Cyber safety and resilience - strengthening the digital systems that support the modern economy - Royal Academy of Engineering
© Royal Academy of Engineering, March 2018
www.raeng.org.uk/cybersafety
ISBN: 978-1-909327-38-2
Published by Royal Academy of Engineering, Prince Philip House, 3 Carlton House Terrace, London SW1Y 5DG
Tel: 020 7766 0600
www.raeng.org.uk
#RAEngDigital
Registered Charity Number: 293074
Contents

Foreword
Executive summary
A sector-specific focus – connected health devices
1. Introduction
2. The challenges for critical and non-critical infrastructure
2.1 What systems are being created?
2.2 What vulnerabilities exist?
3. Policy context
3.1 Cyber security – a key component of UK national security
3.2 Cyber safety and resilience – the legal and regulatory environment
3.2.1 Cyber safety
3.2.2 Cyber resilience
4. Addressing the challenges
4.1 Supply chain vulnerabilities
4.2 What is the right combination of mechanisms?
4.2.1 Government’s role
4.2.2 Market-led interventions
4.2.3 The role of system operators
4.2.4 The role of the engineering profession
4.3 Integrating safety, security and resilience in regulation
4.4 Strengthening the existing legislative framework
4.5 Transferring expertise in safety-critical systems
4.6 Research on systems assurance
5. Connected health devices
5.1 Digitalised systems in healthcare – the opportunities and challenges
5.2 The nature of healthcare systems and their vulnerabilities
5.3 Cyber safety and resilience – the legal and regulatory context
5.4 Improving cyber safety and resilience
5.5 Conclusions: Applying general principles to the health sector
Glossary
Acknowledgements
References and endnotes
Foreword

The world we live in is becoming more connected. Infrastructure and other engineered systems that support our modern society are increasingly being linked together through digital connections. This offers great opportunities for both business and individuals. Connected systems underpin improved services, drive innovation, create wealth and help to tackle some of the most pressing social and environmental challenges. This was the conclusion of an earlier Academy and IET report, Connecting data: driving productivity and innovation. The report, however, also highlighted that increasing the connectivity between physical and digital systems brings with it increased risks. It recommended that work be done to investigate measures needed to strengthen the safety and resilience of all connected systems, particularly critical infrastructure that society now depends so much on. This report takes up that challenge.

Improving cyber safety and resilience requires all stakeholders to act together at scale and in a coordinated way, including government, the engineering profession, system operators and industry leaders. This report will help each of these groups to better understand the new systems that are being created, the emerging vulnerabilities and how to address them. Drawing on the knowledge of Academy Fellows and other experts in the field, it presents a set of general recommendations on how the UK can take a lead on developing safe and resilient systems. It also recognises that, in many cases, solutions are sector-specific. To understand this better, it considers the connected health devices sector as a specific case study.

In my present position at Imperial College London and my previous position as the UK Government’s Chief Scientific Advisor for National Security I understand very well the critical importance of the issues addressed in this report. Digital technologies are innovating fast and we rely on them more and more. We must work together to understand the risks and to build and operate safe and resilient systems that can unlock the benefits digital technologies offer.

Professor Nick Jennings CB FREng
Chair of the working group
Professor of Artificial Intelligence and Vice-Provost (Research and Enterprise), Imperial College London
Executive summary

Cyber safety and resilience are essential properties of the increasingly complex and interdependent systems that support the modern economy. Cyber safety refers to the ability of digital systems to maintain adequate levels of safety during operation, including in the event of a cyberattack or accidental event, protecting life and property. Safety is a desirable property of a system during normal operation, whereas resilience describes the capacity of a system to handle disruptions to operation. Cyber resilience refers to the ability of digital systems to prepare for, withstand, rapidly recover and learn from deliberate attacks or accidental events. It encompasses people-centred aspects of resilience such as reporting, crisis management and business continuity. This report presents the broad range of challenges that need to be addressed to improve the cyber safety and resilience of systems. The evolving nature of the challenges will require continual responsiveness and agility by government, regulators, organisations and their supply chains. The report identifies measures needed to address these challenges across all sectors. To help illustrate these general principles, the report shows how they can apply to connected health devices in the health sector.

The integration of physical and digital systems creates many opportunities for improved performance and innovation in the supporting systems of a modern economy, generating economic value and creating social and environmental benefits across all sectors. The government’s industrial strategy White Paper [1] recognises the opportunities to exploit underpinning digital technologies, with ‘artificial intelligence (AI) and the data-driven economy’ named as one of four ‘Grand Challenges’. The new government Office for AI will work initially with six priority business sectors, including cybersecurity. Digital technologies will also underpin the success of other Grand Challenges – clean growth, mobility and an ageing society – by enabling smart systems and greater resource efficiency, underpinning new business models in transport and driving innovations in health and care. The government’s renewed focus on industrial strategy and its recognition of the importance of digital technologies is very welcome, but it needs to match the aspirations set out in the strategy with robust oversight, the necessary funding and changes to regulatory and legislative frameworks to support the strategy’s delivery.

There is growing awareness of the risks associated with such ‘systems of systems’. Systems may be under the control of different organisations, with differing objectives that may not be aligned. Systems can also span nations across the globe. For example, multinational companies may monitor sites remotely, or even control them, from another country. It is vital that risks are addressed so that serious incidents are avoided, trust in such systems is maintained and the potential benefits are realised. These risks are highlighted in the government’s National Cyber Security Strategy 2016 to 2021 [2] and the National Risk Register of Civil Emergencies 2017 [3]. The National Cyber Security Centre (NCSC) focuses on addressing such risks.

The potential impact of a cyberattack or accidental failure determines what combination of measures and level of resource are appropriate to address cyber safety and resilience for a particular application. There is a spectrum of needs according to whether the application is safety-critical, for example, or has less stringent safety requirements. There are more stringent requirements for systems that are part of critical national infrastructure. Cyber safety and resilience of industrial sites that are not critical national infrastructure require consideration since there is potential to cause significant harm to workers and to the public if such sites are subject to cyberattack or accidental failure. As systems increasingly interact directly with people’s lives, a focus on the cyber safety and resilience of building management systems and consumer products is also required. The physical protection of computing and control equipment is a crucial aspect of cyber safety and resilience, although it is not addressed in this report [4].
ROBUST RISK MANAGEMENT PROCESSES HELP ORGANISATIONS PRIORITISE THE ‘CYBER HYGIENE’ MEASURES REQUIRED ACCORDING TO THEIR BUSINESS NEEDS.

An approach that ensures that components and systems are robust and secure, in proportion to the requirements of the application, might use a combination of regulation and standards alongside robust engineering methods, as is already done for a range of safety-critical applications. These methods help to ensure that hardware, software and systems are high quality and have good security functionality. In less critical applications, there may not be a sufficiently strong business case for such methods, and the effective use of regulation may be more challenging. Furthermore, existing systems such as industrial-based legacy systems may not have been designed with security as a requirement, since they were never intended to connect to the internet; however, once connected, vulnerabilities that reside in individual components or the systems that are created from these components may become exploitable in a cyberattack.

For all applications, robust risk management processes help organisations that rely on systems to prioritise the ‘cyber hygiene’ measures required according to their business needs: a combination of policies and procedures; training and skills development; and technologies that are tailored to the level of risk. Cyber risk management guidance published by NCSC [5] is useful here.

Frameworks that are aligned to industry standards and common practices set out guiding principles for cyber risk management during design, operation and maintenance. Many critical sectors are already developing frameworks and standards, but there is a need to accelerate this process and speed up adoption. The mandatory use of frameworks should be considered for certain critical sectors and applications. Operational frameworks that are risk-based and proportionate are also useful for operators of non-critical industrial control systems [6]. Voluntary frameworks already exist, such as the government’s Cyber Essentials [7] scheme and the US National Institute of Standards and Technology (NIST) Cybersecurity Framework [8]. These frameworks may need further development to ensure that risks associated with the supply chain are sufficiently addressed [9,10], in addition to internal organisational risks.

The development of an appropriate enabling structure – a combination of regulatory and non-regulatory measures that are suited to the application – would improve practice, while promoting innovation and ensuring safety and resilience. It would need to be developed in the light of the forthcoming European Union (EU) Directive on security of Networks and Information Systems (NIS Directive) [11], which will come into effect before the UK leaves the EU. The Directive will have a major impact on the UK, regardless of Brexit arrangements. Although it will only apply to operators of essential services above a certain size and digital service providers, it is likely to have a wider impact as requirements are passed down the supply chain. Any measures must also work within the existing regulatory context for individual sectors, and the global regulatory context. Cyber challenges cut across international boundaries, and large, multinational companies develop many of the software and hardware solutions. There is a very strong case for linking the best minds internationally to help develop measures to improve practice.

An understanding of the socio-technical aspects of cyber safety and resilience across different classes of user and organisation also informs which measures are appropriate, and how they can be made as effective as possible. The Academy welcomes NCSC’s focus on this area and its support for socio-technical cybersecurity research. Socio-technical aspects of security are examined in Section 4.5 of this report and in a joint Academy and PETRAS report, Internet of Things: realising the potential of a trusted smart world [12], which is published alongside this report.

While recognising the multidimensional nature of cyber safety and resilience, this report focuses on the engineering approaches that may be appropriate for systems used in critical national infrastructure, or in other applications where the impact of cyberattack or accidental failure is high. It raises issues around supply chain vulnerabilities, regulation and legislation, knowledge and skills, and research. Recommendations in this report are aimed primarily at policymakers in government, NCSC, regulators and national funding bodies. The report also provides information for managers in industrial organisations that design, manufacture, procure, operate or maintain systems or components from both critical and non-critical sectors. Cybersecurity experts and researchers may be interested in non-technical policy issues that the report raises. The report identifies a role for the Royal Academy of Engineering (the Academy) and professional engineering institutions in supporting actions following the recommendations.
The key messages and recommendations are:

1. Organisations need to be more aware of the vulnerabilities in components and other products provided by their supply chain and need to demand that products are ‘secure by default’ [13].

The market is not demanding software, hardware and systems with good security functionality and manufacturers are therefore not responding, although there are exceptions in some areas such as fintech or the mobile phone industry [14]. Companies need to better understand the risks of using products or components that have poor levels of security or other weaknesses. Companies should make use of the available tools, such as supply chain security guidance [15], to address the risks. Suppliers need ways of demonstrating that components and products have adequate security functionality – for example, that they are secure by default. One challenge is that SME suppliers may not have the capacity or incentives to address security and create components or products with sufficient security functionality, or they may view security as an additional cost.

Companies must develop the capability to assure the identity and provenance of products and components from their supply chain. In this regard, there is much to learn from safety-critical industries that already have considerable experience in addressing the issues around assuring provenance, such as the nuclear, rail and aerospace industries.

The General Data Protection Regulation (GDPR) and the forthcoming NIS Directive will help to ensure that company boards take security issues more seriously. The NIS Directive applies to certain companies, while GDPR applies to all companies. Companies that fall outside the scope of the NIS Directive may still operate devices or systems that are part of larger interconnected systems, and it is crucial that they have an awareness of security risks in their supply chain and an understanding of how to deal with them. SMEs will benefit from an awareness of security issues as it will enable them to do business with companies that are subject to the NIS Directive. The measures taken should be proportionate to the scale of the risks and clearly documented.

Recommendation 1. Every organisation should understand the cybersecurity risks that its suppliers may present and ensure that proportionate, auditable controls are in place that address the particular risks from each supplier. Existing authoritative guidance should be used as the benchmark for regulatory compliance. Where no suitable guidance exists, regulators, industry associations and other organisations should develop it urgently, based on the generic supply chain guidance from NCSC [16].
2. Stronger mechanisms are needed to ensure that cyber safety and resilience is maintained in all applications – both critical and non-critical – but there is no ‘silver bullet’.

Identifying the best combination of levers is challenging and will require different solutions for different sectors and levels of criticality. If regulation is too tight, there is a risk that it restricts innovation; similarly, highly stringent procurement requirements could be challenging for small firms in the supply chain. However, tighter regulation may be more appropriate for critical applications. In safety-critical applications, better application of existing regulation is required. Security is essential in critical applications, so that systems are built right from the bottom up [17], with appropriate conditions on whether products can be connected.

All stakeholder organisations should identify which tools, for example, risk management frameworks, are the most appropriate to reduce the risk of harm, and review the effectiveness of the tools on an ongoing basis. Organisations need to be agile and responsive to changing threats and risks. Principle-based frameworks are emerging in the UK and internationally that should ideally work across international borders. The UK can provide a leadership role, promulgating frameworks it has developed so far, for example for the nuclear sector [18].

Government, industry, academia and regulators should work together on a sector-by-sector basis, addressing different levels of criticality, to debate solutions that improve cyber safety and resilience, while ensuring that innovation and value generation are not adversely affected in proportion to the risk. Each sector needs a process that maps the scale of potential impact of a cyberattack or inadvertent failure against the range of applications, although this is challenging because of the interconnected nature of systems. While a sector focus is useful, it is also important to identify generic approaches to avoid duplication and support multi-sector supply chains. The Academy will support government and industry in tackling these challenges and, as a first step, has convened relevant stakeholders at a workshop to debate the cyber safety and resilience of connected health devices (see Section 5).

Recommendation 2a: There should be a clear owner of the cyber safety and resilience agenda in government, with oversight of sector-specific and common issues, and oversight of where the necessary interactions need to occur between the different sectors and stakeholders. Lead government departments, with the support of NCSC and the Centre for the Protection of National Infrastructure (CPNI), should continue to convene the appropriate stakeholders to tackle the cyber safety and resilience of key sectors and levels of criticality, and to create a mutually supportive direction of travel. For some sectors, it may be more appropriate for NCSC to take the lead, while in other sectors where the regulator has deep experience of safety issues, it may be more appropriate for the regulator to take the lead. Ongoing dialogue is needed as threats are evolving over time.

Recommendation 2b: Where sector-specific frameworks already exist, NCSC and relevant government departments should ensure that they are sufficiently robust and are adopted and operationalised across the relevant sector stakeholders. They should identify where further guidance is needed to allow them to be operationalised. Government and industry sectors should adapt and operationalise general frameworks, tailored to their specific requirements and developed to include guidance on supply chain risks where they have not already done so.

Recommendation 2c: Government should encourage the adoption of sector-specific frameworks in both the public and private sectors through procurement, by incorporating the use of frameworks in project specifications.

Recommendation 2d: The Academy greatly welcomes the formation of NCSC and the broadening of its remit to tackle the cyber security of all digital systems utilised by society for civil, commercial or personal purposes. NCSC has a leadership role in a broad area and it is likely that its success will bring new demands, as will a changing landscape. A periodic review of NCSC’s structure and capacity would ensure that it is able to address effectively emerging issues in future. The review should consider how cross-cutting issues such as cyber safety are most effectively addressed between the various agencies and lead government departments.

3. Many existing regulations are no longer fit for purpose as systems evolve and the threat level changes. Greater focus is needed on cyber safety and resilience. In future, regulations must integrate safety, security and resilience and protect consumers.

It will be particularly important to adapt regulations to integrate safety, security and resilience in critical sectors that are using increasingly digitalised systems and Internet of Things (IoT), and to ensure that regulations are compatible and usable. Some sectors will need new approaches to regulation, as well as greater collaboration between regulatory bodies, cybersecurity agencies and industry. In addition, the existing legislative frameworks need strengthening, building on existing legislation such as data protection law, cybercrime legislation and product liability law.

GOVERNMENT SHOULD ENSURE THAT THE UK MAINTAINS ITS INFLUENCE ON THE DEVELOPMENT OF IMPROVED REGULATION THAT INTEGRATES SAFETY, SECURITY AND RESILIENCE.

The UK must be outward-facing and sensitive to the various international regulatory contexts that vary by sector. It must aim to retain as much influence as possible on the development of regulations and international standards after the UK exits from the EU. It will be important to identify what the UK’s niche is and where the UK can be a leader.

Recommendation 3a: Government should ensure that the UK can maintain its influence on the development of improved regulations that integrate safety, security and resilience, particularly in sectors that are important to the UK economy. It should also maintain an influence on the development of international standards. It should review and extend existing safety regulations to take account of cyber safety and resilience. Government, NCSC and regulators need to work with their international counterparts to ensure that international standards are sufficiently robust to help deliver safe and resilient systems.

Recommendation 3b: Government should convene a task force to address how the existing legislative frameworks can be strengthened, including in the areas of product liability and cybercrime. The frameworks should incentivise the production of software, hardware and systems of higher quality, and ensure that accountability lies with those who can make improvements.

Recommendation 3c: Government should focus resources on strengthening cybersecurity expertise in regulators, using part of the budget for the UK’s cybersecurity programme. It should consider how regulators can ensure standards and regulations address cyber safety and resilience as part of their duties.

Recommendation 3d: Following the introduction of the NIS Directive in May 2018, government should ensure that expertise and resources are available for individual government departments taking on the role of ‘competent authority’ on behalf of individual sectors.

4. The UK has world-class expertise in safety-critical systems that should be transferred to other sectors and applications.

The UK has world-class centres of excellence in safety-critical systems and has developed a range of tools and methods to produce and assure high quality software [19]. These include scientific methods such as formal specification and verification, as well as engineering design and development methods, system monitoring, incident investigation, disaster recovery and methods of assurance. There is potential to transfer expertise from the safety-critical software community to other domains if the benefits can be demonstrated and the approaches adapted to the scale and pace demanded by these new application areas. There are emerging examples that demonstrate best practice in one part of the solution, such as in specification, assurance or the use of formal methods. Case studies that illustrate best practice applications of IoT and robust approaches to safety and resilience would allow sharing of best practice, as would sharing learning from problems.

Recommendation 4: Professional engineering institutions, with the support of the Academy, should publish case studies to illustrate robust applications of IoT in which cyber safety and resilience have been successfully addressed. This would allow best practice to be disseminated to other sectors and applications. Case studies should identify the technological, business and operational practices that contribute to cyber safety and resilience including, where relevant, the use of safety-critical systems tools and methods, and the use of IoT to monitor safety and security. The case studies should highlight strengths, weaknesses and business benefits of such practices.

5. Methods for assuring complex systems of systems require further research.

Support for the research ecosystem, including academia, SMEs and government agencies, will accelerate the development of solutions for assuring complex systems and inform policy. Research will enable the development of new methods to reduce vulnerabilities, and it will need to deal with the challenge of new vulnerabilities appearing all the time. The need for new methods of assurance arises from the increasing complexity of systems, and from systems beginning to use AI technologies in decision-making. Policy, as well as emerging frameworks, tools and guidance for different sectors and applications, must be based on the best scientific knowledge available and reflect scientific and commercial realities. Frameworks and tools should be well integrated into engineering processes and not just a box-ticking exercise. The challenges require a multidisciplinary approach. Diffuse research areas such as cybersecurity, IoT, AI, hardware security and tools and methods for software engineering will need support, with strong links to industry and real-world application. An international outlook is also needed, since hardware and software solutions, which are shaped by market forces in combination with international regulation, are dominated by big technology multinationals such as Intel, Samsung, IBM, Cisco, Microsoft and Google.

Recommendation 5a: UKRI and other research funders should target funding towards outstanding challenges and gaps in knowledge around assuring complex systems and improving existing systems and solutions. This must be done in the context of real-world applications and include strategic areas of growth for the UK, including the Grand Challenges identified in the industrial strategy White Paper. Research should build on the UK’s world-class research expertise in cybersecurity, safety-critical systems, software engineering, hardware security and AI.

Recommendation 5b: Given the urgency with which improvements are needed, cyber safety and resilience should be considered as a proposal for wave three of the Industrial Strategy Challenge Fund, with funding targeted at challenge-led programmes of research and application. The programmes could involve major manufacturers, SMEs, the Catapults and Innovate UK.

Recommendation 5c: Government funding for new technologies and systems should include requirements to address the cyber safety and resilience issues associated with the technologies and systems.

Recommendation 5d: Outstanding challenges and gaps in knowledge in complex systems should be a focus in the government’s Cyber Security Science and Technology Strategy. Key challenges include understanding the long-term risks as systems and businesses evolve, balancing the commercial realities of risk management against the level of risk that society is willing to tolerate for critical national infrastructure, and investigating the resilience that society expects and how to deliver it.

RESEARCH SHOULD BUILD ON THE UK’S WORLD-CLASS RESEARCH EXPERTISE IN CYBER SECURITY, SAFETY-CRITICAL SYSTEMS, SOFTWARE ENGINEERING, HARDWARE SECURITY AND ARTIFICIAL INTELLIGENCE.
A sector-specific focus – connected health devices

Digital health, including the use of connected health devices[20] in both clinical and non-clinical settings, offers opportunities to transform health and social care best practice in the 21st century, creating economic and social benefits.

However, there are many cybersecurity risks in the healthcare domain, ranging from ransomware attacks that cause disruption and affect the delivery of care[21], to data breaches from malicious or inadvertent action[22], which risk the privacy and integrity of patient data. Cyberattacks on connected health devices are increasingly a concern as they could have severe, or even life-threatening, consequences on patient safety. Ever greater numbers of health devices have been identified as being at risk in recent years[23]. The rapid growth in consumer, wearable and mobile technologies used for health and wellbeing brings additional risks with it[24]. Although the risks associated with connected health devices are growing, there is still a lack of awareness in the sector of how to manage them, or even that they exist. Much of the focus is on the secure storage of patient data, which is distinct from the considerations for interconnected and embedded medical electronic systems. Many other sectors are more advanced in terms of awareness, governance and resource. For these reasons, the Academy chose connected health devices to illustrate the general principles discussed earlier in the report.

Key messages and recommendations:

The health sector and other sectors can learn from each other in developing an approach to creating high quality devices and systems, and to other measures such as risk management. For example, there are similarities between connected health devices and industrial control systems, although the difference in potential impacts of a cyberattack will necessitate differing responses to address risks. In particular, in the health sector, a large number of people may have access to devices, and there may be direct impacts on patient safety if the operation of devices is compromised. Related applications, such as smart homes and assisted living, may in turn be able to learn from the health sector. As with other sectors, there is a spectrum of potential impacts depending on the application, from wellness monitors to critical life-support systems. The resources required for risk mitigation depend on how the attack might scale and how the impacts might scale as a result of interdependencies. However, there is little robust evidence or quantification of the current security risks and potential impacts in the NHS for connected health devices, or more broadly, upon which to base solutions. There is a need to start measuring the problem before solutions can be identified.

In the EU, there is a regulatory framework for medical devices that aims to ensure that devices are safe for patients, but it has not fully considered the possible impacts of poor cybersecurity on patient safety or privacy. Furthermore, there is not a consistent international regulatory approach to cybersecurity, as the US regulatory regime deals with cybersecurity much more explicitly. It is, however, less robust on telecoms standards and privacy, which has implications for telehealth and telecare. Incompatible regulation between different jurisdictions has important implications for the international supply chain and international trade.

As with other sectors, those procuring health devices need a greater awareness of supply chain risks, and need to demand products with adequate security functionality. There is also a need for good cyber-hygiene practices that are balanced with the level of risk, healthcare priorities and practical constraints on healthcare professionals, patients and others.

It will also be vital to develop regulation for medical devices that blends safety, security and resilience, alongside other measures to improve practice. Non-critical uses of IoT in the health sector may require a less stringent approach. The existing regulatory framework provides a means of getting other measures, such as standards or cyber labels, into the field, which would help consumers and healthcare providers to demand good security from manufacturers. However, the risks of creating unintended consequences from such schemes must be addressed. Standards and cyber labels should be considered alongside risk-based approaches.

The report presents the recommendations for the health sector below, which have been developed from the general recommendations presented earlier. They use the same numbering to clarify how the two sets of recommendations are linked. While many of the recommendations apply to all sectors, the size and complexity of the NHS and the broader health ecosystem makes their implementation a particular challenge. The report discusses additional aspects that are specific to the health sector in Section 5.
Recommendations:

1. Health providers need to be more aware of the vulnerabilities that exist in components and other products provided by their supply chain and need to demand that products are ‘secure by default’.

Recommendation 1: Every health provider should understand the cybersecurity risks that its suppliers may present and ensure that proportionate, auditable controls are in place that address the particular risks from each supplier. Authoritative guidance should be developed and used as the benchmark for regulatory compliance. Organisations including the Medicines and Healthcare products Regulatory Agency (MHRA), NHS Digital and health industry associations should work together to develop guidance based on the generic supply chain guidance from NCSC[25].

2. Stronger mechanisms are urgently needed to ensure that cyber safety and resilience is maintained in health applications, but there is no ‘silver bullet’.

Recommendation 2a: NCSC, in conjunction with the Department of Health and Social Care, NHS Digital[26] and MHRA, should continue to convene the appropriate stakeholders to tackle the cyber safety and resilience of the health sector, and to create a mutually supportive direction of travel. In addition, there is a pressing need to clarify roles and responsibilities for cyber safety and resilience within the NHS governance structure at both local and national level.

Recommendation 2b: Working with the medical device industry, the Department of Health and Social Care and NCSC should adapt and operationalise a general cybersecurity risk-management framework, tailored to the health sector’s specific requirements.

Recommendation 2c: The Department of Health and Social Care and NHS organisations should encourage the adoption of the framework through procurement, by incorporating the use of the framework in project specifications.

3. Medical device regulations will no longer be fit for purpose as systems evolve and the threat level changes. Greater focus is needed on cyber safety and resilience. In future, regulations must integrate safety, security and resilience and protect consumers.

Recommendation 3a: Government should ensure that the UK maintains its influence on the development of improved medical device regulations that integrate safety, security and resilience, and link to data protection regulation. It should also maintain influence on the development of international standards. It should review and extend existing safety regulations to better take account of issues associated with cyber safety and resilience. Government, NCSC and MHRA should work with their international counterparts to ensure that international standards are sufficiently robust to help deliver cybersecurity policies.

Recommendation 3b: FDA and MHRA should be part of a task force convened by government to consider how the existing legislative frameworks can be strengthened, including in the areas of product liability and cybercrime. The frameworks should incentivise the production of software, hardware and systems of higher quality, and ensure that accountability lies with those who can make improvements.

Recommendation 3c: Government should focus resources on strengthening cybersecurity expertise in MHRA, using part of the budget for the UK’s cybersecurity programme. It should consider how MHRA can ensure standards and regulations address cyber safety and resilience as part of its duties.

Recommendation 3d: Following the introduction of the NIS Directive in May 2018, government should ensure that expertise and resources are available for the Department of Health and Social Care and NHS Digital[27] in taking on the functions of ‘competent authority’. Sufficient resources will also need to be provided to the relevant bodies in Wales, Scotland and Northern Ireland.

4. The UK has world-class expertise in safety-critical systems that should be transferred to connected health devices and systems.

Recommendation 4: Professional engineering institutions, with the support of the Academy and health organisations, should publish case studies of relevance to the health sector, which illustrate robust applications of IoT where cyber safety and resilience have been successfully addressed. Case studies should investigate technological, business and operational practices that contribute to cyber safety and resilience, including the use of safety-critical systems tools and methods where relevant, and the use of IoT to monitor safety and security. The case studies should highlight the strengths and weaknesses of such applications, including business benefits to the NHS and other healthcare providers. Similarly, case studies of robust applications in the NHS should be identified and disseminated to other disciplines.
5. Methods for assuring complex systems of systems require further research.

Recommendation 5a: UKRI and other research funders should target funding towards outstanding challenges and gaps in knowledge around assuring complex health systems and connected health devices, and improving existing health systems. This must be done in the context of real-world health applications, including the Grand Challenge identified in the industrial strategy White Paper: ‘harness the power of innovation to help meet the needs of an ageing society’. Of relevance to this is the need for research on the assurance of systems that use AI for decision-making. It is critical that research is undertaken with the major suppliers of medical devices as they provide the solutions.

Recommendation 5b: Outstanding challenges and gaps in knowledge in complex health systems should be a focus in the government’s Cyber Security Science and Technology Strategy. The Academy welcomes the focus on medical devices in the strategy.
1. Introduction

The integration of physical and digital systems creates many opportunities for improved performance and innovation in the supporting systems of a modern economy, generating economic value and creating social and environmental benefits. In Connecting data: driving productivity and innovation[28], the Academy and the Institution of Engineering and Technology (IET) illustrated the myriad opportunities that such systems and their underpinning technologies, such as data analytics, advanced connectivity and IoT, will provide across sectors of the economy, including advanced manufacturing, built environment, energy, transport, health, aerospace, defence and insurance. It showed how organisations and sectors will be able to improve products and processes, and innovate, leading to an improvement in the UK’s productivity. Others have estimated that big data analytics and the Internet of Things (IoT) combined could add £322 billion to the UK economy between 2015 and 2020[29].

However, there is a growing awareness of the risks associated with the increasingly complex and interdependent systems of systems that are being created as a result of the integration of digital and physical systems[30,31,32]. Such systems are at risk of unanticipated emergent behaviour, including cascades of failure. Vulnerabilities may be pre-existing, may arise from the digital technologies themselves, or from the creation of new interdependencies between digital technologies and the physical system[33]. For example, the operation of digital communications infrastructure such as mobile phone networks and the internet is entirely dependent on electricity[34], and in turn the operation of industrial control systems used in electricity generation plants is increasingly dependent on digital communications and other digital technologies. As cars become more connected, self-driving mechanisms and entertainment systems may introduce vulnerabilities[35]. Building management systems are becoming increasingly intelligent and connected to the internet, so that heating and fire alarm systems may be more at risk of sabotage[36] or failure.

Vulnerabilities in the digital technologies arise from software, hardware and systems that are not sufficiently well-designed in terms of security functionality as well as other aspects of performance[37]. The security vulnerabilities recently discovered in Intel, Arm and AMD processors were caused by hardware-level weaknesses[38,39], while software defects have caused system failures, such as in cars and aircraft[40], that put people at risk of harm[41].

Both deliberate and non-deliberate[42] threats put systems at risk: deliberate threats include cyberattacks[43], while non-deliberate threats include the failure or malfunction of components and systems, natural hazards and human error. For example, flooding in Lancaster in 2015 caused an electricity black-out, with the resulting failure of various related systems[44]. The failure of the baggage-handling system at Heathrow in 2017 was initiated by a power outage in a data centre, followed by damage to equipment when power was reinstated in an uncontrolled way. This then resulted in massive disruption to passengers and costs to British Airways[45].

The evolution in the scale and nature of deliberate threats over recent years, and the increasing complexity and interconnection of digital systems, has resulted in a greater number of vulnerabilities that can be targeted. More traditional threats – for example, external drives such as USB sticks – are also still present.

While it may be impossible to design systems that are entirely secure or free from the risk of failure, appropriate levels of cyber resilience and safety are necessary. Cyber safety refers to the ability of systems to maintain adequate levels of safety during operation, including in the event of a cyberattack or accidental event, protecting life and property. Current approaches to safety need to be extended to address malicious, as well as accidental, threats. Safety is a desirable property of a system during normal operation, whereas resilience describes the capacity of a system to handle disruptions to operation. One aspect of cyber resilience is the ability to ‘prepare for, withstand, rapidly recover and learn from deliberate attacks or accidental events in the online world’[46]. However, in addition to attacks via the internet, there may be other ways of carrying out attacks, such as by using radio transmitters or lasers[47]. Addressing broader issues such as supply chain risks and people-centred aspects will contribute to ensuring cyber resilience. Resilience thinking needs to be embedded more deeply into systems[48].

Higher levels of cyber safety and resilience are needed for systems that are part of critical national infrastructure, such as the electricity grid and the transport system, or safety-critical systems, such as nuclear power stations and aircraft. Indeed, as systems become more interdependent, elements that were not previously considered critical increasingly become so, and the consequences of failure in one part of a system could have more far-reaching consequences. Such systems of systems need new approaches to cyber safety and resilience. Cyber safety and resilience of industrial sites that are not critical national infrastructure should also be addressed, since there is potential to cause significant harm to workers and the public if they are subject to cyberattack or accidental failure. As integrated physical and digital systems increasingly interact directly with people’s lives, a focus on the cyber safety and resilience of consumer products such as autonomous vehicles and medical devices is also required.
2. The challenges for critical and non-critical infrastructure

2.1 What systems are being created?

This report focuses on the complex, interconnected systems that result from integrating physical and digital systems. It covers the important systems that support the modern economy, including critical national infrastructure[49]. It also includes discussion on IoT[50], which both industrial and consumer sectors are increasingly adopting, increasing interconnectivity in the future.

Industrial control systems are used in numerous applications including transportation, electricity and gas distribution, water treatment, chemical processes, oil refining and other manufacturing processes. For example, highways use industrial control systems to control and monitor tunnel ventilation[51] and in moving bridge systems. Industrial control systems are used in aviation and maritime applications. They are also used in electricity generation, transmission and distribution, and infrastructure assets. In turn, they are dependent on digital communications infrastructure that may be used to connect remote field sites, for example[52]. They may be part of critical national infrastructure. However, there are also many industrial sites that are not critical national infrastructure but are in critical national infrastructure sectors such as chemicals and energy. They have the potential to cause significant harm to workers and the public if there is a cyberattack or accidental failure[53], and should also be a focus in the National Cyber Security Strategy.

Industrial control systems may comprise embedded computing devices that have vulnerabilities, such as remote terminal units[54] or programmable logic controllers[55]. They may also contain sensors and actuators that provide real-time feedback for automation or optimisation. The adoption of IoT in industrial applications will increase the number of devices and the degree of interconnectivity in the future, with multiple benefits[56] but also greater risks. The risks of connecting industrial control systems are well documented, along with examples of cyberattacks on industrial equipment[57,58]. For example, during the WannaCry attack in 2017, the car manufacturers Renault and Nissan[59] were affected, even though the malware was not targeted specifically at industrial control systems.

Cyber safety and resilience of networked building management systems also requires consideration. Building management systems are increasingly interconnected, and a cyberattack or inadvertent failure may impact on safety and security, as well as business continuity, through disruption to heating or chilling systems, access control and surveillance systems, fire systems, power supply, lift systems and lighting.

IoT enables enhanced real-time control, or can be used alongside data analytics to inform actions. The technology could potentially underpin a range of ‘smart’ applications across many sectors including e-health, smart homes, cities and infrastructure, connected cars and autonomous vehicles. If there was a step-change in adoption, the economic, social and environmental benefits that could result are widely recognised, alongside the risks[60,61,62,63,64]. Benefits include improved health and wellbeing, better-informed consumers, more efficient services, reduction of traffic congestion and improvements in the use of energy and water. For example, the introduction of smart meters will empower consumers to reduce their energy usage, while informing the planning and operation of the electricity grid. Connected cars will contribute to improved road safety, more effective vehicle maintenance and allow drivers to plan journeys better. Technologies including IoT can help to improve the way the UK operates infrastructure, maintains existing assets, and enhances the capacity and resilience of its networks[65]. As IoT technologies are adopted, there will be more devices and more interconnectivity in applications such as the energy and transport systems. The scale of adoption is expected to be huge, with tens of billions of IoT devices connected to the internet by 2020[66]. However, following the distributed denial-
of-service attack through insecure devices on a major provider of internet infrastructure in October 2016[67], awareness of cybersecurity risks associated with IoT is growing.

2.2 What vulnerabilities exist?

Poor quality components and the way that they are integrated into communications networks compromise the cyber safety and resilience of systems. Cheap, unsophisticated sensors with little or no security are prevalent, making systems vulnerable to inaccuracies in sensor readings, delayed feedback or cyberattack. The trustworthiness of the software behind these devices is also of concern. As devices are low-power, applications with small footprints[68] are being written, but it is hard to know whether they are trustworthy, resilient or tamper-proof. Devices have much shorter lifecycles than the infrastructure systems in which they are embedded, and replacing them during the lifecycle of the infrastructure should be considered. Battery-powered devices are susceptible to power failure, with ensuing implications if the system has not been designed with that in mind. Components are often commercial off-the-shelf (COTS) for ease and cheapness, and it is possible that design errors are introduced when they are integrated into systems if component information is limited.

The supply chain is now considered to be susceptible to a range of hardware-based threats, particularly in relation to consumer products. Counterfeiting and the emerging threat of hardware Trojans may introduce modifications to hardware. With the globalisation of supply chains, the design and manufacture of today’s electronic devices is now distributed worldwide, through overseas foundries, third party intellectual property (IP) and third party test facilities. Many different untrusted entities may be involved in the design and assembly phases, and it is becoming increasingly difficult to ensure the integrity and authenticity of devices. Maintaining confidence in security and the supply chain throughout the development process and the product lifecycle is one of the main research challenges being investigated under the new Research Institute in Secure Hardware and Embedded Systems[69].

Both corporate information technology (IT) systems and operational technology[70] (OT) systems are at risk of cyberattack. Cyber security is a particular challenge in organisations where both exist and are integrated, as they have had very different technological and functional characteristics[71] in the past. Legacy industrial control systems were designed to be closed, but become open once connected to the internet and face threats that they were not designed for. It is questionable whether security patches (updates to improve the software) are appropriate for these systems, and it is also possible that new faults could be introduced that lead to unanticipated behaviour.

Where wireless technologies replace wired technologies, they become vulnerable to jamming and interference. Communications networks are being created without sufficient concern for how they will operate in an open state. Greater understanding of how to identify and secure weak links is needed. A major concern is the potential for damage or disruption to essential services from a cyberattack.

IoT is a communications infrastructure that may be a target for attack in its own right, but it is also a bearer or store for data. The security of data at rest or in transit is an important consideration. Security is needed to protect its integrity and availability and to reduce the risk that it may be used for hostile purposes.
The diversity of classes of hardware devices and software systems that are emerging, and the speed at which the middleware[72] on which they run is changing, mean that it is hard for experts to identify how future use cases will emerge. Furthermore, the systems themselves are changing as a result of new connections, new or updated software, or the systems changing from their originally intended use.

Systems are also vulnerable as a consequence of poor cyber hygiene[73,74,75]. Organisations can improve cyber hygiene by strengthening the activities used to keep the organisation, or a particular function within the organisation, safe and secure. For example, they might include raising awareness of supply chain risks, improving system assurance and patching[76] processes, or planning how to recover if there is an incident. A planned, flexible human response is often the first step in any recovery, regardless of the technical nature of the incident. A strategy that could potentially mitigate many cyber incidents[77] is patch management, which should be an important consideration. Using principles from human-factors engineering in the design and operation of software, hardware and systems is also an important aspect.

New risks are also emerging as systems become increasingly data-driven, with decisions often based entirely on the data held by systems. Thinking about how data (as opposed to software or hardware) should be managed, controlled and processed in a safety-related context may also be of use to applications that are not safety critical. Guidance produced by the Safety Critical Systems Club[78] focuses on how organisations might identify, analyse, evaluate and treat data-related risks, thus reducing the likelihood of data-related issues causing harm in the future. One such risk is that data integrity is compromised, either inadvertently or by a cyberattack. Cyberattacks that compromise data integrity, such as consistent spoofing of data reported by sensors, can remain undetected for a long time yet have potentially severe consequences. Technical approaches to identity and access management provide a form of data-centric security, helping to maintain privacy or protect the integrity of data[79].
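The data-integrity risk described above (sensor readings spoofed to a plausible constant value, which a range check alone accepts indefinitely) and the data-centric protections the text mentions, as an added Python example that is not part of the Academy's report: each telemetry record carries a per-device HMAC and a sequence number so altered, forged or replayed records are rejected, and a plausibility check against an independent redundant sensor exposes the frozen stream. Device names, keys and readings are all constructed sample data.

```python
import hashlib
import hmac
import json
from typing import Dict, Optional, Sequence

# Constructed per-device keys for the example. In a deployment these are
# provisioned into each device's protected storage, never embedded in source.
DEVICE_KEYS: Dict[str, bytes] = {
    "temp-A": b"constructed-key-temp-A",
    "temp-B": b"constructed-key-temp-B",
}


def canonical(record: dict) -> bytes:
    """Serialise the authenticated fields in a fixed order and encoding."""
    fields = {k: record[k] for k in ("device", "seq", "ts", "value")}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def sign_record(record: dict, key: bytes) -> dict:
    """Return a copy of the record with an HMAC-SHA256 tag over its fields."""
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {**record, "tag": tag}


def verify_record(record: dict, last_seq: Optional[int]) -> bool:
    """Accept a record only if its tag verifies under the key of a known device
    and its sequence number advances (a stale or replayed record fails)."""
    key = DEVICE_KEYS.get(record.get("device"))
    if key is None or "tag" not in record:
        return False
    try:
        expected = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    except KeyError:  # a required field is missing
        return False
    if not hmac.compare_digest(expected, record["tag"]):
        return False
    return last_seq is None or record["seq"] > last_seq


def in_range(values: Sequence[float], lo: float, hi: float) -> bool:
    """Static range check: every reading lies inside the plausible band."""
    return all(lo <= v <= hi for v in values)


def is_frozen(values: Sequence[float], window: int, eps: float) -> bool:
    """A real physical signal varies; a stream whose spread stays below eps
    for a whole window is suspicious (stuck sensor or spoofed constant)."""
    if len(values) < window:
        return False
    recent = values[-window:]
    return (max(recent) - min(recent)) < eps


def agrees_with(primary: Sequence[float], redundant: Sequence[float],
                tolerance: float) -> bool:
    """Cross-check against an independent sensor measuring the same quantity."""
    return len(primary) == len(redundant) and all(
        abs(p - r) <= tolerance for p, r in zip(primary, redundant))


def run_demo() -> Dict[str, bool]:
    """Constructed scenario: a genuine rising temperature on temp-A, an
    independent reading of the same process on temp-B, and a spoofed temp-A
    stream pinned at a plausible constant value."""
    genuine = [21.4, 21.6, 21.9, 22.3, 22.8, 23.4, 24.1, 24.9]
    redundant = [21.3, 21.5, 21.8, 22.4, 22.7, 23.5, 24.0, 24.8]
    spoofed = [21.5] * len(genuine)

    # Message-level integrity: sign one record, then alter, forge and replay it.
    rec = sign_record({"device": "temp-A", "seq": 7, "ts": 1700000000,
                       "value": 22.3}, DEVICE_KEYS["temp-A"])
    altered = {**rec, "value": 21.5}       # tag no longer matches
    forged = {**rec, "device": "temp-C"}   # no key for this device

    return {
        "genuine_record_ok": verify_record(rec, last_seq=6),
        "altered_record_rejected": not verify_record(altered, last_seq=6),
        "replayed_record_rejected": not verify_record(rec, last_seq=7),
        "unknown_device_rejected": not verify_record(forged, last_seq=6),
        # Range check alone: both streams pass, so the spoofing goes unnoticed.
        "spoofed_passes_range_check": in_range(spoofed, 15.0, 30.0),
        "genuine_passes_range_check": in_range(genuine, 15.0, 30.0),
        # Plausibility checks that do expose the spoofed stream.
        "spoofed_is_frozen": is_frozen(spoofed, window=6, eps=0.05),
        "genuine_is_frozen": is_frozen(genuine, window=6, eps=0.05),
        "spoofed_disagrees_with_redundant": not agrees_with(spoofed, redundant, 0.5),
        "genuine_agrees_with_redundant": agrees_with(genuine, redundant, 0.5),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name:36s} {result}")
```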