The UK government recently presented its proposed vision for how national cyber physical infrastructure could accelerate innovation across the UK: ‘Enabling a National Cyber Physical Infrastructure to Catalyze Innovation‘.
Welcoming feedback on these proposals from industry, research institutions, and the public sector at large, he hopes to understand the “impact and opportunities” for cyber-physical systems and “advance our collective understanding of…options.” [to use these systems] to unleash innovation. In doing so, he acknowledges that “there are a variety of risks that come from increasingly connected cyber-physical systems” and that steps must be taken to ensure they are secure and resilient.
It follows proposals to improve the UK’s cyber resilience, announced in January, which included the need to future-proof the Network and Information Systems (NIS) Regulations by introducing new powers for the government to extend their reach.
In response to this latest Government focus, Charly Davis, Head of Industrials at NCC Group shares insights on some of the key areas of interest.
The focus on utilizing cyber-physical infrastructure in this way is welcome and follows the government’s recent push to strengthen regulatory oversight of critical infrastructure.
We are increasingly seeing the convergence of cybersecurity and security in our always-connected world, and this needs to apply to cyber-physical systems given the real-world security implications they can have. The proposals are a positive step towards this, although there are aspects of the document that require close attention to ensure that the recommendations are fit for purpose in the long term.
Some of the key areas of interest are:
narrowing the scope
The current proposed definition of ‘cyber-physical systems’ requires narrowing down, to capture only those computer systems with actuators that can affect their operating environment through physical effects including, but not necessarily limited to: momentum, motion, heat, light, sound, sense, chemical reaction or electromagnetic outputs.
There are numerous systems that can monitor but do not necessarily affect the physical world, and the current definition captures them. Focusing solely on digital systems that influence the physical, for example a climate control system that, based on sensor data, sprays silver iodide into clouds to make it rain, will help a more targeted approach for the proposal.
Promoting a holistic approach to security and risk management
The establishment of a national cyber-physical infrastructure must have secure and resilient systems at its core. The government should work closely with industry regulators, centers of excellence and international partners to promote a holistic and proportionate approach to security and risk management.
This must recognize the convergence of safety and security, and cyber resilience is seen as a prerequisite for security. Security risks will, of course, differ depending on the system application and this should be reflected as part of a proportionate risk management. While many OT, ICS, and SCADA environments and their assets lack comprehensive monitoring, implementing cross-domain solutions to provide hardened network security checkpoints for absolute threat prevention and secure data availability is vital.
It should also establish clear roles and responsibilities of various actors involved in cyber-physical system supply chains. Both physical and digital will engage multiple manufacturers, developers, system owners, and operators. When the two converge, there must be clarity about who is responsible for ensuring the security and cyber resiliency of key components.
The proposals should take organizations beyond a ‘tick boxes’ approach to compliance, incorporating a true understanding of the risks associated with cyber-physical systems, in line with the Department for Digital, Culture, Media and Sport (DCMS)’ Secure by Design’ principles While the exact approach will differ by sector, there is a role for a principles-based framework applied by sector regulators. As the Government acknowledges, there are already numerous existing standards and frameworks on which it could build (including IEC 62443 for industrial control systems, or ISO/SAE 21434 for road vehicle cybersecurity engineering).
Many cyber-physical systems are underpinned by algorithmic autonomy, often of a ‘black box’ nature. Placed on networks and configured to consume and process data, producing exit decisions without humans having much knowledge of what is happening, it provides adversaries with multiple exploitable vectors that could disrupt operations. Therefore, it is vital that clear processes are put in place to review technologies before they are implemented, and that mechanisms are in place to ensure their performance is continually assessed.
To ensure that these proposals integrate a truly holistic approach to cyber security and risk, the government must be prepared to regularly and systematically engage with academia and industry. There is a wealth of expertise in this space, and it could be done through Industry100 (i100) affiliations from the National Center for Cyber Security, government consultation and evidence calling, or advisory groups and councils.
As well as outlining and controlling the risks associated with cyber-physical systems, if the UK is to truly pioneer in this area, we must also define our appetite for risk, drawing the red lines with regard to safety, security and resilience.
Building on the need to make cyber-physical systems secure by design, we must consider the skill set of those working in the supply chain, from engineering to software development. At a minimum, relevant software development and engineering educational programs should reflect cybersecurity as part of the system development process.
An investment in focused AI and machine learning skills is also needed to address the shortage of experts with a deep technical understanding of algorithmic tools. There is also a need to develop specialists who can bridge the gap between the design and development of a cyber-physical system and good cyber security practices. This should be done through one or more appropriate government-appointed bodies, such as the UK Engineering Council and Cyber Security Council, the new standards-setting body for the cyber security industry being developed. cyber career specialties as part of their approach to bridging the cyber security skills gap.
The need to upgrade skills would also protect the UK’s global position in cyber-physical systems. There is a risk that, as a nation, we use frameworks developed by other nations, relying on the guarantees they provide on the security of those frameworks. Of course, a globally harmonized approach would be the most preferable outcome for the industry; In addition, driving global standards creates opportunities for UK-developed and protected intellectual property to be adopted, and ensures interoperability across the global supply chain. However, short of that, a position where the UK is the producer of basic frameworks (which could then be used by others) would be preferable to being dependent on other nations.
Technical research, development and infrastructure
A framework for cyber-physical systems must also take into account the challenges presented by operational legacy technology (OT). There is a danger that current approaches to cyber-physical infrastructure see digital transformation as simply layering IT over OT that was never built with intelligent functionality in mind. OT assets are more likely to include components that use older, less secure software that is no longer supported. The sweat sweat and reluctance to replace must be addressed, and the government must take steps to identify legacy technologies where these cyber risks cannot be reduced and introduce a timeline to eliminate them.
It is also often difficult to quantify the risks associated with inherited OT. It is nearly impossible to make informed decisions about which OT systems pose the greatest security risk, and therefore should be prioritized for investment in cyber security measures. To address this, government, industry, and academia must work together to embrace and promote the concept of “cyber as a science.” This includes developing cyber metrics and risk quantification, from an established baseline, to enable risk to be reliably measured and expressed in an informed manner. A data and evidence-driven approach should also be taken, ensuring that products and services can demonstrate their effectiveness in reducing cyber risk, helping organizations assess that what they are doing substantially improves a system’s cyber resilience posture. .
Consideration of the above factors, to clearly define and establish a strategy for cyber-physical systems in the long term, will therefore support true innovation in the field in the long term.