The 12th International Conference on System Safety and Cyber Security
30 October - 1 November 2017 | IET London: Savoy Place
Monday 30 October 2017
|09:00 - 11:00||
A roadmap for improving the cyber-security of safety-critical systems
The focus here is on operational aspects of safety-critical systems rather than the associated business information systems. Most cyber security research cannot be applied to safety-critical applications.
As a trivial example, it is (almost) impossible to gain regulatory approval for intrusion detection systems (IDS) within Supervisory Control and Data Acquisition (SCADA) environments.
Many of these IDS rely on AI/machine learning; which is not approved for safety related systems within existing software safety standards such as IEC61508. How can you prove that a program is safe when its behaviour is influenced by future training sets? And if you can, how would you respond to an alert in the Flight Data Processing Systems in Heathrow?
You cannot switch the system off and do a forensic analysis with dozens of aircraft in the sky. If you continue to operate, you may endanger safety by ignoring evidence that you have software of unknown provenance in your networks.
Existing security standards, including the ISO27k series, are equally hard to apply.
Would you leave them unpatched with known security vulnerabilities or update them and run the risk of transferring malware to the devices that control the reactor? In this tutorial, I will provide a number of solutions to these problems; outlining further challenges and successes in the cyber-security of safety-critical systems.
Presented by: Prof. Chris Johnson, University of Glasgow
Integrating cyber security: IT, OT & safety
The increasing focus on Operational Technology security is demonstrated by the rate new guidance published from a variety of sources. Controls systems are at the heart of IOT, and fundamentally shape the Industrial IOT.
Which guidance is most applicable to your systems, and how should you utilise the good practice to best effect? This tutorial will explore the development of OT and cyber physical systems security guidance, including the interdependencies of safety and cyber security.
Coverage includes IEC 62443, CPNI Securing ICS, NIST SP 800-82R2, NIST Cyber Security Framework, ISA TR84.00.09, VDI 2182, DOE C2M2 and the Framework for Cyber-Physical Systems:
Safety and security are increasingly converging, participants will learn about approaches to integrate both aspects in their projects, and manage convergence risk.
Presented by: Dr Richard Piggin, Atkins
You are under attack – Cyber defence or protect the business?
Just because there’s a vulnerability and a threat, doesn’t mean there’s a corresponding risk. Bruce will explore with you the nature and relevance of threats and vulnerabilities, and where they fit in to the UK Cyber Defence taxonomy (which he was tasked to develop).
He’ll look at some aspects of intelligence-based defence, including:
He’ll spend a bit of time on sensible Risk Assessment, Risk Management and, most particularly, Risk Recovery (based on the fact that the bad guys are ALREADY inside, doing damage!).
Finally, he’ll offer you some ways of thinking, including a novel doctrine based around “deter - deny - defend - detect - diagnose - delineate - display - demarcate - decontaminate - dissect - disseminate – destroy” which might help inform any balance of investment decisions you get involved in.
Bruce has nothing to sell, and no hidden agenda – he merely hopes that by the end of his session he will have given you cause for thought, stimulated some lateral thinking, and perhaps even inspired you to do something you wouldn’t otherwise have done!
Presented by: Bruce Wynn, Independent Cyber Consultant and Special Advisor (Cyber) to the City of London Police
Workshop 4 - to be confirmed
Programme is correct at time of publication. Topics and speakers are subject to change.
Member - £595
Non-member - £695