that require particular attention to ensure the recommendations are fit for purpose over the long term.
Some of the main areas of interest are:
Limiting the Scope
The proposal’s current definition of “cyber-physical systems” requires narrowing to capture only those computing systems with actuators that can affect their operating environment through physical effects including, but not necessarily limited to: momentum, motion, heat, light, sound, senses, chemical reaction, or electromagnetic outputs.
There are numerous systems that can monitor, but not necessarily affect, the physical world, and the current definition captures these. An exclusive focus on digital systems that affect the physical – for example a weather control system that sprays silver iodide into the clouds based on sensor data to make it rain – will support a more targeted approach to the proposal.
Promote a holistic approach to safety and risk management
Building a national cyber-physical infrastructure must focus on secure and resilient systems. The government needs to work closely with sectoral regulators, centers of excellence and international partners to promote a holistic, proportionate approach to safety and risk management.
This must recognize the convergence of security and safety – with cyber resilience being seen as a prerequisite for safety. Security risks will of course differ depending on the application of the system and this must be taken into account as part of proper risk management. While many OT, ICS, and SCADA environments and their assets lack comprehensive monitoring, implementing cross-domain solutions to provide hardened network security control points is critical for absolute threat prevention and secure data availability.
It should also establish clear roles and responsibilities of different actors involved in cyber-physical systems supply chains. Both the physical and the digital will put multiple manufacturers, developers, system owners and operators at risk. When the two come together, it must be clear who is responsible for ensuring the security and cyber resilience of key components.
Proposals must take organizations beyond a “checkbox” approach to compliance and embed a true understanding of the risks associated with cyber-physical systems, in line with the Department for Digital, Culture, Media and Sport (DCMS) “Secure by Design” principles. While the exact approach will vary by sector, a principles-based framework applied by sectoral regulators is at play. As recognized by the government, there are already numerous existing standards and frameworks that could be built upon (including IEC 62443 for industrial control systems or ISO/SAE 21434 for on-road vehicle cybersecurity technology).
Many cyber-physical systems are underpinned by algorithmic autonomy, often of a “black box” nature. Because these systems are placed on networks and configured to consume and process data and make output decisions without humans knowing much about what is happening, attackers have several exploitable vectors that could disrupt operations. Therefore, it is important that clear processes are in place to review technologies before they are deployed and that mechanisms are in place to ensure their performance is continuously evaluated.
To ensure that these proposals include a truly holistic approach to cyber security and risks, government must be willing to engage regularly and systematically with academics and industry. There is a wealth of expertise in this area that could be drawn on through secondments to the National Cyber Security Centre’s Industry 100 (i100), government consultations and calls for evidence, or advisory groups and councils.
As well as outlining and controlling risks associated with cyber-physical systems, if the UK is to truly pioneer this area, we must also define our risk appetite – drawing the red lines in terms of security and resilience.
Starting from the need to make cyber-physical systems secure by design, we need to consider the skills of those working across the supply chain – from engineering to software development. As a minimum, relevant engineering and software development education programs should reflect cybersecurity as part of the systems development process.
Targeted investments in AI and machine learning skills are also needed to address the lack of experts with deep technical understanding of algorithmic tools. There is also a need to develop specialists capable of bridging the gap between the design and development of a cyber-physical system and cyber security good practice. This should be done through one or more appropriate government-appointed bodies such as the Engineering Council and the UK Cyber Security Council – the new standard-setting body for the cybersecurity industry, which is developing cyber career specializations as part of its approach to bridging the skills gap in the cyber security industry.
The need for thoughtful training would also protect the UK’s global standing on cyber-physical systems issues. There is a risk that as a nation we will use frameworks developed by other nations and rely on the assurances they give regarding the security of those frameworks. Of course, a globally harmonized approach would be the best outcome for industry; in addition, pushing global standards creates opportunities for the adoption of UK-developed and proprietary IP and ensures interoperability across the global supply chain. But that aside, a position where the UK is the producer of core frameworks (which others could then use) would be preferable to depending on other nations.
Technical research, development and infrastructure
A cyber-physical systems framework must also address the challenges posed by legacy operational technology (OT). There is a danger that current approaches to cyber-physical infrastructures will see digital transformation simply as a layering of IT over OT, which was never designed with intelligent functionality in mind. OT assets are more likely to contain components that use older, less secure software that may no longer be supported. The eagerness to sweat assets and the reluctance to replace them must be addressed, and the government must take steps to identify obsolete technologies that cannot mitigate these cyber risks and establish a timeline for their phase-out.
Also, it is often difficult to quantify the risks associated with legacy OT. It is almost impossible to make informed decisions about which OT systems pose the greatest security risk and should therefore be prioritized when investing in cybersecurity measures. To address this, government, industry and academia must work together to embrace and promote the concept of cyber as a science. This includes the development of cyber metrics and risk quantification from an established baseline so that risks can be measured reliably and expressed in an informed manner. A data and evidence-based approach should also be adopted, ensuring that products and services can demonstrate their effectiveness in reducing cyber risk and helping organizations to assess whether their actions are significantly improving a system’s cyber resilience.
Therefore, clearly defining and establishing a long-term strategy for cyber-physical systems that takes the above factors into account will support real innovation in this field.