PRINT BOOKMARK

Cyber resilience

We view cyber resilience as the ability of an organisation to understand the cyber threats it’s facing, to inform the known risks, to put in place proportionate protection, and to recover quickly from attack. Depending upon the client, robust cyber resilience ultimately provides cost-effective business or service continuity, sustained revenue, or the uninterrupted delivery of military effects. It also contributes toward the ongoing protection of the UK.

If you would like to download our free Cyber Resilient Infrastructure report, you can do so here.

MOST RECENT

The WannaCry or Wanna Decryptor malware has affected 150 countries, including the United Kingdom, United States, Spain, Russia, Taiwan, France, and Japan. Several variants have already been reported, all presently targeting Windows-based operating systems, including embedded versions. Further variations, which could target other operating systems such as Linux, are anticipated. Early indications suggested email phishing campaigns initially infected computers, using email attachments and malicious websites links have been confirmed. The worm then spreads across networks.

While assurances have been given regarding the loss of patient data, the malware provides backdoor access to victim’s computers, so data theft is a distinct possibility. Yet, the issue isn’t just about the security of patient information, it’s also about preventing patient harm.

This is not an isolated incident. Similar incidents have already occurred in the healthcare sector, even in the UK. Only a few hospitals were affected, attracting limited publicity and concern. Many more medical facilities belonging to the U.S. MedStar Health provider were severely disrupted last year. The impact of such attacks also feature in a new BSI publication on Medical Device Cyber Security, which describes the convergence of safety and security risk, along with defensive principles.

Other sectors have also been impacted  including UK,  French and Romanian car plants and the German rail operator. Spanish victims included telecoms multinational Telefonica, and utilities Iberdrola and Gas Natural. Critical infrastructure asset owners have been impacted by ransomware in the past, including several power utilities.

WannaCry screenshot

Organisations with unsupported operating systems or ineffective patching programmes will continue to be vulnerable. At best, it’s a race to patch against the inevitable malware opportunists, and remove specific network services. So, what can be done to avoid potential reputational damage, disruption, loss of information, financial loss, and impact on customer [patient] wellbeing? The mantra must be to be to get the basics right:

1. Backup systems, and exercise the plan for incident response, and restoration of compromised systems. Patch and update systems, although this can be a challenge for Cyber Physical Systems (controlling physical processes), with 24-7 operation 365 days a year, coupled with long lifecycles. Compensating measures must be put in place where patching and updating cannot be achieved in a timely fashion.  Network architecture implementations that protect and segregate vulnerable systems, with anomaly detection are common approaches, along with disabling unused services/protocols.

2. Address phishing as the route to initial infection. Education of staff will reduce the number of successful attempts, but is unlikely to protect against habitual clickers or well researched, and crafted, targeted spear-phishing. Therefore, other technical measures are needed to prevent malware being downloaded or malicious sites visited. Raise awareness amongst employees, particularly to operational and engineering staff, of recent threats and attacks.

3. Manage the supply chain. Address the security of embedded systems, that may have long lifecycles. What is the security model and how will this continue to offer proportional risk-based defence? Asset owners should stipulate their security requirements. Vendors should offer these by default, and they may even become a product differentiator in the short to medium term. Expect them to be included in future procurement specifications.

4. The UK’s National Cyber Security Centre has published specific guidance for administrators and home users that should be acted upon.

5. Visit the “No More Ransom” website, and please pass on the recommendation. The initiative seeks to help victims of ransomware retrieve their encrypted data without having to pay the criminals. It also offers prevention advice too.

Finally, new forms of malware are being discovered at an ever-increasing rate. CNI security postures needs to address the evolving risk with regular reviews.  Cyber security is still a journey, not a destination. Governance regimes need to reflect the salutary lessons identified when the dust settles.

Image of WannaCry screenshot in banner image provided by Kaspersky.

UK & Europe,

Having had time to digest the major themes in this report, I think that the Government at the time seemed determined to establish the Cyber Essentials scheme as key parts of UK SMEs cyber tool kits, and to leverage the insurance industry to secure that goal.

The message was that Cyber Essentials or Cyber Essentials Plus compliance would deserve a reduced premium, as well as enabling greater cyber-risk awareness among SMEs. The report indicated that cyber insurance firms were likely to offer support in becoming Cyber Essentials certified as part of the insurance process. This patently did not happen as planned, and the UK National Cyber Security Centre (NCSC) are yet to pick up the reins sufficiently to consider cyber insurance guidance.

The report was aimed squarely at SME cyber risk in the IT space, with brief mention that Cyber Essentials may not be appropriate, or rigorous enough, for many manufacturing industries. Regulated industries and critical infrastructure will have their own regimes to follow, so what for the SME manufacturing industries? The NIST cyber security framework or the SANS 20 controls are an excellent starting point, not to mention the many standards that exist such as ISO/IEC27001, ISA/IEC62443 etc.

An obvious barrier to widespread adoption of worthwhile, insurance-backed, cyber security in the industrial arena is having sufficiently good cyber forensic capability in place to be able to back up any claim. In the event of an incident, the bias for most manufacturing organisations is naturally toward production and not to preserving evidence; it may not even be obvious that a cyber event has occurred until later.

Bringing the insurance arena up to date, a recent (March 2017) report from Swiss Re: , a leading global re-insurer, explores the cyber insurance industry today and its recent evolution. This report, like many others, misses the point that the potential costs of a cyber breach are not rising – they always have been huge. What is changing fast is the democratisation of adversary capability, the ever-lowering of the bar to entry for ransomware and other malware. The report does correctly highlight the lack of mainstream cyber risk management practices, both pre and post-event, the still-immature market, and the dearth of understanding surrounding cyber events emanating from the culture of silence. All of these must be overcome collaboratively between insurers and the insured to enable proper transfer of residual risk.

A final ‘red flag’ from the Swiss Re: research is that of uninsurable risk. This is closely linked to critical infrastructure (utilities, major industry) where catastrophic loss could lead to Government intervention. Here, the low number of events to base assumptions on, coupled with the magnitude of consequential and accumulated losses naturally tends to limit the willingness of insurers to become involved. This surely must act as a spur for industry to enable insurers to evaluate the underwriting risks better by supplying better information about cyber events.

UK & Europe,

The most recent campaign is reported to have commenced on 6 December, continuing through to 20 December. Vsevolod Kovalchuk, a director at the Ukrainian national energy company Ukrenergo, told Reuters that the 200 megawatt interruption was equivalent to approximately a fifth of Kiev's night time energy consumption, and that the scale of the interruption was very rare.

The automation was shut down in the Pivnichna power transmission substation located north of Kiev. The remote terminal units (RTUs) opened circuit breakers, causing a power outage that lasted for 75 minutes. Power was restored manually, with full restoration early the following morning. Power loss was reported in northern Kiev and on the eastern bank of the Dnieper River and the surrounding area.

The Ukrenergo director described ‘external influences’ effecting workstations and SCADA (supervisory control and data acquisition) servers, and anomalies with transmission network data. Although investigations are ongoing, in the meantime researchers have confirmed significant similarities to the power outage a year earlier. This includes phishing attacks, with malware embedded in Microsoft document macros, and traces of BlackEnergy 3 malware used in the attacks targeting Ukraine Government organisations.

Oleksii Yasnskiy of ISSP labs, distinguished the more recent attacks, using significant obfuscation: “Being more complex and better organised.”

Marina Krotofil, a security researcher at Honeywell Industrial Cyber Security Lab contrasted the previous damaging attack: “They could do many more things, but obviously they didn’t have this as an intent. It was more like a demonstration of capabilities.”

Ukrainian media and security researchers have also reported further cyber-attacks including distributed denial of service (DDoS) attacks on the Defence Ministry, government sites, financial sector, railways, ports and electrical power transmission.

The electricity sector in particular and governments as a whole will be disturbed with the escalation illustrated by further attacks. Particularly the attack on a power transmission substation, with the potential for much greater impact than previous attacks on distribution sub-stations. Whether or not this is perceived as a demonstration or testing of capability, it raises concerns. Given the motivation to attack critical infrastructure with apparent impunity and in contravention of international law, the intent highlights the need for effective cyber security and well developed incident response planning.  

Lessons will be drawn from both Ukraine attacks, including the methodologies utilised by the perpetrators and the opportunities to disrupt different stages of the attack. It is highly likely the investigation will indicate perpetrator presence on target networks and use of remote access to disrupt the substation automation. The capability demonstrated emphasises the importance of understanding normal network activity and recognising abnormalities. Both attacks also underline the need for mature incident response plans, which are regularly updated, tested and reviewed.       

Beyond the quick wins a system assessment will identify, there is much potentially applicable guidance that could be used to assist in responding to these developments and improve resilience.  

IEC 62443, the international standard specifically developed for industrial cyber security is one approach that has grown in substance and application. However, embarking on an implementation is a significant undertaking. This multipart standard has been revised and further developments will incorporate many distinct aspects of securing industrial systems that are applicable to critical infrastructure. High hazard industries will benefit from the approach to manage safety requirements alongside security in the forthcoming related specification (IEC TS 63069).  However, simply seeking to claim compliance with IEC 62443 would be an inappropriate response to securing critical systems.

Instead, asset owners, equipment vendors and system integrators should choose pertinent guidance to support their security strategy, and formulate a cyber security plan for implementation. Atkins recommends a lifecycle approach to engineering cyber security, underpinned by governance and a suitable security management system. An organisational cyber security capability assessment can be used to identify and prioritise areas for improvement to be addressed in the cyber security plan. The organisational assessments can be supplemented with technical assessments as appropriate. The applicable guidance can then be used to direct implementation depending on the entity’s role. An established cyber security framework, such as the NIST Cyber Security Framework (CSF), can draw together the application of good practice principles and assist organisations in the management of cyber risk in critical infrastructure.

Addressing cyber risk can be a daunting and confusing prospect for many organisations, and often appears intangible. An effective approach requires the organisation to understand their business risk, and target resources to those areas where they will have the most effect. There is no magic bullet, or technology solution that will reduce risk.  Frequently, in our experience, many cyber security challenges revolve around people, their awareness, communication, organisational structures and accountability. Senior management support is essential to realise meaningful improvements over the longer term.  

UK & Europe,

On 7 December, the Nuclear Threat Initiative (NTI) launched a new report entitled “Outpacing Cyber Threats: Priorities for Cyber Security at Nuclear Facilities”.

The development of the report was driven by the fear that we’re heading for a world where a cyber-attack on a nuclear facility could have devastating effects and that the increased digitalisation of nuclear facilities makes such an attack more likely.

Another key factor is the fear that potential attackers are increasingly at an advantage. The threat landscape is evolving rapidly both technically and in terms of potential aggressors. Attacks which would have taken nation state-level resources a few years ago are now within the reach of smaller, less well-resourced groups or even individuals.

The brief to the authors of the report was as simple as the problem statement – given a free hand, what can be done to reduce this risk over and above what is already being done? What could we do better or faster to reduce the likelihood of a cyber-attack causing a devastating incident? Four key ideas became the basis of the report. These were:

  • Institutionalise cyber security – treat cyber security in the same way that safety is treated in the nuclear industry
  • Mount an Active Defence – be able to detect and respond to an attack quickly rather than relying on static defences (such as firewalls and anti-malware) to keep you safe
  • Reduce complexity – limit the digital footprint in the most critical areas of the plant, avoiding digital technology entirely in some areas e.g. in favour of purely electromechanical devices
  • Pursue transformation – devise innovative approaches in both technology and in developing human resource to drive a step change reduction in the cyber risk to nuclear facilities.

Institutionalising cyber security is a fairly obvious and attractive objective. Although there have been  high profile nuclear accidents such as Three Mile Island, Chernobyl and Fukushima, the nuclear industry has an enviable safety record. In fact, you are probably safer on a nuclear plant than in a normal office environment.

The approach to physical and information security is also very obvious to anyone who has visited a nuclear facility. That can give the impression that everything is covered but until comparatively recently the approach to cyber security has been almost totally focused on avoiding the loss of Sensitive Nuclear Information (SNI). It seems paradoxical that the cyber security of critical control systems is not afforded the same importance. How can an insecure system be regarded as safe?

A malicious cyber-attack needs to be considered in the same way as any other event which may befall a nuclear facility. Many cyber-attacks have had consequences that the perpetrators did not intend e.g. early malware such as Sasser. The worry here is that we will have to wait for a series of incidents before we say enough is enough and give cyber security the same level of importance as safety.

The idea of Active Defence was also readily accepted in the development of the report. The same concept is expressed in the UK’s National Cyber Security Strategy 2016 to 2021, published in November. Active Defence does not mean returning fire. Rather it means that you cannot rely on protective technology such as firewalls (or data diodes or even air gaps), anti-virus software etc. to protect against attacks. It refers to an ability to detect threats and respond intelligently and quickly as required, limiting the effects of an attack.

Reducing complexity was probably the most difficult idea to accept. Everyone has gotten used to the benefits of digitalisation in the industrial arena and in their personal lives. Many times in my career I’ve heard comments along the lines of: “Over my dead body will you bring X onto my plant,” where X is connectivity to the enterprise network, the use of Windows etc. Every time the change has eventually come, so while resisting it is going to be hard, in some cases it may be the right choice.

Pursuing transformation is perhaps the vaguest recommendation but it may turn out to be the most important. Good cyber security of nuclear installations is hard enough to achieve in countries with a long established nuclear industry. Global warming is driving us to pursue nuclear power and renewables as our main energy sources so many states are now building nuclear facilities for the first time. We need a better, clearer way to ensure that such countries can ensure that they are as cyber secure as possible and this may need approaches which are radically different from the ones currently in use.

It’s always difficult to talk about the cyber security of control systems in any sector in a way which does not seem pessimistic but the above discussion and the report itself should not be seen as all doom and gloom. For those of us that have been involved in the quest for better control system cyber security for a long time there are encouraging signs of change. Indeed, in the UK the changes which the nuclear sector has undergone are now being used as a model for other sectors.  

If you'd like to read more about our views on how critical national infrastructure can become more cyber resilient, why not download our free report here.

UK & Europe,

According to the U.S. DOT, ITS consists of the “operational systems of various technologies that, when combined and managed, improve the operating capabilities of the overall system.” ITS continues to evolve and introduce new and exciting technologies and capabilities, including smart and connected vehicles, but ITS also encompasses smart phone applications, roadside networks, toll collection kiosks, CCTV cameras and traffic management centers to name a few examples.

Product vendors and technical experts are paying attention to security of individual products. This is a good start. However, our industry is clearly not yet mature on security matters. ITS may repeat errors made in other industry sectors. Technologists must learn the lessons of recent years where organizations such as Target, Saudi Aramco and the US Office of Personnel Management (OPM) suffered abuse of trusted access leading to financial theft, massive data deletion and sensitive information theft, respectively. These serve as examples of high-profile data breaches and hacking, but the stakes for ITS are much higher—namely the safety and trust of roadway users. Users implicitly trust that retailers are at least attempting to address their security and privacy concerns holistically and with due care. Users also trust that their governments will ensure the safety and security of the roadway infrastructure they use every day.

Security is a systemic concern involving what is seen (i.e. the product of concern such as a ‘smart’ vehicle), but also what is not seen; the people, processes and technology which permeate in and between organizations. Vehicle security is high-priority because the combination of the basic physics of a moving object and a hacker with malicious intent is a dangerous one. With the growth of vehicle-to-infrastructure (V2I) communications, there is some chance that an infrastructure attack may cause injuries or fatalities, though probably less chance than a direct vehicle attack.

What is the threat?

The source of threats to ITS infrastructure varies greatly, as do their motivations—from researchers looking to make a name for themselves, hackers motivated by greed, malice or politics, to nation states looking to create instability or an advantage during times of tension and uncertainty. Once hackers gain access to a network, they seek out where they can have the largest impact for their motives. Penetration of one piece of ITS equipment is a notable threat, but the ability to affect more than a single piece of equipment is much more significant and has been demonstrated by researchers.

How do we fix it?

Cyber security is an arms race. A robust cyber security program implements strong security practices to manage the risk of network compromise and data theft. Average adversaries are unable to achieve their aims and many sophisticated adversaries will give up or go elsewhere to easier targets. To address the specific threats and vulnerabilities in a systemic manner, here are ten enterprise IT security controls to consider:

1. Know your environment: The first step before building a comprehensive and holistic solution is for organizations to know what they have and it’s value, in order to prioritize available resources to protect critical infrastructure.

2. Start with the basics. Address basic steps such as those found in the CIS Critical Security Controls. For example, continuous monitoring and basic internal and external assessments will uncover weaknesses in a network.

3. Know and manage your information-system related risks. Entities which offer/use ITS systems must implement information security risk management programs to effectively secure their organization networks and ITS solutions. 

4. Use independent validation paths for information. Keep humans in the loop! Independent validation of operational data allows staff to see conflicts between compromised system data and field conditions.

5. Develop defense-in-depth and incident response as core capabilities. Just as roadway managers employ designs, plans and capabilities to respond to and manage physical roadway events (such as accidents or dangerous weather events), knowing these occur from time-to-time, roadway managers must also employ designs, plans and capabilities to respond to and manage security incidents which will occur from time-to-time. Assume an ITS device is going to be hacked (not if, but when), whether by an outsider or malicious insider. Force an attacker to conduct a new exploit when trying to move through the network, rather than finding one vulnerability and having unfettered access to everything.

6. Employ detection technology. For higher risk deployments, detection systems such as intrusion detection systems (IDS) and intrusion prevention systems (IPS) can be expensive but are necessary. These detection systems minimize the risk of a compromise due to an unknown vulnerability or method of attack.

7. Deploy physical security measures. Do not place only a $5 lock on $10,000 worth of equipment that anyone can walk up to on the roadside. Invest in high-tech locks, alarms, cameras and motion sensors that notify security personnel immediately of suspicious activity.

8. Protect wireless features. Wireless access offers tremendous convenience, but also allows hackers to threaten your network from a distance. Ensure that strong encryption and access control is used.

9. Develop and maintain business continuity and disaster recovery plans. These are vital to customer assets and systems. Review them regularly to address rapidly-changing threats, networks and ITS equipment.

10. Participate in information sharing with private groups, law enforcement and computer emergency response teams. Encourage communication with organizations such as Infragard, the Multi-State Information Sharing & Analysis Center (MS-ISAC), industrial control systems (ICS) organizations such as the Cyber Emergency Response Team (ICS-CERT) or the ICS Joint Working Group (ICSJWG). The benefits of engagement and partnership with these organizations far outweigh the minimal resources and effort needed to get involved.

For more information, download the Cyber Resilient Infrastructure Report or read my white paper "How to Avoid Repeating History in ITS Security" co-authored by Chris Waters, SC3.

North America,

Ford recently announced plans to develop high-volume, highly autonomous driverless vehicles, aiming to achieve SAE International’s level 4, enabling high system control of vehicles. News headlines over the last few years have highlighted the potential dangers to autonomous vehicles from cyber-attack or system failure. Major manufacturers have all reported issues and the well-tested Google car had its first crash in 2016 after several years of use. Experience tells us control software, and its decision-making logic, is not infallible. While incidents are rare, the potential remains for them to be catastrophic.

Automation at the levels envisaged by manufacturers is bordering on both the common place and science fiction. To me the SAE International levels are an Isaac Asimov-like ‘six laws of driving automation’; from no automation (level zero) through to full automation (level six) with various modes and capabilities being engaged across the driving range. For levels three to six, an increasingly bewildering range of technologies that make up vehicle systems could equate to the robotic ‘positronic brain’ in Asimov’s robots – the heart of autonomous decision-making for vehicle control, monitoring and performance.

Reading between the lines, no doubt Asimov’s robots were very heavily tested and the positronic brains put through their paces. It feels like the same may not be said for autonomous vehicles.

In technology terms alone, interconnectedness abounds both within and without the vehicle and the attack surface is staggering: infotainment systems, wireless sensors, diagnostic ports, infrared control, USB, Bluetooth, keyless entry and telematics services with in-car applications. Each of these systems is potentially complicated by various levels of product maturity and multivendor system solutions that in turn engage with other elements of a digital ecosystem.

While the core components in themselves may be robust, it is the link to other components outside the core elements that offer potential areas of weakness and vulnerability to cyber-attack from increasingly challenging threats. Should an attack or system failure occur, the impact is huge in terms of vehicle passengers and the manufacturer’s reputation. Securing these linkages across a diverse vendor base is a huge challenge. This patchwork build structure inevitably leads to weaknesses, many of which will be very familiar to veteran security hands:

  • Poor, or non-existent, product hardening including simple passwords or open communications
  • Lack of encryption across the vehicle network and through the telematics system
  • Poor segregation between components across the vehicle network.

These are security’s ‘grapes’, ripe for picking, followed by mayhem in the pressing shed. There is so much more that the manufacturers could do but at the moment they appear to choose not to.

While technology advances, bigger, more human-centric questions are raised. Trust is critical. Humans must believe that these autonomous systems will operate properly if the industry has a successful future. After all, just who would get into one if the destination could be changed and the doors locked to stop escape! Providing real assurance that a vehicle is safe and secure is paramount.

Also, its decision-making heart must also be able to make the same value judgements that humans make every day. Can it make decisions between life and death? What logic applies then? What humans do by reaction, wisdom or feeling needs replicating. We must have full confidence in the systems if we are to use them on our roads.

Just how do we provide this assurance? How happy do people need to be to give up their control?

The industry is confident it can overcome these challenges, but from a security perspective the way forward does not seem so assured. With a multitude of manufacturers and vendors each developing products in isolation or exclusive partnerships, this fragmentation hides potential vulnerabilities between systems and implementations. Over the last couple of years we’ve started to see some emerging security approaches beyond ISO 26262 but these don’t feel enough. Both the SAE and the IET have active groups exploring these issues so the problem is being worked on.

With all this new technology about, security needs to step back a bit and perhaps remember the 80-20 rule: As a starting point, implementing the 20% most important controls will likely manage 80% of the security risk. This basic approach can take security forward with a bit more pace – taking an overall look at vehicle cyber security through a framework model focused at increasing protection, resilience, awareness and confidence in the systems.

At the very least manufacturers and vendors could be prompted to assess the overall maturity of their cyber security within the operational systems of vehicles, the modules they plug in and how they then interact, including the information captured and its subsequent flow. These assessments can be used as a baseline to demonstrate what is being performed well, what security gaps exist and how these can be reduced to increase the overall security posture.

Taking things further through more regular reviews and updates of systems that include patching on the move, improvements in general and good housekeeping all go a long way to getting the 80-20 right and taking most vulnerabilities out of circulation. This can only lead to better human assurance that really builds confidence in these vehicles.

UK & Europe,

Although I would always advocate having every feasible layer of security in place to protect an organisation’s industrial control systems (ICS), what I’d like to share now are my thoughts on how good system design techniques can augment those other layers. Doing so is a capability that is often overlooked, which is surprising considering that this is often the last line of defence after all other layers of security have been compromised.

‘Out of the box’ settings

To fully appreciate what can, and should, be achieved through rigorous design, configuration and management, one first needs to understand the condition in which ICS components are often delivered. Vendors are motivated to make their equipment easy to configure, easy to integrate, and least likely to generate technical support workload or service returns. All of this helps to create a positive first impression with their customers. To this end, devices tend to have the simplest, most accessible configuration:

  • common addresses are used (192.168.y.x)
  • default names, usernames and passwords are set
  • methods of automatic configuration are enabled (BOOTP, DHCP for example)
  • a wide range of protocols are installed/enabled
  • a wide range of services are activated, whether they are needed or not (web server, for example)

Although this is far from an exhaustive list, all of these are serious potential vulnerabilities. Default names will result in your system being easily discovered using open source methods. Default credentials will result in its compromise.

If they exist it is always worth using the vendor hardening guides to manage these risks.

Introduction of new features over time can catch out even the wary. My recommendation is to fully research all the features of your control hardware and software, as well as how to disable/secure/enable them effectively. Enable only what is needed. The temptation is always to leave well enough alone once working.

Design

Several design choices can greatly assist with resistance to attack, post-event forensics and recovery from upset (both accidental and intentional). These include:

  • Correct initialisation of states and variables – set values explicitly at start-up
  • Strong typing of variables (in common with many programming languages)
  • Tight scoping of routines and variables (in common with many programming languages)
  • Boundary/limit checking (again, in common with regular programming)
  • Well defined and repeatable response to power cycles – hot, cold and warm restart behaviours
  • Known and repeatable procedures for bringing the process up from dark and cold
  • Independent logging of operator actions and equipment responses
  • Good User Interface / human factors design that minimises the chance of human error
  • Electronic signatures/ electronic records – record what happened and when.

Configuration control

Take the opportunity to configure security, also known as hardening, very early in a project, when risk to delivery is low. It won’t happen later, after all!

Some kit is well-behaved and allows you to load/save configuration data. Other equipment will require that you painstakingly note it down and change it manually. Having found the best settings, manage them and ensure they stay that way. Some hardware can automatically load settings and programmes from non-volatile (NV) memory on replacement, and optionally on power cycle. Ensure the correct settings and programmes are stored in NV memory. Record (and check) versions and checksums where possible.

Ongoing Management

Keeping your industrial control assets up-to-date will have benefits outside of improved security. A good starting point to ongoing management includes:

  • Survey/audit – know what assets you have and where they are
  • Information – subscribe to OEM updates to hear about patches, new features/releases and updated firmware
  • Adopt OEM security features – enable and actively manage them (code protection, security managers, access control passwords etc.)

The kind of information you need to secure a system can be a big help in maintenance. Understanding data flows and required services is really useful when it comes to troubleshooting. Making security an integral part of good system design will help to stop people seeing it as a tax.

All of these features require effort and carry some risk (locked out by your own security, for one). And while their implementation may not be completely ‘free’, you must balance the costs against the potential benefits – in cyber resilience, maintainability and Total Cost of Ownership.

UK & Europe,

Business operations, and the technology that supports it, are increasing in complexity. Securing these operations is becoming more difficult, in no small part due to the continuing demand to create more modern, efficient and effective infrastructure.

What we therefore need is better design. Design that is undertaken up front and early in the process. We believe that existing industry approaches only go so far. As an organisation that designs and engineers some of the most complex infrastructure on the planet, we have some views on securing this – the security design challenge.

Technology and security professionals are used to designing technical approaches by using shapes on network maps and schematics - typically detailing many layers, boxes and connections. We adopt a different approach. Although we start with an idea and develop it into a detailed set of requirements, our approach is based on a different form, one which can address diverse levels of analysis, encompass an organisations strategy and objectives, and focus on the people, process and technology required to realise those objectives.

A fundamental aspect to this approach is our belief that security is probably misunderstood in many organisations. To us it is a process and not a product. It should exist to protect assets of value, meaning that it is a relative concept, it has no intrinsic meaning outside the asset view. As an asset changes then so does the security around it based on organisational risk approaches.

If security design is so important what can hinder it? In our experience the key elements are:

  • A misunderstanding of the threat as a fixed ‘thing’ when it has many components – sources, agents, motivation, capability, resources – any of which can change at any time.
  • Too much focus on technology that sits in organisational silos as the single solution to cyber. This inevitably leads to people and processes being overlooked, especially when most cyber incidents involve human error.
  • Little common language across organisations. Despite the fact that ‘security is everyone's responsibility’, every industry, sector and technology is different. Just think of the same and different needs of Information Technology and Operational Technology.
  • Cyber is borderless. It does not matter what country, organisational or functional boundaries exist, so security governance needs to span across these areas to avoid gaps in security posture.
  • We have an unbalanced workforce. Yes there is a cyber skills shortage, but it’s worse than that: the workforce is dominated by IT, yet we needs skills from across a business to provide for effective cyber e.g. business change, process analyst, human factors specialist; it’s not all about technology.
  • Over time the business and countermeasures lag behind technology and the threat. With this in mind we must ask ourselves ‘is this a battle we can win?’ This means organisations should decide what risk they are willing to accept.

 

 

 

So what does ‘good’ look like? Security needs to be built in at every stage of engineering design and fully aligned to business requirements. It is therefore about:

  • Understanding the business goals and objectives
  • Determining the assets and their criticality to the business
  • Understanding the threats, risks and opportunities related to the business operations and assets
  • Developing the strategies, processes, mechanisms, standards and tools that will underpin the goals and risks
  • Developing the governance, management, roles and responsibilities that will underpin the processes and mechanisms
  • Understanding the geographies, sites, business units and infrastructure where security needs to be implemented
  • Understanding the business time aspects, calendars, processing schedules and sequences.

This approach provides traceability from the business to the security requirements so that security controls exist to serve a specific business purpose.

Design though is not a one-off activity. We can’t pat ourselves on the back and walk away happy once it’s delivered. Technology evolves, threats adapt and business needs change. Our designs need to evolve with this and security needs to be lived and operated – it should be the oil in the cogs of your machine.

UK & Europe,

The Civil Nuclear Cyber Security Strategy; (CNCSS) complements the existing National Cyber Strategy, and sets stretch goals in consultation with industry, to address the risks to the safe and secure operation of new civil nuclear facilities and the management of legacy and waste facilities.

Success will be demonstrated:

  • Strategically in transforming industry’s approach to cyber security -  the ability to deter and protect against a cyber-attack and ensure cyber resilience, the ability to detect, contain, mitigate the effects and recover from a cyber-attack
  • Operationally with the continued safe and secure operation of legacy and future nuclear facilities in the face of growing cyber threats
  • Tactically with the increasing capability, capacity and agility of stakeholders to deal with all aspects of the cyber security challenges faced by the UK civil nuclear sector.

The desired outcome is to deliver an industry which has a mature approach to understanding the cyber threat, and is able to produce solutions which efficiently and effectively address that threat. Specific outcomes are:

  • The continuing improvement in capability and capacity through training and exercising with increasing senior executive understanding and ownership of cyber security risk
  • Industry to adapt to a tailored outcome-focused approach, as part of a holistic cyber security posture
  • An industry with a mature approach to understanding cyber threat and delivering outcome-focused solutions which are approved by the regulator.

The strategy highlights four distinct activities to support delivery:

  1. Deliver a comprehensive understanding of the cyber vulnerabilities across the civil nuclear sector
  2. Continuously mitigate identified issues and vulnerabilities
  3. Improve the sector’s capability to detect, respond to, and recover from cyber incidents
  4. Ensure sufficient resources are allocated to cyber security and resilience.

Atkins recognises the imperative for the nuclear sector. Recent events illustrate the potential consequences to the UK nuclear industry: Fukushima Daiichi nuclear disaster and the resulting closure of the German nuclear industry. Reputational damage resulted from malware found on the Gundremmingen nuclear plant in western Bavaria, which entailed a precautionary reactor shutdown. Incidents affecting individual organisations may impact the sector nationally and internationally, undermining confidence.

Work is already ongoing in a sector that keenly appreciates the need for safe and secure operation that also safeguards public confidence. The nuclear industry has traditionally focused on safety to provide resilience and security. More dynamic approaches are required to stay ahead of the continuously evolving cyber threat, the increasing nation state capability and the terrorist potential. The implementation of new operational technology could increase opportunities for malicious intent.

The strategy reinforces key themes essential to successful cyber security implementation; dealing with the increasing threat, board awareness, governance, Operational Technology (OT) and IT, and the interdependence of safety and security. Delivery will demand transformation, whilst ensuring all sector participants are fully engaged, particularly in the supply chain. This will entail closer relationships with partnering companies, contractors and suppliers to provide the proportionate cascaded risk ownership, understanding and mitigation. The supply chain will also be called upon to develop capacity and capability where there are skills shortfalls, especially in direct support of nuclear asset owners.

Nuclear facilities are required to be secure by design, and implementation. This necessitates appropriate cyber security skills and the development of industry capability to manage these activities both internally and the supply chain. This will place a requirement upon the supply chain to demonstrate measures proportionate to the risk they own. The regulatory approach is now transitioning from compliance to risk-based assurance. Whilst there have been rapid developments in both generic and sector guidance, industry participants would welcome direction under the new regime.

The nuclear industry needs to be resilient against increasingly sophisticated attacks requiring identification of critical assets and proportional risk mitigation. Security and safety necessitate equal emphasis to address risks, requiring IT, Operational Technology and physical security collaboration to achieve resilience. The Government is rightly looking to raise awareness across industry, ensuring executives have the information they require to develop the cyber security programmes with the necessary leadership, governance and resources to succeed. Non-executive boards will have greater means to hold boards to account.

The cyber strategy implementation is equally ambitious for all parties. It needs to be, in order to meet the continuously evolving, uninhibited threat and maintain public confidence in the nuclear industry, which is essential for our economic well-being.

UK & Europe,

Last week the BBC reported on the Government’s new £1.9bn investment in preventing cyber-crime. The report came with a survey that revealed that two thirds of big companies have suffered a cyber breach in the last year.

Is this really news? The former MI5 chief’s recasting of Benjamin Franklin’s quote that: “There are now three certainties in life: death, taxes and a foreign intelligence agency on your network,” is never more true.

The survey doesn’t provide a great deal of granularity, referring to breaches in “UK big businesses” without detail of impact, organisational scale or sector.

Making the nation cyber resilient means protecting critical national infrastructure first. Infrastructure is waking up to the threats to industrial and process control systems, which are still considered to present softer targets despite the significant potential operational impact if compromised.

Furthermore, the survey appears to not consider the UK’s growing small and medium-sized enterprise (SME) community, which represents an increasingly critical component of any resilient nation.

In order to make sure that UK plc is not put at risk by cyber-attack it needs to make itself more resilient to the threats that it faces. This means focussing on the risks that impact greatest on the successful operation of the UK. There are three things we can highlight to help take us there:

1. Focus on critical infrastructure: Cyber sits very much at the heart of UK plc, but its infrastructure represents the vascular system carrying its lifeblood, communications and energy and carrying away waste products. Many of the companies supplying these services are not UK businesses at all.

2. Supply chain vulnerability: It is all very well considering the threats to large businesses but inevitably one of the biggest vulnerabilities that all organisations have is their supply chain. Every big business will have a hundred or more smaller companies representing critical links in their supply chain. Any business’ resilience is dependent on the resilience of those within its supply chain so the Government cannot ignore SMEs and just focus on the big players.

3. Cyber resilience is about leadership: Creating a cyber resilient organisation has to start at the top and work down. What is it that is important to the organisation and what needs protecting? To determine that you need to start with the top level organisational objectives. There are few businesses now for which cyber is not a key enabler; maybe none. Effective cyber security needs to be an objective on the CEO’s list of top level objectives.

The key thing for organisations is not investing a fortune in trying to preventing attacks but instead ensuring that their important assets are well protected once they are attacked or even breached. It’s essential to create organisational cyber resilience by understanding what is most important to delivering your mission and goals and converting that into a clear and simple set of controls to ensure that your critical physical and information assets are protected.

As Baroness Dido Harding, CEO of Talk Talk and perhaps the UK’s highest profile victim of cyber-attack, would testify, making your business cyber resilient is all about leadership and not about attempting to hold back the tide.

In a piece in the FT (paywall) she explained: “The danger is we are asking the wrong question: are we safe? It's a lazy question because the only really safe way is not being online. We tend to see security as a technology issue not a business one.”

The strength or weakness of our cyber security has the potential to impact everything we do. It therefore goes without saying that the person who is responsible for running and leading an organisation – regardless of size - should be caring most about it.

UK & Europe,

On 23 December 2015, Ukrainian media reported a cyber-attack had left half the homes and 1.4 million people in the Ivano-Frankivsk region without electricity. Although services were restored within a few hours, this was largely due to manual intervention rather than by recovering compromised automation systems. Slovakian security firm ESET later reported that the initial incident was not isolated, and that multiple electricity companies had been affected simultaneously. Reuters also reported similar malware was found in Kiev's Boryspil airport, on IT networks which included air traffic control. Ukraine blamed Russia.

This incursion is one of a few confirmed against the grid, although no direct causal link has been established between the malware and the outage. However, previous events have caused physical harm, including Stuxnet (2010) which targeted the Iranian nuclear programme, and the German blast furnace destruction (2014).

While physical damage is rare, reconnaissance of the power grid has been widely reported before, with warnings of conventional retaliation made by the US. These prompted President Obama to order the development of the Cyber Security Framework for critical infrastructure.

ICS-CERT, the US Industrial Control Systems Computer Emergency Response Team is working with Ukraine’s CERT-UA and has confirmed the presence of Black Energy 3 malware. The ICS-CERT alert is a further warning regarding an ongoing sophisticated malware campaign compromising Industrial Control Systems (ICS), dating back to 2011. Black Energy 2 (2014) used vulnerabilities in ICS products directly connected to the internet to deliver malware. It had reconnaissance functionality, without destructive modules deployed by the perpetrators. In contrast, the new Black Energy 3 variant appears to have been launched using a spear phishing campaign with a malicious Microsoft Office (MS Word) attachment. A further round of spear phishing attacks used a malicious Microsoft Excel macro, purporting to require a newer version Microsoft Office to thwart security.

By comparison, the Havex malware targeted and compromised Energy sector control systems in 2013 and 2014, using multiple infection routes including spear phishing, infected ICS software downloads from legitimate websites, and compromised industry websites. The malware was used for intelligence gathering. However, an unfortunate by-product from the adversary’s perspective was the noisy reconnaissance, which had the unintended consequence of causing a denial of service on the ICS communication servers.

Both the Havex Trojan and Black Energy perpetrators have been described as ‘sophisticated actors’. They also demonstrate a deep knowledge of industrial software and protocols in the development of ICS malware for reconnaissance, compromise and potentially physical damage.

Attribution and motivation can be problematic to ascertain, as some developing commentary suggests. However, publically available evidence clearly demonstrates increasing risk, with the recent US ICS-CERT year in review highlighting a 20% increase on reported ICS cyber incidents last year. It also confirmed cyber-attacks against manufacturing companies had doubled.

The increasing focus on cyber risk, incidents, and ICS vulnerabilities is bound to affect organisations operating control systems, and their stakeholders. Standard & Poor's Ratings Services has begun challenging banks on their cybersecurity readiness, even asking about board-level cyber expertise. Moody’s rating agency went so far as to issue a warning that they will consider cyber risk when setting company credit ratings, potentially making borrowing more expensive to higher risk organisations, particularly utility suppliers. Insurers would be fool hardy not to follow suit, although whether an assessment could potentially deem an organisation uninsurable or premiums more expensive is debatable.

All of these organisations are likely to demand evidence of an ICS-focused cyber security strategy, governance, supply chain management and appropriate risk-based measures to defend against cyber-attack. Most importantly, cyber events are inevitable and well developed incident response plans to enable rapid restoration of operations are essential.

So what measures might provide suitable evidence to third parties that ICS systems have appropriate protection measures?

Collaboration and information sharing are highly recommended via the UK Control Systems Information Exchanges and the Cyber-security Information Sharing Partnership (CiSP) to appreciate vulnerabilities, understand threats, learn from events and share good practice.

The UK CPNI has recently issued updated guidance on securing ICS, and there are more complex security standards that might be applicable. However, I suggest that a more simplistic approach is likely to be followed in the absence of suitable accreditation (such as a Cyber Essentials for ICS).

The Seven Steps to Effectively Defend Industrial Control Systems might be a starting point for manageable good practice along with an in depth defence strategy. These Steps describes strategies that would have detected or prevented ICS cyber incidents, illustrated using real events. The application of these strategies can dramatically improve security, and will serve as excellent evidence for ICS-specific cyber security. Similarly, the 10 basic cyber security measures developed for water utilities offers complementary guidance, with additional advice for successful programme implementation.

UK & Europe,

In November 2015, Chancellor George Osborne announced plans for a £1.9 billion investment in cyber security and the creation of the National Cyber Centre. In his speech he highlighted the need to protect our critical infrastructure; in particular those systems used to control physical entities, often now referred to as operational technology (OT). Following the recent Chatham House report into cyber security in the nuclear sector, the  European Union Agency for Network and Information Security (ENISA) has now published its report on control systems security. Titled “Is Europe ready to protect SCADA?” it focuses on Industrial Control Systems (ICS) Cyber Security Maturity Levels across Europe. The research describes national security postures and makes high level recommendations for improving OT security practices. Four 'maturity profiles' of Member States were identified within the study, including:

  • Leading: with strong legislation and supporting mechanisms dedicated to ICS cyber security improvement
  • Proactive Supporters: focused on strong Critical Infrastructure operator support and driving ICS cyber security improvement
  • Reactive Supporters: with a  focus on lessons learned and reactive means of improving ICS cyber security
  • Early Developers: in the process of developing legislation and supporting systems to protect ICS in critical infrastructure.

Individual Member States were not identified against a particular profile, however, the UK position is leading in support, given the history of developments that largely already correspond to the major recommendations outlined in government policy on cyber security. The UK has stopped short of specific regulation to date, instead favouring a risk-based voluntary approach. The UK Government is working with industry to promote and align best practices and standards with the US National Institute of Standards and Technology Cybersecurity Framework.

The study made six major recommendations to improve ICS cyber security maturity:

1. Align ICS efforts with national cyber security strategies and Critical Information Infrastructure Protection (CIIP) effort.

Currently the research showed ICS cyber security was not aligned to national strategies in some states, though the UK clearly leads the way here.

2. Develop good practices specific to ICS cyber security.

Some Member States do actively promote industry good practice, and again the UK leads with the recently published Security for Industrial Control Systems. It makes sense to utilise existing good practice across Europe, but, the issue for operators or asset owners will be navigating the plethora of guidance already available and dealing with the challenges of national compliance where mandated.

3. Standardise information-sharing among critical sectors and Member States.

This includes the recommendation to have a single platform and process, citing the US ICS-CERT example for incident reporting and focal point for good practice. An overarching national or EU-wide ICS CERT could be the focal point for sharing of best practice, threat and vulnerability warnings.

4. Build ICS cyber security awareness.

The recommendation is for a more reactive approach to promote continuous improvement for policy developers as well as asset owners. Focus provided by a local ICS-CERT could provide a platform for building local knowledge and growing awareness.

5. Foster expertise with ICS cyber security training and educational programmes.

This recommendation focused upon the common misunderstanding of IT security considerations being similar to OT environments leading to security, operational and potentially, safety flaws. The report recognises the scarcity of people that have a deep understanding of ICS systems and cyber security, and the need to develop programmes and facilities for training to fulfil the current and inevitable short fall as awareness grows.

6. Promote and support ICS cyber security research and test-beds by involving ICS experts and vendors in addressing current and future threats, whilst supporting innovation and encouraging security by design.

More Member States are working on legal instruments to mandate minimum security requirements.

As previously suggested by Andrew Cooke in Angles in November, no one really advocates increasing regulation. Our experience has shown that regulation can stifle innovation and good practice development, whilst affording a false illusion of security through compliance, which may not address the specific risks to an organisation. Indeed, given the disparate and distributed nature of operational technology it is hard to see how such regulation might be successfully enforced.

Experience tells us that excessive regulation can lead to increasingly ingenious circumvention. Therefore, a rational approach could be the continued development and promotion of international cyber security standards for control systems. The link between safety and security is never more apparent than in the area of OT where the impacts of a cyber-attack can be to affect safety and safeguarding measures, leading to significant hazards.

A risk-based approach to cyber security and the use of standards can encourage organisations to take a pragmatic approach and encourage greater adoption.

UK & Europe,

In 1909 EM Forster published a short story called ‘The Machine Stops’. It envisaged a world of connected communications, services delivered to consumers’ homes through wires, video conferencing and instant messaging. Most poignantly it described a system of social media with citizens “lecturing” and exchanging their thoughts and views, often sharing opinion and ignoring original thought.

Eventually something causes the machine to start failing and that failure spreads from one service to another until society breaks down and anarchy and death ensue.

But of course ‘The Machine Stops’ is just a story, an apocalyptic view of a fictional society in an imagined version of our planet and it couldn’t happen to us today, could it?

We’ve long recognised critical infrastructure as a set of services that provide the power, water and communications links that underpin our society. Although they have typically been considered to be a series of discrete services provided through different channels, there is now increasing understanding that critical national infrastructure is actually much more joined up.

It is in no small part the digitisation of infrastructure that is increasingly leading critical national infrastructure to become a system of systems; a single interconnected set of services with interdependencies that determine resilience and reliability of each.

This digitisation helps service providers to track and manage their assets more effectively. It can also put customers in control of the services they use, allowing greater choice and flexibility. However, it also puts more and more services online and it means that increasingly power, water and transportation services rely on communications systems for their operating platforms. Furthermore without power other utilities and communications systems can’t operate.

If a key transportation service suffers a security breach then potentially fuel can’t get to a power station or waste be removed. If a water pumping station’s systems are breached then water is not available for either sanitary purposes or for cooling systems for other parts of infrastructure.

All of a sudden Forster’s apocalyptic view become so much more real. But why does the interconnectivity of increasingly digitised services make the risk of a meltdown more likely?

In the first instance the risk is simply that our greater reliance on digital services means a security breach resulting in ‘denial of service’ is so much easier and potentially more probable that an attack on one part of the infrastructure will disrupt supply and therefore affect others.

Also, increasingly operational technology - the process and equipment control systems that run infrastructure - is connected to the broader network of systems. The risks and vulnerabilities to these systems are less widely understood and the equipment is in many cases less proactively managed and protected. The potential for proliferation of infection in the event of a cyber-attack is therefore much greater.

Finally, and crucially, the exchange of data and information between critical infrastructure is much higher as a result of this proliferation. The spread of a ‘Shamoon’ type virus could have devastating consequences and potentially threaten to severely disrupt infrastructure for long periods of time.

At Atkins, we’ve long advocated that organisations should be taking a holistic approach to their organisational security. That begins with ensuring that security measures are directly tied in to organisational objectives and that key performance indicators include security at the top level. The organisational risk management approach then considers all aspects of security in one place. These include physical security, cyber, industrial controls, behaviours and emergency planning and business continuity. This consolidated, top-down, risk management approach allows risks to be considered holistically, thereby creating a resilient organisation.

If we follow this approach through, then it can also be argued that if we consider our national infrastructure to be part of a holistic whole then the same approach should be taken to consider risk at a holistic infrastructure level. In this context our national infrastructure becomes a ‘system of systems’ and creating resilient infrastructure is a matter of dealing with risks to that.

The Centre for the Protection of National Infrastructure (CPNI) already has an important role in bringing together risk at the top level for UK infrastructure. This is recognised in this approach but the suggestion is that potentially now we need to look further ahead as convergence of infrastructure systems continues, service providers cross from one part of infrastructure to another and the risk to the nation continues to be more complex.

Forster’s apocalyptic view of the machine stopping may not be a realistic risk in the short term. However, making sure that we are aware of the risks to infrastructure as a whole and mitigating them from a holistic infrastructure perspective can only lead to a more resilient infrastructure, society and nation state.

UK & Europe,

We’ve seen the Chancellor visit GCHQ and announce additional funding of £1.9 billion to deliver a series of initiatives to protect the economy and infrastructure, along with Ed Vaizey, Minister for the Digital Economy proposing a cyber health check for FTSE 350 firms.

As a CEO, I of course welcome this as a positive intervention and one that should drive us forward as an industry to take a closer look at our own security. But as the designers, builders and operators of infrastructure that millions of people rely on every day, it’s also a chance to ask if we can honestly say we’re doing all we can to protect ourselves, our clients and the public.

In recent years we’ve all witnessed greater convergence of IT, enterprise technology and operational technology within our organisations. The pace of change has been really quite dramatic and shows no sign of slowing down anytime soon. It’s this connection between hardware and software that is making cyber attacks easier and more dangerous, penetrating to the core of our operations. What’s more worrying from an industry perspective is the potential impact of an attack on some of our Critical National Infrastructure, such as utilities, power networks and public transport. We design infrastructure to last decades, but hi-tech threats are constantly evolving. So how can we ensure we keep up with the security challenges facing our infrastructure and know we have done everything possible to protect our public services?

For me there are two steps we can take as an industry to truly embed a holistic approach to security. Firstly, we need to elevate the importance of cyber security to board level, just as safety is considered a top priority amongst senior leadership teams. In many cases this will mean investment, but like safety, this is a necessity rather than a luxury.

The second change we can make is around education, training and skills. In many cases cyber-attacks do not come through a failure in the technology we’ve put in place. Instead attackers frequently exploit the ignorance of a company’s employees to gain unfettered access to key systems. It’s for this reason that I believe we need to invest in training our people to understand and report security issues quickly.

In summary, we need to focus on the positives, learn from our mistakes and follow the Government’s timely investment and guidance to put security high up on the agenda where it increasingly belongs.

UK & Europe,

Since Talk Talk became the UK’s most high profile cyber security breach a little over a month ago public comment has focussed on how a large technology company could have such poor security. That a simple attack on their website resulted in the loss of customer account data was clearly a huge embarrassment to the company. The fact that the perpetrators were under sixteen only added to the public relations disaster. 

However, the real consequences of the breach are probably far more limited. Will Talk Talk survive the media onslaught? The chances are that they will. What will happen to the thousands of customers whose records were lost? Probably very little and once the media frenzy has passed, sporadic crimes resulting from the lost records will likely be swept under the carpet. 

Ministerial announcements often cause a similar media frenzy in an effort to demonstrate that “something is being done.” Last week saw announcements from both George Osbourne, speaking at GCHQ, and later Ed Vaizey, Minister for the Digital Economy, as to how the Government is going to support the fight against cybercrime. Osbourne’s announcement focussed on the “additional” funding that the Government is providing, whereas Vaizey’s was about imposing a mandatory cyber health check for FTSE 350 firms

Ministerial pronouncements rarely come with any great details and these are no different. They are, however, important steps forward in demonstrating that the Government does take cyber security seriously and is intent on protecting UK citizens both from terrorist attacks on their person and the national infrastructure. It is also key that Government is ensuring that the private sector takes their privacy seriously and protects customers from financial crime arising from companies not protecting their records appropriately. 

All this optimism though has to be tempered with a serious dose of reality. Much of the focus of GCHQ’s IA15 conference earlier this month focussed on the cyber security threat to our critical national infrastructure. The biggest risk to such infrastructure is the cyber security threat to the embedded industrial and process control systems in the plant and equipment that generates power, delivers water and controls transportation and communications systems. 

We have yet to hear whether the health check will cover those process control systems. However, the one thing that we do know is that many, if not most, of the companies providing those services in the UK are either privately owned or not in the ownership of UK companies and will not be covered by the proposed cyber health check. That includes all of the companies building new nuclear power stations. 

Few people favour more and more regulation. This week’s announcements are a great start from the Government in making sure that UK citizens and our critical national infrastructure are better protected from cyber-attack. However, much more is needed before we can all sleep safely in the knowledge that no one is going to steal our bank details from poorly protected retail companies and that the infrastructure that runs our lives is safe and secure from disruption.

UK & Europe,

A recent report from the BBC stated that ISIS is planning to unleash a number of deadly cyber-attacks against UK targets and has put the issue of cyber security at the forefront of many organisations’ minds. As a result many have begun to question if we are behind the curve in cyber security expertise, and if we recognise the organisational challenges? The phrase ‘cyber security skills’ is so broad as to be unhelpful. Do we know what specific skills we’re talking about; which specialisms we need to foster?

Last week I had the opportunity to debate this very topic with cyber security peers at the Information Assurance 2015 (IA15) event in London. Addressing the cyber security skills balance requires more than just evaluating a number of specialisms, with organisations needing to address a number of key challenges:

  1. Raising awareness of the risk: If an organisation is unaware of the level of risk they face to their systems or data from malicious cyber-attack, they are unlikely to invest in or employ the right people to protect them from those risks.
  2. Designing in security: Low awareness and expertise also causes inevitable procurement issues. An organisation cannot be considered an ‘intelligent customer’ if it does not fully understand its cyber security requirements. Off the shelf systems offered by many vendors may sound secure, but often key security features of those systems are not chosen for a number of reasons including lack of awareness, they cost too much or they don’t easily integrate with an organisation’s existing systems. 
  3. Culture: In order to be effective, security should be everyone’s responsibility. Developing awareness across every part of an organisation is a key skills challenge. Once a year online learning and testing is insufficient.
    We could learn much from how health and safety compliant cultures are fostered effectively in organisations across the UK. These include company policies on the use of equipment or facilities, the sharing of ‘safety moments’ at all meetings, and an awareness that failing to comply with agreed practices is frowned upon. Safety competence approaches can inform how we deal with security education, training and experience.
    Importantly, this culture needs to be driven and embraced at board level to be effective and pervasive. Research shows that some boards are not familiar with vulnerabilities in their industrial control systems and have therefore provided inadequate resources to address the issues. This is typically as a result of no, or low, perceived risk thanks to a lack of reporting, both internal and external, or staff governance.
  4. Usability: Although security is an organisational skills issue, those organisations don’t always make it easy for their staff. Many have a habit of making security difficult for legitimate users. Users don’t like to circumvent security, but poorly considered ‘more secure’ approaches will typically fail leading to less secure activities. A prime example would be adopting polices that enforce impractical password solutions causing users to end up writing those complex passwords down. New guidance on usable security policies has been issued by GCHQ  and I would recommend all organisations review these.
  1. Understand the competing requirements: Usability and IT objectives are often in conflict with control systems and safety. Restricting services could prevent safety-related actions taking place. For example, you cannot afford to enforce a complex password log-on in order to implement a safe shutdown in the event of an incident. The approach for objectives that meet organisational goals requires greater collaboration from skilled specialists across different domains - IT, OT and safety - by forming multidisciplinary teams to look at security. 
  2. Understanding the opportunities and risks of the internet of things (IoT): The speed of development within the Internet of Things is staggering, particularly across industry, and many view it as the fourth industrial revolution. However, by its very nature the IoT creates cyber security vulnerabilities in devices that IT specialists would not normally have considered before, such as cameras, building control systems or white goods. As effective cyber-attacks find backdoors through otherwise secure systems, expertise in fully evaluating the many and varied vulnerabilities across all devices that connect with an organisation’s network is essential.

In order to be effective an organisation’s cyber security needs to evolve. Security as a project is not an effective defence against a sophisticated enemy that is constantly developing their methodologies and looking for the next vulnerability to be exploited. It’s a journey. Learning from the mistakes of the past, like Heartbleed that redefine vulnerability and risk overnight are key. So is developing and maintaining the right balance of skills – within the IT team and across the organisation as a whole - to effectively address an organisation’s specific security risks and requirements.

UK & Europe,

The increasing digitisation of our national infrastructure offers many benefits to organisations and their customers. However, some fear that the systems used to control physical functions of this infrastructure, often now referred to as operational technology, could have the potential for a serious cyber-incident. The massive damage caused by a sophisticated cyber attack on a German steel mill last year illustrates the potential threat.

The Financial Times recently picked up on the report published by Chatham House on Cyber Security at Civil Nuclear Facilities Understanding the Risks, which considers the major cyber threats to civil nuclear facilities. This report comes hot on the heels of a review being undertaken by The Department for Energy and Climate Change into cyber risk in the civil nuclear sector in the UK.

Chatham House’s findings are generally consistent with our experience of other industrial sectors using control systems. Of course, a single incident in the nuclear sector carries greater consequences than other sectors and consequently generates greater public concern. However, what is less understood by the public is the systems used to control industrial plant are not the same as those used for safety critical control. The latter tend to be isolated systems, with rigorous access control, monitoring and working practices, not purely dependent upon digital technology for protection.

We work with almost all of the existing UK nuclear power generators and the nuclear new-build companies. In my experience, these organisations are ‘designing security in’ and developing best practice technical solutions to tackle threats.

The report highlights some challenges for the world-wide industry including:

  • Low levels of cyber incident disclosure, creating a false sense of security stifling appropriate security investment. However, full disclosure can lead to copying of tactics or techniques, thereby increasing risk.
  • Unsuitable risk assessments can lead to insufficient spending on cyber security. The issue of improving risk understanding at board level is a critical one. Our experience is that, in the UK, the nuclear industry is leading the adoption of good practice and boards are taking security and safety risk assessments very seriously. Integrating control system security and safety risk assessment and treatment is now a focus for good practice development and international standards committees.

The report goes on to identify other challenges:

  • Cultural challenges, including the difficulty in communications between plant engineering (operational technology) and information technology personnel, addressing the need for greater appreciation of cyber security, training and skills development. We have seen that this human element is already being addressed in the nuclear industry, particularly the cultural aspects of integration of formally disparate disciplines, as well as ensuring security roles and skills are developed to meet current and future needs.
  • Technical challenges, including control systems which were not initially designed securely. Standard IT security approaches are often difficult to implement in plants, due to technical validation requirements, potential downtime and the commercial imperative to remain operational. Yet, these generic findings do not illustrate the secure design developments and practices being undertaken by the UK nuclear industry and the supply chain.

The Chatham House report recommends that the nuclear industry should provide a balance between regulation and self-determined actions to avoid stagnation. It also recognises the need for risk-based approaches and innovation, whilst avoiding compliance-driven requirements that do not reflect the state-of-the-art, or the developing nature of threats and vulnerabilities.

In summary, though I’d broadly support the findings of the Chatham House report, I would emphasise that the UK nuclear industry is far from complacent. In fact, for all the reasons outlined above, it is world-leading in its approach to addressing cyber security threats.

UK & Europe,

How can we embrace technology – not for technology’s sake – but for the real benefit of our customers, our own companies and the communities we serve? Atkins’ CEO Uwe Krueger provides a perspective from the ENR Global Construction Summit in New York.

The nature of the construction industry is changing rapidly, driven by tougher market and trading conditions and by demands from clients for better value and more innovation. There are higher expectations from funding institutions for cost efficiency and project certainty. There is also political pressure, as governments seek better value for money.

We are also facing rapid growth in both population and urbanisation, creating an enormous infrastructure funding gap, but the challenge is not funding: financial institutions are willing to invest if they can see a clear investment case and cash stream – and a stable political and tax environment.

The challenge is matching capital to suitable, financeable projects.

What can the infrastructure industry do to attract investment into the sector? It has to improve and not be afraid to innovate.

For the investment community, risk is a key consideration. The technology used by our sector can play a critical role in identifying, and mitigating, risk and make a huge change in the pace of progress.

Risk can be mitigated, in part, by increasing certainty around project input costs (which reflect complexity of design and construction and engineering delivery risk). Innovative technology, in the form of digital engineering, can make a big difference.

Digital engineering in essence is the automation of all or parts of the life cycle of a built asset. With digital engineering and building information modelling (BIM), value creation can be mapped through the design, construction, operation, maintenance and renovation phases of any project.

The use of big data analysis can help our clients make better informed decisions, resulting in greater resilience in our infrastructure. More effective safety and security measures can be implemented based on the complete picture offered by digital engineering. Even productivity can be improved, as new tools – like BIM – enable project managers to improve efficiencies by collating all project information into one digital location.

New, advanced materials and production methods are being added to the mix: additive fabrication such as 3D printing processes are now being increasingly used in the construction industry to speed the building process.

From Crossrail to the redevelopment of Birmingham New Street station in the UK, digital modelling is at the heart of these projects. Cities must prepare for the coming technologies that will fundamentally change how people move and interact with their surroundings. We are only at the starting point to comprehend how smart phones and other intelligent personal devices will interact with infrastructure in the future.

So, which technologies and approaches should we apply? There are some important considerations:

Pace: we need to attract a new generation of technology savvy youngsters to our industry, to keep up with this evolving digital landscape.

Compromise: the available technologies, even in combination, don’t provide a “one-size fits all” solution – we need a trial and error approach. It is all about quantifying risk and the certainty of delivery for our clients.

Adaptation: the notion of “best practice” is shifting with each new tool – we need to get much more agile in the way we embrace technology.

If we, as an industry, take these opportunities seriously, we have the chance for a period of technology driven growth. We have the privilege to shape the environment where people live and work tomorrow, to attract the right people and to create the future with them.

Asia Pacific, Middle East & Africa, North America, Rest of World, UK & Europe,

The continuing digitisation of our infrastructure enhances our experience as citizens and defines our progress as a society. However, the increasing reports of cybercrime and the threat of disruption to supply have led to calls to resist this development and slow the pace of change. Yet the benefits of digitisation are too persuasive and both the expectation of the public and the need to continuously drive down costs mean we cannot stop or even slow down the tide.

The public is very familiar with the concept of the ’digital economy’. We accept that today we live much of our lives online; buying food, goods and services or communicating with friends and family. Though the term ‘digital infrastructure’ is less commonly heard or understood, it is fast becoming a reality that impacts our daily lives. It is the concept that underpins the way critical services are delivered to us today and in the future.

Digitisation of infrastructure helps service providers to track and manage their assets more effectively. It can also put customers in control of the services they use, allowing greater choice and flexibility. Examples of the latter include the sensors on trains and buses that allow us to track the arrival of public transport in real time or the internet-based services that allow us to select the telecommunications, power or water services we want.

As infrastructure becomes increasingly digitised it is essential that it also becomes more resilient. The recent breach of security at the Office for Personnel Management in Washington has highlighted how even the most secure systems are at risk from hackers, whether they are state-sponsored or just inquisitive enthusiasts. When some of the most heavily protected systems in the world are compromised it prompts us to look closer to home and to think about what digitisation of our infrastructure really means to our safety and security.

A recent report highlighted the approach that the UK National Crime Agency are employing to tackle botnets by focusing on closing down the vehicles that the criminals use to affect the crime. Making our infrastructure more resilient requires the same approach. We can’t slow the pace of digitisation so what we must do is to understand what the threats are that impact on the delivery of infrastructure services.

I believe that there are five key steps to making digital infrastructure more resilient:

  • Firstly we need to understand what the goals of infrastructure organisations are. Knowing these will allow each organisation to then consider what is required to deliver those goals, what the risks are to achieving them and what needs to be done to protect them.
  • Next we can look at the assets that are involved in delivering these goals – whether these are physical, information or people assets – and how they are secured. One key challenge for infrastructure organisations is that they often need to make those assets available to their customers in one form or another. This might either be information assets in term of costs, billing statements or access codes, or physical assets in the form of smart meters or transmission equipment.
  • We then need to understand the specific risks to those assets. What could potentially go wrong in delivering the services?
  • Once the risks have been identified we can understand the potential vulnerabilities implicit within those assets and the action required to mitigate those risks and vulnerabilities.
  • Finally, we can put in place a comprehensive plan to make sure that those risks are thoroughly mitigated and a system of reporting is implemented to ensure that incidents are identified and lessons learned.

In many ways it appears a simple solution to a highly complex problem. However thinking of infrastructure as a bundle of assets that need to be protected is the most effective way to ensure that risks are mitigated, breaches are reduced and criminals are deterred.

Asia Pacific, Middle East & Africa, North America, UK & Europe, Rest of World,

There have been a number of articles in the media recently highlighting the potential risks arising from implementing the European Rail Transport Management System (ERTMS) in the UK. ERTMS is the system that replaces traditional mechanical signalling systems with the IP-enabled systems.

The benefits of implementation are clear as it:

  • creates compatibility with European rail systems; important as increasingly rail journeys begin in the UK but end in Europe
  • brings efficiency with rail routing decisions being made centrally and implemented instantly
  • provides opportunity for greater business continuity with a number of national control centres offering redundancy
  • offers considerable capacity enhancement and much improved asset management and exploitation.

Of course if the control systems are managed across an IP network that is ultimately connected to the Internet then there is risk of compromise. The potential exists for someone to attempt to break in, whether they are hobbyist hackers, disaffected rail users or state-sponsored terrorists. The BBC recently quoted Professor David Stupples of City University pointing out that a hacker could cause a “nasty accident” or “major disruption.”

The vulnerabilities that could compromise ERTMS also threaten control systems managing infrastructure across the world, yet incidents to date have been few and far between. Furthermore control systems are not the only business management systems under threat as the ever growing reach of the Internet of Things (IoT) and Bring Your Own Device (BYOD) policies provide just as great a potential challenge.

Yet these threats and risks can all be mitigated. Good design lies at the heart of good security. While the ERTMS system is already complete, we do still have the opportunity to make sure the design of the systems around it and the way that people interact with them is effective.

An effective cyber security programme needs to be holistic; to consider risk from an organisational perspective. In this context, considering the risks to control systems as well as traditional enterprise IT is absolutely critical.

It also needs to consider employees and employee behaviours. Professor Stupples pointed out the potential impact of a disaffected employee taking maleficent action, yet in reality the consequences of discovery will be a significant deterrent to most. The greater risk is the prospect of unwitting employee behaviours resulting in vulnerabilities that could be exploited by outsiders. An assessment of employee risk should be used to identify particular areas of risk and specific targets for training. Comprehensive communications and training programmes can support this.

Ultimately, we can’t step away from building a more modern, efficient and effective infrastructure out of fear of the consequences. Avoiding a major security breach is a matter of careful threat and risk assessment, thorough vulnerability analysis and implementation of a planned programme of mitigation and protective measures. By embracing this approach we can safely leverage the benefits of implementing the most modern technology.

UK & Europe,

The most significant hack since Stuxnet targeted Iran’s uranium enrichment programme in 2010 caused massive damage to a German steelworks, according to a report published this week by the Federal Office for Information Security (BSI). Whilst the Sony hack caused the release of film star emails, a Bond film script and cancellation of film screenings, grabbing media attention, the significance of deliberate physical damage caused by sophisticated network intrusion has passed largely unnoticed (in mainstream media). This is probably the only publicly known incident where physical damage to a plant has been deliberately caused by malware since Stuxnet.

Full details have not been released, but the “The IT Security situation in Germany 2014” report highlights the significant impact an Advanced Persistent Threat attack has had on a steelworks, causing damage to a blast furnace by forcing an unscheduled shutdown. People often ask, why then are critical industrial processes connected directly to the internet? They aren’t intentionally. But, they are connected to business systems in order to manage production, obtain statistical, historical, and logging information for business process optimisation. The attackers exploited the internal connectivity of the corporate and industrial control networks.

The attack used a sophisticated spear phishing and social engineering campaign to obtain initial access and a presence on the corporate office network. The attackers then moved from the corporate networks on to the production networks to locate industrial control systems. Over time industrial control components were compromised and control system failures became increasingly apparent leading to loss of plant control. Failures ultimately caused an unscheduled shutdown of a blast furnace, preventing the normal safe ‘graceful’ shutdown, causing extensive damage and loss of production.

Like Stuxnet, the perpetrators exhibited advanced technical skills from multiple domains. Initially, undertaking a reconnaissance phase to identify individuals and an approach for the spear phishing and social engineering campaign. Then displaying corporate IT and security domain skills compromising corporate computers and networks, traversing to the process control networks. The attackers demonstrated a knowledge of both industrial control systems and the production process. The combination indicates that the group responsible had significant presence on the steelworks’ networks to navigate the corporate systems and the industrial control systems and form a detailed understanding of the automation controllers and production process. It is highly likely that intellectual property, propriety process knowledge and contract information was also stolen.

Critical infrastructure attacks this year includes Energetic Bear (aka Dragonfly), Sandworm and the recent revelations of Cleaver. However, these incursions appear to be early reconnaissance, with no physical affects. We have also seen designs and manuals of plant equipment owned by Korea Hydro and Nuclear Power Co (KHNP) in South Korea were put online by an unknown individual or group, followed by several threats to the infrastructure. It is acknowledged that should systems in utilities, energy, manufacturing, oil and gas be attacked, the damage and disruption could be enormous. This steelworks attack is the one of the first to cause significant physical damage. International respondents to a recent critical infrastructure survey in these sectors recognise the increased likelihood of successful attacks against their IT and industrial control systems, yet they admit more needs to be done, and many of respondents either did not know or were unsure about control system vulnerabilities, and had not informed senior executives of the risks.

Organisations are seeking to improve operations and converge IT and industrial control architectures to optimise business. Crucial to these improvements is enterprise access to operational information, without comprising security. Technology adoption in industrial control systems lags behind that of IT, due to the differing operational requirements. These include high-availability, safety and reliability coupled with significantly longer lifecycles; fifteen to twenty years is not uncommon, and can be even longer, far exceeding IT refresh or outsourcing cycles. To address these challenges requires a collaborative approach across multiple domains, recognising that industrial control system security awareness is potentially low across an organisation. An approach that combines converged governance and risk management, sustained by appropriate programme management, will enable a comprehensive understanding of organisational risk in order to secure vulnerable production systems.

Asia Pacific, Middle East & Africa, North America, Rest of World, UK & Europe,

CONTACT

Andrew Wall

Head of cyber security

+44 1242 54 6278