15 Sep 2016
Industrial control systems, which comprise a core part of our critical national infrastructure, are tempting targets for cyber-attack. Cyber security is therefore key, but how can good system design help to increase resilience and offer free cyber protection?
Although I would always advocate having every feasible layer of security in place to protect an organisation’s industrial control systems (ICS), what I’d like to share now are my thoughts on how good system design techniques can augment those other layers. Doing so is a capability that is often overlooked, which is surprising considering that this is often the last line of defence after all other layers of security have been compromised.
‘Out of the box’ settings
To fully appreciate what can, and should, be achieved through rigorous design, configuration and management, one first needs to understand the condition in which ICS components are often delivered. Vendors are motivated to make their equipment easy to configure, easy to integrate, and least likely to generate technical support workload or service returns. All of this helps to create a positive first impression with their customers. To this end, devices tend to have the simplest, most accessible configuration:
Although this is far from an exhaustive list, all of these are serious potential vulnerabilities. Default names will result in your system being easily discovered using open source methods. Default credentials will result in its compromise.
Where vendor hardening guides exist, it is always worth using them to manage these risks.
Introduction of new features over time can catch out even the wary. My recommendation is to fully research all the features of your control hardware and software, as well as how to disable/secure/enable them effectively. Enable only what is needed. The temptation is always to leave well enough alone once the system is working.
Several design choices can greatly assist with resistance to attack, post-event forensics and recovery from upset (both accidental and intentional). These include:
Take the opportunity to configure security, also known as hardening, very early in a project, when risk to delivery is low. It won’t happen later, after all!
Some kit is well-behaved and allows you to load/save configuration data. Other equipment will require that you painstakingly note it down and change it manually. Having found the best settings, manage them and ensure they stay that way. Some hardware can automatically load settings and programmes from non-volatile (NV) memory on replacement, and optionally on power cycle. Ensure the correct settings and programmes are stored in NV memory. Record (and check) versions and checksums where possible.
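One way to record and check versions and checksums for exported configuration and programme files, shown as an added example rather than anything from the original article. The file names, version strings and directory layout are constructed for illustration; the sketch assumes each device's settings have already been saved to a file.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def sha256_file(path):
    """Hash a file in chunks so large programme images are handled too."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def record_baseline(export_dir, versions):
    """Manifest of {file name: {version, sha256}} for every exported file."""
    root = Path(export_dir)
    files = sorted(p for p in root.rglob("*") if p.is_file())
    return {p.relative_to(root).as_posix(): {
                "version": versions.get(p.relative_to(root).as_posix(), "unrecorded"),
                "sha256": sha256_file(p)}
            for p in files}

def check_baseline(export_dir, baseline, versions):
    """Compare the current exports with the recorded baseline; return findings."""
    current = record_baseline(export_dir, versions)
    findings = []
    for name, rec in baseline.items():
        if name not in current:
            findings.append((name, "missing"))
        elif current[name]["sha256"] != rec["sha256"]:
            same_version = current[name]["version"] == rec["version"]
            findings.append((name, "content changed, version not updated"
                             if same_version else "changed with new version"))
    findings += [(n, "unexpected file") for n in current if n not in baseline]
    return sorted(findings)

def demo():
    """Constructed sample exports: record, then check after unmanaged changes."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "plc1_program.bin").write_bytes(b"\x01\x02 constructed logic image")
        (root / "switch1.cfg").write_text("snmp disabled\n")
        versions = {"plc1_program.bin": "1.4", "switch1.cfg": "7"}
        baseline = record_baseline(root, versions)
        clean = check_baseline(root, baseline, versions)
        (root / "switch1.cfg").write_text("snmp enabled\n")  # unrecorded edit
        (root / "extra.cfg").write_text("x\n")               # file nobody approved
        (root / "plc1_program.bin").unlink()                 # export lost
        return clean, check_baseline(root, baseline, versions)

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Store the manifest somewhere the control network cannot modify, otherwise a change to the settings can be hidden by a matching change to the record.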
Keeping your industrial control assets up-to-date will have benefits outside of improved security. A good starting point to ongoing management includes:
The kind of information you need to secure a system can be a big help in maintenance. Understanding data flows and required services is really useful when it comes to troubleshooting. Making security an integral part of good system design will help to stop people seeing it as a tax.
All of these features require effort and carry some risk (locked out by your own security, for one). And while their implementation may not be completely ‘free’, you must balance the costs against the potential benefits – in cyber resilience, maintainability and Total Cost of Ownership.