Vigilance can report that researchers at City's Centre for Software Reliability (CSR) have won a £400,000 Engineering and Physical Sciences Research Council (EPSRC) grant to carry out work on communicating and evaluating cyber risk to industrial control systems.
Cyber Risk
City University London's Centre for Software Reliability (CSR) has won a £400,000 Engineering and Physical Sciences Research Council (EPSRC) research grant to assist with a project titled "Communicating and Evaluating Cyber Risk and Dependencies (CEDRICS)". The CSR's Professor of Software and System Dependability, Professor Robin Bloomfield, is the principal investigator, supported by co-investigators Professor Peter Bishop and Dr Peter Popov.
The context for the research is the UK's national cyber strategy and the need to protect against cyber threats to the UK's critical national infrastructure (CNI) such as public health, transportation and energy systems. It will assist in understanding and mitigating vulnerabilities from hackers or malware infiltrating CNI systems.
The City grant is one of four research projects worth a total value of £2.5m, awarded by EPSRC as part of the EPSRC/Centre for the Protection of National Infrastructure (CPNI) "Research Institute in Trustworthy Industrial Control Systems". The Research Institute in Trustworthy Industrial Control Systems (RITICS), based at Imperial College London, is also co-ordinating projects undertaken at Queen's University Belfast, the University of Birmingham, and Lancaster University.
Professor Chris Hankin, from the RITICS, said: "Where control systems are linked to the internet we need to understand how failures could cascade across the system. We will be looking at new ways of repairing damage to systems if an attack happens. We need to address how to approach network maintenance for industrial control systems, particularly as most systems operate on a 24/7 basis. So we will be looking at how we can ensure better protection without compromising performance."
The City project will start on the 1st of October 2014 and will last 3 years. The research proposal will address two significant problems:
1. Understanding and communicating cyber risks. This challenge will be addressed using the approach "Claim - Arguments - Evidence (CAE)", pioneered by Professors Bloomfield and Bishop and successfully applied in safety assessment (safety case). The approach will be extended to risks from cyber security in industrial control systems (ICS).
2. Evaluating defence in depth and impact on dependencies. The work is intended to build on the previous work by the team on model-based assessments of the impact of interdependencies on the resilience of interdependent critical infrastructures. The specific challenges to address are creating a credible model of an Adversary in ICS and applying accurate models to assess the impact of various uncertainties (e.g. in the topology of the ICS, of the model parameters, related to the Adversary, etc.) on the resilience of the modelled systems.
Professor Bloomfield said: "The research will produce a methodology supported with modelling software that can be deployed in the risk assessment of critical infrastructures. It will take a scenario-based approach to risk assessment addressing uncertainties and doubts in intelligence, the systems themselves as well as the impact of attack. The risk communication is an important component of the project and will consider the needs of different stakeholders, not just highly technical people. Some of the modelling work will be published as case studies and made publicly available. The theoretical results will be validated on empirical studies provided by industrial collaborators (Adelard LLP and ALSTOM Grid UK)."
Professor Bloomfield, a Fellow of the Royal Academy of Engineering, is a former member of the Treasury's Engineering Expert Group on Interdependencies (EEIG) which informed the UK national plan "National Infrastructure Plan 2010".