Abstract

We are increasingly seeing the merging of information systems and industrial control systems into so-called cyber-physical systems, the smart grid being a prime example. This trend raises major risk issues, because the viewpoint of those designing and developing security-critical information (or computational or business) systems differs markedly from the way those creating safety-critical control systems consider hazards and the resulting risk. Essentially, information security is concerned with protecting information assets, such as intellectual property and sensitive personal information, from falling into the hands of those bent on fraud and other nefarious activities. Those responsible for the safety of software-intensive systems, on the other hand, are intent on ensuring that a system malfunction or failure will not lead to harm to human beings or the environment. By combining security-critical information systems with safety-critical control systems, we have been creating a risk environment for these computer systems that is greater than the sum of the risks of the parts. For example, industrial control systems have traditionally been isolated from public networks and therefore not subject to cyber attacks over the Internet. As a consequence, such systems were never designed to withstand remote attacks and are generally more vulnerable than information systems. Conversely, those responsible for security-critical software systems would typically not consider physical harm resulting from successful attacks, believing that the worst that might happen would be financial loss. In the new cyber-physical systems world, designers and developers have to be concerned about the possibility of their systems being used as a conduit to control systems that have national security and critical infrastructure ramifications.
In this paper we look at the totality of risks across a broad range of cyber-physical systems in the public and private sectors and point to areas that must be subjected to much greater scrutiny in order to mitigate the increased risks. Because the risk is greater than the sum of the parts, the mitigating activities must be correspondingly greater: any security/safety approach needs to account for the risks not only of the individual components but also of the interactions among the components. This may well justify much greater expenditure and effort on securing the overall system, since the consequences of a successful breach are that much greater. We present a model that helps to determine the factors that lead to the levels of combined risk and propose appropriate methods to suitably contain and minimize such risk.
