Organisational, Political and Technical Barriers to the Integration of Safety and Cyber-Security Incident Reporting Systems

Johnson, C.W. (2015) Organisational, Political and Technical Barriers to the Integration of Safety and Cyber-Security Incident Reporting Systems. In: 34th International Conference, Safecomp, Delft, The Netherlands, 23-25 Sep 2015, pp. 400-409. ISBN 9783319242545 (doi: 10.1007/978-3-319-24255-2_29)

Full text not currently available from Enlighten.

Abstract

Many companies must report cyber-incidents to regulatory organisations, including the US Securities and Exchange Commission and the European Network and Information Security Agency. Unfortunately, these security systems have not been integrated with safety reporting schemes. This leads to confusion and inconsistency when, for example, a cyber-attack undermines the safe operation of critical infrastructures. The following pages explain this lack of integration. One reason is a clash of reporting cultures when safety-related systems are intended to communicate lessons as widely as possible to avoid any recurrence of previous accidents. In contrast, disclosing the details of a security incident might motivate further attacks. There are political differences between the organisations that conventionally gather data on cyber-security incidents, national telecoms regulators, and those that have responsibility for the safety of application processes, including transportation and energy regulators. At a more technical level, the counterfactual arguments that identify root causes in safety-related accidents cannot easily be used to reason about the malicious causes of future security incidents. Preventing the cause of a previous attack provides little assurance that a motivated adversary will not succeed with another potential vector. The closing sections argue that we must address these political, organisational and technical barriers to integration given the growing threat that cyber-attacks pose for a host of complex, safety-critical applications.

Item Type: Conference Proceedings
Additional Information: Lecture Notes in Computer Science: 9337. The final publication is available at Springer via http://dx.doi.org/10.1007/978-3-319-24255-2_29
Status: Published
Refereed: Yes
Glasgow Author(s) Enlighten ID: Johnson, Professor Chris
Authors: Johnson, C.W.
College/School: College of Science and Engineering > School of Computing Science
Publisher: Springer International Publishing
ISSN: 0302-9743
ISBN: 9783319242545
Copyright Holders: Copyright © 2015 Springer International Publishing Switzerland
Publisher Policy: Reproduced in accordance with the copyright policy of the publisher
