With manufacturers increasingly reaping the benefits of connectivity, the pressure is on for industry to improve its understanding of cyber-security, writes Professor Raj Roy.
The defence secretary’s recent warnings of increased cyber-warfare from nation states and other actors, determined to threaten the UK’s infrastructure, must be a wake-up call to the engineering profession. As we rightly reap the benefits of advanced technological interconnectivity and the rise of Industry 4.0, we must also be vigilant to the dangers that we face now and in the future. Cybersecurity can no longer be an optional extra for engineers; it must be a core competence of the profession.
When you think of warfare, what do you think about? Planes, tanks and ships? While still relevant, this is becoming outdated. An attack on a nation’s infrastructure is increasingly likely to come from a cyber-attack. Imagine the capacity of an aggressor to affect a nation’s manufacturing plants and machines, to compromise the security of products, production lines and supply chains.
Engineers need to focus on not just developing and maintaining technology, but increasingly need to understand and predict cybersecurity threats. But what do we mean by cybersecurity threats? Too many people think of cybersecurity as a virus on our computer – “it’s ok, my company’s IT department is in charge of the firewall and I have got the latest anti-virus software installed.” It is much more than this.
As engineers we specialise in bringing component parts together, often from across the world, to develop a new product. There are many questions we now have to ask ourselves. Do we understand the security behind those components and how secure they are during their lifecycle? How secure are the materials we are using and can they stand up to threats not just now but in the future?
The Anti-Counterfeiting Forum estimates that counterfeiting could cost the UK economy as much as £30bn and 14,800 jobs. They warn of ever-increasing counterfeit electronic components entering the UK, particularly concerning OEMs. We are becoming more aware of the threats but are perhaps less aware of the solutions.
At Cranfield, we are determined to change this. We need to grow the next generation of engineers to be cyber-aware and re-skill engineers to understand these very real threats. Our recently launched MSc in cyber-secure manufacturing aims to train and retrain engineering professionals to understand these issues. The key feature of our work, whether it is teaching or research, is that we develop our offering alongside industry. An example of this is our partnership with Atkins to appoint a new professor of secure engineering.
These challenges will not be solved by people working alone, but by all of us working together. Cyber-threats affect us all whether we are in academia or industry, whether we are an SME or a global corporation. We all need solutions to these common threats. For me, there are four key areas where we need to work together to establish common solutions as an industry: materials security, engineering systems security, systems-of-systems security and behavioural security.
In order to have the confidence of our customers, engineers will need to have a much greater understanding of the materials that we are using. The creation of digitally secure materials that remain secure throughout a component’s full lifecycle is paramount. For this to happen we will need the functionality to be able to constantly reprogramme in order to meet current threats.
It is not only the materials and components we use, but also the engineering systems that operate them. How can we take advantage of distributed ledger technology, self-learning (AI) and pattern recognition approaches to provide updatable protection and the ability to implement rapid threat-response strategies?
If we are to create these secure engineering systems, then we also need to understand much more about the behaviour of threatened systems and components. We need a systems-of-systems approach that allows us to understand much more about what happens when one part of our technology is threatened and the impact of that threat on all the other components. Using flexible software-defined networks and secure Internet of Things approaches, we need engineers who can design systems that isolate threats, still maintain a working system and try to self-heal and learn.
A lot of what we think about in cybersecurity is the threat from afar, but how do we protect against human error? Something missed at the design stage or, even worse, deliberately compromised at the design stage, could have a devastating effect. Behavioural psychology and systems thinking can allow us to understand individual and corporate behaviour and map weaknesses and generate monitoring and intervention strategies.
As Industry 4.0 is realised, we must develop engineers that not only understand how to unleash the potential that it brings, but also understand how to counter the threats that are being created. ‘Security by default’ must be our watchwords, if we are to not only maintain and improve productivity, but also safeguard the nation’s infrastructure, which has engineering at its heart.
This article first appeared in The Engineer, 16 March 2018.