Organisational, Political and Technical Barriers to the Integration of Safety and Cyber-Security Incident Reporting Systems

Many companies must report cyber-incidents to regulatory organisations, including the US Securities and Exchange Commission and the European Network and Information Security Agency. Unfortunately, these security systems have not been integrated with safety reporting schemes. This leads to confusion and inconsistency when, for example a cyber-attack undermines the safe operation of critical infrastructures. The following pages explain this lack of integration. One reason is a clash of reporting cultures when safety related systems are intended to communicate lessons as widely as possible to avoid any recurrence of previous accidents. In contrast, disclosing the details of a security incident might motivate further attacks. There are political differences between the organisations that conventionally gather data on cyber-security incidents, national telecoms regulators, and those that have responsibility for the safety of application processes, including transportation and energy regulators. At a more technical level, the counterfactual arguments that identify root causes in safety-related accidents cannot easily be used to reason about the malicious causes of future security incidents. Preventing the cause of a previous attack provides little assurance that a motivated adversary will not succeed with another potential vector. The closing sections argue that we must address these political, organisational and technical barriers to integration given the growing threat that cyber-attacks pose for a host of complex, safety-critical applications.