[SystemSafety] Partly Off Topic: What Happens in October [No Classification]

Barnes, Robert A (NNPPI) Robert.Barnes2 at rolls-royce.com
Tue Oct 18 12:16:39 CEST 2016



On the SSCS and cyber security:

Yes, cyber security for cyber-physical systems is a bit of a mess.  There are a multitude of reasons for this, and none of them are specific to security engineering.  These are often the "crooked timber" that Les Chambers talked about, amplified by a culture that dumps security risks onto the consumer.  However, if Dr Ian Levy of the new National Cyber Security Centre is to be believed, we're not all doomed; government is going to take a more proactive role, including naming and shaming organisations that consistently fail to live up to expectations.  We're also getting more realistic about the threat to these systems.  Sure, there are nation-state actors out there with expansive resources, but they're exercising vulnerabilities that are years old and it's reasonably practicable to defend systems against this.  Often, the greatest problem facing a security practitioner in an organisation is trying to sell the benefits of security to her superiors and colleagues.  The application of security is a human problem.

On SSCS and updating safety systems:

Firstly, what are we attempting to achieve by patching systems?  Patches are an attempt to rectify deficiencies in a system, whatever the cause or the affected performance attribute.  The reoccurring bone of contention with patching to address security vulnerabilities is safety certification: changing the software changes the system and recertification is therefore necessary.  However, there is always more than one way to skin a cat and patching is just one way of managing a known vulnerability.  Firewall rules can be updated, patterns can be added to intrusion detection systems to recognise when the vulnerability is being exploited.  We go forward with compensating controls, cognisant of the risk, until we reach an opportunity to update the software and clean the slate.  Arguably, the new software version will have unknown vulnerabilities in it, but if the software is from a competent software house, these will be fewer than the version before, and so we progress.

-----Original Message-----
From: systemsafety [mailto:systemsafety-bounces at lists.techfak.uni-bielefeld.de] On Behalf Of Peter Bernard Ladkin
Sent: 18 October 2016 07:29
To: The System Safety List
Subject: [SystemSafety] Partly Off Topic: What Happens in October

Might it more appropriately be parsed as Partly-Off Topic than as Partly Off-Topic?

So what always happens in October? The Nobel Prizes and the SSCS.

First, Nobel.

It's grand to see a bard honored.
https://abnormaldistribution.org/index.php/2016/10/18/a-dylan-encomium/

It's also grand for this Brit, cognisant of the hitherto advantages of British academics, to see five Brits in four of the five science prizes. While the people are deserving, I don't think it's that Brits are smarter. It's that tertiary education allows exceptional talent more easily to develop to the standard of which it is capable.

But then, one notices. One Japanese, in Japan. Two Frenchmen, in France. One Dutchman, in the Netherlands. Five Brits - in the US (along with a Finn.) A half-century ago, we used to call it the brain drain. It hasn't stopped, and all indications are that it's about to get a lot worse.

Some people come back, Fields Medal winner Andrew Wylie, for example. Not a lot.

When I pointed this out, a colleague said "so what?" I think it's a big deal. I don't think either British science or European science is better off for many of its stars leaving. It's not symmetric travel, as it might be in a more balanced world.

It's not even symmetric inside Europe. The Anglo-American penchant for continued productivity even amongst the top research personnel, as well as humane academic career development prospects, have made UK academic careers attractive to Europe's best young scientists (not just scientists). That has put pressure on other national academic systems, such as the one I work in, to improve (that's partly why I'm here - but I think I came thirty years too early......enough said).

That appears about to end with a thud. As yet there aren't even any believable proposals for maintaining the status quo ante for those already in the UK. Sickening, and insulting. I guess it's what happens when you leave politics to politicians.  The rest of Europe is worse off, because the pressure is now off often dysfunctional and non-transparent national research systems to continue to clean up their collective acts in response to more attractive career conditions elsewhere.

Second, SSCS.

First, the non-news. Cybersecurity is a mess. We knew that, but we can divide it more finely.

There is the sociopolitical mess. The IPT has just ruled that GCHQ's data collection for most of the last two decades was illegal https://www.theguardian.com/world/2016/oct/17/uk-security-agencies-unlawfully-collected-data-for-decade
The solution? Make it now legal. That's all right then. I anticipate SSCS will continue to have almost nothing to say about all this. Where do we go for this debate? Chatham House? This shouldn't be left for politicians.

Then there is the technical mess. The good news may be that GCHQ, and now NCSC, has plenty of very smart technical people, one of whom, head of NCSC, gave a scintillating half-keynote following Martyn's first half. A lively and resounding start to the conference of the very first order.
Profuse thanks to both, and kudos to Carl for getting it to happen. This will be on IET.tv at some point. I do recommend people look at the video.

A hint for those concerned with Cyber Essentials, a British government computer security program.
Something I found out Wednesday - if you're one person or a couple of people running a standard OS with the delivered configuration of iptables, you don't leave a machine turned on when you're not using it, and you don't have NAS, then as long as you've changed the default PW on your router you probably qualify for Cyber Essentials. I didn't realise that. But don't quote me on these details - I am not a Cyber Essentials assessor.

The elephant in the room with me is how to reconcile the update cycles for safety and security.
Safety requires careful and thorough impact analysis before updating; security requires one react quickly to zero-day vulnerabilities. Anyone have any ideas about how to reconcile these? Nope. Not even when it's in the title of a talk. (Although Altran seems to have some technology that might help, which they didn't talk about here.)

I did learn something, though. Besides DIS IEC 62859 trying to do safesec for nuclear power plants and the NWIP for safesec of machinery now before the IEC, I learned about ISA 84.00.09-2013
https://www.isa.org/store/products/product-detail/?productId=118130  As usual it costs a lot of money, so I'm now trying to find a version it is within the scope of DKE to let me read.

PBL

Prof. Peter Bernard Ladkin, Bielefeld, Germany MoreInCommon Je suis Charlie
Tel+msg +49 (0)521 880 7319  www.rvs-bi.de





