Not a week goes by without hearing a story about a successful cyber attack compromising a critical system, hacking into a car, or a personal data breach. Script kiddies, online fraudsters, state-sponsored hackers all abound. Recent repeated attacks on TalkTalk and Sony show that we do not learn from the past. It appears things are broken and they remain so. Where are we headed?
We live in an age where everything around us is increasingly digital, connected and increasingly has a mind of its own . Modern systems are a mix of complex software (often millions line of computer code), hard physical components as well as software parts, and human-driven social networks enabled through some digital fabric. They are to be found in traditional domains such as cyberspace, finance and healthcare, but also in emerging domains including automotive, rail, aviation, energy, and smart cities. This is a significant departure from how things were a couple of decades ago.
Over the next decade such systems are expected to feature higher levels of autonomy; bringing together advances in sensing and intelligent decision making. And, there are increasing levels of interconnectivity, where communication is opportunistic and ad hoc. Imagine a smart city where connected autonomous cars are able to talk to each other and their surroundings to be aware of traffic routes, road works and safety hazards. Based on real-time information, such cars may then decide on how fast to drive and where to park. And now imagine what would happen if some part of this “system of systems” was hacked!
The notion of “systems security” aims to address security, privacy and resilience properties in such systems. Acknowledging this requires a mix of technology, policy and behaviour. The case for security and privacy is made given the growing threat landscape. This is due to both targeted attacks aimed at data and operational compromise, and implications of the use and design of the software leading to security violations. Resilience is equally important if systems are to continue to work despite of some compromise.
There has to be a push towards building systems so that security is factored in by design. This is not an easy challenge however.
The computer science community has long been working on methods for rigorous design of digital systems. Such design and development needs to acknowledge some parts of a system may not be relied upon for security. A modern car may have several Engine Control Units (ECUs) that are interconnected and controlling various aspects from bluetooth to brakes. What happens if hacking through the bluetooth affects the brakes?
Policy is equally important as technology does not exist in a vacuum. Issues of ownership, governance, liability and risk all affect our use of technology as does the technical design itself. If a modern car is hacked to cause the brakes to fail, who is responsible? Manufacturer or the driver?
Academia, industry and the government is increasingly aware of this and need to come together to address these technology and policy mechanisms. Industry trends and policy discourse is also catching up. There is however a need to bring together stakeholders to help a clearer view of what the specific challenges are and how can they be overcome.
Enabling various stakeholders in the supply chain to address the above through research, innovation and knowledge transfer would remain a challenge.
Dr. Siraj Ahmed Shaikh is a Reader in Cyber Security in the Centre for Mobility and Transport Research at Coventry University. He is currently seconded to the Knowledge Transfer Network (KTN) as their Cyber Security lead. He is also seconded to HORIBA MIRA working on automotive cybersecurity as part of Royal Academy of Engineering’s industrial secondment.
guardian.co.uk © Guardian News & Media Limited 2010
Published via the Guardian News Feed plugin for WordPress.