[SystemSafety] Partly Off Topic: What Happens in October [No Classification]

Barnes, Robert A (NNPPI) Robert.Barnes2 at rolls-royce.com
Tue Oct 18 15:41:05 CEST 2016


This message has been marked as No Classification by Barnes, Robert A (NNPPI)


Peter, I'm afraid that the answer is: "It's complicated."

Without detailed knowledge of the system, it's not possible to give any sound advice on compensating controls.  Should you stop all trains that rely on the system?  Well, that will depend on the risk.  If the system cannot be operated with an acceptable level of risk to safety, and there are no alternative or compensating safety or security controls that would allow for continued operation, then the only sane thing to do would be to shut it down.  However, that's really going to be an option of last resort after all the other alternatives (including falling back to line-side signalling or other degraded modes of operation) have been carefully considered with input from all stakeholders.  Basically, let's not run around with our hair on fire every time we find a vulnerability.

I have the Chatham House report in front of me on my desk right now and I do not feel that it accurately reflects the situation in the UK civil nuclear industry.  I don't believe that the situation that we have is perfect either, but I am content that it is as good as can be expected given the conservatism and relatively slow pace of change within the industry (apologist, I know!).  The same conservatism may have also helped to prevent some of the more significant blunders that we've seen elsewhere, e.g. safety systems connected to the Internet (!).

The situation elsewhere is obviously different, where there have been some serious gaffes on the part of NPP operators.  These should stand as lessons learned, especially around the limitations of the air-gap, which has been the traditional defence of I&C.  Ian Levy was right to poke fun at air-gaps last week: the definition of foolishness is doing the same thing and expecting the results to be different.  Experience has taught us that air-gaps get bridged for operational and maintenance reasons all the time, so if that's your one and only line of defence then you deserve all you get, really.

-Rob

I should point out that the opinions expressed here are my own and not that of my employer.

-----Original Message-----
From: Peter Bernard Ladkin [mailto:ladkin at causalis.com]
Sent: 18 October 2016 13:04
To: Barnes, Robert A (NNPPI); The System Safety List
Subject: Re: [SystemSafety] Partly Off Topic: What Happens in October [No Classification]



On 2016-10-18 13:11 , Barnes, Robert A (NNPPI) wrote:
> This is quite a specific example and I'd argue that, if the security 
> case rests on a single point of failure in non-assured software, 
> something has gone horribly wrong in the design and development of this system!

Well, sure. I'm sure Apple would agree. That observed, what's the answer to my question?

Supply chain assurance is one of the three biggies in HMG's cybersecurity program, according to the Chief Scientific Advisor, Anthony Finkelstein (the other two are physics of computation, and behavioural science). Part of that - most of that - is ensuring you don't assure inadequate SW.

The reality in IACS is more like what was described for NPPs in last October's Chatham House report which I referenced earlier this year.

> Defence in depth has become an accepted principle in safety 
> engineering, and it is just as valid in security.

And it's been an overt principle of NPPs since the beginning. It still doesn't hinder situations such as those described in the Chatham House report.

PBL

Prof. Peter Bernard Ladkin, Bielefeld, Germany MoreInCommon Je suis Charlie
Tel+msg +49 (0)521 880 7319  www.rvs-bi.de