{"id":907,"date":"2017-05-15T06:39:24","date_gmt":"2017-05-15T06:39:24","guid":{"rendered":"https:\/\/abnormaldistribution.org\/?p=907"},"modified":"2017-05-15T06:39:24","modified_gmt":"2017-05-15T06:39:24","slug":"safety-and-cybersecurity-again","status":"publish","type":"post","link":"https:\/\/abnormaldistribution.org\/index.php\/2017\/05\/15\/safety-and-cybersecurity-again\/","title":{"rendered":"Safety and Cybersecurity. Again."},"content":{"rendered":"<p class=\"western\"><span style=\"color: #313131;\"><span style=\"font-family: 'Times New Roman', serif;\"><span style=\"font-size: medium;\">IEC 61508:2010 is the latest edition of the general functional safety standard for E\/E\/PE systems. IEC 61511:2016 is the latest edition of the functional safety standard for E\/E\/PE systems in IACS.<\/span><\/span><\/span><\/p>\n<p class=\"western\"><span style=\"color: #313131;\"><span style=\"font-family: 'Times New Roman', serif;\"><span style=\"font-size: medium;\">Last Thursday I gave a short talk (twice) to the German electrotechnical standardisation organisation DKE&#8217;s annual one-day get-together event, now called the Innovation Campus <\/span><\/span><\/span><a href=\"https:\/\/www.dke.de\/de\/ueber-uns\/innovation-campus-2017\"><span style=\"color: #420178;\"><span style=\"font-family: 'Times New Roman', serif;\"><span style=\"font-size: medium;\"><u>https:\/\/www.dke.de\/de\/ueber-uns\/innovation-campus-2017<\/u><\/span><\/span><\/span><\/a><span style=\"color: #313131;\"><span style=\"font-family: 'Times New Roman', serif;\"><span style=\"font-size: medium;\"> . The theme of the Campus was, amongst other things, functional safety and cybersecurity.<\/span><\/span><\/span><\/p>\n<p class=\"western\"><span style=\"color: #313131;\"><span style=\"font-family: 'Times New Roman', serif;\"><span style=\"font-size: medium;\">It turns out you can put the entire collection of clauses in IEC 61508:2010 in which cybersecurity is mentioned on 5 easily-readable slides, and those in IEC 61511:2016 on 6 slides.<\/span><\/span><\/span><\/p>\n<p class=\"western\"><span style=\"color: #313131;\"><span style=\"font-family: 'Times New Roman', serif;\"><span style=\"font-size: medium;\">I then listed 10 cybersecurity vulnerabilities that have occurred in incidents in nuclear power plants, as noted in the Chatham House report of October 2015 <\/span><\/span><\/span><a href=\"https:\/\/www.chathamhouse.org\/publication\/cyber-security-civil-nuclear-facilities-understanding-risks\"><span style=\"color: #420178;\"><span style=\"font-family: 'Times New Roman', serif;\"><span style=\"font-size: medium;\"><u>https:\/\/www.chathamhouse.org\/publication\/cyber-security-civil-nuclear-facilities-understanding-risks<\/u><\/span><\/span><\/span><\/a><span style=\"color: #313131;\"><span style=\"font-family: 'Times New Roman', serif;\"><span style=\"font-size: medium;\"> . They are all observations of behaviour by means of which malware could easily enter (in some cases, did enter) the IACS. Some of them go back decades.<\/span><\/span><\/span><\/p>\n<p class=\"western\"><span style=\"color: #313131;\"><span style=\"font-family: 'Times New Roman', serif;\"><span style=\"font-size: medium;\">I asked the rhetorical question: which of these incidents would have been avoided by following the current guidance in IEC 61508 and IEC 61511? The answer is: none.<\/span><\/span><\/span><\/p>\n<p class=\"western\"><span style=\"color: #313131;\"><span style=\"font-family: 'Times New Roman', serif;\"><span style=\"font-size: medium;\">Concerning the current brouhaha about WannaCry and the UK National Health Service, e.g., <\/span><\/span><\/span><a href=\"https:\/\/www.theguardian.com\/technology\/2017\/may\/14\/cyber-attack-escalate-working-week-begins-experts-nhs-europol-warn\"><span style=\"color: #420178;\"><span style=\"font-family: 'Times New Roman', serif;\"><span style=\"font-size: medium;\"><u>https:\/\/www.theguardian.com\/technology\/2017\/may\/14\/cyber-attack-escalate-working-week-begins-experts-nhs-europol-warn<\/u><\/span><\/span><\/span><\/a><span style=\"color: #313131;\"><span style=\"font-family: 'Times New Roman', serif;\"><span style=\"font-size: medium;\"> , many systems in the NHS are still running Windows XP, which Microsoft stopped supporting in 2014, and which is vulnerable to the malware. On 6 July, 2016 the Care Quality Commission and the UK National Data Guardian published a report on data security within the NHS. In their letter to the Secretary of State for Health, Jeremy Hunt, they made inter alia 13 recommendations on data security <\/span><\/span><\/span><a href=\"https:\/\/www.gov.uk\/government\/uploads\/system\/uploads\/attachment_data\/file\/534790\/CQC-NDG-data-security-letter.pdf\"><span style=\"color: #420178;\"><span style=\"font-family: 'Times New Roman', serif;\"><span style=\"font-size: medium;\"><u>https:\/\/www.gov.uk\/government\/uploads\/system\/uploads\/attachment_data\/file\/534790\/CQC-NDG-data-security-letter.pdf<\/u><\/span><\/span><\/span><\/a><span style=\"color: #313131;\"><span style=\"font-family: 'Times New Roman', serif;\"><span style=\"font-size: medium;\"> . The 4th recommendation was: &#8220;Computer hardware and software that can no longer be supported should be replaced as a matter of urgency. [CQC]&#8221; (The acronym in brackets indicates that this derives from the Care Quality Commission.)<\/span><\/span><\/span><\/p>\n<p class=\"western\"><span style=\"color: #313131;\"><span style=\"font-family: 'Times New Roman', serif;\"><span style=\"font-size: medium;\">Over the winter and continuing, there have been and are constant reports that the NHS is unusually strapped for cash, e.g., <\/span><\/span><\/span><a href=\"https:\/\/www.theguardian.com\/commentisfree\/2017\/feb\/06\/the-guardian-view-on-the-nhs-more-cash-less-dog-whistling-needed\"><span style=\"color: #0000e9;\"><span style=\"font-family: 'Times New Roman', serif;\"><span style=\"font-size: medium;\"><u>https:\/\/www.theguardian.com\/commentisfree\/2017\/feb\/06\/the-guardian-view-on-the-nhs-more-cash-less-dog-whistling-needed<\/u><\/span><\/span><\/span><\/a><span style=\"color: #313131;\"><span style=\"font-family: 'Times New Roman', serif;\"><span style=\"font-size: medium;\"> , <\/span><\/span><\/span><a href=\"https:\/\/www.theguardian.com\/society\/2017\/feb\/02\/nhs-cash-crisis-in-kent-halts-non-urgent-surgery-until-april\"><span style=\"color: #0000e9;\"><span style=\"font-family: 'Times New Roman', serif;\"><span style=\"font-size: medium;\"><u>https:\/\/www.theguardian.com\/society\/2017\/feb\/02\/nhs-cash-crisis-in-kent-halts-non-urgent-surgery-until-april<\/u><\/span><\/span><\/span><\/a><span style=\"color: #313131;\"><span style=\"font-family: 'Times New Roman', serif;\"><span style=\"font-size: medium;\"> , <\/span><\/span><\/span><a href=\"https:\/\/www.theguardian.com\/society\/2017\/apr\/27\/nhs-needs-25bn-in-emergency-cash-theresa-may-told\"><span style=\"color: #0000e9;\"><span style=\"font-family: 'Times New Roman', serif;\"><span style=\"font-size: medium;\"><u>https:\/\/www.theguardian.com\/society\/2017\/apr\/27\/nhs-needs-25bn-in-emergency-cash-theresa-may-told<\/u><\/span><\/span><\/span><\/a><span style=\"color: #313131;\"><span style=\"font-family: 'Times New Roman', serif;\"><span style=\"font-size: medium;\"> . Replacing computer systems of course costs money.<\/span><\/span><\/span><\/p>\n<p class=\"western\"><span style=\"color: #313131;\"><span style=\"font-family: 'Times New Roman', serif;\"><span style=\"font-size: medium;\">How does this concern E\/E\/PE system safety professionals? Pervasive ransomware and critical-care systems is obviously a safety issue. Estimates will likely be derived of how many people died or suffered because of this WannaCry\/NHS incident, although they will mostly rely on indirect inference.<\/span><\/span><\/span><\/p>\n<p class=\"western\"><span style=\"color: #313131;\"><span style=\"font-family: 'Times New Roman', serif;\"><span style=\"font-size: medium;\">In case people haven&#8217;t yet noticed, cybersecurity is the elephant in the room. I&#8217;d like to say that E\/E\/PE safety assessors who don&#8217;t assess systems according to the basics of cybersecurity are performing an inadequate job. But the standards to which they are assessing conformance don&#8217;t say that, as I pointed out last Thursday.<\/span><\/span><\/span><\/p>\n<p class=\"western\"><span style=\"color: #313131;\"><span style=\"font-family: 'Times New Roman', serif;\"><span style=\"font-size: medium;\">In any case, what are the &#8220;basics&#8221; of cybersecurity? In the UK, it used to be the Cyberessentials program <\/span><\/span><\/span><a href=\"http:\/\/www.cyberessentials.org\/\"><span style=\"color: #420178;\"><span style=\"font-family: 'Times New Roman', serif;\"><span style=\"font-size: medium;\"><u>http:\/\/www.cyberessentials.org<\/u><\/span><\/span><\/span><\/a><span style=\"color: #313131;\"><span style=\"font-family: 'Times New Roman', serif;\"><span style=\"font-size: medium;\"> . It was supposed to be something quick and easy for SMEs. But last October the first large UK defence supplier to qualify in the program gave me an indication of how much effort was required. It was enormous. Consider the supply-chain assurance alone, when you have over 100,000 suppliers and a chain of length at least 15 (I understood I could use such example figures). A colleague who is a one-person cybersecurity consultant took months to figure out what he needed to do and how. I don&#8217;t think that is how the program was conceived to operate.<\/span><\/span><\/span><\/p>\n<p class=\"western\"><span style=\"color: #313131;\"><span style=\"font-family: 'Times New Roman', serif;\"><span style=\"font-size: medium;\">One may well ask what the point of a Cyberessentials program is, when UK government suppliers must conform but major government-funded organisations such as the NHS do not have to do so.<\/span><\/span><\/span><\/p>\n<p class=\"western\"><span style=\"color: #313131;\"><span style=\"font-family: 'Times New Roman', serif;\"><span style=\"font-size: medium;\">But at least it was a program, an attempt to get everyone pervasively &#8220;clean&#8221; on the &#8220;basics&#8221;, whatever they may be. In Germany, there is guidance through the BSI, lots of it, but there has not yet been an attempt to get the ducks all in the one and same row, as in the UK. There is a general alliance, the Allianz f\u00fcr Cyber-Sicherheit <\/span><\/span><\/span><a href=\"https:\/\/www.bsi.bund.de\/DE\/Themen\/Cyber-Sicherheit\/Aktivitaeten\/Allianz_fuer_Cybersicherheit\/Allianz_node.html\"><span style=\"color: #420178;\"><span style=\"font-family: 'Times New Roman', serif;\"><span style=\"font-size: medium;\"><u>https:\/\/www.bsi.bund.de\/DE\/Themen\/Cyber-Sicherheit\/Aktivitaeten\/Allianz_fuer_Cybersicherheit\/Allianz_node.html<\/u><\/span><\/span><\/span><\/a><span style=\"color: #313131;\"><span style=\"font-family: 'Times New Roman', serif;\"><span style=\"font-size: medium;\"> , with recommendations, but not yet a program.<\/span><\/span><\/span><\/p>\n<p class=\"western\"><span style=\"color: #313131;\"><span style=\"font-family: 'Times New Roman', serif;\"><span style=\"font-size: medium;\">It&#8217;s time for Bruce Schneier&#8217;s monthly Crypto-Gram newsletter. Schneier has been complaining regularly about the practice of government cybersecurity agencies in hoarding vulnerabilities for future use and deriving exploits for them (so-called zero-day exploits). Apparently WannaCry was one of the devices in the Shadow Brokers&#8217; recent publication of NSA-hoarded exploits. I&#8217;m sure May&#8217;s Crypto-Gram will include an &#8220;I told you so&#8221; note.<\/span><\/span><\/span><\/p>\n<p class=\"western\"><span style=\"font-family: 'Times New Roman', serif;\"><span style=\"font-size: medium;\"><span style=\"color: #313131;\">Microsoft issued a patch for supported systems already in March. In case you haven&#8217;t heard and you come across Windows XP systems, Microsoft has published a patch now also for Windows XP.<\/span><\/span><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>IEC 61508:2010 is the latest edition of the general functional safety standard for E\/E\/PE systems. IEC 61511:2016 is the latest edition of the functional safety standard for E\/E\/PE systems in IACS. Last Thursday I gave a short talk (twice) to the German electrotechnical standardisation organisation DKE&#8217;s annual one-day get-together event, now called the Innovation Campus [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[13,6],"tags":[],"_links":{"self":[{"href":"https:\/\/abnormaldistribution.org\/index.php\/wp-json\/wp\/v2\/posts\/907"}],"collection":[{"href":"https:\/\/abnormaldistribution.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/abnormaldistribution.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/abnormaldistribution.org\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/abnormaldistribution.org\/index.php\/wp-json\/wp\/v2\/comments?post=907"}],"version-history":[{"count":0,"href":"https:\/\/abnormaldistribution.org\/index.php\/wp-json\/wp\/v2\/posts\/907\/revisions"}],"wp:attachment":[{"href":"https:\/\/abnormaldistribution.org\/index.php\/wp-json\/wp\/v2\/media?parent=907"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/abnormaldistribution.org\/index.php\/wp-json\/wp\/v2\/categories?post=907"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/abnormaldistribution.org\/index.php\/wp-json\/wp\/v2\/tags?post=907"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}