Andrew Cooke

UK & Europe

Andrew Cooke was Atkins’ client director for infrastructure in its aerospace, defence, security and technology division. Andrew joined Atkins in 2001 as a business strategist in its Management Consultancy business. He led its security and intelligence practice from 2005 to 2009, was the regional director for the company's Middle East management consultancy division and business development director for its security business. Andrew is a Fellow of the Chartered Association of Certified Accountants and holds an MBA from Cranfield University.

Please complete the form below to contact Andrew Cooke.



Last week the BBC reported on the Government’s new £1.9bn investment in preventing cyber-crime. The report came with a survey that revealed that two thirds of big companies have suffered a cyber breach in the last year.

Is this really news? The former MI5 chief’s recasting of Benjamin Franklin’s quote that: “There are now three certainties in life: death, taxes and a foreign intelligence agency on your network,” is never more true.

The survey doesn’t provide a great deal of granularity, referring to breaches in “UK big businesses” without detail of impact, organisational scale or sector.

Making the nation cyber resilient means protecting critical national infrastructure first. Infrastructure is waking up to the threats to industrial and process control systems, which are still considered to present softer targets despite the significant potential operational impact if compromised.

Furthermore, the survey appears to not consider the UK’s growing small and medium-sized enterprise (SME) community, which represents an increasingly critical component of any resilient nation.

In order to make sure that UK plc is not put at risk by cyber-attack it needs to make itself more resilient to the threats that it faces. This means focussing on the risks that impact greatest on the successful operation of the UK. There are three things we can highlight to help take us there:

1. Focus on critical infrastructure: Cyber sits very much at the heart of UK plc, but its infrastructure represents the vascular system carrying its lifeblood, communications and energy and carrying away waste products. Many of the companies supplying these services are not UK businesses at all.

2. Supply chain vulnerability: It is all very well considering the threats to large businesses but inevitably one of the biggest vulnerabilities that all organisations have is their supply chain. Every big business will have a hundred or more smaller companies representing critical links in their supply chain. Any business’ resilience is dependent on the resilience of those within its supply chain so the Government cannot ignore SMEs and just focus on the big players.

3. Cyber resilience is about leadership: Creating a cyber resilient organisation has to start at the top and work down. What is it that is important to the organisation and what needs protecting? To determine that you need to start with the top level organisational objectives. There are few businesses now for which cyber is not a key enabler; maybe none. Effective cyber security needs to be an objective on the CEO’s list of top level objectives.

The key thing for organisations is not investing a fortune in trying to preventing attacks but instead ensuring that their important assets are well protected once they are attacked or even breached. It’s essential to create organisational cyber resilience by understanding what is most important to delivering your mission and goals and converting that into a clear and simple set of controls to ensure that your critical physical and information assets are protected.

As Baroness Dido Harding, CEO of Talk Talk and perhaps the UK’s highest profile victim of cyber-attack, would testify, making your business cyber resilient is all about leadership and not about attempting to hold back the tide.

In a piece in the FT (paywall) she explained: “The danger is we are asking the wrong question: are we safe? It's a lazy question because the only really safe way is not being online. We tend to see security as a technology issue not a business one.”

The strength or weakness of our cyber security has the potential to impact everything we do. It therefore goes without saying that the person who is responsible for running and leading an organisation – regardless of size - should be caring most about it.

UK & Europe,

In 1909 EM Forster published a short story called ‘The Machine Stops’. It envisaged a world of connected communications, services delivered to consumers’ homes through wires, video conferencing and instant messaging. Most poignantly it described a system of social media with citizens “lecturing” and exchanging their thoughts and views, often sharing opinion and ignoring original thought.

Eventually something causes the machine to start failing and that failure spreads from one service to another until society breaks down and anarchy and death ensue.

But of course ‘The Machine Stops’ is just a story, an apocalyptic view of a fictional society in an imagined version of our planet and it couldn’t happen to us today, could it?

We’ve long recognised critical infrastructure as a set of services that provide the power, water and communications links that underpin our society. Although they have typically been considered to be a series of discrete services provided through different channels, there is now increasing understanding that critical national infrastructure is actually much more joined up.

It is in no small part the digitisation of infrastructure that is increasingly leading critical national infrastructure to become a system of systems; a single interconnected set of services with interdependencies that determine resilience and reliability of each.

This digitisation helps service providers to track and manage their assets more effectively. It can also put customers in control of the services they use, allowing greater choice and flexibility. However, it also puts more and more services online and it means that increasingly power, water and transportation services rely on communications systems for their operating platforms. Furthermore without power other utilities and communications systems can’t operate.

If a key transportation service suffers a security breach then potentially fuel can’t get to a power station or waste be removed. If a water pumping station’s systems are breached then water is not available for either sanitary purposes or for cooling systems for other parts of infrastructure.

All of a sudden Forster’s apocalyptic view become so much more real. But why does the interconnectivity of increasingly digitised services make the risk of a meltdown more likely?

In the first instance the risk is simply that our greater reliance on digital services means a security breach resulting in ‘denial of service’ is so much easier and potentially more probable that an attack on one part of the infrastructure will disrupt supply and therefore affect others.

Also, increasingly operational technology - the process and equipment control systems that run infrastructure - is connected to the broader network of systems. The risks and vulnerabilities to these systems are less widely understood and the equipment is in many cases less proactively managed and protected. The potential for proliferation of infection in the event of a cyber-attack is therefore much greater.

Finally, and crucially, the exchange of data and information between critical infrastructure is much higher as a result of this proliferation. The spread of a ‘Shamoon’ type virus could have devastating consequences and potentially threaten to severely disrupt infrastructure for long periods of time.

At Atkins, we’ve long advocated that organisations should be taking a holistic approach to their organisational security. That begins with ensuring that security measures are directly tied in to organisational objectives and that key performance indicators include security at the top level. The organisational risk management approach then considers all aspects of security in one place. These include physical security, cyber, industrial controls, behaviours and emergency planning and business continuity. This consolidated, top-down, risk management approach allows risks to be considered holistically, thereby creating a resilient organisation.

If we follow this approach through, then it can also be argued that if we consider our national infrastructure to be part of a holistic whole then the same approach should be taken to consider risk at a holistic infrastructure level. In this context our national infrastructure becomes a ‘system of systems’ and creating resilient infrastructure is a matter of dealing with risks to that.

The Centre for the Protection of National Infrastructure (CPNI) already has an important role in bringing together risk at the top level for UK infrastructure. This is recognised in this approach but the suggestion is that potentially now we need to look further ahead as convergence of infrastructure systems continues, service providers cross from one part of infrastructure to another and the risk to the nation continues to be more complex.

Forster’s apocalyptic view of the machine stopping may not be a realistic risk in the short term. However, making sure that we are aware of the risks to infrastructure as a whole and mitigating them from a holistic infrastructure perspective can only lead to a more resilient infrastructure, society and nation state.

UK & Europe,

Since Talk Talk became the UK’s most high profile cyber security breach a little over a month ago public comment has focussed on how a large technology company could have such poor security. That a simple attack on their website resulted in the loss of customer account data was clearly a huge embarrassment to the company. The fact that the perpetrators were under sixteen only added to the public relations disaster. 

However, the real consequences of the breach are probably far more limited. Will Talk Talk survive the media onslaught? The chances are that they will. What will happen to the thousands of customers whose records were lost? Probably very little and once the media frenzy has passed, sporadic crimes resulting from the lost records will likely be swept under the carpet. 

Ministerial announcements often cause a similar media frenzy in an effort to demonstrate that “something is being done.” Last week saw announcements from both George Osbourne, speaking at GCHQ, and later Ed Vaizey, Minister for the Digital Economy, as to how the Government is going to support the fight against cybercrime. Osbourne’s announcement focussed on the “additional” funding that the Government is providing, whereas Vaizey’s was about imposing a mandatory cyber health check for FTSE 350 firms

Ministerial pronouncements rarely come with any great details and these are no different. They are, however, important steps forward in demonstrating that the Government does take cyber security seriously and is intent on protecting UK citizens both from terrorist attacks on their person and the national infrastructure. It is also key that Government is ensuring that the private sector takes their privacy seriously and protects customers from financial crime arising from companies not protecting their records appropriately. 

All this optimism though has to be tempered with a serious dose of reality. Much of the focus of GCHQ’s IA15 conference earlier this month focussed on the cyber security threat to our critical national infrastructure. The biggest risk to such infrastructure is the cyber security threat to the embedded industrial and process control systems in the plant and equipment that generates power, delivers water and controls transportation and communications systems. 

We have yet to hear whether the health check will cover those process control systems. However, the one thing that we do know is that many, if not most, of the companies providing those services in the UK are either privately owned or not in the ownership of UK companies and will not be covered by the proposed cyber health check. That includes all of the companies building new nuclear power stations. 

Few people favour more and more regulation. This week’s announcements are a great start from the Government in making sure that UK citizens and our critical national infrastructure are better protected from cyber-attack. However, much more is needed before we can all sleep safely in the knowledge that no one is going to steal our bank details from poorly protected retail companies and that the infrastructure that runs our lives is safe and secure from disruption.

UK & Europe,

The continuing digitisation of our infrastructure enhances our experience as citizens and defines our progress as a society. However, the increasing reports of cybercrime and the threat of disruption to supply have led to calls to resist this development and slow the pace of change. Yet the benefits of digitisation are too persuasive and both the expectation of the public and the need to continuously drive down costs mean we cannot stop or even slow down the tide.

The public is very familiar with the concept of the ’digital economy’. We accept that today we live much of our lives online; buying food, goods and services or communicating with friends and family. Though the term ‘digital infrastructure’ is less commonly heard or understood, it is fast becoming a reality that impacts our daily lives. It is the concept that underpins the way critical services are delivered to us today and in the future.

Digitisation of infrastructure helps service providers to track and manage their assets more effectively. It can also put customers in control of the services they use, allowing greater choice and flexibility. Examples of the latter include the sensors on trains and buses that allow us to track the arrival of public transport in real time or the internet-based services that allow us to select the telecommunications, power or water services we want.

As infrastructure becomes increasingly digitised it is essential that it also becomes more resilient. The recent breach of security at the Office for Personnel Management in Washington has highlighted how even the most secure systems are at risk from hackers, whether they are state-sponsored or just inquisitive enthusiasts. When some of the most heavily protected systems in the world are compromised it prompts us to look closer to home and to think about what digitisation of our infrastructure really means to our safety and security.

A recent report highlighted the approach that the UK National Crime Agency are employing to tackle botnets by focusing on closing down the vehicles that the criminals use to affect the crime. Making our infrastructure more resilient requires the same approach. We can’t slow the pace of digitisation so what we must do is to understand what the threats are that impact on the delivery of infrastructure services.

I believe that there are five key steps to making digital infrastructure more resilient:

  • Firstly we need to understand what the goals of infrastructure organisations are. Knowing these will allow each organisation to then consider what is required to deliver those goals, what the risks are to achieving them and what needs to be done to protect them.
  • Next we can look at the assets that are involved in delivering these goals – whether these are physical, information or people assets – and how they are secured. One key challenge for infrastructure organisations is that they often need to make those assets available to their customers in one form or another. This might either be information assets in term of costs, billing statements or access codes, or physical assets in the form of smart meters or transmission equipment.
  • We then need to understand the specific risks to those assets. What could potentially go wrong in delivering the services?
  • Once the risks have been identified we can understand the potential vulnerabilities implicit within those assets and the action required to mitigate those risks and vulnerabilities.
  • Finally, we can put in place a comprehensive plan to make sure that those risks are thoroughly mitigated and a system of reporting is implemented to ensure that incidents are identified and lessons learned.

In many ways it appears a simple solution to a highly complex problem. However thinking of infrastructure as a bundle of assets that need to be protected is the most effective way to ensure that risks are mitigated, breaches are reduced and criminals are deterred.

Asia Pacific, Middle East & Africa, North America, UK & Europe, Rest of World,

There have been a number of articles in the media recently highlighting the potential risks arising from implementing the European Rail Transport Management System (ERTMS) in the UK. ERTMS is the system that replaces traditional mechanical signalling systems with the IP-enabled systems.

The benefits of implementation are clear as it:

  • creates compatibility with European rail systems; important as increasingly rail journeys begin in the UK but end in Europe
  • brings efficiency with rail routing decisions being made centrally and implemented instantly
  • provides opportunity for greater business continuity with a number of national control centres offering redundancy
  • offers considerable capacity enhancement and much improved asset management and exploitation.

Of course if the control systems are managed across an IP network that is ultimately connected to the Internet then there is risk of compromise. The potential exists for someone to attempt to break in, whether they are hobbyist hackers, disaffected rail users or state-sponsored terrorists. The BBC recently quoted Professor David Stupples of City University pointing out that a hacker could cause a “nasty accident” or “major disruption.”

The vulnerabilities that could compromise ERTMS also threaten control systems managing infrastructure across the world, yet incidents to date have been few and far between. Furthermore control systems are not the only business management systems under threat as the ever growing reach of the Internet of Things (IoT) and Bring Your Own Device (BYOD) policies provide just as great a potential challenge.

Yet these threats and risks can all be mitigated. Good design lies at the heart of good security. While the ERTMS system is already complete, we do still have the opportunity to make sure the design of the systems around it and the way that people interact with them is effective.

An effective cyber security programme needs to be holistic; to consider risk from an organisational perspective. In this context, considering the risks to control systems as well as traditional enterprise IT is absolutely critical.

It also needs to consider employees and employee behaviours. Professor Stupples pointed out the potential impact of a disaffected employee taking maleficent action, yet in reality the consequences of discovery will be a significant deterrent to most. The greater risk is the prospect of unwitting employee behaviours resulting in vulnerabilities that could be exploited by outsiders. An assessment of employee risk should be used to identify particular areas of risk and specific targets for training. Comprehensive communications and training programmes can support this.

Ultimately, we can’t step away from building a more modern, efficient and effective infrastructure out of fear of the consequences. Avoiding a major security breach is a matter of careful threat and risk assessment, thorough vulnerability analysis and implementation of a planned programme of mitigation and protective measures. By embracing this approach we can safely leverage the benefits of implementing the most modern technology.

UK & Europe,