Safety and Cybersecurity. Again.

IEC 61508:2010 is the latest edition of the general functional safety standard for E/E/PE systems. IEC 61511:2016 is the latest edition of the functional safety standard for E/E/PE systems in IACS.

Last Thursday I gave a short talk (twice) to the German electrotechnical standardisation organisation DKE’s annual one-day get-together event, now called the Innovation Campus https://www.dke.de/de/ueber-uns/innovation-campus-2017 . The theme of the Campus was, amongst other things, functional safety and cybersecurity.

It turns out you can put the entire collection of clauses in IEC 61508:2010 in which cybersecurity is mentioned on 5 easily-readable slides, and those in IEC 61511:2016 on 6 slides.

I then listed 10 cybersecurity vulnerabilities that have occurred in incidents in nuclear power plants, as noted in the Chatham House report of October 2015 https://www.chathamhouse.org/publication/cyber-security-civil-nuclear-facilities-understanding-risks . They are all observations of behaviour by means of which malware could easily enter (in some cases, did enter) the IACS. Some of them go back decades.

I asked the rhetorical question: which of these incidents would have been avoided by following the current guidance in IEC 61508 and IEC 61511? The answer is: none.

Concerning the current brouhaha about WannaCry and the UK National Health Service, e.g., https://www.theguardian.com/technology/2017/may/14/cyber-attack-escalate-working-week-begins-experts-nhs-europol-warn , many systems in the NHS are still running Windows XP, which Microsoft stopped supporting in 2014, and which is vulnerable to the malware. On 6 July, 2016 the Care Quality Commission and the UK National Data Guardian published a report on data security within the NHS. In their letter to the Secretary of State for Health, Jeremy Hunt, they made inter alia 13 recommendations on data security https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/534790/CQC-NDG-data-security-letter.pdf . The 4th recommendation was: “Computer hardware and software that can no longer be supported should be replaced as a matter of urgency. [CQC]” (The acronym in brackets indicates that this derives from the Care Quality Commission.)

Over the winter and continuing, there have been and are constant reports that the NHS is unusually strapped for cash, e.g., https://www.theguardian.com/commentisfree/2017/feb/06/the-guardian-view-on-the-nhs-more-cash-less-dog-whistling-needed , https://www.theguardian.com/society/2017/feb/02/nhs-cash-crisis-in-kent-halts-non-urgent-surgery-until-april , https://www.theguardian.com/society/2017/apr/27/nhs-needs-25bn-in-emergency-cash-theresa-may-told . Replacing computer systems of course costs money.

How does this concern E/E/PE system safety professionals? Pervasive ransomware on critical-care systems is obviously a safety issue. Estimates will likely be derived of how many people died or suffered because of this WannaCry/NHS incident, although they will mostly rely on indirect inference.

In case people haven’t yet noticed, cybersecurity is the elephant in the room. I’d like to say that E/E/PE safety assessors who don’t assess systems according to the basics of cybersecurity are performing an inadequate job. But the standards to which they are assessing conformance don’t say that, as I pointed out last Thursday.

In any case, what are the “basics” of cybersecurity? In the UK, it used to be the Cyberessentials program http://www.cyberessentials.org . It was supposed to be something quick and easy for SMEs. But last October the first large UK defence supplier to qualify in the program gave me an indication of how much effort was required. It was enormous. Consider the supply-chain assurance alone, when you have over 100,000 suppliers and a chain of length at least 15 (I understood I could use such example figures). A colleague who is a one-person cybersecurity consultant took months to figure out what he needed to do and how. I don’t think that is how the program was conceived to operate.

One may well ask what the point of a Cyberessentials program is, when UK government suppliers must conform but major government-funded organisations such as the NHS do not have to do so.

But at least it was a program, an attempt to get everyone pervasively “clean” on the “basics”, whatever they may be. In Germany, there is guidance through the BSI, lots of it, but there has not yet been an attempt to get the ducks all in the one and same row, as in the UK. There is a general alliance, the Allianz für Cyber-Sicherheit https://www.bsi.bund.de/DE/Themen/Cyber-Sicherheit/Aktivitaeten/Allianz_fuer_Cybersicherheit/Allianz_node.html , with recommendations, but not yet a program.

It’s time for Bruce Schneier’s monthly Crypto-Gram newsletter. Schneier has been complaining regularly about the practice of government cybersecurity agencies in hoarding vulnerabilities for future use and deriving exploits for them (so-called zero-day exploits). Apparently WannaCry was one of the devices in the Shadow Brokers’ recent publication of NSA-hoarded exploits. I’m sure May’s Crypto-Gram will include an “I told you so” note.

Microsoft had already issued a patch for supported systems in March. In case you haven’t heard and you come across Windows XP systems: Microsoft has now also published a patch for Windows XP.
