EPSRC logo

Details of Grant 

EPSRC Reference: EP/M002780/1
Title: MUMBA: Multi-faceted Metrics for ICS Business Risk Analysis
Principal Investigator: Rashid, Professor A
Other Investigators:
Follis, Dr K Busby, Dr J Hutchison, Professor D
Researcher Co-Investigators:
Project Partners:
Airbus Group Limited Atkins Thales Ltd
Department: Computing & Communications
Organisation: Lancaster University
Scheme: Standard Research
Starts: 01 October 2014 Ends: 31 December 2017 Value (£): 393,867
EPSRC Research Topic Classifications:
Knowledge Management Networks & Distributed Systems
Organisational Studies
EPSRC Industrial Sector Classifications:
Aerospace, Defence and Marine Communications
Energy Information Technologies
Transport Systems and Vehicles Water
Related Grants:
Panel History:
Panel DatePanel NameOutcome
23 Jun 2014 TICS Research Institute Phase 2 Announced
Summary on Grant Application Form
The evolution of cyber space is transforming the way our infrastructure is managed. Industrial control systems, that is those systems that manage critical utility infrastructure such as Energy, Water and Transport are increasingly interacting with enterprise IT systems in intricate fashions. This leads to an increase in the level of threats to these critical infrastructures. This is only too evident from cyber weapons such as Stuxnet which targeted centrifuges in Iran's nuclear facilities and more recent news that over 60,000 exposed control systems were accessible online. The US Defence Secretary Leon Panetta described a recent spate of cyber attacks against critical infrastructures as a "pre-9/11 moment". The cyber attack surface of future generations of control systems is likely to increase further with new technologies and working practices such as the use of autonomous software agents in their operation and handheld wireless devices in control and maintenance.

Given the importance of industrial control systems to society, it is important that decision-makers are able to effectively articulate the risks posed to them from cyber space. Even more importantly, decision-makers should be able to understand and respond to such risks from a business continuity and recovery perspective in order to evaluate and prioritise their mitigation responses. However, to date, metrics for articulating cyber risk in such settings have largely been driven by technical measures pertaining to security of information or resilience of the control system itself. Though important, these metrics bear little relationship to typical factors used in business risk analysis, such as business continuity, disaster recovery, cost, reputation, impact on resources, etc.

The MUMBA project takes the perspective that metrics for articulating cyber risk (in industrial control systems) as business risk only make sense in the context of what we understand the larger system to be, and cannot sensibly be designed without a model of this system. Post-hoc mapping of security and resilience metrics to business risk fails to account for the complex socio-technical landscape in which current and future generations of control systems reside. Effective articulation of cyber risk as business risk requires multi-faceted metrics that are first and foremost driven by business risk concepts. Such metrics consider business risk both along and across various facets of an industrial control system setting i.e., the control system itself, enterprise systems, business processes, people, third party organisations in the product/service supply chain and new/emergent technologies (and associated working practices). Furthermore, the project addresses the need to contextualise these metrics to a particular critical infrastructure domain to ensure meaningful interpretation of business risks and prioritisation and implementation of responses (i.e., whether to mitigate, transfer, accept or avoid particular risks).

The project involves a world-leading multi-disciplinary team of researchers in cyber security, resilient industrial control systems, risk management and social anthropology from the Security Lancaster research centre. This academic expertise is complemented by practical insights provided by four industry partners: Airbus, Thales, Atkins Global and Raytheon. Through its research into the complex socio-technical processes at play in contemporary industrial control system settings, new metrics and how to instrument such environments to gather relevant data to compute such metrics, the project aims to become a cornerstone for future research and practice on articulating cyber risk as business risk.

Key Findings
This information can now be found on Gateway to Research (GtR) http://gtr.rcuk.ac.uk
Potential use in non-academic contexts
This information can now be found on Gateway to Research (GtR) http://gtr.rcuk.ac.uk
Impacts
Description This information can now be found on Gateway to Research (GtR) http://gtr.rcuk.ac.uk
Summary
Date Materialised
Sectors submitted by the Researcher
This information can now be found on Gateway to Research (GtR) http://gtr.rcuk.ac.uk
Project URL:  
Further Information:  
Organisation Website: http://www.lancs.ac.uk