Cyber resilience

Atkins | 09 Oct 2014

Cyber-attacks on electricity grids, water supplies and transport systems aren’t just a theoretical possibility: they’re already happening. A new Atkins-built simulator is helping infrastructure operators to identify and communicate where the dangers lie.

It’s 7am on an ordinary Monday morning. But as you step out of bed, it’s soon clear something’s wrong.

The bathroom light doesn’t work. The shower produces only a trickle of water and it’s stone cold. Down in the kitchen, the gas won’t come on. Your mobile still has some charge but you can’t make a call because the line’s dead, along with your Wi-Fi and landline. Outside, it’s gridlock – all the traffic lights are out of action, staff are turning away passengers at the railway station. No trains. No power. No signalling. Too early to say when things will be back to normal…

The scenario described above may sound unlikely. But it is no longer impossible – 2014 has already seen extensive cyber-espionage campaigns launched against energy sector companies both in the US and Europe – attacks which gave hackers the opportunity to mount sabotage operations against their targets.

Earlier this year, the US Department of Homeland Security reported that a public utility had been compromised when a sophisticated threat actor gained unauthorised access to its control network. This wasn’t just a one-off: during 2013, the Department dealt with more than 170 reported cyber-attacks against the energy, water and transport sectors.

Critical infrastructure at risk

Water, gas, electricity and transport networks are vital for economic and social wellbeing. But they’ve never been more vulnerable – and in many cases, all that’s needed to hack them is a PC and an internet connection.

Industrial control systems (ICSs) are the crux of the problem. These systems are used to provide centralised control of remote devices, such as valves, pumps and switches. The ability to orchestrate the operation of such devices, which number in the thousands in large networks, is vital for the normal operation of utilities and transport systems.

“In the past, industrial control systems benefited from security through obscurity – nobody knew they were there,” says Dr Ian Buffey, technical director for Atkins’ industrial control systems cyber security. “They ran on obscure platforms and, crucially, they were typically not connected to anything. But that’s changed.”

The ICS domain is enormous and embraces a wide range of technologies, including supervisory control and data acquisition systems and distributed control systems. Elements such as programmable logic controllers and remote telemetry units are also part of the equation.

As industrial control systems have grown in size and complexity, providing communications links has become increasingly expensive. So instead of continuing to use isolated proprietary networks and protocols to run them, operators have increasingly opted for the ubiquitous, low-cost connectivity offered by the internet. And that introduces a whole new raft of vulnerabilities.

“Around the time of 9/11, people started looking at vulnerability to threats and realised these systems were now connected,” says Dr Buffey. “They were running on commodity hardware and operating systems, and to a large extent commodity software as well. So they’d moved from being these really obscure things to basically the same kind of things many people ran on their office desktops.”

Unlike attacks on corporate IT networks, where confidential data is usually the target, the purpose of infiltrating an ICS is to cause disruption. Typically, this is achieved with malware, and attempts to infect systems may persist for weeks or even months. But in some cases, all an attacker needs is a web browser – and access is instant.

This is possible because a growing number of ICS endpoints are IP-addressable. In many cases, security on these devices is poor or non-existent because internet connectivity was added by the manufacturer as an afterthought. And thanks to one search engine, described by CNN as the “scariest” on the internet, identifying those vulnerable ICS devices online is easy.

Wireless connections are another weak link. In some control systems, radio transceivers are used to monitor variables such as temperature and pressure. By transmitting fake readings, a hacker can fool the central control system into shutting down critical operations with potentially disastrous results.

Isolating control systems from public networks doesn’t necessarily solve the problem. Malware infections can be introduced easily via portable media, either maliciously or accidentally. Stuxnet, a computer worm that targets control systems, is typically introduced via an infected USB stick. And there’s always the risk that a rogue member of staff – or negligence – could disrupt the operation of industrial control systems.

“The human factor is a real challenge,” says Roger Cumming, technical director of Atkins’ security business. “You’ve got equipment that needs to run 24 hours a day. You’ve got engineers working shifts and lots of different people who will need to engage with a particular control system. And if you’re wearing a huge pair of industrial gloves, you’re going to have to take them off to touch the keyboard. So one of the challenges is authenticating yourself in a way that’s suitable for the environment.”

The longevity of control systems creates problems of its own. “The lifetime of some of these components can be 20 years. People don’t replace them for security reasons and they’re often more scared of the cure than they are of the threat,” says Dr Buffey. “And as systems grow, you end up with a lot of different products from different vendors all at different stages in the life cycle.”

Given the risks, why has so little been done to protect industrial control systems? “Control systems tend to be brittle,” he observes. “It’s hard enough to get them going and once they’re working, people tend to leave them alone. If there’s any kind of resilience testing, it’s done early in the life of the system.”

Highlighting the dangers

To articulate these problems, Atkins has developed an ICS demonstrator that illustrates some of the challenges involved in protecting control systems used in three types of infrastructure: rail, power and water.

The demonstrator, built by Atkins’ specialist model-making department, can be controlled remotely over the internet with the results observed via webcam. “You can dial up this model using a broadband connection and alter the security configuration,” says Cumming. “This makes it possible to explore the impacts of good and bad security procedures – and to observe the consequences of a cyber-attack.”

The demonstrator highlights the way critical infrastructure systems are increasingly interconnected: disruption of the electricity grid, for example, has the potential to unleash havoc on rail networks – which rely on electricity whether they are electrified or not – as well as gas and water distribution networks which depend on electrical energy to operate high-performance pumps, compressors and valves.

It’s not only critical infrastructure systems that are vulnerable. The rise of the internet of things and the race to adopt machine-to-machine technologies mean that risks are accelerating everywhere. With smart energy meters now being rolled out in homes throughout the developed world, the potential impact of a wide-spreading worm or piece of malware is now greater than ever.

“The cyber security world is possibly ten years behind corporate IT security in terms of understanding what the issues are and the spread of protective measures,” says Cumming. “Tackling the problem starts with raising the level of awareness.”
