The evolution of cybersecurity standards is getting delayed
You made an interesting observation about the gradual change of focus from safety to security in industry. Can you elaborate?
The industry still talks about the two in isolation and there are fundamental reasons for that. Safety is predominantly driven by internal design principles, e.g., an aircraft is designed to make it safe, whereas security is mostly an external thing. A device can be made unstable by external elements that are trying to peep in, whereas in a safety paradigm, not many people will be ‘peeping in’, but something going wrong internally can cause an accident. The landing gear, for example, can fail due to internal factors, but failure due to external factors rarely happens unless it hits against something. So people responsible for safety were not concerned about the security aspect. But at some point of time systems started getting hacked – the most spectacular example being the sabotage of the Iranian nuclear programme – and that opened the eyes of the concerned people. The moment a system is hacked, all design principles of safety are rendered immaterial. So any system that is built today needs to be both safe and secure.
So safety alone is not enough – a system also has to be dependable?
The challenge in today’s world is any system – a machine, car or aircraft – has to be dependable. Dependability in turn is a combination of a few parameters where safety and security are major things, but also availability, reliability in terms of maintenance, etc. From a pure engineering point of view it has to be looked in a holistic manner. List down all the engineering requirements from the safety and security angle and then see how the design can address these requirements from both the parameters, and then test the system to meet those requirements.
In one of the presentations it was evident the regulatory mechanism in India is not strict. Is it changing for the better?
Yes, it is changing, no doubt. LDRA works in India with all the regulators – you name the industry, we are there. Because if you really want to engage with the ecosystem, there fundamentally there are 3-4 players, like the regulators for various industries, the standardisation agencies – in India it is the BIS – the various working groups, etc. About regulators, it is the ARAI for automotive, AERB for nuclear, the DGCA for aviation, and so on. People often blame the regulators, but that is unfair. The regulators go with the law of the land which lays the framework and they are expected to work within that. One can challenge a regulation that is outside the law, and the court may uphold that view. Now when the government amends the law, as in making helmets mandatory, there is a public outcry. So what we need is to first create awareness, change the law and then frame the regulations. Then you have a roadmap for change. The progressive regulation of auto emissions is a good example. Another example is the pharma industry and medical devices where for a long time there was no regulatory mechanism. It is the industry that suffers the consequences and loses in the global market.
The other point is the growing software use and complexity which again opens the field for further risks and safety and security concerns. How do we tackle these concerns?
That will always be a cat and mouse game without any clear winner of loser. Initially it was more hardware driven growth but then the focus changed to software. Look at the semiconductor industry and how many of them failed to make the transition from chips to ECU with multiple processors and a lot of software with further provision of adding other software on the top by the OEMs for various devices. So the whole tech industry has grown by adding software and the world has benefited from that but there are the vulnerabilities. So the solution is more stringent regulations not only for software, but also the hardware level like the FPGA systems which are becoming much more faster. The security issues in hardware are much more difficult to detect. So the only way forward is for nations to work on effective security frameworks and standards, like the BSI in UK, which India can emulate. The good part is, the BIS is talking about issues like cybersecurity.
What about the skills and the availability of trained manpower for this?
We believe in building the right skills, local skills. What I have observed is skills are available in India in various niches but not with Indian companies. Now this is not something against the MNCs. Their mandate is different so skilling manpower is not a priority for them. But what the country needs is to build indigenous skills – the IP can be owned by anyone – but the expertise required to do the sensitive tasks have to be there locally with the Indian companies, the government organisations and the ecosystem has to be built. The NSDC and the various sector specific skill councils working under it are all active. We are working with many of them and a change is happening, we now have to take it to the next level.
Is the multiplicity of platforms, protocols and standards a hindrance?
That itself is not a problem as such as these things exist – some driven by industry while some are country specific. Take IoT for example – in the beginning the issue was lack of any standards, and then evolving those standards by different bodies. Today it has reached a level where everyone realises the need for standardisation and convergence. The bigger issue today is of lack of trust in matters of security, unlike in safety where internationally everyone is on the same page. When it comes to security there is no trust and the ‘peep in’ culture comes and because of this there is no combined push from the global community, which is not a good sign. The evolution of cybersecurity standards is thus getting delayed. Maybe like an article pointed out recently, we are waiting for a major co-ordinated cyber attack to goad us into that effort.
The final question – what exactly is LDRA doing in India – the role and function? And the segments you are operating in?
LDRA came to India in 2010 and initially it was an uphill task. I had people laughing at me saying you are much ahead of your time. But somebody had to start. I was lucky enough that the UK management had some understanding of the Indian market and were prepared to wait. It took nearly 4 years of sustained effort with hardly any major success, but after 2014, there was no looking back. Today we have the largest head count in LDRA India and are leading in programmes and innovations.
India is a unique market where we have the world’s best companies doing their backend engineering – aerospace, electronics, automation and much else – and they are bound to follow the best practices and we also learn from them. Most of their high end testing is done in India. We also work with the leading PSUs as well as private sector companies of India with customers in different sectors. This unique blend is something we have not come across in any other region LDRA is operating in. The other aspect is LDRA is a unique organisation as our technology does not work in isolation. It sits on various design and development technologies, configuration and lifecycle management. This integration plays a major role in our technology being widely acceptable. India in general, and Bangalore in particular is a hub of global technology majors and it also makes for great networking. Our team is young, open to new ideas and keen to innovate, do new things.
As for the segments, traditionally aerospace is a big one, but more recently it is automotive that is getting more traction, and this year we have seen big surge in industry, which is a welcome development.