[SystemSafety] Safety and Cybersecurity. Again.

Mike Ellims michael.ellims at tesco.net
Mon May 15 11:46:39 CEST 2017


These are probably relevant...

Today: Jeremy Hunt was warned last summer that the NHS was failing to prioritise cybersecurity and continued to use obsolete computer systems, the Times reported.

The Care Quality Commission and Dame Fiona Caldicott, the national data guardian, wrote to the health secretary to point out a worrying “lack of understanding of security issues” and that “the external cyberthreat is becoming a bigger consideration”.

From https://www.theguardian.com/technology/live/2017/may/15/ransomware-attacks-uk-government-defends-investment-in-security-live


And from 2010:

The Department of Health is ending the £500m deal between Microsoft and the health service in England
A DoH spokesperson confirmed that it will not renew its contract with the software firm for 900,000 licences for Microsoft's PC software, which was due for renewal this year. "The Department of Health has already invested so that NHS trusts are able to have access to the latest versions of Microsoft desktop software," the spokesperson told SmartHealthcare.com on 15 July 2010. "Future investment decisions will be taken at a local level, in line with the proposals set out in the white paper published this week."

https://www.theguardian.com/government-computing-network/2010/jul/15/doh-axes-nhs-wide-microsoft-contract-15jul10


Which was updated in an article today...

The government made the decision not to extend the deal, but instead pay £5.5m for support from Microsoft for the old operating systems. That deal ended a year ago and hospital trusts were advised to move to a more up-to-date system, which would have the latest security updates. Perhaps if health secretary Jeremy Hunt understood tech better – he says he does – last week’s ransomware attack might have been averted. Updating systems would not have been a choice for trusts, but something mandated by central government. One would hope Hunt has aides more computer-savvy than he – but I’m not entirely sure he does. The Tories used to have an expert in Rohan Silva, but not even he is around anymore.

https://www.theguardian.com/commentisfree/2017/may/15/prevent-cyberattacks-tech-experts-nhs-ransomware-attack

And some more background here...

https://www.theguardian.com/commentisfree/2017/may/13/nhs-computer-systems-insufficient-funding


-----Original Message-----
From: systemsafety [mailto:systemsafety-bounces at lists.techfak.uni-bielefeld.de] On Behalf Of Peter Bernard Ladkin
Sent: 15 May 2017 07:45
To: The System Safety List
Subject: [SystemSafety] Safety and Cybersecurity. Again.

IEC 61508:2010 is the latest edition of the general functional safety standard for E/E/PE systems.
IEC 61511:2016 is the latest edition of the functional safety standard for E/E/PE systems in IACS.

Last Thursday I gave a short talk (twice) to the German electrotechnical standardisation organisation DKE's annual one-day get-together event, now called the Innovation Campus. The theme of the Campus was, amongst other things, functional safety and cybersecurity.

It turns out you can put the *entire* collection of clauses in IEC 61508:2010 in which cybersecurity is mentioned on 5 easily-readable slides, and those in IEC 61511:2016 on 6 slides.

Then I listed 10 cybersecurity vulnerabilities that have occurred in incidents in nuclear power plants, as noted in the Chatham House report of October 2015. They are all observations of behaviour by means of which malware could easily enter (in some cases, did enter) the IACS. Some of them go back decades.

I asked the rhetorical question: which of these incidents would have been avoided by following the current guidance in IEC 61508 and IEC 61511? The answer is: none.

Concerning the current brouhaha about WannaCry and the UK National Health Service, many systems in the NHS are still running Windows XP, which Microsoft stopped supporting in 2014, and which is vulnerable to the malware. On 6 July, 2016 the Care Quality Commission and the UK National Data Guardian published a report on data security within the NHS. In their letter to the Secretary of State for Health, Jeremy Hunt, they made inter alia 13 recommendations on data security. The 4th was: "Computer hardware and software that can no longer be supported should be replaced as a matter of urgency. [CQC]" (The acronym in brackets indicates that this derives from the Care Quality Commission.)
https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/534790/CQC-NDG-data-security-letter.pdf

Over the winter and continuing, there have been and are constant reports that the NHS is unusually strapped for cash. Replacing computer systems of course costs money.

How does this concern E/E/PE system safety professionals? Pervasive ransomware and critical-care systems is obviously a safety issue. Estimates will likely be derived of how many people died or suffered because of this WannaCry/NHS incident, although they will mostly rely on indirect inference.

In case people haven't yet noticed, cybersecurity is the elephant in the room. I'd like to say that E/E/PE safety assessors who don't assess systems according to the basics of cybersecurity are performing an inadequate job. But the standards to which they are assessing conformance don't say that, as I pointed out last Thursday.

In any case, what are the "basics" of cybersecurity? In the UK, it used to be the Cyberessentials program. It was supposed to be something quick and easy for SMEs. But last October the first large UK defence supplier to qualify in the program gave me an indication of how much effort was required. It was enormous. Consider the supply-chain assurance alone, when you have over 100,000 suppliers and a chain of length at least 15 (I understood I could use such example figures). A colleague who is a one-person cybersecurity consultant took months to figure out what he needed to do and how. I don't think that is what the program was conceived to do.

But at least it was a program, an attempt to get everyone pervasively "clean" on the "basics", whatever they may be. In Germany, there is guidance through the BSI, lots of it, documents without end, but there has not yet been an attempt to get the ducks all in the one and same row, as in the UK.

One may well ask what the point of a Cyberessentials program is, when government suppliers must conform but major government-funded organisations such as the NHS do not have to do so.

It's time for Bruce Schneier's monthly Crypto-Gram newsletter. Schneier has been complaining regularly about the practice of government cybersecurity agencies in hoarding vulnerabilities for future use and deriving exploits for them (so-called zero-day exploits). Apparently WannaCry was one of the devices in the Shadow Brokers' recent publication of NSA-hoarded exploits. I'm sure May's Crypto-Gram will include an "I told you so" note.

Microsoft issued a patch for supported systems already in March. In case you haven't heard and come across Windows XP systems, Microsoft has published a patch now also for Windows XP.

PBL

Prof. Peter Bernard Ladkin, Bielefeld, Germany MoreInCommon Je suis Charlie
Tel+msg +49 (0)521 880 7319  www.rvs-bi.de






