Spreading the Message about Critical National Infrastructure Cybersecurity

How should we prepare for future cybersecurity risks to our critical national infrastructure? Technology is changing fast, and as it changes it can create new possibilities for trouble and disaster. What do we do to avoid being taken by surprise?

As a team of researchers, we have recently been exploring this question in a 6-month research project. Following repeated interviews with 22 experts in CNI cyber topics in a two-round Delphi study, we recently held a workshop with a group of CNI strategists to discover how to use the findings.

The workshop was fun; rather than simply working through the existing report, the 11 participants held structured discussions, first to prioritise a few of the top trends, risks and approaches, then to figure out the associations between them (the blue lines in the diagram above). Then they explored a case study, a terminal disaster in the rail network’s software. Through it all we, as researchers, both participated and took notes of the conversations.

The results were striking. As we’d found in the earlier report (to be released next week here), human factors and the human interaction with software systems dominated the identified risks, and therefore the best approaches to dealing with them. In the case study, for example, stopping trains for any length of time has a huge impact, as passengers panic, have to leave the train (requiring power to be removed from the track), or have health problems; the lack of a freight network impacts food delivery; and trust in the rail system is undermined. And the effects on the staff and operators may involve huge stress, leading to errors and poor decision making in how they use their software control systems.

From the long and fascinating discussions, we took away a number of surprising observations which offer suggestions for practitioners. Here are three of our favourites:

  • We often forget the human impact of incidents. We focus on technical recovery, but societal recovery, such as getting people home from stranded trains, is often the main problem. So, we need holistic approaches to recovery, using systems thinking and based on resilience studies incorporating human factors.
  • Labels determine access to resources: a ‘cyberattack’ gets more support than an ‘accident’; ‘secure by design’ gets extra up-front spending. Can we use labels to promote more effective outcomes in recovering from cyberattacks?
  • We should not view legislation as a form of mitigation in itself, but rather as a tool for implementing mitigation strategies. The most important tools are the regulations and standards beneath the overarching laws. We should aim to modify existing regulations rather than create new ones; promote management regulations over technical ones; and establish unified standards for industry best practices.

As researchers, we are primarily interested in future research topics. The conclusion is clear. We need to research how we use human-centred systems thinking, with consistent nomenclature and standards, to improve the cyber resilience of our critical national infrastructure.

And that’s a mission to take forward!

 

- Charles