Understanding the Impact of Cyber Security Risks on Safety
Christine Izuakor
Department of Computer Science, University of Colorado at Colorado Springs, 1420 Austin Bluffs Parkway,
Colorado Springs, U.S.A
Keywords: Security, Cyber, Safety, Risk Management, Risk Assessment, Impact, Confidentiality, Integrity, Availability,
Aviation.
Abstract: To date, cyber security risk management has focused on preservation of information security through
protection of confidentiality, integrity, and availability (CIA). The growing use of cyber technology in safety
intensive organizations has posed a challenge for those trying to understand the impacts cyber security risks
have on safety. This knowledge gap slows progress towards InfoSec maturity and puts organizations and
stakeholders at greater risk. For example, e-enabled aircraft now rely heavily on cyber resources, yet cyber
security analysis in aviation usually focuses on CIA of information to prevent economic loss. What happens
when a malicious attacker successfully exploits cyber aircraft vulnerabilities? This can potentially downgrade
critical functions and result in injury or loss of life. To better understand the impacts of cyber risk on safety,
the CIA information security triad should expand beyond its current focus to also consider safety.
1 INTRODUCTION
As technology continues to evolve and grow in use,
risk management plays an integral role in ensuring
that such technology does expose organizations to
cyber-attacks. Successful cyber-attacks can
negatively impact economic security and safety, and
are currently an inherent reality that any sustainable
organization or industry will face. For example, the
transportation sector provides a great example of
technological growth and evolution that can result in
innate risks. 25 years ago, aircraft were not e-enabled,
cab fare could not be paid using smart phones, and
automobiles did not include internal computer
systems with remote access. Today, all of these
features exist to provide a more convenient and
optimal experience for the user, yet expose the sector
to new cyber threats.
A key step in the risk management process is
understanding the impact, if such threats are to
become active risks (National Institute of Standards
and Technology, 2012). The impact of cyber threats,
especially in business settings, is commonly
measured in terms of economic loss. Examples
include, but are not limited to, the value of
information lost, brand damage, directly stolen funds,
and reduced revenue from system outages. The
consequence measurements are monetary; however,
motives are not limited to monetary gain. Research
firm TrendMicro, for example, cites information
theft, espionage and sabotage as motivators for cyber-
attacks (TrendMicro, 2015). These motivators can all
result in safety impact.
Recent reports of a researchers attempt to hack an in-
flight entertainment system on a commercial aircraft
and access the avionics control system are an example
where monetary loss is no longer the greatest concern
(Zetter, 2015). Though the International Civil
Aviation Organization discredits similar claims due
to checks and balances of the aviation systems
(International Civil Aviation Organization, 2014), if
an attack were successfully executed the impact
would likely exceed monetary loss and include safety.
Thus, an impact not adequately discussed and
understood in the cyber security realm is the
intentional or unintentional consequence of cyber
risks on safety. This provokes questions such as:
What impact can cyber security have on safety? Can
a cyber-security breach potentially result in an injury
or loss of life? The isolated perception that a breach
in cyber security can simply be measured in terms of
financial or informational loss needs to change.
Additional research should also be completed to
determine how security and safety coexist in this
space. This will contribute to risk management in all
industries, particularly those concerned with safety,
Izuakor, C.
Understanding the Impact of Cyber Security Risks on Safety.
DOI: 10.5220/0005796805090513
In Proceedings of the 2nd International Conference on Information Systems Security and Privacy (ICISSP 2016), pages 509-513
ISBN: 978-989-758-167-0
Copyright
c
2016 by SCITEPRESS Science and Technology Publications, Lda. All rights reserved
509
transportation, healthcare, and agriculture.
Ultimately, the evolving nature of cyber technology
calls for a new way of performing risk management;
one that considers the impact of cyber risks on safety.
2 BACKGROUND
There has been some debate regarding the difference
between security and safety. Merriam-Webster
defines security as “the state of being protected or
safe from harm.” Similarly, safety is defined as
“freedom from harm or danger” (Merriam-Webster,
n.d.). In other languages, such as Norwegian, there is
no difference between the two English words as the
terms are used interchangeably (Albrechtsen, 2003).
Researchers at a Norwegian university attempt to
distinguish security from safety by associating one
with deliberate harm and one with unintentional
hazards, respectively (Albrechtsen, 2003). In my
opinion, the difference is in the type of impact.
Perceptively, safety focuses on prevention of injury,
adverse health effects, and wellbeing of people.
Security focuses on preventing the loss of tangible
assets; whether information, buildings, functions, etc.
One could argue that people are also tangible assets.
While a valid argument, the loss of people from this
perspective is usually in consideration of loss of
function or value provided by people.
In the context of cyber technology, security is
often described as the preservation of confidentiality,
integrity, and availability of information. This
fundamental triad defines the core needs of
information and systems; Needs that, if impacted,
compromise information security. Organizations
concerned with safety, aim to prevent accidents and
provide protection from physical, mental, or
emotional injury. These organizations need an
effective way to map these information needs toward
safety.
3 ILLUSTRATION OF SAFETY
IMPACT
Cyber security risks have raised safety concerns in
several industries. For example, can e-enabled
pacemakers leave patients vulnerable to cyber-
attacks? Where e-enabled aircraft systems are
segmented using firewalls, can these be bypassed by
malicious intenders to execute unauthorized
commands? Can nuclear weapons with remote trigger
capabilities be activated? Each of these scenarios
employs cyber technology for convenience, but also
has the potential to gravely impact safety. There is
work to be done when it comes to considering these
trade-offs during risk management. Given the
growing global concern of cyber risks to aircraft and
the air traffic management system (International Civil
Aviation Organization, 2014), the aviation sector will
be used as an example of how cyber risks can impact
safety.
The aviation sector is both security and safety
intensive. The greater purpose of investing in civil
aviation security is to protect people from any harm
brought on, whether intentional or unintentional, by
individuals with access to aviation systems. With
good reason, airport security was heightened after the
successful attacks of 9/11 to prevent an attack of that
nature from reoccurring. More than a decade later,
aircraft still remains an attractive target to malicious
intenders seeking to “achieve surprise and maximize
the destructive effect” (Department of Homeland
Security, 2002) because these attacks result in loss of
life, cause mass grief and terror, and decrease
confidence in the aviation sector. As aircraft are
becoming more comparable to a complex information
systems, cyber-attacks in this sector can be targeted,
not only for traditional financial or competitive gain,
but to negatively impact safety and cause loss of life.
Malicious attackers may see this as an innovative
attack vector that airport security does not address.
The reliance of critical aviation components on cyber
technology creates exploitable vulnerabilities if not
adequately managed.
Though theoretical demos, as well as real world
events, have been documented involving cyber
threats to aviation, (Storm, 2013), (Soperus, 2009),
(Zetter, 2015), (Costin and Francillon, 2012) there
have been conflicting views amongst aviation experts
on the viability of successful cyber-attacks in
aviation. The International Civil Aviation
Organization released a working paper in 2014
reporting on risk assessment of cyber-attack against
the air traffic management system (International Civil
Aviation Organization, 2014). As an example, the
report discloses that threats such as the disruption of
aircraft separation data feeds could marginally
increase the risk of aircraft collision. The report also
states, “The ATC system has many internal checks
and balances that make it very unlikely that a hacker
can seriously compromise controlled traffic in
controlled airspace. Most of the claims…have been
made in ignorance of these system checks”
(International Civil Aviation Organization, 2014). In
order to make a risk management decision, in this
case what appears to be “accepting the risk,” there
ICISSP 2016 - 2nd International Conference on Information Systems Security and Privacy
510
should be a scientifically proven way to measure the
impact of these risks on safety. Solving this challenge
is imperative to the advancement of aviation security
in this technological age.
4 CURRENT STATE OF CYBER
SECURITY AND SAFETY RISK
MANAGEMENT
In risk management, once a credible risk is identified,
it can either be mitigated or accepted. In most cases,
this decision is made based on the likelihood and
impact of threat activation, consideration of existing
mitigating controls and the cost to mitigate. Impact
measurement is a key differentiator between cyber
security and safety risk management methodology,
and as such is the focus of this section.
Information security risk assessment frameworks
published by expert industry organizations such as
National Institute of Standards and Technology,
provide enough flexibility in process for safety to be
considered. The framework (National Institute of
Standards and Technology, 2012) is used by risk
management professionals in various fields and
targets assessment of information technology. The
approach begins with the identification of undesired
consequences and impacts based on mission or
business impact analysis. Critical assets associated
with those consequences are then identified followed
by threat identification. According to the framework,
“assessing impact can involve identifying assets or
potential targets of threat sources, including
information resources (e.g., information, data
repositories, information systems, applications,
information technologies, communications links),
people, and physical resources (e.g., buildings, power
supplies), which could be affected by threat events”
(National Institute of Standards and Technology,
2012). This allows a broad assessment of impact of
cyber threats and supports the aim to understand how
the loss of CIA impacts the organization on various
levels.
On the other hand, safety risk assessment
framework published by expert industry
organizations such as Occupational Health & Safety
Association (U.S. Department of Labor, 1992) and
Canadian Centre for Occupational Health and Safety
(Canadian Centre for Occupational Health and
Safety, 2015) do a fair job of determining safety
impact resulting from hazards. For example, the
Canadian centre assessment begins with
identification of hazards and then suggests measuring
likelihood of injury or illness occurring and its
severity to prioritize hazards. The ability to consider
the impact of cyber risk lies in the ability to identify
such hazards, but is not explicitly suggested. For an
assessor that is not consciously seeking to consider
cyber threats, this aspect of the assessment can easily
be overlooked. There should be an awareness to
deliberately consider cyber threats during safety
assessments.
5 GAP DISCUSSION
Using risk assessment methodology in a typical
organization, one may consider risk impact in terms
of loss of revenue, damage to physical assets, and
length of disruption. This information can then be
used to determine if the risk should be accepted or
mitigated. Though this is just one of many examples,
using these impact categories alone can omit
consideration of safety. It is possible that the same
cyber risk can fall short of monetary impact
thresholds, but could still result in injury or loss of
life.
Therefore, it appears the gap lies in segregation of
these two methodologies. Essentially, safety
assessment does not consider all appropriate threats
and cyber security assessment does not consider all
appropriate impacts. Information security risk
assessment methodology can facilitate evaluation of
safety impact if applied appropriately, but often is not
a concern of industries who use such frameworks.
Similarly, safety risk assessment frameworks are
effective for health impact analysis, but often focus
on physical or traditional threats. The opportunity to
incorporate cyber risks into these assessment is not
currently being maximized.
6 RECOMMENDATIONS
Cyber risk assessment and safety assessment can no
longer operate in silos. There is a need to understand
how growing reliance on cyber technology in safety
intensive organization impacts the bottom line:
safety. There are existing initiatives that can be
expanded and leveraged to address these concerns.
For example, the SESAMO security and safety
modelling project aims to integrate security and
safety assessment together for development of
embedded systems (City University London, 2015).
This is a great effort, but focus is limited to a solution
for embedded computing. The results of the project
Understanding the Impact of Cyber Security Risks on Safety
511
can contribute to future research.
Additionally, the MITRE Corporation published
guidance on evaluating the impact of cyber-attacks on
missions (Musman, et al., 2010). Using a similar
process, the focus on “missions” can be integrated
with emphasis on “safety.” Specifically, a model can
be created that establishes safety related capabilities.
For each capability, the normal expected operating
level can be compared against the operating level
after system impact has been realized. The resulting
variance is a way to potentially view the impact of
cyber-attacks on safety.
Other studies should be considered as well.
Nevertheless, using the CIA model as a base along
with cyber-attack characteristics outlined in the
MITRE guidelines (Musman, et al., 2010), we can
consider risks in the context of safety by simply
starting with the high level model shown in Figure 1.
Figure 1: CIA Safety Impact Model.
Using this model, the following questions can be
considered as a starting point for the assessment:
Level 1: Which component(s) of the CIA model is
impacted by system failure?
Level 2: What hazards types can result from such
failure?
Level 3: What impact do these hazards have on
the organizational safety mission?
Additional research should be conducted to
determine what scientifically proven mathematical
algorithms may support the assessment and risk
mitigation process inclusive of cyber and safety
considerations. This should be engrained in general
risk assessment, especially for those with primary
safety concerns. Newer companies coming of age
during the cyber era have the advantage of starting
from scratch with technology and establishing risk
management processes that adequately address cyber
threats. Senior entities that were established well
before these risks became of such great concern, have
greater challenges and more work to do to achieve a
reasonable security posture. The research and
resulting methodology should be applicable to both of
the aforementioned organization types. Working
toward a new way of thinking when it comes to safety
and security could be useful in all industries.
7 CONCLUSIONS
The growing use of cyber technology in industries
with high safety risks at stake increase the need to
understand the impact these attributes can have on
safety. Existing information security risk assessment
and safety risk assessment frameworks operate in
silos and do not provide a cohesive understanding of
how cyber risk impacts safety. By incorporating clear
safety impact measurements into proven cyber risk
assessment methods, there is an opportunity to gain a
better understanding of how losses to information
confidentiality, integrity, and availability can further
compromise safety. Additional research is suggested
to establish an algorithm for evaluating safety impact.
In doing so, the algorithm or methodology could
contribute to increasing security in transportation,
health, technology, and other industries.
REFERENCES
Albrechtsen, E., 2003. Security vs Safety, s.l.: Norwegian
University of Science and Technology.
Canadian Centre for Occupational Health and Safety, 2015.
Risk Assessment. [Online] Available at: http://
www.ccohs.ca/oshanswers/hsprograms/risk_assessme
nt.html.
City University London, 2015. SESAMO - Security and
Safety Modelling. [Online] Available at: https://
www.city.ac.uk/centre-for-software-reliability/
research/research-projects/sesamo-project.
Costin, A. & Francillon, A., 2012. Ghost in the Air
(Traffic): On insecurity of ADS-B protocol and
practical attacks on ADS-B devices, Sophia-Anipolis:
Black Hat.
Department of Homeland Security, 2002. National Strategy
for Homeland Security, s.l.: s.n.
International Civil Aviation Organization, 2014. Initial
Report on Risk Assessement of Cyber-Attack - Air
Traffic Management, Montreal: s.n.
Merriam-Webster, n.d. Security; Safety. [Online] Available
at: http://www.merriam-webster.com/dictionary/
security.
ICISSP 2016 - 2nd International Conference on Information Systems Security and Privacy
512
Musman, S. et al., 2010. Evaluating the Impact of Cyber
Attacks on Missions, McLean, VA: The MITRE
Corportation.
National Institute of Standards and Technology, 2012.
Guide for Conducting Risk Assessments, Gathersburg:
NIST.
Soperus, M., 2009. Conficker Work Shuts Down French
and UK Air Forces. [Online] Available at: http://
www.maximumpc.com/conficker-worm-shuts-down-
french-and-uk-air-forces/ [Accessed 20 September
2015].
Storm, D., 2013. Hacker uses an Android to remotely attack
and hijack an airplane. [Online] Available at:
http://www.computerworld.com/article/2475081/cyber
crime-hacking/hacker-uses-an-android-to-remotely-
attack-and-hijack-an-airplane.html [Accessed 20
September 2015].
TrendMicro, 2015. Understanding Targeted Attacks: Goals
and Motives. [Online] Available at:
http://www.trendmicro.com/vinfo/us/security/news/cy
ber-attacks/understanding-targeted-attacks-goals-and-
motives.
U.S. Department of Labor, 1992. VI. Risk Assessment.
[Online] Available at: https://www.osha.gov/
Zetter, K., 2015. Feds Say That Banned Researcher
Commandeered A Plane. [Online] Available at:
http://www.wired.com/2015/05/feds-say-banned-
researcher-commandeered-plane/
Zetter, K., 2015. Is it possible for passengers to hack
commercial aircraft?. [Online] Available at:
http://www.wired.com/2015/05/possible-passengers-
hack-commercial-aircraft/ [Accessed 20 September
2015].
Understanding the Impact of Cyber Security Risks on Safety
513