The evolution of cyber space is transforming the way our infrastructure is managed. Industrial control systems, that is those systems that manage critical utility infrastructure such as Energy, Water and Transport are increasingly interacting with enterprise IT systems in intricate fashions. This leads to an increase in the level of threats to these critical infrastructures. This is only too evident from cyber weapons such as Stuxnet which targeted centrifuges in Iran's nuclear facilities and more recent news that over 60,000 exposed control systems were accessible online. The US Defence Secretary Leon Panetta described a recent spate of cyber attacks against critical infrastructures as a "pre-9/11 moment". The cyber attack surface of future generations of control systems is likely to increase further with new technologies and working practices such as the use of autonomous software agents in their operation and handheld wireless devices in control and maintenance.
Given the importance of industrial control systems to society, it is important that decision-makers are able to effectively articulate the risks posed to them from cyber space. Even more importantly, decision-makers should be able to understand and respond to such risks from a business continuity and recovery perspective in order to evaluate and prioritise their mitigation responses. However, to date, metrics for articulating cyber risk in such settings have largely been driven by technical measures pertaining to security of information or resilience of the control system itself. Though important, these metrics bear little relationship to typical factors used in business risk analysis, such as business continuity, disaster recovery, cost, reputation, impact on resources, etc.
The MUMBA project takes the perspective that metrics for articulating cyber risk (in industrial control systems) as business risk only make sense in the context of what we understand the larger system to be, and cannot sensibly be designed without a model of this system. Post-hoc mapping of security and resilience metrics to business risk fails to account for the complex socio-technical landscape in which current and future generations of control systems reside. Effective articulation of cyber risk as business risk requires multi-faceted metrics that are first and foremost driven by business risk concepts. Such metrics consider business risk both along and across various facets of an industrial control system setting i.e., the control system itself, enterprise systems, business processes, people, third party organisations in the product/service supply chain and new/emergent technologies (and associated working practices). Furthermore, the project addresses the need to contextualise these metrics to a particular critical infrastructure domain to ensure meaningful interpretation of business risks and prioritisation and implementation of responses (i.e., whether to mitigate, transfer, accept or avoid particular risks).
The project involves a world-leading multi-disciplinary team of researchers in cyber security, resilient industrial control systems, risk management and social anthropology from the Security Lancaster research centre. This academic expertise is complemented by practical insights provided by four industry partners: Airbus, Thales, Atkins Global and Raytheon. Through its research into the complex socio-technical processes at play in contemporary industrial control system settings, new metrics and how to instrument such environments to gather relevant data to compute such metrics, the project aims to become a cornerstone for future research and practice on articulating cyber risk as business risk.