Cyber Resilience

The way we live and work is being revolutionised by the digital age. Data volumes are growing exponentially, people are expecting more seamless customer experiences, and businesses need protection from an evolving range of cyber threats.

About

At Atkins, we believe that organisations underpinned by an effective cyber resilience strategy and approach have the power to deliver seamless customer experiences through continuous service delivery while knowing that their business will remain operational in the event of a cyber-attack.

Our role is to advise clients on how to protect their organisation from cyber threats, today and into the future, building customer trust and resilient operations, which all support your bottom line and key business drivers.

Expertise

We’re uniquely placed within the market. Our diverse range of cyber and engineering expertise enables us to quickly understand your organisation’s priorities, helping you to make informed business decisions around cyber security investments.

We use a proven approach – Identify, Develop, Deliver – applied to each of your individual business drivers. This yields cyber resilience services that enable you to understand your current level of cyber security maturity and to set out a clear strategic path to achieving your objectives.

We offer flexible and scalable services that deliver improved resilience, reduced investment costs and optimised business operations.

Delivering value to our clients

Our services deliver added value to our clients by addressing five major cyber security concerns:

  • Understanding – Helping you fully understand the complexity of becoming cyber resilient in today’s digital age
  • Impact – Enabling you to understand the potential operational impact of weak cyber resilience
  • Maturity – Providing clarity on how mature your business is in the context of cyber resilience
  • Risk – Advising you on how to reduce business risks and make better cyber security investment decisions, based on improved understanding and context
  • Evolving threat – Helping you set out a strategy to future-proof your business against the continuously evolving threat landscape.

Approach

As a recognised supplier of cyber security services to HM Government and the UK Ministry of Defence, we have developed a tried and tested approach to helping clients understand, prepare for and be resilient to the growing cyber threat.

We do so through the three-stage Identify, Develop, Deliver approach described above.

Contact us today to find out how we can help your organisation become cyber resilient.

Angles

Suzanne Murtha
08 Aug 2017

When? I’m an IOO, do I have to act today?

To begin, the legislation we describe in detail below is being considered by the US House of Representatives. The US Senate is also working on their own version of AV-related bills, so as fast-moving as these bills are, they still need to clear the House and the Senate. It is reasonable to think that some version of AV-related federal legislation won’t clear both chambers immediately and the Senate bill(s) will be introduced sometime in September 2017.

What exactly is this?

On July 27 in a 54-0 vote, the House Energy and Commerce Committee unanimously passed the DECAL Act (HR 3388), a bill related to automated vehicles. We haven’t seen the Senate version yet, and the House bill was not approved by the full House. Here are some key considerations for the DECAL Act: Congress clearly wants the federal government to take the lead on any public policy regarding automated vehicles. Congress also wants to define the role of states and IOOs, including:

  • Vehicle registration
  • Licensing
  • Driver education and training
  • Insurance
  • Law enforcement
  • Crash investigations
  • Safety and emissions inspections

North America

Richard Piggin
19 May 2017

The WannaCry or Wanna Decryptor malware has affected 150 countries, including the United Kingdom, United States, Spain, Russia, Taiwan, France, and Japan. Several variants have already been reported, all presently targeting Windows-based operating systems, including embedded versions. Further variations, which could target other operating systems such as Linux, are anticipated. Early indications suggested email phishing campaigns initially infected computers using email attachments, and malicious website links have been confirmed. The worm then spreads across networks. While assurances have been given regarding the loss of patient data, the malware provides backdoor access to victims’ computers, so data theft is a distinct possibility. Yet the issue isn’t just about the security of patient information; it’s also about preventing patient harm. This is not an isolated incident. Similar incidents have already occurred in the healthcare sector, even in the UK. Only a few hospitals were affected, attracting limited publicity and concern. Many more medical facilities belonging to the U.S. MedStar Health provider were severely disrupted last year. The impact of such attacks also features in a new BSI publication on Medical Device Cyber Security, which describes the convergence of safety and security risk, along with defensive principles. Other sectors have also been impacted, including UK, French and Romanian car plants and the German rail operator. Spanish victims included telecoms multinational Telefonica, and utilities Iberdrola and Gas Natural. Critical infrastructure asset owners have been impacted by ransomware in the past, including several power utilities. Organisations with unsupported operating systems or ineffective patching programmes will continue to be vulnerable. At best,

UK & Europe

Philip Barton
17 Mar 2017

Having had time to digest the major themes in this report, I think that the Government at the time seemed determined to establish the Cyber Essentials scheme as a key part of UK SMEs’ cyber toolkits, and to leverage the insurance industry to secure that goal. The message was that Cyber Essentials or Cyber Essentials Plus compliance would deserve a reduced premium, as well as enabling greater cyber-risk awareness among SMEs. The report indicated that cyber insurance firms were likely to offer support in becoming Cyber Essentials certified as part of the insurance process. This patently did not happen as planned, and the UK National Cyber Security Centre (NCSC) are yet to pick up the reins sufficiently to consider cyber insurance guidance. The report was aimed squarely at SME cyber risk in the IT space, with brief mention that Cyber Essentials may not be appropriate, or rigorous enough, for many manufacturing industries. Regulated industries and critical infrastructure will have their own regimes to follow, so what for the SME manufacturing industries? The NIST cyber security framework or the SANS 20 controls are an excellent starting point, not to mention the many standards that exist such as ISO/IEC 27001, ISA/IEC 62443, etc. An obvious barrier to widespread adoption of worthwhile, insurance-backed cyber security in the industrial arena is having sufficiently good cyber forensic capability in place to be able to back up any claim. In the event of an incident, the bias for most manufacturing organisations is naturally toward production and not to preserving evidence;

UK & Europe

Lee Woodcock
07 Mar 2017

Reflecting on the past few months has prompted me to think about Smart Cities, a phrase that’s not new, has promised so much and, in my view, delivered so little. But, with a surge of new technology, digital disruption, entry of new market players and budget challenges for the public sector – could this be the catalyst for change? With this in mind, coupled with new themes and trends emerging globally across the industry, I wanted to take a moment and make five Intelligent Mobility predictions for 2017…

Data Exploitation and Visualisation: This year we will see the emergence of new platforms, at pace. Data is arguably the life blood of a modern transport system and critically important to unlocking value from new transport schemes, mobility solutions and customer-tailored services. It will be through interoperability that we see a drive towards ‘Platform as a Service’ across the sector, which is here to critically disrupt the way we currently model, plan and deliver transport services globally in cities and urban areas.

Journey Management: We will witness the breakdown of silos across the transport system, with the deployment of critical technology solutions that cut across organisational and operational barriers. The surge of new payment systems will start to deliver seamless and positive customer journey experiences through account-based ticketing systems. This will mean no more management of multiple apps or cards – one account for the individual or family, think Sky-Go package.

Connected and Autonomous Vehicles: A huge amount of R&D is currently underway globally,

Group

Projects

As part of its focus on continually improving its people, processes and information, EDF recognised the need to gain a better understanding of its staff’s security awareness and training needs so that a specific programme could be developed to meet their continual learning requirement in this area. Atkins worked closely with the client for over three years providing professional advice, analysis and solutions through the full lifecycle of organisational learning and development. This work included development of better learning and development solutions for a range of requirements, such as:

  • Support for the design and implementation of a structured training programme for the internal regulation department of around 60 people
  • Design and support of training-related management information and reporting
  • Design and implementation of a major e-learning PC-based training package on Basic Nuclear Principles Refreshment to be used by over 400 people on a cyclical basis
  • Participation in key self-assessments relating to organisational learning and development improvements that will support the re-accreditation of the Engineering Support training programme against industry standards.

These support services were key to EDF achieving training standards accreditation for one of the largest single training programmes in the world. This has in turn provided credibility for lifetime extension programmes for the company’s existing nuclear fleet and new build programmes. Our support has meant that EDF can clearly demonstrate that they have control of their nuclear resources in a measurable and systematic programme which has a clear view of the challenges in addressing an ageing demographic and a finite industry

UK

Horizon was particularly aware of the issues surrounding the UK approach to security of control and protection systems. Realising that it did not possess detailed knowledge of evolving best practice and regulatory requirements, our client wished to undertake a comprehensive review of relevant standards, guidance and approaches, as well as the expectations of bodies that provided security advice. Atkins was chosen to undertake this security standards review. Our work addressed UK best practice and other well-established industry methods from around the world. Nuclear best practice was also discussed, including the US NRC 5.71 Regulatory Guide, which had already adopted international good practice, albeit through a very prescriptive implementation. We reviewed the best practice and standards utilised for securing Industrial Control Systems (ICS) and produced a comprehensive overview, assessment and recommendations on future practice. Our review included:

  • The ISO/IEC 27001/27002 series
  • ISA99 – Industrial Automation and Control System Security
  • IEC 62443 – Industrial Communication Networks – Network and System Security
  • NIST SP 800-82 – Guide to Industrial Control Systems (ICS) Security
  • NRC Regulatory Guide 5.71 – Cyber Security Programs for Nuclear Facilities.

At the end of the comprehensive review, Atkins produced two briefing papers. The first of these covered ICS security best practice, emerging developments and a forward-looking strategy. The second paper concentrated upon nuclear safety protection systems. The briefing papers, follow-up presentations and meetings provided Horizon with a detailed understanding of the security and safety practices, which they then used to inform their strategic planning.

UK

HE partnered with their Netherlands equivalent, Rijkswaterstaat (RWS), to help overcome their legacy system drawbacks. Both wished to develop a future operating model that delivered a modern and open technology platform and an effective supply chain that would improve the resilience and efficiency of their road networks. Atkins were tasked with developing the security requirements for the Advanced Traffic Management System (ATMS) operating model, and supporting its delivery through an open tender process to enable appropriate suppliers to provide the new solution. We worked in collaboration with HE and RWS, integrating our subject matter experts into the project team. This allowed us to agree a joint security approach which took into account the different cultural, business, security and legislative concerns that the two partners faced. By working closely with all stakeholders, we determined the existing operational structures, business goals and service requirements. We reviewed UK and Dutch security standards and governmental requirements and negotiated a joint approach to meet these. Finally, we developed a ‘to-be’ security operating model to meet business requirements for input into the ‘Pre-qualification questionnaire’ (PQQ) and ‘Invitation to tender’ (ITT) contract phases, and proposed and agreed approaches for the formal accreditation of ATMS. Our security-focused business systems analysis and requirements development led to a detailed set of building block deliverables at functional and technical levels. These included the specific application, infrastructure, hosting and platform components. The completion of this project provided HE and RWS with a pragmatic and realistic view of the threat environment for information assets with a

UK

The client had found it difficult, expensive and disruptive to their programme portfolio to maintain and manage a pool of experienced security consultants with the necessary analysis and security artefact-creation skills required to support the accreditation decision. Due to the finite resource, deciding which projects would benefit most from the IA consultants’ skills was also proving challenging. As a result, there was a risk of critical systems either remaining unaccredited or being accredited on the basis of an inadequate risk assessment. We worked with the client to develop a new managed service approach to the provision of security that brought together all the necessary expertise into a single team. Through the creation and implementation of a security catalogue, we provided key security and accreditation activities for the client. These covered business impact identification, risk assessment, threat and vulnerability analysis, and current and new service/system ‘as-is’ security reviews. Also included were estate and system architecture advice and design, policy and standards gap analyses, and accreditation and risk management. In addition, our (previously CLAS) accredited security consultants provided specialist security support or management to particular projects over an extended period. Through the implementation of managed accreditor services we coached, mentored and trained the client’s junior accreditors. This proved to increase the client’s capabilities in accreditation and developed the organisation’s information risk management maturity. Our managed security consultancy service provided specialist advice to the client that is now an embedded part of the enterprise architecture. Our specialist expertise was also applied to the client’s department-wide information assurance enhancement

UK

As a significant element of the IT estate was legacy, the key challenge our client faced was understanding where information assets were stored and processed. This knowledge gap meant that DWP was unable to properly quantify and understand their risk exposure in order to develop effective mitigation strategies. DWP therefore approached Atkins to perform a threat and risk assessment of their IT estate, specifically looking at key information assets and how they were stored, accessed, transmitted and processed. Atkins worked closely with DWP across a four-month programme to provide a snapshot threat, security risk and maturity assessment of key information assets across the IT estate. We identified IT and business stakeholders for engagement and reviewed DWP security approaches, policies, procedures and IT architecture to obtain the wider IT estate view. Quantitative and qualitative data was also collected on the shape of the IT estate through documentation reviews, workshops and interviews. This was then used to identify the flow of data, potential threats and vulnerabilities. Finally, we identified key security risks and opportunities to reduce and mitigate them. We then developed strategic recommendations for the ownership and management of key information assets. As a result of this work, senior stakeholders obtained a quantified view of information asset risk across the DWP IT estate. Our threat assessment recognised what would make DWP an attractive target, as well as highlighting the key threat actors and the likely attack vectors. Clear and concise prioritised expert guidance was also provided relating to information asset risk mitigation activities. This informed

UK

Without a clear and deep understanding of their current cyber posture, the client’s leadership team were unable to identify their risk exposure or to develop an effective strategy for cyber resilience. Atkins were selected to perform a cyber risk assessment to identify the key challenges, threats and risks to Government-provisioned services, broader critical national infrastructure and key economic activity. The review would need to establish a realistic picture of the client’s level of resilience and their capability to respond to a serious cyber-attack. Working in collaboration with the client and key stakeholders, we developed a snapshot cyber threat and risk assessment. This provided a maturity assessment of their key assets. A series of sequenced and integrated work packages were also created. These focused on identifying Government and business stakeholders for engagement and reviewing existing security approaches, strategies and policies to obtain a wider national view. The work packages also involved collecting and analysing data on the state of the nation through events, workshops, interviews and reviews, and identifying key security threats, risks and opportunities to reduce risk and improve resilience. As a result of the risk assessment activity, potential threats, attack vectors and vulnerabilities were also highlighted, along with identification of what would make the client an attractive target. Our client’s senior stakeholders obtained a realistic view of the maturity of their cyber defence, with key areas of weakness and strength identified across Government and business sectors. Clear and concise prioritised expert recommendations, based on the client’s technology, people and processes, were then provided

UK

The Defence Science and Technology Laboratory (Dstl) wished to commission collaborative research for the Ministry of Defence (MOD) into the relationship between people and cyber/information assurance. Particular focus was required on the human and cultural issues relevant to risk and friction points associated with the design of policy and procedure. Atkins collaborated with University College London (UCL), bringing together industry, commercial and academic expertise to undertake this research. A set of customised assessments was developed to be undertaken by MOD staff using a specialised tool. This helped to identify an individual’s security understanding within their working environment, to highlight skills and knowledge gaps and to focus on behaviours that may pose a risk to security compliance. Through this research it was identified that current security practice reduces productivity by introducing rules that often conflict with the individual’s primary task and are consequently circumvented. The work conducted represented new and innovative thinking, leading to a number of achievable recommendations across the MOD. These would ultimately lead to a new paradigm in the way systems, policies and procedures were developed and implemented. Research outcomes on the identification of friction, and understanding of what is causing it, can also form the basis for a lower-friction solution that operators can comply with.

UK

A UK critical national infrastructure energy company wished to secure its Industrial Control Systems (ICS) and SCADA from this potential threat. They particularly wished to understand which ICS information was available in the public domain that could be obtained by a potential adversary. Atkins was appointed to undertake an open source vulnerability assessment on behalf of the client, thanks to our deep knowledge of ICS security. We undertook an analytical investigation using mainstream media, blogs, social media, sector-specific journals, academic material, web 2.0 and industrial sector websites. Each threat was assessed and recommendations were proposed both to reduce the open source footprint and to mitigate the risk. Our assessment was divided into various categories, including mapping, social media, ICS, and outward-facing IT architecture. To illustrate the increased threat to ICS to the client, freely available tools were used to demonstrate the identification of networked control systems, their vulnerabilities and how they might be exploited. As a result of our assessment, our client’s new understanding of the potential threats to their ICS and adoption of our recommended mitigation measures has helped to improve security and safety for their company. Our vulnerability assessment ensured our client’s corporate risk assessment process was more effective and allowed them to take a more considered stance on mitigation and planning for attack. Our assessment also identified a number of vulnerabilities in critical systems that they were subsequently able to patch, helping to protect both revenues and shareholder returns. Given our client’s status as part of the nation's infrastructure,

UK

Contacts

Andrew Wall

Richard Piggin

Ian Buffey

Dave Butler