Leading experts in cyber security have produced an authoritative guide that could help factories and process plants better protect their resources. Steed Webzell spoke to the guide’s project lead to find out more
The Cyber Security Body of Knowledge (CyBOK), funded by the UK’s National Cyber Security Programme and initiated by the National Cyber Security Centre (NCSC), has been created in a bid to fill the skills gap and provide consistent knowledge and advice for people to follow. As the first guide of its kind, CyBOK will also help to expand the capabilities of those tasked with tackling the security challenges of an increasingly connected commercial world. And there is little doubting its necessity – a 2018 report by the Washington-based Center for Strategic International Studies estimated that cybercrime costs the world economy close to $600 billion (£481 billion) a year (www.is.gd/uferik).
To set about creating CyBOK, the project team of internationally recognised scholars undertook an extensive exercise involving the mapping and analysis of relevant texts, as well as a range of community consultations via UK workshops, an online survey, interviews and position papers. Once complete, the 19 top-level knowledge areas (KAs) collated from the consultations and other various inputs were distilled and used to inform the scope of CyBOK. The KAs are essentially documents that comprehensively explore the strengths, limitations and implications of issues such as: risk management and governance; law and regulations; privacy and online rights; malware and criminal behaviours; and securing mobile and web technologies.
“Cyber security as a field is evolving rapidly, as most people will probably determine from the regular mainstream news stories involving major breaches,” says Awais Rashid, the project’s lead and professor of cyber security at the University of Bristol’s Faculty of Engineering. “Until CyBOK, there was no singular space that consolidated foundational knowledge on this subject. Although cyber security is a hot topic, there is wide variation in the quality of published information. If you’re an industry trainer or professional development expert, for example, deciding which material offers fundamental knowledge to underpin learning programmes can be challenging.”
Continues Rashid: “As a society we’re building really large, connected infrastructures to the point of reliance in our daily lives – even more so in the current Covid-19 climate with so many people working from home. However, all of this infrastructure runs on hardware and software, which presents a number of vulnerabilities that malicious actors want to exploit.”
Estimates vary, but Rashid says there may be a global shortage of around four million cyber security professionals, a figure that will only rise as society moves towards a future based on smart cities and connected transport systems. As a result, authoritative foundational materials are needed to help train future generations in this important subject area.
Unfortunately, an attacker only needs to find a single vulnerability to compromise a system, whereas a defender has to think about protecting every computer-based asset and networking architecture across the entire organisation. Rashid points out, however, that although criminals are getting more sophisticated, low-level attacks are far more prevalent, so there is no substitute for basic cyber hygiene.
“The NCSC recommends Cyber Essentials (www.is.gd/egawot), a simple, inexpensive but effective, government-backed set of controls that will help protect an organisation, whatever its size, against a whole range of the most common cyberattacks,” he says. “We did an analysis of Cyber Essentials three years ago which showed that, in typical networks, it mitigated against around 80% of basic attacks, so it does work.”
OPPORTUNITIES & CHALLENGES
For manufacturers, there are obvious risks presented by the sector’s shift towards Industry 4.0 and the cloud connectivity this concept entails.
“One of the challenges for factories and process plants is that operations must run quickly and safely in an uninterrupted way for long periods of time,” states Rashid. “However, there is often very little security built into the devices or networking protocols in such settings. What Industry 4.0 does is connect these legacy environments to the wider internet, which opens a number of potential attack vectors. Once you are into this arena, open protocols can be used to compromise infrastructure integrity or steal confidential data.”
He adds: “Last year we ran a live experimental demonstrator as part of the recently launched National Centre of Excellence for IoT Systems Cybersecurity (www.is.gd/epifon), where we showed that it was possible to compromise a cloud platform in an industrial IoT setting and drive it to seriously unsafe conditions.”
Industry 4.0 offers numerous valuable opportunities for manufacturers in terms of gaining business process intelligence, connecting systems and enhancing remote monitoring, for example, but risks are clearly evident due to inherent insecurities within the network architecture.
CyBOK should be of considerable interest to manufacturers. For instance, the guide contains a dedicated KA on the security of cyber-physical systems that highlights a number of potential attack pathways against devices, such as actuators and sensors, and outlines a number of countermeasures that can be deployed. By way of example, while many legacy plant devices will not feature integral security, it is possible to introduce devices in front of them that provide secure inter-device communication and monitor foreign intrusions.
“Of course, some of the newer cloud platforms may have built-in security features, but when they are combined with this melting pot of legacy protocols and devices, new types of vulnerabilities emerge,” explains Rashid. “Whenever deploying an Industry 4.0 solution, questions must not only be asked about its potential to expose critical systems, but whether the expertise exists to guard against such an eventuality.”
TRAINING
Everything comes back to question of training, and the availability of personnel who are expert in the field of cyber security. Rashid has no qualms in stating that while plenty of trained professionals exist in enterprise security, there are far fewer in operational technology settings. Clearly, this shortage is a major challenge as the sector moves towards the smart factory era.
“There is a massive skills gap,” he declares. “Most employers can find people able to perform website penetration testing, for example, but if they want to source someone who can undertake penetration testing of an industrial facility – there are very few. When you think about the criticality of some of these infrastructures to society, there is a real issue. Much more is needed, both from an industrial training perspective, and academia.”
The next project phase will focus on the impact and sustainability of CyBOK. These efforts will include the practical application and dissemination of the guide, and the longer-term evolution and maintenance of the KAs. “Our hope is that CyBOK, which contains over 800 pages of material and is the result of three years’ work, will provide a consolidated body of knowledge that becomes a universal guidebook and authoritative reference tool for academia, industry and government,” says Rashid. “Educational programmes ranging from secondary and undergraduate education, through to post-graduate and continuing professional development courses, can then be developed on its basis.”
The open source CyBOK is available for online download (www.is.gd/baxodo), along with a host of other resources, such as webinars and podcasts, which can be used for either commercial or non-commercial purposes, free of charge. “There is not even a requirement to provide any personal data: the thinking is that the more highly trained people we have in cyber security, the better it is for our infrastructure as a society,” concludes Rashid.
By Steed Webzell