Impact case study database

(1) INDUSTRIAL IMPACT

The ICS work performed by the CTI has led to the recognition of DMU as an Academic Centre of Excellence in Cyber Security Research (ACE) by the NCSC and EPSRC, which includes a grant of GBP60,000 [C1]. DMU is one of only 19 ACEs in the country, the first ACE in the East Midlands and the joint-first post-92 university to gain this recognition.

Dr Richard Smith is also a full member NCSC’s Industrial Control System’s community of interest – open only to those with a demonstrable expertise within the field with a track record of impactful work for industry – and is currently leading a workstream on how organisational readiness of a critical infrastructure provider can be tested and exercised. Membership of the community of interest has also provided Dr Smith the opportunity to contribute to the NCSC cyber research problem book, used to inform research direction for cyber security projects nationwide. He has been invited to give keynote presentations at industrial events in the UK, Romania, Australia, Austria, the USA, Germany and France.

DMU has also been recognised as one of only two Airbus Academic Centres of Excellence in ICS cyber security in Europe [C2]. This has been realised in the form of an enhanced Knowledge Transfer Partnership, supported by Innovate UK, in Tools and Techniques for ICS/SCADA Digital Forensics, with Airbus Group supported by GBP225,000 funding. The work has generated a forensic memory acquisition tool used by Airbus workers on their factory floors to allow direct memory acquisition from industrial devices for the first time, increasing the chance of identification and mitigation of attacks against the company. Previously, suspect devices would simply be thrown away, losing valuable forensic information. Now, the evidence is extracted and stored for the investigative team [C3].

Cyber Warfare and incident response exercises have been used to enhance participants’ skillsets and change the way IR teams operate. The DMU Agile Incident Response for ICS (AIR4ICS) project, worth GBP250,000 with additional contributions in kind of GBP160,000 from Airbus, Rolls-Royce, BT and Limes Security, has produced new Agile methodologies and tools providing benefits for IR teams who have adapted their business practices [C4]. This modular framework was funded by the NCSC and allows organisations to choose which elements they feel can be best incorporated into their working practices. Organisations such as Nettitude have chosen to adopt practices and tools from AIR4ICS, such as the Sprint cycle, Incident backlog and Incident board which focus on communication and information sharing between team members and have seen a number of benefits. ‘The first is an increase in technical confidence of the participants, which has manifested itself in more confident decision making’ and ‘The improved situational awareness has assisted the management team and the SOC analysts to be more efficient’ [C5], and the UK military ‘On the exercise itself, there was a clear uplift in capability and performance … demonstrated in the feedback from the exercise assessors in both qualitative and quantitative terms’ [C6].

Cyber Warfare and Incident Response exercises designed, developed and delivered by DMU, for the UK Army, Navy and Air Force response teams in January 2016 and February, April, June, August, November and December 2017 have been used to improve the skills of 124 participants. These skills were then demonstrated and described during cyber exercises of up to 1,000 international participants from NATO countries [C6, C7]. Events during DMU CyberWeek in 2018 and 2019 and AIR4ICS which have trained 123 participants from 22 organisations including SMEs, NHS, local government, industry such as Emerson and Rolls-Royce. These events have utilised DMU’s state-of-the-art hybrid cyber range CYRAN [R4] to create realistic sandboxed cyber environments along with the new IR approaches to introduce new working practices for industry, such as at Nettitude where 11 staff were trained on the AIR4ICS techniques, who have since introduced them to their colleagues and adopted them within the organisation. The main benefits of adopting these techniques has been seen in task management and tracking, ‘the 15 Security Operations Centre staff have implemented a number of measures to improve the efficiency of the Nettitude SOC. These include SCRUM meetings and kanban boards. We have also introduced sprints into aspects of the platform, monitoring and IR operations’ [C5].

Valuable hands-on practical experience of the ICS equipment used in DMU’s CYRAN cyber range has had the added benefit of providing device penetration tests, identifying vulnerabilities for manufacturers to be used to inform their patch cycle. The work has also allowed the Red team participants, from Austria, Germany and Denmark, who were responsible for attacking the network, to use AIR4ICS techniques to increase the efficiency of their penetration testing service and therefore provide better security recommendations:

Our staff doing blue team benchmarking projects became certainly more efficient through the AIR4ICS contributions. Also, in cases where we support customers with incident response, the agile approach gives guidance yet does not bloat the activities like a formal process, so we certainly consider it useful for real-world projects. The value provided even for senior OT security staff as in our case, where realistic attacks lead to realistic responses is substantial, we are glad to have joined the consortium as our invested resources have had a good knowledge-return already. [C8]

To raise awareness of the risk posed to ICS by cyber threats and to increase the understanding of the unique environment in which they exist, SCIPS exercises have been performed at both private events, such as for UK Cyber Defence Academy, and at public events like DMU CyberWeek 2018 and 2019. Some 104 participants have successfully taken part in these SCIPS exercises, including people from organisations including Thales, Rolls-Royce and Emerson. Successful identification of industrial cyber risk increased by 75% and 90% of respondents registering an increased cyber awareness of the threats to ICS [C9].

DMU’s expertise in the area of IR and security operations has been recognised by Deloitte with GBP20,000 funding provided to create a new research Security Operations Centre that will be used to define more effective defensive offerings in the future for Deloitte: ‘It is essential that when providing advice to our clients we are informed by research that is subjected to rigor and scrutiny. Shaping research with DMU in the SOC allows us to develop solutions that address organisations’ most complex cyber security challenges’ [C10].

(2) SOCIETAL IMPACT

DMU has changed the perception of industrial risk within the cyber security and engineering community. Cyber Security attack demonstration devices developed by in conjunction with Airbus and Claroty have successfully been included at major international events where previously there was no ICS representation. These include the first ever ICS ‘capture the flag’ event at RSA 2018, an event attended by over 25,000 people. Some 250 participants were trained and reported an increased understanding of issues within ICS security at the RSA 2018 international conference [C3]. Additional demonstrator devices developed by DMU have also been presented at international events including DEFCON25 ICS Village, the Hong Kong GREAT festival of Innovation, BruCon (Belgium’s largest hacking conference), the IET/BCS Turing EngTalk and DMU have hosted events at their Leicester campus for participants from organisations such as British Gypsum and Siemens Rail.

100,000+ ACM members around the world must abide by the Code, which is a condition of their membership and has a strong enforcement policy that is called on if violations are found. Consequences for breaking the Code can result in prohibition from attending ACM conferences or publishing with ACM. ACM publications and conferences are at the top in the field, and are significant publication and dissemination spaces for both academic and industry research, so this provides a significant incentive to take note of and abide by the Code. The Code has been translated into Chinese and Spanish. The acceptance and use of the final version of the Code not only by the leadership and membership of the ACM, but by other professional organisations, educators, computing professionals and others, shows the impact of Flick’s underpinning research and her direct contributions, such as in Principle 1.6, to shaping the final version of the Code [C1].

New members have cited the ACM Code of Ethics as the reason they joined, and existing members have claimed the updated Code as a reason why they are proud of being members of the ACM, for example @andihyson on Twitter stating ‘Proud to be new member of The Association for Computing Machinery @TheOfficialACM – The code of conduct [sic] swung it for me’ [C2]. This shows the resonance of the Code for professionals who might otherwise have been reluctant to join the ACM.

The IFIP, which represents over 54 countries’ professional societies of computing-related industries, is adopting the ACM Code of Ethics as their code of ethics, to exist alongside the national professional societies’ codes of ethics [C1]. Other professional organisations have adopted the Code for their own members’ use, showing that it has broader appeal than just the ACM [C3]. These institutions are, like the ACM, using the Code as a benchmark for their members’ professionalism:

• Association for the Advancement of Artificial Intelligence

• Institute for the Certification of Computing Professionals

• Association for Computational Linguistics

• Association for Software Testing

Conference series (outside those of the ACM) are also beginning to ask that papers submitted to them and conference attendees abide by the Code, for example the Empirical Methods in Natural Language Processing (EMNLP) and Supercomputing (SC) conference series [C3]. These conferences are open not just to academia, but to industry and government as well.

Educational institutions around the world use the ACM’s Code of Ethics as a basis to teach ethics to school-age, as well as undergraduate and postgraduate computing students. A number of computer science programmes are using the new Code of Ethics in their curricula, with a quarter of technology ethics courses with publicly accessible curricula that teach professional ethics explicitly studying the ACM’s Code of Ethics [C4]. In the professional realm, the new Code has inspired people not at all involved in its development to give talks on it to their peers, or use it in continuing professional development, showing the importance to these professionals in not only internalising the new Code but disseminating it themselves to their peers, for example, its use in a DFKompetens Strategic Infosec course [C5], and presentations at USENIX SREcon18 [C6], RubyConf 2018 [C7]. The chair of the EC and co-chair of the ACM Committee on Professional Ethics states that:

expected further impact includes in education, with the ACM’s technical curricula being updated to show the relationship between technical concepts and the principles of the ACM Code of Ethics. The ACM technical curricula include computer science, information science, and software engineering, and are promoted by the BCS (Chartered Institute for IT) as part of its Skills Framework for the Information Age, for university level and professional education. [C1]

On social media, the ACM Code is regularly used to question organisational practices (Twitter search ‘ACM Code of Ethics’) – even of the ACM itself, for example when they signed a letter in opposition to the OSTP zero embargo proposal in the US (against open access publishing): ‘How does @TheOfficialACM signing this statement align with the @ACM_Ethics Code of Ethics? In particular “3.1 Ensure that the public good is the central concern during all professional computing work?”’ [C8]. The ACM subsequently retracted their statement and submitted a more nuanced response due to ‘concerns from our members’ [C9].

The new Code was used by Google employees to adjudicate the ethics of the Google project Dragonfly, which was cancelled after its ethics violations were brought to light [C1, C10], closing (to Google) an advertising market of 772,000,000 Chinese internet users. This shows that although the Code is aimed at an individual level, it has been used as leverage when groups of employees are ACM members and/or feel the Code represents their ethical and moral obligations [C1]. Other organisations such as Guna SPA (Italy) have used the Code to inform their practices and KPIs, or have adopted the Code internally with assistance from the Committee chair [C1].

The details present how, between 1 August 2013 and the end of 2019, Dr Gongora’s research at DMU has had significant impact in the security processes of the air travel industry by actively contributing to IATA’s and ACI’s efforts in guiding airports on maximising security while minimising disruption to passengers, and sustaining significant growth in air travel. This contribution includes security procedures, personnel training and the use of forecasting and optimisation tools to make efficient plans (e.g. rostering) according to throughput management and modelling, as well as guiding the R&D of manufacturers to provide state-of-the-art equipment.

After the tragic events of September 2001, airport security became challenging, creating conflicting processes among different airports and authorities, with no international agreement in place. The industry faced a serious conflict between operating safely while minimising costs and maintaining a high level of customer service. At the time, the team lead by Dr Mario Gongora were maturing their research in holistic behaviour modelling and process optimisation.

To contextualise this research, the team approached airports which quickly recognised the value of this work to allow growth in operations and enhance customer service without compromising security (e.g. with Birmingham Airport, R5). These trials resulted in Dr Gongora and his team becoming renowned worldwide as leading experts in the field.

As a result of Dr Gongora’s research and recognition as mentioned above, he was invited to join IATA’s ‘Checkpoint of the Future’ programme (COF) Expert Group (made up of a select number of worldwide experts in airport security and optimisation of operations) to work with their advisory group (made of airport/​airline managers and international transport authority executives). The COF evolved into the Smart Security programme when IATA and ACI joined forces to bring their efforts into a single global programme from early 2014.

The contribution of our research to the global air transport industry focuses mainly on the continuous development of the roadmap for the future of airport operations, taking cognisance of the criticality of security, the technologies and processes required to achieve this. The roadmap is delivered via continuously updated guidance documents to which Dr Gongora contributes as part of a select group of international knowledge exchange partners. These documents have emerged as the de facto standard for modern airport operations and security. They are used by IATA’s 300 airline members, ACI’s airport members (over 1,900 worldwide) as well as airport regulators (in 176 countries), authorities, industry and screening equipment manufacturers [C1, C2, C3].

These guidelines have shaped the evolution of airport security from inefficient, inconsistent (across airports and countries) and disruptive measures, to well-defined and consistent processes in the screening of hand baggage, managing of security point operations and appropriate allocation of resources that have significantly enhanced both security and passenger experience while allowing significant growth in the traffic since its inception (see p 18 of C5, where Keflavik Airport went from queues to the parking lot in 2015 to 99% passengers queuing for less than 10 minutes in 2017, despite much higher numbers).

The impact has affected not only airport processes but in turn has driven the market and developments in industry that follow the evolution in requirements for equipment to support these streamlined and robust operations. The blueprints and guides have enabled regulations and driven enhanced and efficient developments in screening technology (e.g. article 2 in C5).

Dr Gongora’s team regularly contribute to industry events, e.g. Airport IT and Security conference in Amsterdam, December 2018, where Dr Gongora was invited to talk about operations optimisation and resilience to the global airport community [C7, C8]. Dr Fabio Caraffini was invited to IATA/ACI’s NEXTT (New Experience Travel Technologies) event in June 2019 at EUROCONTROL Headquarters, Brussels, to plan for Air Transport Security – 2040 and Beyond.

In January 2019 Dr Gongora was appointed as the Adviser for Artificial Intelligence to the Latin American community of Risk and Security Management (COLADCA with over 15 member countries and over 2,000 members and companies) [C6], contributing to the security policies for Latin America.

During 2020 Dr. Gongora with his team at DMU contributed significantly to ACI’s efforts to support airport operations during the pandemic as well as recovery during the gradual easing of restrictions. The most significant impact of this contribution was the latest ACI Handbook: “Low-Cost Low-Tech Optimization Measures for Security Operations Handbook” which identifies solutions and wider applications of simpler and more affordable security initiatives, to ensure optimal use of resources amid complex times and increasing regulatory demands [C9].

(1) INFORMING PUBLIC DEBATE AND AWARENESS RAISING

The launch of the CASR led to international debate on the issue of sex robots, women, children and society. Media outlets including Newsnight, BBC News, Fox News, Channel 4 News and Netflix featured Richardson and her work [C1]. This campaign work has gone on to reshape feminist and women’s rights organisations that have traditionally campaigned on issues of domestic and sexual violence, the gender pay gap and legal protection for children and their care. These groups include Prostitution Education and Research (US), Collective Shout (Australia), FiLiA, CEASE and NotBuyingIt (UK) and RadicalGirlsss (France) [C2, C3, C4, C5].

This has led to each of these groups putting sex robot technology on their campaigning agendas (e.g. CEASE [C5]). This has included featuring the work of Richardson on their websites, campaigning remit and at events. For example, the CEO of FiLiA has stated the significance of Richardson’s work ‘as it is important for women’s rights groups to understand the impact of these new technologies on women and girls … As a result of Prof. Richardson’s work, we can’t ignore sex robots and it has now become a part of our campaigning remit’ [C4]. NotBuyingIt also stated that the CASR has ‘helped to raise our awareness of this field and its significant ramifications … we routinely feature CASR’s research and insights in our social media, newsletter and other platforms (that reach at least 3,000 followers) … and has provided us with a useful tool to raise the current threats to women’ [C2]. From these associations, Richardson organised an online international workshop titled Sex Tech, Robots & AI: A Feminist Response (4 July 2020), which featured speakers from ten feminist organisations, and over 200 participants, and the CASR has been instrumental in bringing about this change and received positive feedback [C6].

Finally, as a result of the CASR profile, a group in Houston, Texas, called Elijah Rising successfully campaigned to close down a ‘sex doll brothel’ [C7]. The group used arguments prepared by Richardson in their Change.com petition statement and achieved over 13,000 supporters.

(2) REGULATIONS ON SEX ROBOTS IN THE USA

In the US, Richardson was contacted by Rep. Daniel M. Donovan Jr. who drafted the CREEPER Act of 2017 (H.R. 4655 – CREEPER Act of 2017) [C8, C9] to halt the development of paedophilic robots, for Richardson to provide written evidence for this. This law achieved a pass in the House of Representatives but was not approved in the Senate [C8, C9]. The tenets of the CREEPER Act have gone on to form the basis for new legislation and has recently been revived by Rep. Vern Buchanan in September 2020 (H.R.8236 – CREEPER Act 2.0) [C10].