• Cyber Resilient Infrastructure Report

Information Communications

Print Bookmark

Atkins design, develop and protect complex communications networks and are involved in mission-critical systems on which the world depends. 

About

To stay competitive in the global market the UK’s digital infrastructure needs to be amongst the very best in the world.

At Atkins, complex communications networks are what we do. We design them using wireless and fibre-optic technology, develop specialist software for them and protect them by understanding and countering threats.

Over the years, we’ve won awards for our work and built up tremendous expertise to become true thought leaders in information communications. Our work has taken broadband to remote islands and the latest biometric technologies to airports for identity assurance. Atkins is involved in mission-critical systems on which the world depends.

We can help, whatever the challenge. Listening and understanding are first principles, innovation second nature. We always remember how important our relationship and collaboration with our client, is in successfully delivering a project.

FEATURES

Expertise

Our breadth of technical expertise and comprehensive knowledge of our chosen markets ensure our projects achieve maximum benefit for our clients.

Mapping and geospatial analysis

We specialise in the capture and use of geospatial data, and in the design and implementation of geographical information systems (GIS).

Converged networks

We have designed and implemented voice, data and video high bandwidth networks delivering improved efficiency and savings to clients.

Industrial automation systems

We are world leaders in the design and implementation of advanced process automation monitoring and visualisation systems, providing vertical integration of information from the shop floor to boardroom.

Identity assurance

We are experts in the design, building and implementation of enterprise identity assurance solutions, using the latest and most appropriate biometric technologies.

Advanced network design

We are able to solve the most complex of communications and network challenges involving a mixture of wireless and fibre-optic technologies.

Software development

We have a team of software development engineers building applications to overcome complex business and operational challenges.

Infrastructure support services

We support a huge range of clients examining and completing development projects in the UK with a comprehensive range of utility management services. These include the collection and collation of accurate utility plant location.

Angles

View all

Richard Piggin
26 Jan 2017

The most recent campaign is reported to have commenced on 6 December, continuing through to 20 December. Vsevolod Kovalchuk, a director at the Ukrainian national energy company Ukrenergo, told Reuters that the 200 megawatt interruption was equivalent to approximately a fifth of Kiev's night time energy consumption, and that the scale of the interruption was very rare. The automation was shut down in the Pivnichna power transmission substation located north of Kiev. The remote terminal units (RTUs) opened circuit breakers, causing a power outage that lasted for 75 minutes. Power was restored manually, with full restoration early the following morning. Power loss was reported in northern Kiev and on the eastern bank of the Dnieper River and the surrounding area. The Ukrenergo director described ‘external influences’ effecting workstations and SCADA (supervisory control and data acquisition) servers, and anomalies with transmission network data. Although investigations are ongoing, in the meantime researchers have confirmed significant similarities to the power outage a year earlier. This includes phishing attacks, with malware embedded in Microsoft document macros, and traces of BlackEnergy 3 malware used in the attacks targeting Ukraine Government organisations. Oleksii Yasnskiy of ISSP labs, distinguished the more recent attacks, using significant obfuscation: “Being more complex and better organised.” Marina Krotofil, a security researcher at Honeywell Industrial Cyber Security Lab contrasted the previous damaging attack: “They could do many more things, but obviously they didn’t have this as an intent. It was more like a demonstration of capabilities.” Ukrainian media and security researchers have also

UK & Europe ,

Roger Cruickshank
19 Dec 2016

Only last week the headline ‘look no hands’ was pasted across a Dubai newspaper, confirming that a car had driven the 100 km journey itself between Dubai and Abu Dhabi.  Maybe the introduction of mainstream driverless cars isn’t too far off after all.  Dubai actually already has the longest Connected and Autonomous vehicle (CAV), in the form of its Metro, which has been running with ‘no hands’ since 2009.  And those in the taxi business might say that the ability to order and direct a vehicle  is a proxy CAV; the International Road Transport Union (IRU)  recently revealed that their UpTop scheme (bringing global taxi apps onto one platform) has attracted more than double the number of vehicles using Uber. The notion of driverless is not new: besides several metros around the world, driverless lifts and elevators have been around for decades, as has the autopilot button that gets pressed when we fly across the globe. We’ve in fact been using driverless transport for years with a strong safety record.  But CAVs (and their offshoots) are likely to have a greater impact than the first jet airliners of the early 1960s.  At Atkins, a design, engineering and project management consultancy, we consider that this new means of travel and the data generated by its introduction, will touch every part of the built environment - a real eye opener.  We are ourselves leading the UK development of an independent test site for, and a market leading capability in, autonomous vehicles, investigating the

Middle East , North America , UK & Europe ,

Caroline Bimson
02 Dec 2016

We’re all aware of the opportunities to be unlocked, including the services needing fundamental improvement, the efficiencies and savings that could be gained, the possibilities for enhanced citizen engagement and the power of data that could be released through digital change. However, we’re also all aware of the huge mistakes that have been made, the money wasted, and the disappointment felt by many over the failed execution of ambitious promises. Based on our extensive experience of managing complex change in local and central government, we believe that it’s possible to move from rhetoric to reality. In order to achieve this there are three key paradigm shifts required for delivering complex change simply. These are: Don’t start with digital Keep it simple, keep it purposeful Future proof from the start Our evidence comes from the award-winning and successful transformation of several local authority services. Originally initiated under the Connect Digitally programme, which closed in 2012, they continue to deliver better outcomes and savings today and are being reused for new services. In this, our first of three linked articles, we reflect on the first paradigm shift and specifically our digital experiences and the lessons we’ve learned through implementation. Don’t start with digital Never start with the technology. Start with the business and policy needs and outcomes. Start with the people who need to be involved, with researching the benefits and disadvantages. Start with understanding the level of trust/distrust, and with clarity on the governance required. A lack of

UK & Europe ,

Russell Cameron
18 Nov 2016

We all recognise that the physical and digital worlds are colliding. Increasing digitisation in the way that businesses operate has resulted in new players coming to market with disruptive business models. These include the likes of Uber and Airbnb; companies that don’t actually own any assets but are taking a competitive lead in their respective market places through innovative digital service offerings. We are already seeing the global technology leaders and disruptive start-ups entering our markets too. Digitisation creates efficiencies, and potentially unlocks agility, responsiveness and adaptability, all of which are big drivers for the future of the delivery of infrastructure projects. Intelligent infrastructure You can see the appeal to infrastructure asset owners. The digitisation of infrastructure helps service providers to track and manage their assets more effectively, as well as to focus more on the total lifecycle of infrastructure programmes. Digitisation also allows for the optimisation of the performance of assets, both for the asset owners and the ultimate end users/customers of those services. Across our critical national infrastructure, we’re also seeing the worlds of IT and Operational Technology (OT) coming together to drive greater efficiency. OT includes the hardware and software that controls or monitors the state of a physical system, such as water supply. However, the digitisation of OT is a particular challenge given the sheer range of often aging systems – all of which are now being connected to the internet and are expected to run at 100% uptime. Ensuring that they continue to do so safely and securely is

UK & Europe ,

Projects

View all

As part of its focus on continually improving its people, processes and information, EDF recognised the need to gain a better understanding of its staff’s security awareness and training needs so that a specific programme could be developed to meet their continual learning requirement in this area. Atkins worked closely with the client for over three years providing professional advice, analysis and solutions through the full lifecycle of organisational learning and development. This work included development of better learning and development solutions for a range of requirements, such as: • Support for the design and implementation of a structured training programme for the internal regulation department of around 60 people • Design and support of training-related management information and reporting • Design and implementation of a major e-learning PC-based training package on Basic Nuclear Principles Refreshment to be used by over 400 people on a cyclical basis • Participation in key self-assessments relating to organisational learning and development improvements that will support the re-accreditation of the Engineering Support training programme against industry standards. These support services were key to EDF achieving training standards accreditation for one of the largest single training programmes in the world. This has in turn provided credibility for lifetime extension programmes for the company’s existing nuclear fleet and new build programmes. Our support has meant that EDF can clearly demonstrate that they have control of their nuclear resources in a measurable and systematic programme which has a clear view of the challenges in addressing an aging demographic and a finite industry

UK ,

Horizon was particularly aware of the issues surrounding the UK approach to security of control and protection systems. Realising that it did not possess detailed knowledge of evolving best practice and regulatory requirements, our client wished to undertake a comprehensive review of relevant standards, guidance and approaches, as well the expectations of bodies that provided security advice. Atkins was chosen to undertake this security standards review. Our work addressed UK best practice and other well established industry methods from around the world. Nuclear best practice was also discussed, including the US NRC 5.71 Regulatory Guide, which had already adopted international good practice, albeit through a very prescriptive implementation. We reviewed the best practice and standards utilised for securing Industrial Control Systems (ICS) and produced a comprehensive overview, assessment and recommendations on future practice. Our review included: The ISO/IEC 27001/27002 series: • ISA99 – Industrial Automation and Control System Security • IEC 62443 – Industrial Communication Networks Network and System Security • NIST SP 800-82 Guide to Industrial Control Systems (ICS) Security • NRC Regulatory Guide 5.71 Cyber Security Programs for Nuclear Facilities. At the end of the comprehensive review, Atkins produced two briefing papers. The first of these covered ICS security best practice, emerging developments and a forward-looking strategy. The second paper concentrated upon nuclear safety protection systems. The briefing papers, follow up presentations, and meetings provided Horizon with a detailed understanding of the security and safety practices which they then used to inform their strategic planning.

UK ,

HE partnered with their Netherlands equivalent, Rijkswaterstaat (RWS), to help overcome their legacy system drawbacks. Both wished to develop a future operating model that delivered a modern and open technology platform and effective supply chain that would improve the resilience and efficiency of their road networks. Atkins were tasked with developing the security requirements for the Advanced Traffic Management System (ATMS) operating model, and supporting its delivery through an open tender process to enable appropriate suppliers to provide the new solution. We worked in collaboration with HE and RWS, integrating our subject matter experts into the project team. This allowed us to agree a joint security approach which would took into account the different cultural, business, security and legislative concerns that the two partners faced. By working closely with all stakeholders, we determined the existing operational structures, business goals and service requirements. We reviewed UK and Dutch security standards and Governmental requirements and negotiated a joint approach to meet these. Finally, we developed a ‘to-be’ security operating model to meet business requirements for input into ‘Pre-qualification questionnaire’ (PQQ) and ‘Invitation to tender’ (ITT) contract phases and proposed and agreed approaches for the formal accreditation of ATMS. Our security-focused business systems analysis and requirements development led to a detailed set of building block deliverables at functional and technical levels. These included the specific application, infrastructure, hosting and platform components. The completion of this project provided HE and RWS with a pragmatic and realistic view of the threat environment for information assets with a

UK ,

The client had found it difficult, expensive and disruptive to their programme portfolio to maintain and manage a pool of experienced security consultants with the necessary analysis and security artefact-creation skills required to support the accreditation decision. Due to the finite resource, deciding which projects would benefit most from the IA consultants’ skills was also proving challenging. As a result, there was a risk of critical systems either remaining unaccredited or being accredited on the basis of an inadequate risk assessment. We worked with the client to develop a new managed service approach to the provision of security that brought together all the necessary expertise into a single team. Through the creation and implementation of a security catalogue, we provided key security and accreditation activities for the client. These covered business impact identification, risk assessment, threat and vulnerability analysis, and current and new service/system ‘as-is’ security reviews. Also included were estate and system architecture advice and design, policy and standards gap analyses, and accreditation and risk management. In addition, our (previously CLAS) accredited security consultants provided specialist security support or management to particular projects over an extended period. Through the implementation of managed accreditor services we coached, mentored and trained the client’s junior accreditors. This proved to increase the client’s capabilities in accreditation and developed the organisation’s information risk management maturity. Our managed security consultancy service provided specialist advice to the client that is now an embedded part of the enterprise architecture. Our specialist expertise was also applied to the client’s department-wide information assurance enhancement

UK ,

As a significant element of the IT estate was legacy, the key challenge our client faced was understanding where information assets were stored and processed. This knowledge gap meant that DWP was unable to properly quantify and understand their risk exposure to help develop effective mitigation strategies. DWP therefore approached Atkins to perform a threat and risk assessment of their IT estate, specifically looking at key information assets and how they were stored, accessed, transmitted and processed. Atkins worked closely with DWP across a four month programme to provide a snapshot threat, security risk, and maturity assessment of key information assets across the IT estate. We identified IT and business stakeholders for engagement and reviewed DWP security approaches, policies, procedures and IT architecture to obtain the wider IT estate view. Quantitative and qualitative data was also collected on the shape of the IT estate through documentation reviews, workshops and interviews. This was then employed to identify the flow of data, potential threats and vulnerabilities. Finally, we identified key security risks and opportunities to reduce and mitigate these. We then developed strategic recommendations for the ownership and management of key information assets. As a result of this work, senior stakeholders obtained a quantified view of information asset risk across the DWP IT estate. Our threat assessment recognised what would make DWP an attractive target, as well as highlighting the key threat actors and the likely attack vectors. Clear and concise prioritised expert guidance was also provided relating to information asset risk mitigation activities. This informed

UK ,

Without a clear and deep understanding of their current cyber posture, the client’s leadership team were unable to identify their risk exposure or to develop an effective strategy for cyber resilience. Atkins were selected to perform a cyber risk assessment to identify the key challenges, threats and risks to Government-provisioned services, broader critical national infrastructure and key economic activity. The review would need to establish a realistic picture of the client’s level of resilience and their capability to respond to a serious cyber-attack. Working in collaboration with the client and key stakeholders, we developed a snapshot cyber threat and risk assessment. This provided a measurement of maturity assessment relating to their key assets. A series of sequenced and integrated work packages were also created. These focused on identifying Government and business stakeholders for engagement and reviewing existing security approaches, strategies and policies to obtain a wider national view. The work packages also involved collecting and analysing data on the state of the nation through events, workshops, interviews and reviews, and identifying key security threats, risks and opportunities to reduce risk and improve resilience. As a result of the risk assessment activity, potential threats, attack vectors and vulnerabilities were also highlighted, along with identification of what would make the client an attractive target. Our client’s senior stakeholders obtained a realistic view of the maturity of their cyber defence, with key areas of weakness and strength identified across Government and business sectors. Clear and concise prioritised expert recommendations, based on the client’s technology, people and processes, were then provided

UK ,

The Defence Science and Technology Laboratory (Dstl) wished to commission collaborative research for the Ministry of Defence (MOD) into the relationship between people and cyber/ information assurance. Particular focus was required on the human and cultural issues relevant to risk and friction points associated with the design of policy and procedure. Atkins collaborated with University College London (UCL), bringing together industry, commercial and academic expertise to undertake this research. A set of customised assessments were developed to be undertaken by MOD staff using a specialised tool. This helped to identify an individual’s security understanding within their working environment, to highlight skills and knowledge gaps and focus on behaviours that may pose a risk to security compliance. Through this research it was identified that current security practice reduces productivity by introducing rules that often create a conflict with the individual’s primary task and are consequently circumvented. The work conducted represented new and innovative thinking leading to a number of achievable recommendations across the MOD. These would ultimately lead to a new paradigm in the way systems, policies and procedures were developed and implemented. Research outcomes of the identification of friction, and understanding of what is causing it, can also form the basis for a potentially lower friction solution that operators can comply with.

UK ,

A UK critical national infrastructure energy company wished to secure its Industrial Control Systems (ICS) and SCADA from this potential threat. They particularly wished to understand which ICS information was available in the public domain that could be obtained by a potential adversary. Atkins was appointed to undertake an open source vulnerability assessment on behalf of the client, thanks to our deep knowledge of ICS security. We undertook an analytical investigation using mainstream media, blogs, social media, sector-specific journals, academic material, web 2.0 and industrial sector websites. Each threat was assessed and recommendations were proposed to both reduce the open source footprint and mitigate against the risk. Our assessment was divided into various categories, including mapping, social media, ICS, and outward-facing IT architecture. To illustrate the increased threat to ICS to the client, freely available tools were used to demonstrate the identification of networked control systems, their vulnerabilities and how they might be exploited. As a result of our assessment, our client’s new understanding of the potential threats to their ICS and adoption of our recommended mitigation measures has helped to improve security and safety for their company. Our vulnerability assessment ensured our client’s corporate risk assessment process was more effective and allowed them to take a more considered stance on mitigation and planning for attack. Our assessment also identified a number of vulnerabilities in critical systems that they were subsequently able to patch, helping to protect both revenues and shareholder returns. Given our client’s status as part of the nation's infrastructure,

UK ,

Products

CIRRUSmaps™

CIRRUSmapsTM  

CIRRUSmaps™ is a flexible web mapping platform to help you turn location based data into valuable business information.
www.cirrusmaps.co.uk

FARYNOR

Farynor  

FARYNOR is a comprehensive and adaptable Fire Safety Records Management System. It is available as a ‘software as a service’ on the UK Government G-Cloud.
www.farynor.co.uk

JOURNEY PLANNING PORTAL (JPP)

Journey Planning Portal  

The Journey Planning Portal (JPP) is a web application for employers to communicate with their employees directly on reduce their carbon footprint by encouraging sustainable travel.
http://journeyplanningportal.com

LOCARD FORENSIC CASE MANAGEMENT

LOCARD  

LOCARD is the most advanced truly integrated Forensic Case Management System on the market. It is available as a ‘software as a service’ on the UK Government G-Cloud.
www.locard.co.uk

MALPAS

Malpas  

MALPAS is one of the world’s most rigorous and advanced software analysis and verification toolsets.
www.malpas-global.com

READY TO DIG

Ready to dig  

Atkins is the UK’s leading provider of utility reports. We also provide a wide range of utility management services across the lifecycle of a project.
www.utilitymanagementsolutions.co.uk/readytodig/

Locations

For more information on our work and experience in this sector please contact:

United Kingdom

Map of Bristol BS32 4RZ, UK

Dave Clark
Divisional business development director

500 Park Avenue
Aztec West
Almondsbury
Bristol BS32 4RZ
United Kingdom
Tel: +44 7834566727
Email: David.K.Clark@atkinsglobal.com

Defence CIDA course developer/lecturer:
Kevin Lindborg MIET
Tel: +44 7711 316162
Email: kevin.lindborg@atkinsglobal.com

Resources

In this section you can find technical papers, thought leadership articles and brochures produced by Atkins for the information communications sector.

Title Format Size
Welcome to broadband country pdf 256KB

In this section you can find technical papers, thought leadership articles and brochures produced by Atkins for the information communications sector.

Title Format Size
Western Isles video wmv 9.6MB

Careers

View all