Effective Solutions for the NIS Directive – Supply Chain Requirements for Third Party Devices

Summary

This project will deliver a methodology and framework that enable ICS operators to quickly and effectively verify the security of third-party devices. Such COTS devices can compromise the security of an otherwise well-designed system.

These devices are often hard to check, because their source code and design are usually unavailable, and sometimes not even known to the supplier of the device. We will ease the checking burden that NIS compliance imposes by providing detailed guidance and analysis on the best methods of assessing such components. This guidance will be based on our experience of such analysis and validated by new analysis of common ICS components. The outcome will be a body of knowledge that ICS owners can use to review potential issues in their systems, together with contextual information about the source of each vulnerability and how it may be mitigated.

We will use this body of knowledge to compare different assessment methods and present the results as a report that ICS owners can use to decide on the most effective analysis methods for their needs. We will also investigate automated analysis methods, from common scanning tools to more advanced research tools, that ICS owners could use to analyse their systems without major resources or expertise. We will assess these tools on a range of ICS components and again provide ICS owners with guidance on their use and effectiveness.

Project members

Tom’s research interests are in statistics and information theory for measuring information leakage, security for peer-to-peer systems, e-passport security, the theory of traceability attacks, anonymity, and formal modeling for secure distributed systems. He has previously held appointments at CWI (Amsterdam), Ecole Polytechnique (Paris) and Stevens Institute of Technology (Hoboken). He obtained his Ph.D. from the University of Edinburgh (Scotland).

His research interests centre on methods for the storage, processing and display of railway related datasets – in particular data representation and exchange via ontologies, manipulation and integration of data relevant to the multimodal transport system, and cyber security in industrial control systems.

Since joining the rail group in 2009, John has been involved in a wide range of projects, including the TRIME third-rail monitoring system, which in 2012 was joint winner of the Stephenson Award for Engineering Innovation at the National Rail Awards; EU-funded work (Interail, Automain, OnTime and Capacity4Rail); and the EPSRC-funded SCEPTICS project (part of the RITICS research institute). John sits on the executive committee of the Institution of Engineering and Technology's Railway Network and has recently been seconded to the cross-industry Digital Railway programme.

Richard has just completed a PhD at Birmingham on the cyber security of next-generation rail applications. Before that he worked as a ServiceNow developer and workflow analyst, and as a ServiceNow evangelist.