MUMBA: Multi-faceted Metrics for ICS Business Risk Analysis

Lead Research Organisation: Lancaster University
Department Name: Computing & Communications

Abstract

The evolution of cyber space is transforming the way our infrastructure is managed. Industrial control systems, that is, the systems that manage critical utility infrastructure such as energy, water and transport, are increasingly interacting with enterprise IT systems in intricate ways. This raises the level of threat to these critical infrastructures. This is only too evident from cyber weapons such as Stuxnet, which targeted centrifuges in Iran's nuclear facilities, and from more recent news that over 60,000 exposed control systems were accessible online. The US Defence Secretary Leon Panetta described a recent spate of cyber attacks against critical infrastructures as a "pre-9/11 moment". The cyber attack surface of future generations of control systems is likely to increase further with new technologies and working practices such as the use of autonomous software agents in their operation and handheld wireless devices in control and maintenance.

Given the importance of industrial control systems to society, it is important that decision-makers are able to effectively articulate the risks posed to them from cyber space. Even more importantly, decision-makers should be able to understand and respond to such risks from a business continuity and recovery perspective in order to evaluate and prioritise their mitigation responses. However, to date, metrics for articulating cyber risk in such settings have largely been driven by technical measures pertaining to security of information or resilience of the control system itself. Though important, these metrics bear little relationship to typical factors used in business risk analysis, such as business continuity, disaster recovery, cost, reputation, impact on resources, etc.

The MUMBA project takes the perspective that metrics for articulating cyber risk (in industrial control systems) as business risk only make sense in the context of what we understand the larger system to be, and cannot sensibly be designed without a model of this system. Post-hoc mapping of security and resilience metrics to business risk fails to account for the complex socio-technical landscape in which current and future generations of control systems reside. Effective articulation of cyber risk as business risk requires multi-faceted metrics that are first and foremost driven by business risk concepts. Such metrics consider business risk both along and across various facets of an industrial control system setting i.e., the control system itself, enterprise systems, business processes, people, third party organisations in the product/service supply chain and new/emergent technologies (and associated working practices). Furthermore, the project addresses the need to contextualise these metrics to a particular critical infrastructure domain to ensure meaningful interpretation of business risks and prioritisation and implementation of responses (i.e., whether to mitigate, transfer, accept or avoid particular risks).

The project involves a world-leading multi-disciplinary team of researchers in cyber security, resilient industrial control systems, risk management and social anthropology from the Security Lancaster research centre. This academic expertise is complemented by practical insights provided by four industry partners: Airbus, Thales, Atkins Global and Raytheon. Through its research into the complex socio-technical processes at play in contemporary industrial control system settings, new metrics and how to instrument such environments to gather relevant data to compute such metrics, the project aims to become a cornerstone for future research and practice on articulating cyber risk as business risk.

Planned Impact

There are four principal beneficiaries of the project:

1. Industry organisations in ICS and critical national infrastructure (CNI) domains will benefit from new and improved metrics enabling them to translate cyber risk to business risk as well as evaluate and understand higher order impacts of cyber risk on business, i.e. across space and time. They will also benefit from a deeper understanding of the broader ICS context in which cyber risk is situated, how intersections of various elements, i.e. ICS, enterprise systems, business processes, people, 3rd parties, new technologies, etc. shape this risk and the associated risk responses. They will also benefit from design principles for new metrics, a methodology and decision-support tool along with guidelines to operationalise them in different organisational contexts. Equally importantly, they will benefit from improved skills in business risk assessment of contemporary and future generations of ICSs.

They will also benefit economically through a reduction in the costs of cyber-security breaches, being better equipped with knowledge of the associated business risks and of strategies to counter or mitigate them. The results of the project will prepare risk assessors in these organisations for more effective assessment and communication of cyber risks.

Our industry partners and the various domains they cover will directly benefit from knowledge and technology transfer into their working practices with regards to cyber security and ICS settings.


2. Cyber-security industry will benefit from improved methods and tools and new insights into how to tackle the complex landscape of cyber-security and ICS/CNI they encounter on a regular basis and how best to articulate business risk and the impact on business continuity in such settings. They will also benefit from metrics, methodology and tools to provide innovative services to the ICS sector to help manage the impact of increasing connectivity, virtualisation and use of mobile handheld (wireless) devices.

3. Policy makers and government organisations charged with CNI protection will benefit from a deeper understanding of the role that various facets of a modern ICS environment play with regards to cyber risk, how this exposes various business sectors to a range of threats and what mitigation approaches can have the maximum impact in minimising the potential economic and security impact. Equally importantly, they will gain insights into developing good practice guidelines to help businesses protect themselves against a range of known and future cyber-security risks in modern (and future) ICS settings.

4. Last, but not least, the general public will benefit from more resilient utility infrastructures that are better equipped to manage the risks arising from an increasingly complex, highly connected landscape where battles are often being fought in cyber space and the impact of any compromise of such infrastructure will be most felt by citizens.
 
Description A number of key findings have emerged from the project:

1. The role of latent design conditions in cyber security of industrial control systems
We have undertaken a study of historical security incidents to analyse the factors that impact the cyber security of industrial control systems (ICS). Our study challenges the usual tendency to blame human fallibility or to resort to simple explanations for what are often complex issues leading to a security incident. We highlight that (i) perception errors are key in such incidents and (ii) latent design conditions - e.g., improper specification of a system's borders and capabilities - play a fundamental role in shaping those perceptions, leading to security issues. Such design-time considerations are particularly critical for ICS, whose life-cycle is usually measured in decades. Based on this analysis, we also discuss how key characteristics of future smart CPS in such industrial settings can pose further challenges with regard to tackling latent design flaws.

2. Contextualising and Aligning Security Metrics and Business Objectives
Pre-defined security metrics suffer from the problem of contextualisation, i.e. a lack of adaptability to particular organisational contexts - domain, technical infrastructure, stakeholders, business process, etc. Adapting metrics to an organisational context is essential (i) for the metrics to align with business requirements and (ii) for decision makers to maintain relevant security goals based on measurements from the field. We have developed a methodology, SYMBIOSIS, that defines a goal elicitation and refinement process, mapping business objectives to security measurement goals through systematic templates that capture the relevant context elements (business goals, purpose, stakeholders, system scope). This well-defined process ensures that (i) metrics align with business objectives via a top-down derivation that refines top-level business objectives to a manageable granularity and (ii) the impact of metrics on business objectives is explicitly traced via a bottom-up feedback mechanism, allowing an incremental approach in which feedback from metrics influences business goals, and vice versa. The methodology has been validated using three case studies, which show how the aforementioned pitfalls of security metrics development processes affected the outcome of several high-profile security incidents and how SYMBIOSIS addresses such issues.
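As an added illustration of the top-down derivation and bottom-up feedback described above (this is not SYMBIOSIS itself or any code from the project; the three-level layout, the status values and the water-utility goals and metrics are assumptions constructed here for the example):

```python
"""Added illustration of top-down goal refinement with bottom-up metric feedback.
Not the SYMBIOSIS tool: the three-level layout and context fields are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Metric:
    """A field measurement attached to a goal; value stays None until measured."""
    name: str
    description: str
    target: float
    lower_is_better: bool = True
    value: Optional[float] = None

    def satisfied(self) -> Optional[bool]:
        if self.value is None:
            return None
        if self.lower_is_better:
            return self.value <= self.target
        return self.value >= self.target


@dataclass
class Goal:
    """One tree node. Context fields are the template elements the page lists:
    business goal (statement), purpose, stakeholders and system scope."""
    statement: str
    purpose: str
    stakeholders: List[str]
    scope: str
    children: List["Goal"] = field(default_factory=list)
    metrics: List[Metric] = field(default_factory=list)

    def refine(self, child: "Goal") -> "Goal":
        """Top-down derivation: attach a narrower goal beneath this one."""
        self.children.append(child)
        return child

    def measure(self, metric: Metric) -> Metric:
        """Attach a metric at the granularity where it can be collected."""
        self.metrics.append(metric)
        return metric

    def status(self) -> str:
        """Bottom-up feedback: 'at_risk' if any metric below misses its target,
        'unmeasured' if nothing below has a value yet, otherwise 'ok'."""
        outcomes = [m.satisfied() for m in self.metrics]
        for child in self.children:
            s = child.status()
            outcomes.append(None if s == "unmeasured" else s == "ok")
        if any(o is False for o in outcomes):
            return "at_risk"
        if all(o is None for o in outcomes):
            return "unmeasured"
        return "ok"

    def trace(self, metric_name: str, path: Optional[List[str]] = None) -> Optional[List[str]]:
        """Explicit traceability: goal statements from this node down to the
        named metric, or None if the metric is not under this goal."""
        path = (path or []) + [self.statement]
        if any(m.name == metric_name for m in self.metrics):
            return path + [metric_name]
        for child in self.children:
            found = child.trace(metric_name, path)
            if found:
                return found
        return None


def build_example() -> Goal:
    """Constructed tree for a hypothetical small water utility (not real data)."""
    root = Goal("Maintain continuous water supply to customers", "business continuity",
                ["board", "operations manager"], "treatment works and distribution network")
    ot = root.refine(Goal("Keep the treatment-works control network operating under attack",
                          "resilience", ["control engineers", "security team"],
                          "SCADA servers, PLCs, engineering workstations"))
    ot.measure(Metric("plc_patch_latency_days",
                      "days from vendor approval to PLC firmware patch deployment", 30))
    ot.measure(Metric("hosts_with_tested_recovery_image_pct",
                      "share of control-network hosts with a tested recovery image",
                      95, lower_is_better=False))
    it = root.refine(Goal("Stop an enterprise IT compromise reaching the control network",
                          "containment", ["enterprise IT", "security team"],
                          "IT/OT boundary firewalls and remote access"))
    it.measure(Metric("unapproved_inbound_it_to_ot_rules",
                      "inbound IT-to-OT firewall rules not on the approved list", 0))
    return root


def update(root: Goal, readings: Dict[str, float]) -> str:
    """Apply field readings (metric name -> value) and return the root objective's status."""
    def walk(goal: Goal) -> None:
        for m in goal.metrics:
            if m.name in readings:
                m.value = readings[m.name]
        for child in goal.children:
            walk(child)
    walk(root)
    return root.status()
```

Calling update() with a patch latency of 45 days against a 30-day target marks the top-level business objective "at_risk" even though the other metrics pass, and trace() returns the chain of goal statements that explains why; a decision maker can then either change the target or revise the goal, which is the feedback loop the passage describes.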

3. Decision-making behaviours and patterns of cyber security stakeholders in an industrial control systems setting
Stakeholders' security decisions play a fundamental role in determining security requirements and their relative prioritisation given budgetary constraints and trade-offs with other requirements. Little is currently understood about how different stakeholder groups within an organisation approach security decisions, or about the drivers and tacit biases underpinning those decisions. Yet understanding the "how" and "why" behind security decision processes is essential to building a common understanding of the issues at play during requirements elicitation and prioritisation. We studied and contrasted the security decisions and the underlying strategies of three demographics - security experts, computer scientists and managers - when playing a tabletop game (Decisions and Disruptions) that we designed and developed. The game tasks a group of players with managing the security of a cyber-physical environment, specifically a small utility company, while facing various threats. Analysis of the players' actions reveals strategies that repeat within particular demographics, e.g., managers and security experts generally favouring technological solutions - and especially the "big shiny boxes" - over training and awareness-raising activities, which computer scientists preferred. Surprisingly, security experts were not ipso facto better at making security decisions: in some cases they made very questionable decisions when contrasted with groups in the other two categories, yet they showed a higher level of confidence in those decisions. We also classified players' decision-making processes as procedure-, experience-, scenario- or intuition-driven, and further analysed the players' actions to elicit decision patterns - both good practices and typical errors and pitfalls.
Feedback from players also highlights the value of our game as a requirements sandbox in which players can experiment with security risks, learn about decision-making and its consequences, and reflect on their own perception of security.

We have continued to analyse the data emerging from the original dataset from the game as well as collecting new data based on insights from the game being run in the wild by a national policing organisation. Further key insights have emerged since the project concluded:

(i) We have undertaken an analysis of the original dataset to identify patterns of risk thinking that underpin cyber security decision-making. We have identified four risk thinking patterns - isolated, sequential, radial and complex. Our analysis shows that teams rarely utilised complex thinking, identifying a need for further research and improved guidance on risk decision-making. We also identified that teams utilise two forms of risk-focused reasoning during their decision-making: risk-first, whereby they identify risks and then seek the optimum mitigation; and opportunity-first, whereby they first consider the investment or opportunity available and then evaluate its effectiveness in mitigating potential risks or giving rise to new ones.

(ii) Using data from 208 sessions and 948 players of a tabletop game run in the wild by a major national organisation over 16 months, we have explored how choices are affected by player background (e.g., cyber security experts versus risk analysts, board-level decision makers versus technical experts) and by different team make-ups (homogeneous teams of security experts versus various mixes). We found that no particular player background - be that cyber security experts versus risk analysts, or board-level decision makers versus technical experts - performed any better during the game than any other. Likewise, no variation of team make-up (e.g., homogeneous teams of security experts versus various mixes) had any impact on game performance. Our findings show that, whilst non-cyber security professionals may lack some cyber security specific knowledge, they are still capable of using their experience to derive an understanding of the decision-making context, and consequently perform comparably in our analysis.
Exploitation Route These are fundamental insights into factors that impact cyber security risk decisions in industrial control systems. They can form the basis of future research in improving cyber security of such infrastructures.
Sectors Aerospace, Defence and Marine; Digital/Communication/Information Technologies (including Software); Electronics; Government, Democracy and Justice; Manufacturing, including Industrial Biotechnology; Transport

URL http://ritics.org
 
Description A cyber-physical systems security game, Decisions and Disruptions, has been designed to study security decision-making by security experts and non-experts in industrial control systems environments. The game has been played with a number of industry participants from security, IT and management backgrounds. The game has not only provided key insights into the decision-making behaviours of various demographics but has also been highly successful in educating participants about cyber security in such critical infrastructure settings. We are currently in the process of developing a number of "game boxes" to be shared with a range of interested industry and practice organisations for use in cyber security training. A number of other engagements with industry partners have taken place in order to understand the issues that impact cyber security of industrial control systems. A series of studies have been undertaken to study the cyber risk decisions of experts. Regular engagement with industry takes place through the RITICS advisory board. Several invited talks at industry events have been given, including the SMi Oil and Gas cyber security conference. The game has been adopted by the Metropolitan Police Service to teach leaders how to protect their companies from cyber attacks, and continues to be used by the Metropolitan Police Service as part of their programme to raise awareness about cyber security. It has also been used by a number of organisations nationally and internationally. The work has led to follow-on projects - one studying security practices with reference to the EU NIS directive (funded through RITICS) and another on designing a follow-on game (in collaboration with City of London Police). The Decisions and Disruptions game has won two awards: Winner of the Best Innovation Award at the SANS European Awareness Summit 2019, and The National Cyber Awards 2020.
First Year Of Impact 2016
Sector Digital/Communication/Information Technologies (including Software); Other
Impact Types Economic,Policy & public services

 
Description Adoption of the Decisions and Disruptions game by Metropolitan Police Service
Geographic Reach National 
Policy Influence Type Influenced training of practitioners or researchers
Impact The use of the Decisions and Disruptions game raises awareness of cyber security issues across organisations and provides an innovative and fun way to learn about cyber security decision-making. The game is seeing continued use by the Metropolitan Police Service as part of their awareness programmes. It has also been used by a number of other industry and government organisations nationally and internationally to help decision-makers learn about cyber security and the trade-offs inherent in the decision regarding particular controls or choices as well as their impact on the organisation both in terms of security and business goals.
URL http://www.bris.ac.uk/news/2018/march/cyber-security.html
 
Description Forensic Readiness for Industrial Control Systems
Amount £19,507 (GBP)
Organisation University of Bristol 
Sector Academic/University
Country United Kingdom
Start 10/2021 
End 03/2022
 
Description How many shades of NIS? Understanding Organizational Cybersecurity Cultures and Sectoral Differences
Amount £250,000 (GBP)
Organisation National Cyber Security Centre 
Sector Public
Country United Kingdom
Start 04/2019 
End 03/2021
 
Description Remote Working Cyber Tabletop Exercise
Amount £46,352 (GBP)
Organisation Mayor's Office for Policing and Crime 
Sector Public
Country United Kingdom
Start 01/2023 
End 06/2023
 
Description 15th International Conference on Critical Information Infrastructures Security (CRITIS) 
Form Of Engagement Activity Participation in an activity, workshop or similar
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Other audiences
Results and Impact We hosted and chaired the 15th International Conference on Critical Information Infrastructures Security. Due to the pandemic, the event was moved to an online-only event.
Year(s) Of Engagement Activity 2020
URL http://critis2020.org
 
Description Article in CREST Security Review: Cyber Security Decisions: How Do You Make Yours? 
Form Of Engagement Activity A magazine, newsletter or online publication
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Policymakers/politicians
Results and Impact Professor Awais Rashid and Dr Sylvain Frey investigate cyber security decision making processes through a tabletop game.
Year(s) Of Engagement Activity 2017
URL https://crestresearch.ac.uk/comment/cyber-security-decisions/
 
Description Cyber Security of Industrial Control Systems - Challenges and Research Directions 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Industry/Business
Results and Impact Industrial Control Systems play an important role in the monitoring, control, and automation of critical infrastructure such as water, gas, oil, and electricity. Recent years have seen a number of high profile cyber attacks on such infrastructure, exemplified by Triton, Colonial Pipeline and the Ukrainian Power Grid attacks. This naturally raises the question: how should we manage cyber security risks in such infrastructure, on which the day-to-day functioning of our society relies? What are the complexities of managing security in a landscape where these systems are increasingly connected to other networked systems? What are the challenges posed by the convergence of IoT and critical infrastructure through the so-called Industrial Internet of Things? This talk discussed insights from a multi-year programme of research investigating these issues and the challenges to addressing them. The talk also discussed the design and usage of realistic testbeds for studying such challenges.
Year(s) Of Engagement Activity 2022
 
Description Decisions and Disruptions Workshops 
Form Of Engagement Activity Participation in an activity, workshop or similar
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Professional Practitioners
Results and Impact A number of workshops were organised using the Decisions and Disruptions game developed as part of the Mumba project. The game provides a sandbox in which players can experiment with security risks, learn about decision-making and its consequences, and reflect on their own perception of security. The game has been played with a number of industry organisations (research ethics prohibit naming the organisations) and has also been requested for use internationally. The game has been adopted by the Metropolitan Police Service to teach business leaders how to protect their companies from cyber attacks. The game is continuing to grow in popularity and is being utilised by a number of organisations for raising awareness about cyber security.
Year(s) Of Engagement Activity 2016,2017
URL http://www.bris.ac.uk/news/2018/march/cyber-security.html
 
Description Fourth ACM Workshop on Cyber-Physical Systems Security and PrivaCy (CPS-SPC) in conjunction with the ACM Conference on Computer and Communications Security (CCS) in Toronto, Canada. 
Form Of Engagement Activity Participation in an activity, workshop or similar
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Other audiences
Results and Impact Professor Rashid chaired the workshop that brought together international researchers to discuss key challenges and new approaches for security and privacy in cyber-physical systems, including industrial control systems.
Year(s) Of Engagement Activity 2018
URL https://cps-spc.org
 
Description Google Talk 2017 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Industry/Business
Results and Impact Invited Talk: Everything is Awesome! or is it? Cyber Security Risk in Critical Infrastructure, Google Zurich, 2017. This talk discussed insights from three years of research studying cyber security in such settings. The talk highlighted the complexity of managing security in a landscape shaped by the often competing demands of a variety of stakeholders, e.g., managers, control engineers, enterprise IT personnel and field site operators. It also covered how the security decision-making patterns of the various stakeholders contrast, with some surprising (or perhaps not so surprising) insights into the decision patterns of security experts and so-called non-experts. The talk concluded by discussing risks arising from the prevalence of social media information especially how these may be utilised to infer employees of a critical infrastructure organisation - leading to the potential for highly targeted spear-phishing campaigns.
Year(s) Of Engagement Activity 2017
 
Description Keynote at 14th International Conference on Critical Information Infrastructures Security (CRITIS), Linkoping, Sweden 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Other audiences
Results and Impact A keynote speech was delivered at the conference. This was followed by an invited paper in the Proceedings of the conference. The talk led to a number of additional discussions and collaborations with researchers and practitioners in the area.
Year(s) Of Engagement Activity 2019
URL https://critis2019.on.liu.se/program.html#speakers
 
Description Keynote: 13th European Conference on Software Architecture, Paris, France 2019. 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Other audiences
Results and Impact A keynote speech was given at the European Conference on Software Architecture. The talk discussed the challenges of developing secure software architectures for large connected environments.
Year(s) Of Engagement Activity 2019
URL https://ecsa2019.univ-lille.fr/program/keynotes
 
Description Lightning Talk at Advances in Security Education Workshop, USENIX Security Symposium, 2017. 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Other audiences
Results and Impact Decisions & Disruptions: A Tabletop Game for Industrial Control Systems Security Education

As connectivity moves beyond traditional enterprise systems to cyber-physical infrastructures such as industrial control systems (ICS), one must consider the specific needs for security education in such environments. There is an increasing recognition of gamification as a means of delivering security education. However, games designed for traditional enterprise systems do not readily translate onto such infrastructures. ICS are complex environments incorporating a plethora of devices, from sensors and actuators through to programmable logic controllers (PLCs) and remote telemetry units (RTUs) that monitor and control the physical process (through the aforementioned sensors and actuators). Contemporary ICS are also increasingly linked to and communicate with a range of enterprise-level business applications. The user base in such environments is, therefore, much more diverse than in traditional enterprise systems, including field workers, Supervisory Control and Data Acquisition (SCADA) operators, control engineers and plant managers in addition to regular IT users, administrators, security personnel and business managers. Educating such a diverse user base about cyber security is challenging. Different user groups have their own cultures and perceptions, or lack thereof, of security.

Decisions & Disruptions (D-D) (http://www.decisions-disruptions.org) is a tabletop game to educate this variety of users about security risks in ICS. It provides a rich yet intuitive sandbox environment where players from varied backgrounds can familiarise themselves with the ins and outs of ICS protection, experiment with risk-driven decision-making, and discover and assess their own cyber security culture. In this lightning talk, we discussed the design and gameplay of D-D and presented initial insights from 14 game sessions involving a total of 52 players. These included 5 groups of postgraduate and undergraduate students (2 groups of security students, 1 group of general computer science students, 2 groups of management students), 6 groups from industry (2 groups of security experts, 2 groups of general computer scientists, 2 groups of non-technical managers) and 3 groups of mixed players from diverse backgrounds: academics in computer science, PhD students in security, and non-technical players (e.g., economists).
Year(s) Of Engagement Activity 2017
 
Description Lunchtime Talk at Pervasive Media Studio: "Everything is Awesome!!!" or is it? Cyber Security Risks in Critical Infrastructure 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach Regional
Primary Audience Public/other audiences
Results and Impact Industrial Control Systems play an important role in the monitoring, control, and automation of critical infrastructure such as water, gas, oil, and electricity. Recent years have seen a number of high profile cyber attacks on such infrastructure, exemplified by Stuxnet and the Ukrainian Power Grid attacks. This naturally raises the question: how should we manage cyber security risks in such infrastructure, on which the day-to-day functioning of our society relies?

In this talk Awais Rashid will discuss insights from three years of research studying cyber security in such settings. The talk will highlight the complexity of managing security in a landscape shaped by the often competing demands of a variety of stakeholders, e.g., managers, control engineers, enterprise IT personnel and field site operators. He will also discuss how the security decision-making patterns of the various stakeholders contrast, with some surprising (or perhaps not so surprising) insights into the decision patterns of security experts and so-called non-experts.
Year(s) Of Engagement Activity 2018
URL https://www.watershed.co.uk/studio/events/2018/10/05/"everything-awesome"-or-it-cyber-security-risks...
 
Description Research Seminar at Cardiff University 
Form Of Engagement Activity A talk or presentation
Part Of Official Scheme? No
Geographic Reach Local
Primary Audience Postgraduate students
Results and Impact Understanding Cyber Risk as Business Risk in Industrial Control Environments
Year(s) Of Engagement Activity 2016
 
Description Third ACM Workshop on Cyber-Physical Systems Security and PrivaCy (CPS-SPC) in conjunction with the ACM Conference on Computer and Communications Security (CCS) in Dallas, Texas, USA. 
Form Of Engagement Activity Participation in an activity, workshop or similar
Part Of Official Scheme? No
Geographic Reach International
Primary Audience Other audiences
Results and Impact Professor Rashid co-chaired the workshop that brought together international researchers to discuss key challenges and new approaches for security and privacy in cyber-physical systems, including industrial control systems.
Year(s) Of Engagement Activity 2017
URL https://cps-spc.org/