Richard Piggin

UK & Europe

Dr Richard Piggin is a capability manager at Atkins. He has an Engineering Doctorate in industrial networking from the University of Warwick and has since focused on networking, technology evangelism, international standards, safety and security. At Atkins, Richard is working with clients to make their Operational Technology resilient against current and emerging threats.




The WannaCry or Wanna Decryptor malware has affected 150 countries, including the United Kingdom, United States, Spain, Russia, Taiwan, France, and Japan. Several variants have already been reported, all presently targeting Windows-based operating systems, including embedded versions. Further variations, which could target other operating systems such as Linux, are anticipated. Early indications suggested that email phishing campaigns initially infected computers; the use of email attachments and malicious website links has been confirmed. The worm then spreads across networks.

While assurances have been given regarding the loss of patient data, the malware provides backdoor access to victims’ computers, so data theft is a distinct possibility. Yet the issue isn’t just about the security of patient information; it’s also about preventing patient harm.

This is not an isolated incident. Similar incidents have already occurred in the healthcare sector, even in the UK. Only a few hospitals were affected, attracting limited publicity and concern. Many more medical facilities belonging to the U.S. MedStar Health provider were severely disrupted last year. The impact of such attacks also features in a new BSI publication on Medical Device Cyber Security, which describes the convergence of safety and security risk, along with defensive principles.

Other sectors have also been impacted, including UK, French and Romanian car plants and the German rail operator. Spanish victims included telecoms multinational Telefonica, and utilities Iberdrola and Gas Natural. Critical infrastructure asset owners have been impacted by ransomware in the past, including several power utilities.


Organisations with unsupported operating systems or ineffective patching programmes will continue to be vulnerable. At best, it’s a race to patch against the inevitable malware opportunists, and remove specific network services. So, what can be done to avoid potential reputational damage, disruption, loss of information, financial loss, and impact on customer [patient] wellbeing? The mantra must be to get the basics right:

1. Back up systems, and exercise the plan for incident response and restoration of compromised systems. Patch and update systems, although this can be a challenge for Cyber Physical Systems (controlling physical processes), with 24-7 operation 365 days a year, coupled with long lifecycles. Compensating measures must be put in place where patching and updating cannot be achieved in a timely fashion. Network architecture implementations that protect and segregate vulnerable systems, with anomaly detection, are common approaches, along with disabling unused services/protocols.

2. Address phishing as the route to initial infection. Education of staff will reduce the number of successful attempts, but is unlikely to protect against habitual clickers or well-researched and crafted targeted spear-phishing. Therefore, other technical measures are needed to prevent malware being downloaded or malicious sites visited. Raise awareness amongst employees, particularly operational and engineering staff, of recent threats and attacks.

3. Manage the supply chain. Address the security of embedded systems that may have long lifecycles. What is the security model and how will this continue to offer proportional risk-based defence? Asset owners should stipulate their security requirements. Vendors should offer these by default, and they may even become a product differentiator in the short to medium term. Expect them to be included in future procurement specifications.

4. The UK’s National Cyber Security Centre has published specific guidance for administrators and home users that should be acted upon.

5. Visit the “No More Ransom” website, and please pass on the recommendation. The initiative seeks to help victims of ransomware retrieve their encrypted data without having to pay the criminals. It also offers prevention advice.

Finally, new forms of malware are being discovered at an ever-increasing rate. CNI security postures need to address the evolving risk with regular reviews. Cyber security is still a journey, not a destination. Governance regimes need to reflect the salutary lessons identified when the dust settles.

Image of WannaCry screenshot in banner image provided by Kaspersky.

UK & Europe,

The most recent campaign is reported to have commenced on 6 December, continuing through to 20 December. Vsevolod Kovalchuk, a director at the Ukrainian national energy company Ukrenergo, told Reuters that the 200 megawatt interruption was equivalent to approximately a fifth of Kiev's night time energy consumption, and that the scale of the interruption was very rare.

The automation was shut down in the Pivnichna power transmission substation located north of Kiev. The remote terminal units (RTUs) opened circuit breakers, causing a power outage that lasted for 75 minutes. Power was restored manually, with full restoration early the following morning. Power loss was reported in northern Kiev and on the eastern bank of the Dnieper River and the surrounding area.

The Ukrenergo director described ‘external influences’ affecting workstations and SCADA (supervisory control and data acquisition) servers, and anomalies with transmission network data. Although investigations are ongoing, in the meantime researchers have confirmed significant similarities to the power outage a year earlier. This includes phishing attacks, with malware embedded in Microsoft document macros, and traces of BlackEnergy 3 malware used in the attacks targeting Ukraine Government organisations.

Oleksii Yasnskiy of ISSP labs distinguished the more recent attacks, which used significant obfuscation: “Being more complex and better organised.”

Marina Krotofil, a security researcher at Honeywell Industrial Cyber Security Lab, contrasted the previous damaging attack: “They could do many more things, but obviously they didn’t have this as an intent. It was more like a demonstration of capabilities.”

Ukrainian media and security researchers have also reported further cyber-attacks including distributed denial of service (DDoS) attacks on the Defence Ministry, government sites, financial sector, railways, ports and electrical power transmission.

The electricity sector in particular and governments as a whole will be disturbed by the escalation illustrated by further attacks, particularly the attack on a power transmission substation, which has the potential for much greater impact than previous attacks on distribution substations. Whether or not this is perceived as a demonstration or testing of capability, it raises concerns. Given the motivation to attack critical infrastructure with apparent impunity and in contravention of international law, the intent highlights the need for effective cyber security and well-developed incident response planning.

Lessons will be drawn from both Ukraine attacks, including the methodologies utilised by the perpetrators and the opportunities to disrupt different stages of the attack. It is highly likely the investigation will indicate perpetrator presence on target networks and use of remote access to disrupt the substation automation. The capability demonstrated emphasises the importance of understanding normal network activity and recognising abnormalities. Both attacks also underline the need for mature incident response plans, which are regularly updated, tested and reviewed.       

Beyond the quick wins a system assessment will identify, there is much potentially applicable guidance that could be used to assist in responding to these developments and improve resilience.  

IEC 62443, the international standard specifically developed for industrial cyber security, is one approach that has grown in substance and application. However, embarking on an implementation is a significant undertaking. This multipart standard has been revised and further developments will incorporate many distinct aspects of securing industrial systems that are applicable to critical infrastructure. High hazard industries will benefit from the approach to manage safety requirements alongside security in the forthcoming related specification (IEC TS 63069). However, simply seeking to claim compliance with IEC 62443 would be an inappropriate response to securing critical systems.

Instead, asset owners, equipment vendors and system integrators should choose pertinent guidance to support their security strategy, and formulate a cyber security plan for implementation. Atkins recommends a lifecycle approach to engineering cyber security, underpinned by governance and a suitable security management system. An organisational cyber security capability assessment can be used to identify and prioritise areas for improvement to be addressed in the cyber security plan. The organisational assessments can be supplemented with technical assessments as appropriate. The applicable guidance can then be used to direct implementation depending on the entity’s role. An established cyber security framework, such as the NIST Cyber Security Framework (CSF), can draw together the application of good practice principles and assist organisations in the management of cyber risk in critical infrastructure.

Addressing cyber risk can be a daunting and confusing prospect for many organisations, and often appears intangible. An effective approach requires the organisation to understand its business risk, and target resources to those areas where they will have the most effect. There is no magic bullet, or technology solution, that will reduce risk. Frequently, in our experience, many cyber security challenges revolve around people, their awareness, communication, organisational structures and accountability. Senior management support is essential to realise meaningful improvements over the longer term.

UK & Europe,

The Civil Nuclear Cyber Security Strategy (CNCSS) complements the existing National Cyber Strategy, and sets stretch goals in consultation with industry, to address the risks to the safe and secure operation of new civil nuclear facilities and the management of legacy and waste facilities.

Success will be demonstrated:

  • Strategically in transforming industry’s approach to cyber security: the ability to deter and protect against a cyber-attack and ensure cyber resilience, the ability to detect, contain, mitigate the effects and recover from a cyber-attack
  • Operationally with the continued safe and secure operation of legacy and future nuclear facilities in the face of growing cyber threats
  • Tactically with the increasing capability, capacity and agility of stakeholders to deal with all aspects of the cyber security challenges faced by the UK civil nuclear sector.

The desired outcome is to deliver an industry which has a mature approach to understanding the cyber threat, and is able to produce solutions which efficiently and effectively address that threat. Specific outcomes are:

  • The continuing improvement in capability and capacity through training and exercising with increasing senior executive understanding and ownership of cyber security risk
  • Industry to adapt to a tailored outcome-focused approach, as part of a holistic cyber security posture
  • An industry with a mature approach to understanding cyber threat and delivering outcome-focused solutions which are approved by the regulator.

The strategy highlights four distinct activities to support delivery:

  1. Deliver a comprehensive understanding of the cyber vulnerabilities across the civil nuclear sector
  2. Continuously mitigate identified issues and vulnerabilities
  3. Improve the sector’s capability to detect, respond to, and recover from cyber incidents
  4. Ensure sufficient resources are allocated to cyber security and resilience.

Atkins recognises the imperative for the nuclear sector. Recent events illustrate the potential consequences to the UK nuclear industry: the Fukushima Daiichi nuclear disaster and the resulting closure of the German nuclear industry. Reputational damage resulted from malware found on the Gundremmingen nuclear plant in western Bavaria, which entailed a precautionary reactor shutdown. Incidents affecting individual organisations may impact the sector nationally and internationally, undermining confidence.

Work is already ongoing in a sector that keenly appreciates the need for safe and secure operation that also safeguards public confidence. The nuclear industry has traditionally focused on safety to provide resilience and security. More dynamic approaches are required to stay ahead of the continuously evolving cyber threat, the increasing nation state capability and the terrorist potential. The implementation of new operational technology could increase opportunities for malicious intent.

The strategy reinforces key themes essential to successful cyber security implementation; dealing with the increasing threat, board awareness, governance, Operational Technology (OT) and IT, and the interdependence of safety and security. Delivery will demand transformation, whilst ensuring all sector participants are fully engaged, particularly in the supply chain. This will entail closer relationships with partnering companies, contractors and suppliers to provide the proportionate cascaded risk ownership, understanding and mitigation. The supply chain will also be called upon to develop capacity and capability where there are skills shortfalls, especially in direct support of nuclear asset owners.

Nuclear facilities are required to be secure by design and implementation. This necessitates appropriate cyber security skills and the development of industry capability to manage these activities both internally and in the supply chain. This will place a requirement upon the supply chain to demonstrate measures proportionate to the risk they own. The regulatory approach is now transitioning from compliance to risk-based assurance. Whilst there have been rapid developments in both generic and sector guidance, industry participants would welcome direction under the new regime.

The nuclear industry needs to be resilient against increasingly sophisticated attacks requiring identification of critical assets and proportional risk mitigation. Security and safety necessitate equal emphasis to address risks, requiring IT, Operational Technology and physical security collaboration to achieve resilience. The Government is rightly looking to raise awareness across industry, ensuring executives have the information they require to develop the cyber security programmes with the necessary leadership, governance and resources to succeed. Non-executive boards will have greater means to hold boards to account.

The cyber strategy implementation is equally ambitious for all parties. It needs to be, in order to meet the continuously evolving, uninhibited threat and maintain public confidence in the nuclear industry, which is essential for our economic well-being.

UK & Europe,

On 23 December 2015, Ukrainian media reported a cyber-attack had left half the homes and 1.4 million people in the Ivano-Frankivsk region without electricity. Although services were restored within a few hours, this was largely due to manual intervention rather than by recovering compromised automation systems. Slovakian security firm ESET later reported that the initial incident was not isolated, and that multiple electricity companies had been affected simultaneously. Reuters also reported similar malware was found in Kiev's Boryspil airport, on IT networks which included air traffic control. Ukraine blamed Russia.

This incursion is one of a few confirmed against the grid, although no direct causal link has been established between the malware and the outage. However, previous events have caused physical harm, including Stuxnet (2010) which targeted the Iranian nuclear programme, and the German blast furnace destruction (2014).

While physical damage is rare, reconnaissance of the power grid has been widely reported before, with warnings of conventional retaliation made by the US. These prompted President Obama to order the development of the Cyber Security Framework for critical infrastructure.

ICS-CERT, the US Industrial Control Systems Computer Emergency Response Team, is working with Ukraine’s CERT-UA and has confirmed the presence of Black Energy 3 malware. The ICS-CERT alert is a further warning regarding an ongoing sophisticated malware campaign compromising Industrial Control Systems (ICS), dating back to 2011. Black Energy 2 (2014) used vulnerabilities in ICS products directly connected to the internet to deliver malware. It had reconnaissance functionality, without destructive modules deployed by the perpetrators. In contrast, the new Black Energy 3 variant appears to have been launched using a spear phishing campaign with a malicious Microsoft Office (MS Word) attachment. A further round of spear phishing attacks used a malicious Microsoft Excel macro, purporting to require a newer version of Microsoft Office to thwart security.

By comparison, the Havex malware targeted and compromised Energy sector control systems in 2013 and 2014, using multiple infection routes including spear phishing, infected ICS software downloads from legitimate websites, and compromised industry websites. The malware was used for intelligence gathering. However, an unfortunate by-product from the adversary’s perspective was the noisy reconnaissance, which had the unintended consequence of causing a denial of service on the ICS communication servers.

Both the Havex Trojan and Black Energy perpetrators have been described as ‘sophisticated actors’. They also demonstrate a deep knowledge of industrial software and protocols in the development of ICS malware for reconnaissance, compromise and potentially physical damage.

Attribution and motivation can be problematic to ascertain, as some developing commentary suggests. However, publicly available evidence clearly demonstrates increasing risk, with the recent US ICS-CERT year in review highlighting a 20% increase in reported ICS cyber incidents last year. It also confirmed cyber-attacks against manufacturing companies had doubled.

The increasing focus on cyber risk, incidents, and ICS vulnerabilities is bound to affect organisations operating control systems, and their stakeholders. Standard & Poor's Ratings Services has begun challenging banks on their cybersecurity readiness, even asking about board-level cyber expertise. Moody’s rating agency went so far as to issue a warning that they will consider cyber risk when setting company credit ratings, potentially making borrowing more expensive for higher-risk organisations, particularly utility suppliers. Insurers would be foolhardy not to follow suit, although whether an assessment could potentially deem an organisation uninsurable or premiums more expensive is debatable.

All of these organisations are likely to demand evidence of an ICS-focused cyber security strategy, governance, supply chain management and appropriate risk-based measures to defend against cyber-attack. Most importantly, cyber events are inevitable, and well-developed incident response plans to enable rapid restoration of operations are essential.

So what measures might provide suitable evidence to third parties that ICS systems have appropriate protection measures?

Collaboration and information sharing are highly recommended via the UK Control Systems Information Exchanges and the Cyber-security Information Sharing Partnership (CiSP) to appreciate vulnerabilities, understand threats, learn from events and share good practice.

The UK CPNI has recently issued updated guidance on securing ICS, and there are more complex security standards that might be applicable. However, I suggest that a more simplistic approach is likely to be followed in the absence of suitable accreditation (such as a Cyber Essentials for ICS).

The Seven Steps to Effectively Defend Industrial Control Systems might be a starting point for manageable good practice, along with an in-depth defence strategy. These Steps describe strategies that would have detected or prevented ICS cyber incidents, illustrated using real events. The application of these strategies can dramatically improve security, and will serve as excellent evidence for ICS-specific cyber security. Similarly, the 10 basic cyber security measures developed for water utilities offer complementary guidance, with additional advice for successful programme implementation.

UK & Europe,

In November 2015, Chancellor George Osborne announced plans for a £1.9 billion investment in cyber security and the creation of the National Cyber Centre. In his speech he highlighted the need to protect our critical infrastructure; in particular those systems used to control physical entities, often now referred to as operational technology (OT). Following the recent Chatham House report into cyber security in the nuclear sector, the European Union Agency for Network and Information Security (ENISA) has now published its report on control systems security. Titled “Is Europe ready to protect SCADA?”, it focuses on Industrial Control Systems (ICS) Cyber Security Maturity Levels across Europe. The research describes national security postures and makes high level recommendations for improving OT security practices. Four 'maturity profiles' of Member States were identified within the study, including:

  • Leading: with strong legislation and supporting mechanisms dedicated to ICS cyber security improvement
  • Proactive Supporters: focused on strong Critical Infrastructure operator support and driving ICS cyber security improvement
  • Reactive Supporters: with a focus on lessons learned and reactive means of improving ICS cyber security
  • Early Developers: in the process of developing legislation and supporting systems to protect ICS in critical infrastructure.

Individual Member States were not identified against a particular profile; however, the UK position is leading in support, given the history of developments that largely already correspond to the major recommendations outlined in government policy on cyber security. The UK has stopped short of specific regulation to date, instead favouring a risk-based voluntary approach. The UK Government is working with industry to promote and align best practices and standards with the US National Institute of Standards and Technology Cybersecurity Framework.

The study made six major recommendations to improve ICS cyber security maturity:

1. Align ICS efforts with national cyber security strategies and Critical Information Infrastructure Protection (CIIP) effort.

Currently the research showed ICS cyber security was not aligned to national strategies in some states, though the UK clearly leads the way here.

2. Develop good practices specific to ICS cyber security.

Some Member States do actively promote industry good practice, and again the UK leads with the recently published Security for Industrial Control Systems. It makes sense to utilise existing good practice across Europe, but the issue for operators or asset owners will be navigating the plethora of guidance already available and dealing with the challenges of national compliance where mandated.

3. Standardise information-sharing among critical sectors and Member States.

This includes the recommendation to have a single platform and process, citing the US ICS-CERT example for incident reporting and focal point for good practice. An overarching national or EU-wide ICS CERT could be the focal point for sharing of best practice, threat and vulnerability warnings.

4. Build ICS cyber security awareness.

The recommendation is for a more reactive approach to promote continuous improvement for policy developers as well as asset owners. Focus provided by a local ICS-CERT could provide a platform for building local knowledge and growing awareness.

5. Foster expertise with ICS cyber security training and educational programmes.

This recommendation focused upon the common misunderstanding of IT security considerations being similar to OT environments, leading to security, operational and, potentially, safety flaws. The report recognises the scarcity of people that have a deep understanding of ICS systems and cyber security, and the need to develop programmes and facilities for training to fulfil the current and inevitable shortfall as awareness grows.

6. Promote and support ICS cyber security research and test-beds by involving ICS experts and vendors in addressing current and future threats, whilst supporting innovation and encouraging security by design.

More Member States are working on legal instruments to mandate minimum security requirements.

As previously suggested by Andrew Cooke in Angles in November, no one really advocates increasing regulation. Our experience has shown that regulation can stifle innovation and good practice development, whilst affording a false illusion of security through compliance, which may not address the specific risks to an organisation. Indeed, given the disparate and distributed nature of operational technology it is hard to see how such regulation might be successfully enforced.

Experience tells us that excessive regulation can lead to increasingly ingenious circumvention. Therefore, a rational approach could be the continued development and promotion of international cyber security standards for control systems. The link between safety and security is never more apparent than in the area of OT where the impacts of a cyber-attack can be to affect safety and safeguarding measures, leading to significant hazards.

A risk-based approach to cyber security and the use of standards can encourage organisations to take a pragmatic approach and encourage greater adoption.

UK & Europe,

A recent report from the BBC stated that ISIS is planning to unleash a number of deadly cyber-attacks against UK targets and has put the issue of cyber security at the forefront of many organisations’ minds. As a result many have begun to question if we are behind the curve in cyber security expertise, and if we recognise the organisational challenges? The phrase ‘cyber security skills’ is so broad as to be unhelpful. Do we know what specific skills we’re talking about; which specialisms we need to foster?

Last week I had the opportunity to debate this very topic with cyber security peers at the Information Assurance 2015 (IA15) event in London. Addressing the cyber security skills balance requires more than just evaluating a number of specialisms, with organisations needing to address a number of key challenges:

  1. Raising awareness of the risk: If an organisation is unaware of the level of risk they face to their systems or data from malicious cyber-attack, they are unlikely to invest in or employ the right people to protect them from those risks.
  2. Designing in security: Low awareness and expertise also causes inevitable procurement issues. An organisation cannot be considered an ‘intelligent customer’ if it does not fully understand its cyber security requirements. Off the shelf systems offered by many vendors may sound secure, but often key security features of those systems are not chosen for a number of reasons including lack of awareness, they cost too much or they don’t easily integrate with an organisation’s existing systems. 
  3. Culture: In order to be effective, security should be everyone’s responsibility. Developing awareness across every part of an organisation is a key skills challenge. Once a year online learning and testing is insufficient.
    We could learn much from how health and safety compliant cultures are fostered effectively in organisations across the UK. These include company policies on the use of equipment or facilities, the sharing of ‘safety moments’ at all meetings, and an awareness that failing to comply with agreed practices is frowned upon. Safety competence approaches can inform how we deal with security education, training and experience.
    Importantly, this culture needs to be driven and embraced at board level to be effective and pervasive. Research shows that some boards are not familiar with vulnerabilities in their industrial control systems and have therefore provided inadequate resources to address the issues. This is typically as a result of no, or low, perceived risk thanks to a lack of reporting, both internal and external, or staff governance.
  4. Usability: Although security is an organisational skills issue, those organisations don’t always make it easy for their staff. Many have a habit of making security difficult for legitimate users. Users don’t like to circumvent security, but poorly considered ‘more secure’ approaches will typically fail, leading to less secure activities. A prime example would be adopting policies that enforce impractical password solutions, causing users to end up writing those complex passwords down. New guidance on usable security policies has been issued by GCHQ and I would recommend all organisations review these.
  5. Understand the competing requirements: Usability and IT objectives are often in conflict with control systems and safety. Restricting services could prevent safety-related actions taking place. For example, you cannot afford to enforce a complex password log-on in order to implement a safe shutdown in the event of an incident. The approach for objectives that meet organisational goals requires greater collaboration from skilled specialists across different domains - IT, OT and safety - by forming multidisciplinary teams to look at security.
  6. Understanding the opportunities and risks of the internet of things (IoT): The speed of development within the Internet of Things is staggering, particularly across industry, and many view it as the fourth industrial revolution. However, by its very nature the IoT creates cyber security vulnerabilities in devices that IT specialists would not normally have considered before, such as cameras, building control systems or white goods. As effective cyber-attacks find backdoors through otherwise secure systems, expertise in fully evaluating the many and varied vulnerabilities across all devices that connect with an organisation’s network is essential.

In order to be effective, an organisation’s cyber security needs to evolve. Security as a project is not an effective defence against a sophisticated enemy that is constantly developing their methodologies and looking for the next vulnerability to be exploited. It’s a journey. Learning from the mistakes of the past, like Heartbleed, that redefine vulnerability and risk overnight is key. So is developing and maintaining the right balance of skills – within the IT team and across the organisation as a whole - to effectively address an organisation’s specific security risks and requirements.

UK & Europe,

The increasing digitisation of our national infrastructure offers many benefits to organisations and their customers. However, some fear that the systems used to control physical functions of this infrastructure, often now referred to as operational technology, could have the potential for a serious cyber-incident. The massive damage caused by a sophisticated cyber attack on a German steel mill last year illustrates the potential threat.

The Financial Times recently picked up on the report published by Chatham House, “Cyber Security at Civil Nuclear Facilities: Understanding the Risks”, which considers the major cyber threats to civil nuclear facilities. This report comes hot on the heels of a review being undertaken by the Department for Energy and Climate Change into cyber risk in the civil nuclear sector in the UK.

Chatham House’s findings are generally consistent with our experience of other industrial sectors using control systems. Of course, a single incident in the nuclear sector carries greater consequences than in other sectors and consequently generates greater public concern. However, what is less understood by the public is that the systems used to control industrial plant are not the same as those used for safety-critical control. The latter tend to be isolated systems, with rigorous access control, monitoring and working practices, not purely dependent upon digital technology for protection.

We work with almost all of the existing UK nuclear power generators and the nuclear new-build companies. In my experience, these organisations are ‘designing security in’ and developing best practice technical solutions to tackle threats.

The report highlights some challenges for the world-wide industry including:

  • Low levels of cyber incident disclosure, creating a false sense of security that stifles appropriate security investment. However, full disclosure can lead to copying of tactics or techniques, thereby increasing risk.
  • Unsuitable risk assessments can lead to insufficient spending on cyber security. The issue of improving risk understanding at board level is a critical one. Our experience is that, in the UK, the nuclear industry is leading the adoption of good practice and boards are taking security and safety risk assessments very seriously. Integrating control system security and safety risk assessment and treatment is now a focus for good practice development and international standards committees.

The report goes on to identify other challenges:

  • Cultural challenges, including the difficulty in communications between plant engineering (operational technology) and information technology personnel, addressing the need for greater appreciation of cyber security, training and skills development. We have seen that this human element is already being addressed in the nuclear industry, particularly the cultural aspects of integrating formerly disparate disciplines, as well as ensuring security roles and skills are developed to meet current and future needs.
  • Technical challenges, including control systems which were not initially designed securely. Standard IT security approaches are often difficult to implement in plants, due to technical validation requirements, potential downtime and the commercial imperative to remain operational. Yet, these generic findings do not illustrate the secure design developments and practices being undertaken by the UK nuclear industry and the supply chain.

The Chatham House report recommends that the nuclear industry should provide a balance between regulation and self-determined actions to avoid stagnation. It also recognises the need for risk-based approaches and innovation, whilst avoiding compliance-driven requirements that do not reflect the state-of-the-art, or the developing nature of threats and vulnerabilities.

In summary, though I’d broadly support the findings of the Chatham House report, I would emphasise that the UK nuclear industry is far from complacent. In fact, for all the reasons outlined above, it is world-leading in its approach to addressing cyber security threats.


The most significant hack since Stuxnet targeted Iran’s uranium enrichment programme in 2010 caused massive damage to a German steelworks, according to a report published this week by the Federal Office for Information Security (BSI). Whilst the Sony hack caused the release of film star emails, a Bond film script and cancellation of film screenings, grabbing media attention, the significance of deliberate physical damage caused by sophisticated network intrusion has passed largely unnoticed (in mainstream media). This is probably the only publicly known incident where physical damage to a plant has been deliberately caused by malware since Stuxnet.

Full details have not been released, but the report “The IT Security situation in Germany 2014” highlights the significant impact an Advanced Persistent Threat attack has had on a steelworks, causing damage to a blast furnace by forcing an unscheduled shutdown. People often ask why, then, critical industrial processes are connected directly to the internet. They aren’t intentionally. But they are connected to business systems in order to manage production and to obtain statistical, historical, and logging information for business process optimisation. The attackers exploited the internal connectivity of the corporate and industrial control networks.

The attack used a sophisticated spear phishing and social engineering campaign to obtain initial access and a presence on the corporate office network. The attackers then moved from the corporate networks on to the production networks to locate industrial control systems. Over time, industrial control components were compromised and control system failures became increasingly apparent, leading to loss of plant control. Failures ultimately caused an unscheduled shutdown of a blast furnace, preventing the normal safe ‘graceful’ shutdown and causing extensive damage and loss of production.

Like Stuxnet, the perpetrators exhibited advanced technical skills from multiple domains. Initially, they undertook a reconnaissance phase to identify individuals and an approach for the spear phishing and social engineering campaign. They then displayed corporate IT and security domain skills, compromising corporate computers and networks and traversing to the process control networks. The attackers demonstrated a knowledge of both industrial control systems and the production process. The combination indicates that the group responsible had a significant presence on the steelworks’ networks, allowing them to navigate the corporate systems and the industrial control systems and form a detailed understanding of the automation controllers and production process. It is highly likely that intellectual property, proprietary process knowledge and contract information were also stolen.

Critical infrastructure attacks this year include Energetic Bear (aka Dragonfly), Sandworm and the recent revelations of Cleaver. However, these incursions appear to be early reconnaissance, with no physical effects. We have also seen designs and manuals of plant equipment owned by Korea Hydro and Nuclear Power Co (KHNP) in South Korea put online by an unknown individual or group, followed by several threats to the infrastructure. It is acknowledged that should systems in utilities, energy, manufacturing, oil and gas be attacked, the damage and disruption could be enormous. This steelworks attack is one of the first to cause significant physical damage. International respondents to a recent critical infrastructure survey in these sectors recognise the increased likelihood of successful attacks against their IT and industrial control systems, yet they admit more needs to be done, and many respondents either did not know or were unsure about control system vulnerabilities, and had not informed senior executives of the risks.

Organisations are seeking to improve operations and converge IT and industrial control architectures to optimise business. Crucial to these improvements is enterprise access to operational information, without compromising security. Technology adoption in industrial control systems lags behind that of IT, due to the differing operational requirements. These include high availability, safety and reliability coupled with significantly longer lifecycles; fifteen to twenty years is not uncommon, and can be even longer, far exceeding IT refresh or outsourcing cycles. Addressing these challenges requires a collaborative approach across multiple domains, recognising that industrial control system security awareness is potentially low across an organisation. An approach that combines converged governance and risk management, sustained by appropriate programme management, will enable a comprehensive understanding of organisational risk in order to secure vulnerable production systems.
