Hierarchy of Control – Why is similar not applied to Cyber Security?

Within the safety sphere many will have heard of the Hierarchy of Control. The concept has been around for a number of years and is well publicised.

The hierarchy is according to the HSE:

· Elimination – physically remove the hazard

· Substitution – replace the hazard

· Engineering controls – isolate people from the hazard

· Administrative controls – change the way people work

· PPE – protect the worker with equipment



https://en.wikipedia.org/wiki/Hierarchy_of_hazard_controls

(Source: https://www.hse.gov.uk/ppe/ppe-regulations-2022.htm#:~:text=Hierarchy%20of%20controls,-PPE%20should%20be&text=Elimination%20%E2%80%93%20physically%20remove%20the%20hazard,change%20the%20way%20people%20work)

This is a priority order for dealing with a realised or potential hazard. It places the onus on eliminating hazards; only if that is not possible are measures put in place to mitigate or contain the hazard.

Within cyber, though, the hierarchical approach is quite different. NIST identifies this as:

· Identify: Create a cybersecurity policy and list equipment, software, and data

· Protect: Use security software and control who can access devices and networks

· Detect: Monitor networks for unauthorized access, devices, and software

· Respond: Have a plan for notifying employees and customers, and keeping business operations running

· Recover: Restore normal operations and data after a cybersecurity incident


(Source: https://www.nist.gov/cyberframework/getting-started/online-learning/five-functions)

The approach here is much more reactive in nature. It assumes that adequate measures are already in place and that elimination or substitution of process or machinery is not possible.

This, though, often leads to the assumption that the hacker will always get through, and that the key factor is how the organisation detects and reacts to this. The focus must start with eliminating as many threat vectors as possible.

Threat Elimination starts at the concept phase of the design. High level assessment of the initial concept for threat vectors at an early stage will prevent many vectors being inadvertently added later in the process. It will also focus the minds of the design team on eliminating threats at source.

The safety concept of elimination focusses heavily on physical removal. There is therefore the temptation to assume that functional and behavioural risks cannot be eliminated. This is of course not the case. When applied to cyber security, these elements have a high degree of crossover. In this case a common cyber-safety approach is entirely appropriate. When reviewing the functions within a system, looking at their impact in terms of both safety and security yields a far higher degree of overall integrity.

The concept of Substitution is common to both fields. Can a task be done in a different way? Is there a different technical solution? Substitution may be as simple as swapping the sensor with online calibration for one which requires manual, offline calibration. This, though, is where the needs of safety and security may come up against one another. Careful thought should be given in design to ensure there are no unintended consequences.

Engineering and administrative controls are where current cyber practices focus their efforts. These stages ask what measures can be put in place to reduce risk through automation and through working practices. Chapter and verse has been written on this. What is worth noting, though, is that safety and security considerations at this level tend to be very well aligned and complementary.

In conclusion, a more nuanced process than NIST's:

1. Identify: Create a cybersecurity policy and list equipment, software, and data

2. Eliminate: Remove all non-essential processes, elements and equipment

3. Substitute: Where possible use lower risk processes, software and equipment

4. Protect: Use security software and control who can access devices and networks

5. Detect: Monitor networks for unauthorized access, devices, and software

6. Respond: Have a plan for notifying employees and customers, and keeping business operations running

7. Recover: Restore normal operations and data after a cybersecurity incident

With this there is now the possibility to prevent threat vectors from becoming risks, and to be proactive in preventing threats at both the physical and the organisational levels.
