A World Apart – Security of Safety Systems

I was invited to present a paper on “Bridging the Safety-Security Software Gap” at the Fifth International Conference on Safety and Security Engineering, known as SAFE 2013, held in Rome, Italy in mid-September 2013. The audience comprised mainly researchers specializing in safety-critical physical systems, although there was some interest expressed about the security of such cyber-physical systems … more about that later.

In December 2012, I had given a similar presentation, namely, “CISOs and Safety Engineers: Bridging the Communication Gap to Secure the Critical Infrastructure,” at the New Jersey CISO Executive Summit, in Whippany, New Jersey, to a group of InfoSec professionals. Enthusiasm among InfoSec folks to become more involved with, and knowledgeable about, safety-critical systems was muted, to say the least. The general response was that CISOs already have more than enough to worry about on the cyber side and they were not looking for more responsibility.

In the ten months between the two conferences, there have been a number of articles in the press about how vulnerable control systems are becoming as they are connected to the Internet. For example, on the Forbes website, Kashmir Hill wrote an article, dated September 4, 2013, with the title “The Terrifying Search Engine That Finds Internet-Connected Cameras, Traffic Lights, Medical Devices, Baby Monitors And Power Plants,” which can be found at http://www.forbes.com/sites/kashmirhill/2013/09/04/shodan-terrifying-search-engine/. The article also appears in the September 23, 2013 issue of Forbes magazine. The article describes the website “Shodan,” which enables one to see the many control systems that are exposed in this way.

My message at SAFE 2013 was that education programs should include both the security and safety of software systems so that professionals will take a more holistic view of systems. This should ensure a higher level of protection against attacks and help reduce the harm that physical systems might cause to humans and the environment.

Interestingly, I learned at SAFE 2013 of closely related research being done at the Nagoya Institute of Technology in Japan. Ms. T. Aoyama gave a presentation on “A unified framework for safety and security assessment in critical infrastructures,” which is based on a chapter by Aoyama et al. in the conference proceedings in the book Safety and Security Engineering V, edited by F. Garzia, C.A. Brebbia and M. Guarascio (WIT Press, 2013). While the work at the Nagoya Institute is directed at protecting embedded software systems, many of the concepts and concerns match those that arise when safety-critical industrial control systems are connected to the Internet. Ms. Aoyama was similarly surprised to learn that I was doing similar work and had published Engineering Safe and Secure Software Systems, which addresses the need to improve awareness across security and safety silos. It was indeed gratifying to find a kindred spirit, albeit on the opposite side of the globe.

Having presented to both InfoSec and safety professionals, I have found that the safety folks seem more accepting of security issues and remedies than InfoSec practitioners are of making cyber-physical systems safe. This is disappointing, especially as there have been a number of attempts to raise awareness in such publications as the IEEE Security & Privacy magazine, for example. The July/August 2013 issue of the magazine focuses on “Safety-Critical Systems,” as I describe in my September 10, 2013 BlogInfoSec column on “Securing Safety-Critical Systems.”

It is amazing to me to see how relatively little interest among professionals there currently seems to be with respect to the security of safety-critical systems (as well as the safety of security-critical systems) despite warnings by both the popular and professional presses. As the presentations by Ms. Aoyama and me state, there are explanations for this deficiency as well as possible remedies, but the fixes require knowledge transfer and considerable investments in education and training. Add to that the enormous effort and expense of building both safety and security into modern Internet-connected distributed systems, and perhaps the unwillingness to confront the issues head-on is understandable. But the longer we delay, the more expensive it becomes, both in terms of remediation efforts and the consequences of substantial breaches, with the possibility of inflicting serious harm on many people. Time is not on our side.
