[SystemSafety] Safety and Cybersecurity. Again.

Peter Bernard Ladkin ladkin at causalis.com
Mon May 15 08:44:54 CEST 2017


IEC 61508:2010 is the latest edition of the general functional safety standard for E/E/PE systems.
IEC 61511:2016 is the latest edition of the functional safety standard for E/E/PE systems in IACS.

Last Thursday I gave a short talk (twice) to the German electrotechnical standardisation
organisation DKE's annual one-day get-together event, now called the Innovation Campus. The theme of
the Campus was, amongst other things, functional safety and cybersecurity.

It turns out you can put the *entire* collection of clauses in IEC 61508:2010 in which cybersecurity
is mentioned on 5 easily-readable slides, and those in IEC 61511:2016 on 6 slides.

Then I listed 10 cybersecurity vulnerabilities that have occurred in incidents in nuclear power
plants, as noted in the Chatham House report of October 2015. They are all observations of behaviour
by means of which malware could easily enter (in some cases, did enter) the IACS. Some of them go
back decades.

I asked the rhetorical question: which of these incidents would have been avoided by following the
current guidance in IEC 61508 and IEC 61511? The answer is: none.

Concerning the current brouhaha about WannaCry and the UK National Health Service, many systems in
the NHS are still running Windows XP, which Microsoft stopped supporting in 2014, and which is
vulnerable to the malware. On 6 July, 2016 the Care Quality Commission and the UK National Data
Guardian published a report on data security within the NHS. In their letter to the Secretary of
State for Health, Jeremy Hunt, they made inter alia 13 recommendations on data security. The 4th
was: "Computer hardware and software that can no longer be supported should be replaced as a matter
of urgency. [CQC]" (The acronym in brackets indicates that this derives from the Care Quality
Commission.)
https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/534790/CQC-NDG-data-security-letter.pdf

Over the winter and continuing, there have been and are constant reports that the NHS is unusually
strapped for cash. Replacing computer systems of course costs money.

How does this concern E/E/PE system safety professionals? The combination of pervasive ransomware and
critical-care systems is obviously a safety issue. Estimates will likely be derived of how many people
died or suffered because of this WannaCry/NHS incident, although they will mostly rely on indirect inference.

In case people haven't yet noticed, cybersecurity is the elephant in the room. I'd like to say that
E/E/PE safety assessors who don't assess systems according to the basics of cybersecurity are
performing an inadequate job. But the standards to which they are assessing conformance don't say
that, as I pointed out last Thursday.

In any case, what are the "basics" of cybersecurity? In the UK, it used to be the Cyber Essentials
program. It was supposed to be something quick and easy for SMEs. But last October the first large
UK defence supplier to qualify in the program gave me an indication of how much effort was required.
It was enormous. Consider the supply-chain assurance alone, when you have over 100,000 suppliers and
a chain of length at least 15 (I understood I could use such example figures). A colleague who is a
one-person cybersecurity consultant took months to figure out what he needed to do and how. I don't
think that is what the program was conceived to do.

But at least it was a program, an attempt to get everyone pervasively "clean" on the "basics",
whatever they may be. In Germany, there is guidance through the BSI, lots of it, documents without
end, but there has not yet been an attempt to get the ducks all in the one and same row, as in the UK.

One may well ask what the point of a Cyber Essentials program is, when government suppliers must
conform but major government-funded organisations such as the NHS do not have to do so.

It's time for Bruce Schneier's monthly Crypto-Gram newsletter. Schneier has been complaining
regularly about the practice of government cybersecurity agencies in hoarding vulnerabilities for
future use and deriving exploits for them (so-called zero-day exploits). Apparently WannaCry was one
of the devices in the Shadow Brokers' recent publication of NSA-hoarded exploits. I'm sure May's
Crypto-Gram will include an "I told you so" note.

Microsoft already issued a patch for supported systems in March. In case you haven't heard, and you
come across Windows XP systems: Microsoft has now also published a patch for Windows XP.

PBL

Prof. Peter Bernard Ladkin, Bielefeld, Germany
MoreInCommon
Je suis Charlie
Tel+msg +49 (0)521 880 7319  www.rvs-bi.de
