A Cross-Sector Perspective on Product Cyber Security
Dr Robert Oates
Software Centre of Excellence, Rolls-Royce plc
Trusted to deliver excellence
Private – Rolls-Royce Proprietary Information

Key Messages
• All industrial sectors are seeing a rise in cyber security risk
• There is a wealth of standards and guidance
  - Some of it doesn’t work
  - Some of it does work
• There are things missing

The Software Centre of Excellence
• Civil Aerospace
• Defence Aerospace
• Marine
• Nuclear
• Power Systems
Software Centre of Excellence
• Process Improvement
• Auditing
• Standardisation & Best Practice
• Tooling
• Project Work

Binding Factors Across the Organisation
Safety critical systems
- High impact of failure
Complex systems
- Multiple interfaces and entities
- Emergent behaviour
Strongly regulated sectors
- High level of evidence for changes/updates
- Pace of technology is faster than pace of regulatory change
Critical National Infrastructure
- Aggressive, highly motivated attackers

Why is cyber security risk growing in all sectors?
• Attacker Capability / Motivation
• Technical Sources
• Cultural Sources

Technical Sources of Risk
Higher Performance Systems
• Better monitoring & analysis means more data
• More reliance on data means a higher impact of losing data integrity/availability
• System complexity makes exhaustive testing impossible
Hyperconnectivity
• New services require more interconnectivity
• Internet facing services
• Internet-of-things technologies
• More connections invalidate old models of “trusted networks”
COTS
• Market driving use of COTS instead of dedicated, bespoke solutions
• COTS equipment is easier for researchers to analyse and attack, which means new, publicised vulnerabilities
Big Data
• Big data increases business reliance on high-integrity data

Cultural Sources of Risk
When does product cyber security not get dealt with?
• Low awareness / complacency: “Nobody would attack us”
• Poor regulatory / legal environment: “We don’t need this”
• Poor skills / capability: “This is too hard”
• Inability to communicate problems to people who can solve them: “Nobody’s going to do anything about this”
• Low economic margin sectors: “You first”
• Poor economic incentives: “Nobody wants this”
• It will be dealt with further up the supply chain: “Not our problem”

Attacker Resources
Knowledge
• Commonalities with IT
• Cheaper systems components
• Shared tools and understanding
Time / Money
• Hackers as a service / niching
• Vulnerability marketplace
• Nation sponsored
Impunity
• Complex, international prosecution
• Poor capability/resourcing of law enforcement agencies

How do we engineer secure systems?
• People
• Process
• Technology
Best Practice
Market Drivers: insurance/regulation, market demand

What Doesn’t Work?
• Airgaps
• “Solutioneering” – Technology-specific Prescriptive Security
• Assuming safety makes you secure
• Assuming IT techniques will read across

What Works? - Process
Proportionate, risk-based controls
• Understand risk
• Keep costs down
• Keep risks down

What Works? - Process
[Diagram labels: System Reliability, Security, Cyber Security, Safety, Data Safety]
• System level quality factors
• Through life quality factors
• Preventing harm
• Design principles
• Risk driven design change
• Controls that are proportionate to risks

Design Principles in Opposition: Diversity
Safety
• P(failure) = 0.0001
• P(failure) = (0.0001)^2
• Uncertainty: Low, de-risked from extensive testing and well established process
• Extremely low risk system
Security
• Likelihood of attack?
• Implementation specific vulnerabilities
• Risky system!
[Diagram labels: Inputs, Outputs]

Maintenance Processes in Opposition: Patching
Safety
• P(failure) = (0.0001)^2
• Uncertainty: High! What has the patch done to our systems?
• Need to retest, recertify….
Security
• Likelihood of attack?
• Vulnerability Report
[Diagram labels: System A, System B, Inputs, Outputs, “Low risk system”, “Risky system!”, “Less risky system?”]

Risk Driven Design Processes
Inputs:
i) Organisation -> What’s our risk appetite?
ii) Functional Requirements -> What are we making?
[Flowchart boxes: Initial Design to Design Principles; Technical Risk Assessment; Risk Treatment Plan; Update Design; Identify Mitigations]
Decision: Are risks acceptable?
• no
• yes -> Next phase

What Works? - People
Security is everybody’s responsibility
• Training
• Routes to escalation
• Incident response planning
• Security Champions
• Communication

What’s Missing?
Systems Engineering for Safety and Security
• Is a common risk model possible?
• Is a common impact model possible?
Efficient Incident Response
• Forensics
• Team members
Intelligence Focus
• Where do you get threat intelligence from?
• How do you use it?