Source: safety.addalot.se/upload/2017/1-2 Oates.pdf
Trusted to deliver excellence
© 2017 Rolls-Royce plc
The information in this document is the property of Rolls-Royce plc and may not be copied or communicated to a third party, or used for any purpose other than that for which it is supplied without the express written consent of Rolls-Royce plc.
This information is given in good faith based upon the latest information available to Rolls-Royce plc, no warranty or representation is given concerning such information, which must not be taken as establishing any contractual or other commitment binding upon Rolls-Royce plc or any of its subsidiary or associated companies.
Engineering Safety and Security in the era of the Industrial Internet of Things
Dr Robert Oates
Private – Rolls-Royce Proprietary Information
Talk Structure
- Who am I?
- What is Product Cyber Security?
- Why is it important to understand the interactions between safety and security?
- How do safety and security interact?
Product Cyber Security Team
Businesses:
• Civil Aerospace
• Defence Aerospace
• Marine
• Nuclear
• Power Systems
Team activities:
• Process Improvement
• Auditing
• Standardisation & Best Practice
• Project Support
• Tooling
Sources of Product Cyber Security Risk
Attacker Capability / Motivation
Technical Sources
Cultural Sources
Technical Sources of Risk
• Higher Performance Systems
• Hyperconnectivity
• COTS
• Big Data
All of these feed: Technical Cyber Risk
Example: Maritime Sector
Diagram labels: Vessel, Crew, Organisation; Thrust, Heading; Automation Functions, Monitoring Functions, Remote Operation; IoT Components, IoT Services; axes: Likelihood, Impact.
• Data driven services
• Automation and remote access
• Wireless sensor networks
• Internet of Things
Attacker Capability – Who is attacking?
CNI Attackers (From GAO):
• Nation states
• Terrorists
• Industrial spies and organised crime
• Hacktivists
• Hackers
Attacker resources
Attacker Capability / Motivation
What can we do about PCS Risk?
• People
• Process
• Technology
Risk Driven Design Processes
Inputs:
i) Organisation: What's our risk appetite?
ii) Functional Requirements: What are we making?
Flow:
Initial Design to Design Principles → Technical Risk Assessment → Are risks acceptable?
• yes → Next phase
• no → Identify Mitigations → Risk Treatment Plan → Update Design, then re-enter the Technical Risk Assessment
Secure Development Objectives
Innate Security: security requirements across all sub-systems to ensure that the system is secure at the system level
Reactive Security: active security features/subsystems that detect and react to intrusions
Information Assurance: the argument that the system is secure, through life
Changing Cultures
Security is everybody’s responsibility
Training
Routes to escalation
Incident response planning
Security Champions
Communication
Changing Cultures
Proportionate, risk-based controls
Keep costs down
Keep risks down
Understand risk
Risk Sources
Risk (centre of the diagram) arises from:
• Cyber Security → Attacks
• Safety → Accidents
• Economic → Financial Loss
Statement 1
Product cyber security is a risk source that needs to be addressed
Fundamental Question
Can a software intensive system be deemed safe if it isn't secure?
The Enemies of Safety / The Results of Attacks
Non-determinism
Uncontrolled change
Poor communication/understanding
SECURITY, SAFETY, CRYPTO (the slide shows the three terms separated by ≠: they are not the same thing)
Risk Driven Design Processes
Statement 2
Understanding the link to safety can make things
1. Safer
2. More secure
3. Cheaper
Risk Direction: Safety
Supplier → Customer: Safety Risk
Customer → Supplier: Financial Risk / Recompense
Risk Direction: Security
Parties: Supplier, Customer, Attacker
The Attacker introduces the Security Risk; Legal Risk and Recompense flow between Customer and Supplier
Patching safety critical systems
Actors: Vulnerability Researcher, Supplier, Malicious Actors, System Integrator
Stages (diagram labels, in slide order): Discovery; Research; ?; Exploitation; Research; ?; Remedial actions; Patch application; Testing and recertification; Patch creation
Patching safety critical systems (continued)
Actors: Vulnerability Researcher, Supplier, Malicious Actors, System Integrator
Each Discovery starts a Response cycle: Discovery → Patch application → Testing and recertification; the slide shows three such cycles, with further Discoveries continuing ( . . . ).
Design Principles in Opposition: Diversity
Two diverse systems, System A and System B, receive the same Inputs and produce the Outputs.
Safety view: P(failure) = 0.0001 for a single system; for the diverse pair P(failure) = (0.0001)^2. Uncertainty: Low, de-risked from extensive testing and well established process. Verdict: Low risk system (label fragment: "Extremely").
Security view: Likelihood of attack? Each system contributes Implementation specific vulnerabilities, Specification vulnerabilities and Component vulnerabilities. Verdict: Risky system!
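Worked equations, added here and not part of the slide, making the two readings of the diversity diagram explicit; they take the slide's per-system failure probability and, as the slide's product does, treat the two systems' failures as independent.

$$P(\text{both fail}) = P(A\ \text{fails})\,P(B\ \text{fails}) = 0.0001 \times 0.0001 = (0.0001)^2 = 10^{-8}$$

For an attacker the relevant quantity is not the joint failure but the union of the two vulnerability sets. With $V_A$ and $V_B$ the implementation-specific, specification and component vulnerabilities of each system, the pair exposes $V_A \cup V_B$, and $|V_A \cup V_B| \ge \max(|V_A|, |V_B|)$: diversity can only enlarge the set an attacker may choose from. If each system independently has probability $q$ of carrying at least one exploitable vulnerability, the probability that the pair offers at least one exploitable entry point is

$$P(\text{at least one exploitable}) = 1 - (1-q)^2 = 2q - q^2 \approx 2q \qquad (q \ll 1),$$

while specification vulnerabilities common to both implementations of the same specification lie in $V_A \cap V_B$ and are not reduced by diversity at all. The same design decision therefore drives the safety figure down and the "Likelihood of attack?" up.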
Understanding Risk
Overlapping circles: Safety and Security; Data Safety and Cyber Security
Common ground:
• System level quality factors
• Through life quality factors
• Preventing harm
• Design principles
• Risk driven design change
• Controls that are proportionate to risks
Technology
Resist | Detect and React
• Network architecture
  - Interface control
  - Firewalls
  - Data diodes
  - Segregation
• Protocol Selection
• Cryptographic techniques
  - Cryptographic agility – quantum!
  - Legal issues
• Multi-source localisation
• Manual override
• IDS
  - What is normal?
  - Interaction with watchdogs
  - Does "Adaptive" = "Non-deterministic"?
• Logging
  - Review processes
• Reactions
  - Security responses shouldn't compromise safety
  - Safety responses shouldn't compromise security
…but there are things missing.
Systems Engineering for Safety and Security
• Is a truly common risk model possible?
Efficient Incident Response
• Design for Forensics
• Team members
Intelligence Focus
• Where do you get threat intelligence from?
• How do you embed live intelligence into an engineering/maintenance process?
Statement 3
The interactions are complex. Some solutions exist, but there is a way to go
In Conclusion
1. Product cyber security is a risk source that needs to be addressed
2. Understanding the link to safety can make things
   1. Safer
   2. More secure
   3. Cheaper
3. The interactions are complex, solutions exist but there is a way to go