1. News
  2. 2014
  3. October
  4. Understanding and communicating cyber risk to critical infrastructure
News from City, University of London
Digital binary code going down a tunnel
Science & Technology Series: Research Spotlight

Understanding and communicating cyber risk to critical infrastructure

Researchers at City's Centre for Software Reliability (CSR) have won a £400,000 Engineering and Physical Sciences Research Council (EPSRC) grant to carry out work in communicating and evaluating cyber risk to industrial control systems.
by John Stevenson City University London's Centre for Software Reliability (CSR), has won a £400,000 Engineering and Physical Sciences Research Council (EPSRC) research grant to assist with a project titled "Communicating and Evaluating Cyber Risk and Dependencies (CEDRICS)". The CSR's Professor of Software and System Dependability, Professor Robin Bloomfield, is the principal investigator, supported by co-investigators, Professor Peter Bishop and Dr Peter Popov.

The context for the research is the UK's national cyber strategy and the need to protect against cyber threats to the UK's critical national infrastructure (CNI) such as public health, transportation and energy systems. It will assist in understanding and mitigating vulnerabilities from hackers or malware infiltrating CNI systems.

The City grant is one of four research projects worth a total value of £2.5m, awarded by EPSRC as part of the EPSRC/Centre for the Protection of National Infrastructure (CPNI) "Research Institute in Trustworthy Industrial Control Systems". The Research Institute in Trustworthy Industrial Control Systems (RITICS), based at Imperial College London, is also co-ordinating projects undertaken at Queen's University Belfast, the University of Birmingham, and Lancaster University.

Professor Chris Hankin, from the RITICS, explains:

"Where control systems are linked to the internet we need to understand how failures could cascade across the system. We will be looking at new ways of repairing damage to systems if an attack happens. We need to address how to approach network maintenance for industrial control systems, particularly as most systems operate on a 24/7 basis. So we will be looking at how we can ensure better protection without compromising performance."

nullThe City project will start on the 1st of October 2014 and will last 3 years. The research proposal will address two significant problems:

1. Understanding and communicating cyber risks. This challenge will be addressed using the approach "Claim - Arguments - Evidence (CAE)", pioneered by Professors Bloomfield and Bishop and successfully applied in safety assessment (safety case). The approach will be extended to risks from cyber security in industrial control systems (ICS).

2. Evaluating defence in depth and impact on dependencies. The work is intended to build on the previous work by the team on model-based assessments of the impact of interdependencies on the resilience of interdependent critical infrastructures. The specific challenges to address are creating a credible model of an Adversary in ICS and applying accurate models to assess the impact of various uncertainties (e.g. in the topology of the ICS, of the model parameters, related to the Adversary, etc.) on the resilience of the modelled systems.

Professor Bloomfield said:

"The research will produce a methodology supported with modelling software that can be deployed in the risk assessment of critical infrastructures. It will take a scenario-based approach to risk assessment addressing uncertainties and doubts in intelligence, the systems themselves as well as the impact of attack. The risk communication is an important component of the project and will consider the needs of different stakeholders, not just highly technical people. Some of the modelling work will be published as case studies and made publicly available. The theoretical results will be validated on empirical studies provided by industrial collaborators (Adelard LLP and ALSTOM Grid UK)."

Professor Bloomfield, a Fellow of the Royal Academy of Engineering, is a former member of the Treasury's Engineering Expert Group on Interdependencies (EEIG) which informed the UK national plan "National Infrastructure Plan 2010". 

Please visit this website for more information on the Centre for Software Reliability.

Software reliability testing

A field of software testing that relates to testing a software's ability to function, given environmental conditions, for a particular amount of time. Software reliability testing helps discover many problems in the software design and functionality.

Share this article