New US/UK initiatives against cyber-attacks on infrastructure, medical devices
Fri 3 Oct 2014
Two new initiatives, one British and one from the U.S., are examining recommendations to improve security measures, in infrastructure and medical devices, respectively.
In Britain the Engineering and Physical Sciences Research Council (EPSRC) is launching a £2.5mn research project into the network security of Britain’s infrastructure, whilst the U.S. Food and Drug Administration has made recommendations to manufacturers to increase security on critical medical devices and technologies.
The possibilities for remote incursion into vital infrastructure have increased as critical systems have evolved from standalone internal networks into more flexible – but also more complex – internet-facing set-ups.
Professor Chris Hankin from the Research Institute in Trustworthy Industrial Control (RITICS) at ICL observes: “Where control systems are linked to the internet we need to understand how failures could cascade across the system. We will be looking at new ways of repairing damage to systems if an attack happens…We need to address how to approach network maintenance for industrial control systems, particularly as most systems operate on a 24/7 basis.”
The EPSRC is pursuing the research under the coordination of Imperial College London, with sub-projects generated at City University, Lancaster University and the universities of Belfast and Birmingham. The initiative is supported by GCHQ and the Centre for the Protection of National Infrastructure (CPNI).
The researchers will generate metrics and software to help non-IT personnel understand the problems and implications of addressing potential cyber-incursions, and will work with industry partners towards this end.
Professor Awais Rashid of Lancaster University noted: “Our project is about understanding the cyber security risks at the intersection of people and technology. If you give people lots of technical metrics that they don’t understand you get poor decision making.”
Meanwhile in New Hampshire the FDA are focusing on a potential threat that has been little addressed even by popular culture, but the security implications of which are likely to come into focus as the Internet of Things (IoT) gains greater currency.
Though the administration has no evidence that network-connected medical infrastructure has been targeted by cyber-attackers, it is planning a public workshop this autumn to discuss the issue with medical device developers, security professionals and hospitals.
“There is no such thing as a threat-proof medical device,” said Dr Suzanne Schwartz, the FDA’s Director of Emergency Preparedness/Operations and Medical Countermeasures. “It is important for medical device manufacturers to remain vigilant about cybersecurity and to appropriately protect patients from those risks.”
The U.S. Department of Defense announced a new and more open approach to infrastructure attacks in March, when Eric Rosenbach, Assistant Secretary of Defense for Homeland Defense and Global Security, admitted: “The biggest problem is that we don’t own the nation’s critical infrastructure, and generally, there’s been a large underinvestment in the cybersecurity of that infrastructure. So it’s impossible for the Department of Defense, even with everything we have going on, to intercept every single cyber attack.”