Trusted to deliver excellence

© 2017 Rolls-Royce plc

The information in this document is the property of Rolls-Royce plc and may not be copied or communicated to a third party, or used for any purpose other

than that for which it is supplied without the express written consent of Rolls-Royce plc.

This information is given in good faith based upon the latest information available to Rolls-Royce plc, no warranty or representation is given concerning

such information, which must not be taken as establishing any contractual or other commitment binding upon Rolls-Royce plc or any of its subsidiary or

associated companies.

Engineering Safety and Security in

the era of the Industrial Internet of

Things

Dr Robert Oates

Private – Rolls-Royce Proprietary Information

Talk Structure

- Who am I?

- What is Product Cyber Security?

- Why is it important to understand the interactions between safety and security?

- How do safety and security interact?

Private – Rolls-Royce Proprietary Information

2

Private – Rolls-Royce Proprietary Information

Product Cyber Security Team3

Civil Aerospace

Defence Aerospace

Marine NuclearPower

Systems

Product Cyber Security Team

ProcessImprovement

Auditing Standardisation&

Best Practice

Project Support

Tooling

Sources of Product Cyber Security Risk5

Private – Rolls-Royce Proprietary Information

Attacker Capability / Motivation

Technical Sources

Cultural Sources

Technical Sources of Risk

Private – Rolls-Royce Proprietary Information

6

Higher Performance Systems

Hyperconnectivity

COTS

Big Data

Technical CyberRisk

Example: Maritime Sector

Private – Rolls-Royce Proprietary Information

7

ThrustHeading

Organisation

Automation FunctionsAutomation

FunctionsAutomation Functions

Monitoring Functions

Remote OperationLikelihood

Impact

• Data driven services

• Automation and remote access

• Wireless sensor networks

• Internet of Things

Vessel

Crew

Automation FunctionsAutomation

FunctionsIoTComponents

IoT Services

Organisation

Attacker Capability – Who is attacking?

CNI Attackers (From GAO):

• Nation states

• Terrorists

• Industrial spies and organised crime

• Hacktivists

• Hackers

8

Private – Rolls-Royce Proprietary Information

Attacker resources9

AttackerCapability

/Motivation

Private – Rolls-Royce Proprietary Information

What can we do about PCS Risk?

Private – Rolls-Royce Proprietary Information

12

People

Process Technology

Risk Driven Design Processes13

Private - Rolls-Royce Proprietary Information

Technical Risk Assessment

Risk Treatment

Plan

Are risks acceptable?

Identify Mitigations

Update Design

Initial Design to Design Principles

Inputs:

i) Organisation:

->What’s our risk appetite?

ii) Functional Requirements

-> What are we making?

Next phaseyes

no

Secure Development Objectives

Private – Rolls-Royce Proprietary Information

14

Innate Security

Reactive Security

Security requirements across all sub systems to ensure that the system is secure at the system level

Active security features/subsystems that detect and react to intrusions

Information Assurance

The argument that the system is secure, through life

Changing Cultures

Security is everybody’s responsibility

Private – Rolls-Royce Proprietary Information

15

Training

Routes to escalation

Incident response planning

Security Champions

Communication

Changing Cultures

Proportionate, risk-based controls

Private – Rolls-Royce Proprietary Information

16

Keep costs down

Keep risks down

Understand risk

Risk Sources

Risk

Cyber Security

Attacks

Safety

Accidents

Economic

Financial Loss

17

Private – Rolls-Royce Proprietary Information

Statement 1

Product cyber security is a risk source that needs

to be addressed

18

Private – Rolls-Royce Proprietary Information

Fundamental Question

Can a software intensive system be

deemed safe if it isn’t secure?

19

Private – Rolls-Royce Proprietary Information

The Enemies of Safety / The Results of Attacks

Non-determinism

Uncontrolled change

Poor communication/understanding

Private – Rolls-Royce Proprietary Information

20

Private - Rolls-Royce Proprietary Information

SECURITY

SAFETY

CRYPTO

≠

Risk Driven Design Processes22

Private - Rolls-Royce Proprietary Information

Statement 2

Understanding the link to safety can make things

1. Safer

2. More secure

3. Cheaper

23

Private – Rolls-Royce Proprietary Information

Risk Direction: Safety

Private – Rolls-Royce Proprietary Information

25

Supplier Customer

Safety Risk

Financial Risk

Recompense

Risk Direction: Security

Private – Rolls-Royce Proprietary Information

26

Supplier

Customer

Security Risk

Legal Risk

Recompense

Attacker

Patching safety critical systems

Vulnerability

Researcher

Supplier

Malicious

Actors

System

Integrator

Discovery

Research

?

Exploitation

Research

?Remedial

actionsPatch application

Testing

and

recertification

Patch creation

Private – Rolls-Royce Proprietary Information

Patching safety critical systemsDiscovery

Patch application

Testing

and recertification

Discovery Discovery

. . .

. . .

. . .

Vulnerability

Researcher

Supplier

Malicious

Actors

System

Integrator

Response

cycleResponse

cycleResponse

cycle

Private – Rolls-Royce Proprietary Information

Design Principles in Opposition: Diversity

Private - Rolls-Royce Proprietary Information

Inputs

Outputs

System

Safety Security

P(failure) = 0.0001 Likelihood of attack?P(failure) = (0.0001)2

Implementation specific vulnerabilities

Specification vulnerabilities

Component vulnerabilities

Uncertainty: Low, de-risked from extensive testing and well established process

Low risk system Risky system!

System B

System A

Inputs Inputs

X

Extremely

Understanding Risk

Private – Rolls-Royce Proprietary Information

30

SafetySecurity

Data SafetyCyber

Security

• System level quality factors• Through life quality factors• Preventing harm• Design principles• Risk driven design change• Controls that are proportionate to risks

Technology

Private – Rolls-Royce Proprietary Information

31

Resist Detect and React

Network architecture• Interface control• Firewalls• Data diodes• Segregation

Protocol Selection

Cryptographic techniques• Cryptographic agility – quantum!• Legal issues

Multi-source localisation

Manual override

IDS• What is normal?• Interaction with watchdogs• Does “Adaptive” = “Non-deterministic” ?

Logging• Review processes

Reactions• Security responses shouldn’t

compromise safety• Safety responses shouldn’t

compromise security

…but there are things missing.

Systems Engineering for Safety and Security

• Is a truly common risk model possible?

Efficient Incident Response

• Design for Forensics

• Team members

Intelligence Focus

• Where do you get threat intelligence from?

• How do you embed live intelligence into an engineering/maintainance process?

32

Private – Rolls-Royce Proprietary Information

Statement 3

The interactions are complex. Some solutions exist,

but there is a way to go

33

Private – Rolls-Royce Proprietary Information

In Conclusion

1. Product cyber security is a risk source that

needs to be addressed

2. Understanding the link to safety can make

things

1. Safer

2. More secure

3. Cheaper

3. The interactions are complex, solutions exist

but there is a way to go

34

Private – Rolls-Royce Proprietary Information