Securing information systems

The IT industry is at the heart of developing future resilient information systems, says Andrew Tyrer from the Technology Strategy Board.

Picture the scene: it's a typical day in your business or private life. You've woken up, checked the television or radio news for transport updates, read emails on your BlackBerry, tweaked your SatNav system on the way to school, work, or the supermarket.

You're barely an hour into your day, and yet, you've become reliant on complex systems underpinned by IT. We're at the stage in modern society where you simply can't go back to paper information. What a wonderful technology-inspired world we live in. But wait, these systems cannot fail, can they?

The answer, of course, is yes they can. As our dependence on information systems increases, so does the risk of these complicated tools failing through capacity overload, human intervention, or natural disaster.

In fact, not only do we depend on these systems, but the systems themselves are also heavily reliant on each other. In the home we are running multiple Internet connections, home entertainment systems, digital televisions and telephone lines that converge into a single set top box, dealing with more complex information year upon year.

As an information system matures, it converges with many other technologies due to the demand for increased agility, virtualisation and interconnection. The end result is an unplanned 'system of systems' where functionality overrides resilience, leading to security concerns. If this fails, it can take out many systems at once.

For example, a significant systems failure was the electrical blackout of the eastern seaboard of the United States in August 2003. This breakdown in continuity lasted for more than 48 hours and affected more than 50 million people.

It was suggested that the initial event, which led to a chain reaction, started at a power plant in Ohio. A breakdown in the computer control system failed to detect a small electrical problem and rectify it. This small-scale local event cascaded into a major outage for a large population of the eastern United States and Canada.

Closer to home we witnessed the Buncefield oil explosion and subsequent fires in 2005. What was perceived as an environmental peril soon became an IT information problem. The fires caused damage to IT data storage company Northgate Information Systems' equipment. The knock-on effect led to Addenbrooke's Hospital IT-centred patient admission system failing, causing major disruption.

Safeguarding our complex information systems

To counteract these security fears, we need innovative and technical solutions to enable systems to be managed - to mitigate risk. These systems will get even more complex in the future, so there is an element of the unknown. We need expertise today to start predicting future security problems. We need to start taking a prevention approach, not cure.

We need collaborations across diverse industry sectors such as transport, healthcare, engineering and finance - all underpinned by IT expertise. We're facing a massive societal and business challenge, but we believe the UK has the expertise to tackle this challenge - and the Technology Strategy Board is at the forefront of this societal problem.

We are working with the Centre for the Protection of National Infrastructure and the Engineering and Physical Sciences Research Council to allocate £6m in research funding to secure our business information systems.

During this funding period, we want organisations with the necessary skills to develop tools, techniques and services to tackle the ever-increasing threat to our information systems. This investment will directly target the complexity and dependency challenges associated with intricate information systems that UK government and businesses use daily.

This funding competition will address innovative solutions for making our information infrastructure more robust. This could include the development of real-time predictive models with particular emphasis on interdependency analysis and supply chains.

No 'silver bullet' solution

We don't see there being a 'one size fits all' solution, but we welcome innovative ideas that will address high level challenges that include:

  • increasing understanding and management of complex interdependent IT infrastructures and systems;
  • development of models focusing on real-world practical applications to enable SMEs and large companies to secure their information systems;
  • producing systems with better scope for data capture, security and data segregation across industries such as healthcare, assisted living, intelligent transport;
  • bringing together diverse groups such as IT professionals, academics, health professionals, economists, transport planners and insurance professionals to share knowledge and ideas;
  • making software more secure, and therefore less susceptible to security vulnerabilities and attacks.

We see these challenges being met by pioneering thinkers within the information security and IT community. We understand that staff from SMEs are very busy, often working on their own, which is why the Technology Strategy Board is offering its full support to the SME community to encourage individuals to form collaborations and apply for this funding.

SMEs who successfully apply for competition funding will be able to keep and exploit the intellectual property they develop from their work. This will be financially beneficial, especially if an entrant's work is produced for a new burgeoning commercial market.

We want to make it clear that this competition is not about funding research that won't produce tangible results. The competition offers the only UK public money currently available to address the security of society's complex information systems, so naturally we want to see a return from our investment.

It's vital that research proposals clearly demonstrate positive economic and business impact, coupled with environmental and social sustainability. We strongly encourage projects that can demonstrate tangible benefits across business sectors. It's essential that the research outputs could, for example, benefit the banking industry as well as transport planning and healthcare systems.

The solutions

We are not going to pretend that solving system security weaknesses will be easy, but we are confident we have the expertise to benefit services that make our lives easier to live, in the home, in the workplace and on roads we travel upon.

In the home, we see this research making our internet connections safer. Also, as our population ages, we could see the funding design a safer home where technology can support our wellbeing. The research funding could enable systems to remain robust, avoiding downtime, allowing constant monitoring of a person's health and activities.

In the workplace, research has many potentially successful and beneficial applications. The banking industry could benefit from better software that predicts risks from cyber attacks. In healthcare industries, better information systems can be designed and implemented to ensure patients' records are maintained securely. Transport systems could benefit from more robust IT systems.

These are possible solutions to improving our complex information systems. We know there are many others. We're challenging industry to play a major part in making our business and private lives more efficient through secure systems.

We have become a digitally-dependent society; the days of paper systems are well and truly a thing of the past, so we need to collaborate, to strengthen our information-based society, for the now and in the future.

Further information: www.networksecurityip.org

This article first appeared in the Spring 2009 issue of ISNOW. 

April 2009
