
Clash Of Cultures? Bringing Cybersecurity Into (Aero)space Safety

BSides Bristol, 33:51, 33 views, published 2024-01
Style: Talk

Transcript [en]

...finish the introduction. Thank you so much, and no pressure there with the promises of a great talk. So my name's Emma Taylor. I'm here to speak at BSides; it is my very first ever BSides speaking, so save the difficult questions and the good ones for the end. I'm here to talk about cyber security and bringing it into aerospace safety. I am relatively new into cyber security; I've been doing engineering for an awful long time, in fact it's 20 years in the aerospace industry. And then I have to say I like new and difficult things, exploring and innovating. My parents are always like, can't you just get an easy job, why do you keep having to challenge yourself? And I like it. So I've had 20 years in aerospace, seven in oil and gas and seven and counting in transport. I got my first proper job in cyber security a few years ago at age 50, so if you're thinking about a career in cyber security, it's never too late.

And I'm here talking to you with my Royal Academy of Engineering Visiting Professor hat on, which sounds awfully impressive; it just means that I applied for it and said I'd like to go and teach about digital safety and cyber security and bring the two together. So I'm based at Cranfield University. Cranfield University has planes, it has a runway, it even has a plane park next to your building, which for me counts as pretty cool. And the Royal Academy of Engineering, if you're not familiar with them, they're the UK's engineering body. I think they'd like to say they're the premier engineering body, and I think I'd agree with them. They bring together what we need to think about in the UK and globally about engineering and try and point out the future. So if you've not actually looked at their resources I'd encourage you; it's a good place to start. They talk about safety, sustainability, across the board.

Now before I get to the main point of my talk I'd just like to highlight a personal commitment, because as part of the application to become a visiting prof I said I'd talk about safety and security in the crossover. I said I'd take an aerospace perspective, but I also made a personal commitment to try and raise deaf awareness, as a communication hurdle and also a communication opportunity; it's something for all. Now I was inspired in this by one of my mentees that I met before the pandemic, so I saw the world through their eyes and all the difficulties of communication, and I'm just aiming for clear communication for all. And I'd encourage all of you to try: next time you're in a Teams call, turn on your closed captions; try perhaps with playback; if you're watching this on YouTube, put the transcription and closed captions on; if you're having a meeting, why not send out meeting notes beforehand and help people with pre-briefing and reading; include space at the bottom of the slides, this is a good one. And you'll find that my slides don't have one picture and three words on them; that's deliberate, because if you're watching in playback you can provide some more information, and if someone's having trouble following the transcription or lip reading, they can look at the slides. I'm going to do my best to do deaf awareness. I've written on my slide I'm still improving; I'd actually say that sometimes I'm pretty crap at it, but that doesn't stop me trying, and I'd encourage you all to find out a bit and see what you can do. I promise you it does help you with your communication across the board. And so that's it, that's my personal commitment, and you can tell me at the end: questions on safety and security, and also where I can improve on deaf awareness.

So this morning I actually opened up the talk description and thought, what did I actually promise to say? Because yes, I turned up with my talk two-thirds written and just finished my last slide about 10 minutes ago. And I saw that I said I was going to try and put forward some ideas of how cyber can connect with safety, and to give you all some potential challenges and pitfalls, and perhaps some encouragement as well, that you can take some of the tips from the teaching where I tried to bring together the two using a bow tie method. And it is really welcome to my world, and take away what you think might work for you: any of it, all of it or none of it. This is all about raising awareness.

Now if you're thinking about security and if you're thinking about safety, where do you start? And the little red box highlights what you can start thinking about. And here I'm now going to go... I'm at a BSides conference and I'm going to go to some basics, I'm going to go to some below-basics, beyond-basics, I'm going to go to some things that you think, surely she's not having to explain this? But actually, from the security point of view (and I pointed this out to safety) you're there to protect the system from people, often with malicious intent, and from the safety perspective you're there to protect people from malfunction of the system. And I have been in meetings more than once with people with a safety background and they're actually having trouble believing that people have got malicious intent. They say, why do people do that? Do people do that? And that fundamental sort of challenge in thinking was one of the things that I addressed. And this whole room is going, really? But honestly, there's a proportion of people out there that are not yet aware of this malicious intent, and you can help bridge the gap.

So what did I do? I thought to myself, I can go out telling sort of stories and descriptions, but if you're there to teach you're not there to broadcast, you're there to educate and encourage people to use the knowledge. So I thought, I'm going to round up some stakeholders; that's middle-aged speak for people who think what you're about to do is important, and often people who have money and can back you. So if someone says I'll be your stakeholder, this is generally speaking a good thing. I put in digital safety and security with the "and" underlined to highlight I was going to look at the overlap, and what I wanted to do was test out this stickiness of the cyber message to safety people, and the overlap, by teaching a workshop and classes. And I'm doing that right now; I'm halfway through the visiting professorship. Me being me (do you remember I said I like to do things that are difficult?) I didn't apply to teach across one MSc course, I applied to teach across five plus, everything from accident investigation to airworthiness. This additional challenge and difficulty: the academics said, well, you can have one hour, or maybe two, or maybe six, as a trial across our whole MSc to teach about cyber. Non-trivial task. Oh, and by the way, you're funded for 12 days' teaching a year. So somehow we've got to highlight that cyber is different to safety, and there's this whole other world that you've got to highlight, and these crossover challenges.

So I work in my day job in cyber security, and it's a VC-funded startup, and I've been introduced to that work relatively late, but there's many good things about it. Agile is perhaps an overused word; it introduces smiles in some and shudders of horror in others. It's certainly something that consultants talk about, but for me it just means have a go, do something, see what happens, iterate and change. I like the phrase "minimize work done"; that's something that's got to shape everything. You've seen the constraints. And very much focus on the basics, that cyber understanding, that fundamental; remember that point about malicious intent, that absolutely needs to be put across, otherwise you're not building on good foundations. And then last but not least, I need to persuade the safety people (this line here) that actually cyber isn't all that difficult, and to have a go. Because if you describe this whole fantastic complex domain of cyber and IT and OT and information security as the whole scope of reality, people are just going to go, way too much effort for me, I can't do that, that's just for the specialists. And if you take that, then how are you going to get people to bring it on board and incorporate it in the discipline? So that sense of have a go; so it's something that I'm doing.

So you're probably curious about me and how I ended up in cyber at age 50, and it would take a long time to do the career story, so I'm just going to do a couple of shortcuts. So I'm not your typical BSides speaker. You know, I like Post-its, proof; I love a safety management system; I could talk about standards until the cows come home, and often people think of standards and management systems as boring, but for me they're a powerful tool that cuts through. I also like blowing holes in things and breaking them. The thing on the right hand side is a small light gas gun, which allows you to accelerate space debris from zero to about 5 km a second in about this distance. The NASA guns are much more impressive, but this is the one where I did my PhD. I'm really sorry I forgot to bring the piece of spacecraft with a hole blown in it; that's my bad, I was busy writing my talk yesterday. So: creative, curious and not afraid to sort of push some boundaries.

Now should you find yourself (and you will at some point) in a room with safety specialists, you need to know what's ticking inside our heads in order to start that communication conversation. I remember one of my colleagues, probably about six or seven years ago, getting super frustrated with me because I kept saying no. And safety people, we are there to spot the things that could go wrong that other people haven't thought about, and to persuade people that they need to pay attention. There is some similarity here with cyber security. And we are particularly stubborn if we think something's going to go wrong and people aren't paying attention. And safety does get listened to. Sometimes we'll say no and we can stay that way for a long time; I've held a line for years when I think something really shouldn't be signed off. So just to be aware of that. But we're being negative to be good. My colleague I mentioned, he looked at me one day, he said, Emma, you're negative. And I looked at him, there was this kind of realization inside: yeah. And he said, but you're negative to be positive. So when you find yourself with cyber security people or specialists or something and a safety person is sitting there going no, they're doing it with positive intent, even though they're probably irritating the crap out of the delivery team after them that just wants to get it done. And there's a reason why sometimes we say no in that way, and I'll get to that in the following slide.

So there I am starting out in my career, and it's a kind of common backbone: safety people, they might work in different disciplines but they've got this kind of persistence and this positive curiosity. And that's good for me obviously, because I get to learn new things. It can be less good for other people because I am always asking questions. For those of you that are parents and that have toddlers that keep asking why, what if, why, why: maybe we never grew up as safety engineers, but asking questions, peeling back the layers, it's the safety DNA. We're never really sort of satisfied. So on the left hand side, the kind of blue thing with the lines on it, that's a piece of a Hubble Space Telescope solar array, and that was my early days of the PhD. You bring it down, you have a look, you try and work out what made that hole, because you need to know about space debris. And interestingly enough, this attribution, if I can borrow a cyber phrase, is really hard to reverse engineer, as you're trying to work out what made that thing before it hit the solar array at maybe 7 km a second and just physicked its way into sort of oblivion. So we also sort of retrieved satellites (not me personally, that wasn't me in the shuttle; someone brought the satellite down for us) and we looked at the craters.

And the reason why there's a big red blob on my slide with the schematic of a satellite is, it goes back to when I was 18. I was doing a pre-university placement and I walked into the manufacturing facility, and it wasn't a clean room, it was just a kind of mockup, and there was this huge satellite called Envisat, the size of a bus, and I went, I wonder what would happen if a piece of space debris hit it? And I'd go around and people would say, it's fine, you know, it's fine, there isn't that much, it's fine, it's fine. And I kept going, but, but, but, and I ended up actually getting hold of some bits of spacecraft and then putting it in the gun, and we basically blew the back off the piece of the spacecraft structure. I can still remember the technician coming to me going, you've got to have a look at this. So sometimes we really do uncover things when you take that safety mindset, but often we're a lone voice.

So where does the safety perspective focus? You know, actually, how does it compare with cyber security, what makes us tick? We've got an idea already about that persistence, that curiosity, that asking of questions. But because safety is about protecting people, you know, we're very much about the prevent, we're very much about find it (and this is a line from the talk this morning, I think) but we're about finding it and fixing it. If you turn up and say look at this, you'd better damn well follow through with a solution as well. And after there's been an incident or near miss, people focus even more on prevention. They gather the data, because you believe if you look at the past and the trends you can predict where you're going to need to focus in the future. So this plan-do-check-act underpins everything in those safety management systems. There's a little bit of a teeny-weeny problem if you try and take that and bridge it across to cyber security, because can you prevent all sorts of cyber security breaches? Can you aim for 100% protection and prevention of any cyber incident ever? If anyone would like to raise their hand and confirm you can have 100%... no, didn't think so. Just thought I'd ask to check you're awake. But that's where safety's aiming for. If you're working on a nuclear power reactor, you're not going to say, okay, once a week is fine and I'll do my equivalent of Microsoft Patch Tuesday; no, this is a different threshold, and we're persistently sort of driving down and chasing. And the idea that actually it's about respond and recover, and that's where you focus a lot of your attention, is a little bit alien. So this will be a clash of cultures, or bridging the gap, that you find in the room.

What else drives it? When you work in the safety background, and this includes considering things of digital systems, you can end up in court. You're there as a responsible engineer, professionally engineered; you can end up in front of the barristers, that's King's Counsel now, used to be Queen's Counsel. Obviously we're professionally registered, and if things go wrong and there is an inquiry (and the Nimrod inquiry is well worth a read; it may be 500 pages of a document, but it's 500 pages of beautifully, horribly, accurately, directly written all the ways in which complex projects and cultures and people can go wrong; there's this line, they use the word incompetence) so when these kind of things go wrong, if I'm a safety engineer, whether I've worked in cyber, digital systems or physical protection, that could be me. That could be me in front of the QC or the KC answering and explaining myself. So we feel the responsibility, we feel the pressure. When you go and train in safety, you know, in your first term you're meeting the people that have met the inspectors, that have met the accident investigators, that have found themselves in court. You hear and you feel it. So that kind of stiffness, that firmness, that no, that persistence, that stubbornness, this is one of the reasons why. And working now looking at the crossover and cyber, I think that challenge and fear around regulation, I think it's less so in cyber, but as the two disciplines start to cross over, what happens for safety will happen for people doing cyber security, digital systems. So be mindful.

So I was talking about teaching, so I thought with the students I'd do a little check-in, right: what do you think about cyber security, where's your focus, where's your priorities? Two very simple questions that I just made up, like you do. And then there's a little clash, and in my animation I've got my animation the wrong way around; you've got the answer at the bottom. But what I'm going to do is I'm going to show you the answers that I got. Okay, how important is cyber security for you and your role? And the people I was teaching were mid-career in the main, and studying their masters alongside their jobs, and they said, yeah, somebody else's issue, but it's rapidly increasing in priority. Do you think that safety is more important than cyber security? No, don't know, not sure, don't know enough. So you've got this mismatch, confusion; people don't quite know where to place cyber security in their domain. And if you think about that whole context, then you know it's a challenge, and people are uneasy when they don't know where to place it. And bear in mind we get a lot of professional enjoyment from thinking about the way this thing can go wrong. I think I wrote the word fun in my abstract; this for me is professional fun, thinking about all the ways I could find myself in trouble and then working out how to fix it. We're an unusual breed.

Now one of our power tools, one of the things that really gets safety people quite interested and exercised, is a risk assessment. Now anybody that works in any domain that's not safety, as soon as you hear the word risk assessment, think paper, think procedures, think something you've got to do, think burdensome. But actually a risk assessment is a way of thinking. There was a talk earlier on today that talked about risk, likelihood and impact, and it's almost like an underlying belief that you can apply this to anything. And if you say to someone, actually I don't think a risk assessment is going to be really useful in this case, their heads aren't going to literally blow up, but you're going to get some fairly funny looks back, because it's a mindset. You decide what your system is that you're going to evaluate, you look at the likelihood of things happening, you look at the consequences, you decide what you're going to do about it, you put them in place, and then you monitor and review. Applies to simple, applies to complex. What was being done incorrectly and incompletely for the Nimrod accident is what's been done for nuclear reactors, trains, planes, automobiles, across the board. But it's not a cyber risk review; don't get the two terms confused. And also it depends on you having the information available and the knowledge of the system and the system boundary. I think probably the time when I've talked about the difficulties of taking a risk assessment mindset and looking at what happens in practice, just this pause, you know, you're taking away people's fundamental foundations: actually, no, you may not be able to do a risk assessment in this case. Because the risk assessment is the basis of the safety management system, is the basis of the life. Take that away; what is there? From the cyber perspective you understand you can't wrangle this into submission; you just have to monitor, monitor, monitor, protect, and respond and recover, and exercise and drill.

Something else we're talking about, bridging the gap and a clash of cultures, possibly: safety is everyone's responsibility. It was probably, I can't remember that far back, probably even further, safety used to be the responsibility of that person over there, the safety person. But the culture has shifted: safety is everyone's responsibility, particularly in CNI, critical national infrastructure. If you go into a room and ask who's responsible for safety, I'd be surprised if everyone goes, oh, not my problem, over there. But when it comes to cyber security it's really quite different, and if we can get to the point where everybody across the board thinks cyber is their responsibility in the same way as safety, that will be useful. You might have an IT team that's an overhead, and the finance director's turning the screws, says please get it cheaper; you might have a stressed CISO on the board if you're lucky. And one of the things that the safety people challenge with, you know, the idea is that having trouble getting people's attention once they start talking about cyber security, really? Because the safeties often directly report up to the key seat on the board, particularly for critical national infrastructure. And I think you get all sorts of different organizations once you start to split across information security, IT and cyber, and I'll come back to that.

So I mentioned about teaching, and there I was, not very many hours, and to teach the whole of cyber security in a couple of hours, or maybe if I'm lucky six hours, and I thought to myself, oh Emma, you've taken on something quite difficult here. So what are we going to do? We're going to try out, we're going to do a test: could I teach to bridge the gap, would there be a clash of cultures in my room full of established safety professionals that worked in risk, dyed in the wool, all of the things I've outlined to you? So I gave them an exercise. I made something up (I like making things up). I said, you work at a regional airline (I was very careful not to name a real airline, because that would have got me into trouble) and I said that you work for a regional airline, and one of your competitors has just lost their licence because of loss of access to maintenance data. Now the idea that you lose access to your data, or your backup fails, or maybe a ransomware, is bad, but not insanely bad; but the idea that you lose your licence because you've lost access to your maintenance data, it'll make people blanch. It's a really serious issue. So I made up and blended the incidents here; I put some ransomware in. So the ExCo, that's your board, that's senior management, are getting lots of calls from the people that put up the money, and they said, you know, are we good? Is our maintenance data managed? Do we need to worry? And I gave them basically, I don't know, I think it was an hour, an hour and a half, and maybe a bit for the discussion, and they didn't have any cyber background. I didn't drop them in it completely; I gave them a few bits of briefings, and I'll show them to you before the talk, but in a nutshell I just said, right, off you go, and I'm going to give you maybe 5 minutes to brief the board in this exercise: tell them where do they need to focus the resources, what do they need to worry about the most now, and anything else you want to. And that was the brief. Fortunately this wasn't being assessed for any exams, because this is an unfair exercise. But as far as I can tell, nothing in digital security or cyber security is fair; it's not the Queensberry rules; there's always a mismatch and a balance between attacker and defender.

So what was one of the first things I told them? I got them to think about smart cities, and I said, you need to think about the fact (bear with me here) that things are connected, and actually use cases change, and actually the software is going to get updated, and the people, and you've got a long life cycle, and the system's going to start to behave in a way that you didn't predict, the emerging properties, and you've got systems connected with systems, and there's these criminals and cyber threats, and the systems have vulnerabilities. And you might be thinking, surely you didn't have to point this out? But when you have that sort of mindset and training, and absence of training in cyber, this was a thing that I needed to embed in. Now is it a culture clash? I don't know. It's stating the obvious, but when you find yourself talking and when you find yourself doing these exercises, make sure this point is there, otherwise people will come in with their structured system boundaries, that you look at this system with this safety level and this system with that safety level, the connections...

Now fortunately people have thought about, in the regulatory basis, what you do with aviation. This is called a bow tie. Essentially the big red dot in the middle is the thing to go wrong that you don't want to have happen, and in this case it's about mucking around with maintenance data: if you muck around with the maintenance data you've got problems with your airline aviation. That big red thing on the back is the threat, the consequence; they call their bow tie "Significant Seven", which is quite cute. The blue things are the threats. Now the threats are the things that can go wrong: if you have damage to your maintenance system, then you're going to have a problem with the systems that operate, and then your plane's going to be in trouble, and then... So I said some of these things might be more likely than others: if you've got a ransomware attack or your data is being modified, you might have in-service technical faults. And so they were familiar with this as a presentation, and I said, I want you in this scenario to think about maintenance, look at that, and just think about where things can go wrong. It's a really cruel exercise. And to add extra, in the yellow is supply chain, because it isn't just one company all doing the maintenance; your maintenance may be outsourced, and you all know if you work in digital systems that it's usually fourth tier where somebody's updating the libraries, done by four people on open source or something. There's complexity there.

So the teaching exercise put them into two teams. But how can I accelerate that learning? How could I really get them to the point where they'd actually get to something useful in about five minutes' presentation and 2 hours of work? I split them into red team and blue team, and I had to explain what they were, and then I had to tell them that it wasn't a technical exercise. I just want you to play. I want you to think about: you're a blue team, you work for the company, you're going to look at that whole bow tie and decide where are you going to worry, where do you need to focus the resources, because these are all the activities that the company does to manage that maintenance data to prevent those blue threats from leading to red consequences. What do you do? Red team, it's your job to find the weakest link; go away and have a play and see where you think ExCo need to put the resources. And by the way, nobody else is doing this exercise, so it's a mindset rather than a technical exercise, and you've got to tell them where they've got to worry about loss of confidentiality, integrity and availability of the data, because you need the right information at the right time with the right sort of security controls in order to operate your planes. And tell them. And I just let them run. I even chucked a bit extra in, because the last sort of culture clash or bridging the gap is because for most people in safety, cyber is just five letters and that's it: it's cyber security, a thing over there. The whole difference between IT and operational technology, information security, IT, cyber security; just one sort of block. A lot of the graphics I'm showing you here are from an IET code of practice on cyber security and safety, and my plan is to actually write up a LinkedIn article, put the links in and get it up this weekend, so you can find me on LinkedIn by Sunday and I should have it done by then. But that's it then; so you have to think about IT and OT.

Now I'm watching the time, so I've got about two, three minutes left, so I'm going to hop over, just a couple of zooms in there, and say to you what happened, how did things play out in my experiment to get across digital safety and security with those seven culture clash challenges, no teaching time and, quite frankly, wanting to get something useful, because if the students thought it was no good then I probably wouldn't get asked back. So, no pressure. So you'd think that given the starting point, and given the fact the students were all of a certain background and discipline and training, that the red team and the blue team presentations would be broadly the same; they would zoom in on the same areas. But actually there were quite a few differences. The blue team stayed very "safety". I was popping in and out of the teams' rooms backwards and forwards, right: systematic, regulated mindset, serious. Actually they were justifying how they were doing it, audit trails, they were forming and organizing the information. They looked a bit stressed because they didn't have enough time to do a good job. Now the red team, that mindset, they went rogue, and I remain astounded at how little time it took them to no longer look like they'd come from that safety structured environment; I'd say about 45 minutes. I went in there, they were organizing their logos, they had the hoodies out, psychologically if not physically, and they'd gone down that pathway. And if there's one thing to take away for how to kind of bridge the gap with safeties: go play with this exercise. It works. I obviously had to encourage them, but I'd kind of nudged them by giving them a task that they couldn't do reasonably in that time at all; there was no chance, that was it. They had to find a different way, and a few of them really got it.

So I'm just going to wrap up now with a couple of slides recapping those seven culture clash bridge gaps and my thoughts, and I'm hopefully making the case as I run through that actually it's not one world over here of safety and the other of cyber, but you can actually bring them together. And this is just my personal thoughts, and they'll probably change in about a month or two's time; this is very much a moving topic. So safety very much always aims to prevent, prevent, prevent, and you can't ever prevent 100% of cyber-related incidents, so this is one thing to take away and shift the focus. Now safety feels that pressure of law and regulation, and I think cyber security less so, but very much so the two are coming together, and I'm not talking decade by decade or even year by year, I'm talking month by month to year by year; we're in that position where critical national infrastructure is increasingly important and the vulnerabilities are increasingly present. Now you're going to find this wide range of where do you slot cyber security in; try and break away from the fact it's five letters and into a whole complex world of digital systems, and find yourself also explaining that actually risk assessment isn't where you start; think instead of the NIST cyber security framework, there's a few more. Safety is going to find it strange to step into CISO shoes and find that actually it's harder to get the resources and it is considered as an overhead. And don't forget to stick to the basics of considering how things are connected, the data flows. I know this sounds fundamentally obvious, but you do need to get people into that mindset. And then last, introduce safety to the world of others too. So give it a go: reach out to the safety world, go to some webinars, explore the differences, and the gap is smaller than you think. I'm starting with a negative outlook and I'm finishing with a positive wrap-up, and this clash of cultures can be used to create a cyber and safety blend.

I'm watching the time, I'm a few minutes over, but I'd just like to finish with a wrap-up (she says, hopping back and forth on her slides) on deaf awareness. I've been trying to give this talk in a way where I'm talking to the microphone, the camera's on my face for the recording so someone could lip read me, I've tried to make sure I speak to the slides, there's enough information on the slides so it can go back. And I've asked myself the question, and you can too if you're doing it: imagine someone's using a combination of software tools; can they actually pick up what your message is? Do you have too much or too little information on your slides? Have you got some random information which is going to distract someone as they're trying to work out why it's there? And are you delivering it at a pace and in a format that the algorithms are coping with? Everybody's accessibility needs are different, so if you're trying to do this or think about it, do some research, and if you're not sure, why not ask. So that's the end for now and it's time for questions and answers. Thank you for your attention.