Organisational, political and technical barriers to the integration of safety and cyber-security incident reporting systems

Chris W. Johnson

doi:10.1007/978-3-319-24255-2_29

Organisational, political and technical barriers to the integration of safety and cyber-security incident reporting systems

Chris W. Johnson^*

^*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

2 Citations (Scopus)

Abstract

Many companies must report cyber-incidents to regulatory organisations, including the US Securities and Exchange Commission and the European Network and Information Security Agency. Unfortunately, these security systems have not been integrated with safety reporting schemes. This leads to confusion and inconsistency when, for example a cyber-attack undermines the safe operation of critical infrastructures. The following pages explain this lack of integration. One reason is a clash of reporting cultures when safety related systems are intended to communicate lessons as widely as possible to avoid any recurrence of previous accidents. In contrast, disclosing the details of a security incident might motivate further attacks. There are political differences between the organisations that conventionally gather data on cyber-security incidents, national telecoms regulators, and those that have responsibility for the safety of application processes, including transportation and energy regulators. At a more technical level, the counterfactual arguments that identify root causes in safety-related accidents cannot easily be used to reason about the malicious causes of future security incidents. Preventing the cause of a previous attack provides little assurance that a motivated adversary will not succeed with another potential vector. The closing sections argue that we must address these political, organisational and technical barriers to integration given the growing threat that cyber-attacks pose for a host of complex, safety-critical applications.

Original language	English
Title of host publication	Computer Safety, Reliability, and Security - 34th International Conference, SAFECOMP 2015, Proceedings
Editors	Floor Koornneef, Coen van Gulijk
Publisher	Springer Verlag
Pages	400-409
Number of pages	10
ISBN (Print)	9783319242545
DOIs	https://doi.org/10.1007/978-3-319-24255-2_29
Publication status	Published - 2015
Externally published	Yes
Event	34th International Conference on Computer Safety, Reliability, and Security, SAFECOMP 2015 - Delft, Netherlands Duration: 23 Sept 2015 → 25 Sept 2015

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	9337
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	34th International Conference on Computer Safety, Reliability, and Security, SAFECOMP 2015
Country/Territory	Netherlands
City	Delft
Period	23/09/15 → 25/09/15

Access to Document

10.1007/978-3-319-24255-2_29

Cite this

Johnson, C. W. (2015). Organisational, political and technical barriers to the integration of safety and cyber-security incident reporting systems. In F. Koornneef, & C. van Gulijk (Eds.), Computer Safety, Reliability, and Security - 34th International Conference, SAFECOMP 2015, Proceedings (pp. 400-409). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 9337). Springer Verlag. https://doi.org/10.1007/978-3-319-24255-2_29

Johnson, Chris W. / Organisational, political and technical barriers to the integration of safety and cyber-security incident reporting systems. Computer Safety, Reliability, and Security - 34th International Conference, SAFECOMP 2015, Proceedings. editor / Floor Koornneef ; Coen van Gulijk. Springer Verlag, 2015. pp. 400-409 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{7c2f150d5244428faa26ca9c63f75c27,

title = "Organisational, political and technical barriers to the integration of safety and cyber-security incident reporting systems",

abstract = "Many companies must report cyber-incidents to regulatory organisations, including the US Securities and Exchange Commission and the European Network and Information Security Agency. Unfortunately, these security systems have not been integrated with safety reporting schemes. This leads to confusion and inconsistency when, for example a cyber-attack undermines the safe operation of critical infrastructures. The following pages explain this lack of integration. One reason is a clash of reporting cultures when safety related systems are intended to communicate lessons as widely as possible to avoid any recurrence of previous accidents. In contrast, disclosing the details of a security incident might motivate further attacks. There are political differences between the organisations that conventionally gather data on cyber-security incidents, national telecoms regulators, and those that have responsibility for the safety of application processes, including transportation and energy regulators. At a more technical level, the counterfactual arguments that identify root causes in safety-related accidents cannot easily be used to reason about the malicious causes of future security incidents. Preventing the cause of a previous attack provides little assurance that a motivated adversary will not succeed with another potential vector. The closing sections argue that we must address these political, organisational and technical barriers to integration given the growing threat that cyber-attacks pose for a host of complex, safety-critical applications.",

keywords = "Accident analysis, Cyber-security, Incident reporting, Organisational resilience, Safety",

author = "Johnson, {Chris W.}",

note = "Publisher Copyright: {\textcopyright} Springer International Publishing Switzerland 2015.; 34th International Conference on Computer Safety, Reliability, and Security, SAFECOMP 2015 ; Conference date: 23-09-2015 Through 25-09-2015",

year = "2015",

doi = "10.1007/978-3-319-24255-2_29",

language = "English",

isbn = "9783319242545",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer Verlag",

pages = "400--409",

editor = "Floor Koornneef and {van Gulijk}, Coen",

booktitle = "Computer Safety, Reliability, and Security - 34th International Conference, SAFECOMP 2015, Proceedings",

address = "Germany",

}

Johnson, CW 2015, Organisational, political and technical barriers to the integration of safety and cyber-security incident reporting systems. in F Koornneef & C van Gulijk (eds), Computer Safety, Reliability, and Security - 34th International Conference, SAFECOMP 2015, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 9337, Springer Verlag, pp. 400-409, 34th International Conference on Computer Safety, Reliability, and Security, SAFECOMP 2015, Delft, Netherlands, 23/09/15. https://doi.org/10.1007/978-3-319-24255-2_29

Organisational, political and technical barriers to the integration of safety and cyber-security incident reporting systems. / Johnson, Chris W.
Computer Safety, Reliability, and Security - 34th International Conference, SAFECOMP 2015, Proceedings. ed. / Floor Koornneef; Coen van Gulijk. Springer Verlag, 2015. p. 400-409 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 9337).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Organisational, political and technical barriers to the integration of safety and cyber-security incident reporting systems

AU - Johnson, Chris W.

N1 - Publisher Copyright: © Springer International Publishing Switzerland 2015.

PY - 2015

Y1 - 2015

N2 - Many companies must report cyber-incidents to regulatory organisations, including the US Securities and Exchange Commission and the European Network and Information Security Agency. Unfortunately, these security systems have not been integrated with safety reporting schemes. This leads to confusion and inconsistency when, for example a cyber-attack undermines the safe operation of critical infrastructures. The following pages explain this lack of integration. One reason is a clash of reporting cultures when safety related systems are intended to communicate lessons as widely as possible to avoid any recurrence of previous accidents. In contrast, disclosing the details of a security incident might motivate further attacks. There are political differences between the organisations that conventionally gather data on cyber-security incidents, national telecoms regulators, and those that have responsibility for the safety of application processes, including transportation and energy regulators. At a more technical level, the counterfactual arguments that identify root causes in safety-related accidents cannot easily be used to reason about the malicious causes of future security incidents. Preventing the cause of a previous attack provides little assurance that a motivated adversary will not succeed with another potential vector. The closing sections argue that we must address these political, organisational and technical barriers to integration given the growing threat that cyber-attacks pose for a host of complex, safety-critical applications.

AB - Many companies must report cyber-incidents to regulatory organisations, including the US Securities and Exchange Commission and the European Network and Information Security Agency. Unfortunately, these security systems have not been integrated with safety reporting schemes. This leads to confusion and inconsistency when, for example a cyber-attack undermines the safe operation of critical infrastructures. The following pages explain this lack of integration. One reason is a clash of reporting cultures when safety related systems are intended to communicate lessons as widely as possible to avoid any recurrence of previous accidents. In contrast, disclosing the details of a security incident might motivate further attacks. There are political differences between the organisations that conventionally gather data on cyber-security incidents, national telecoms regulators, and those that have responsibility for the safety of application processes, including transportation and energy regulators. At a more technical level, the counterfactual arguments that identify root causes in safety-related accidents cannot easily be used to reason about the malicious causes of future security incidents. Preventing the cause of a previous attack provides little assurance that a motivated adversary will not succeed with another potential vector. The closing sections argue that we must address these political, organisational and technical barriers to integration given the growing threat that cyber-attacks pose for a host of complex, safety-critical applications.

KW - Accident analysis

KW - Cyber-security

KW - Incident reporting

KW - Organisational resilience

KW - Safety

UR - http://www.scopus.com/inward/record.url?scp=84969799449&partnerID=8YFLogxK

U2 - 10.1007/978-3-319-24255-2_29

DO - 10.1007/978-3-319-24255-2_29

M3 - Conference contribution

SN - 9783319242545

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 400

EP - 409

BT - Computer Safety, Reliability, and Security - 34th International Conference, SAFECOMP 2015, Proceedings

A2 - Koornneef, Floor

A2 - van Gulijk, Coen

PB - Springer Verlag

T2 - 34th International Conference on Computer Safety, Reliability, and Security, SAFECOMP 2015

Y2 - 23 September 2015 through 25 September 2015

ER -

Johnson CW. Organisational, political and technical barriers to the integration of safety and cyber-security incident reporting systems. In Koornneef F, van Gulijk C, editors, Computer Safety, Reliability, and Security - 34th International Conference, SAFECOMP 2015, Proceedings. Springer Verlag. 2015. p. 400-409. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-319-24255-2_29

Organisational, political and technical barriers to the integration of safety and cyber-security incident reporting systems

Abstract

Publication series

Conference

Access to Document

Other files and links

Fingerprint

Cite this