Cyber security and critical national infrastructure

Cyber securityand Critical NationalInfrastructureDr Richard Piggin, AtkinsCyber security means different things to different people, but fundamentally it is a term for the defences whichshield computer systems from electronic attack. These range from small-scale email scams right through to thestate-sponsored disruption of the computer-based systems that run critical national infrastructure, infrastructurethat includes the electricity grid as well as the water and transport networks.As a result, a challenge faces the governments and organisations that manage national infrastructure to ensurethat their systems are adequately protected. Moreover, the steps that they put in place must provide protectionfrom a range of cyber threats, threats that are constantly evolving.Why cyber security is important fornational infrastructureIndustrial control systems (ICS) and supervisory control anddata acquisition systems (SCADA) are utilised throughoutnational infrastructure in water, electricity, gas, petroleum,pipelines and transport. They are ubiquitous in manufacturingand even drive things as diverse as theme park rides, bridgesand ski lifts.Industrial control systems are the foundation ofmanufacturing supply chains – yet they are vulnerableto cyber attacks.ICS and SCADA are the building blocks of automated systemswhere control or monitoring of a process is required. Manyalso have varying degrees of safety-related functionality, fromprotecting operators, users or customers to members of the public.The potential disruption resulting from a cyber event could besignificant, not just in terms of lost revenue, but in the damage tothe reputations of the affected brands. For example, 80% of theUK population rely on five supermarket retailers who hold onlyfour days’ worth of stock in their supply chain; so a cyber eventcould have a far reaching impact (1).The scale of the challengeTwo recent publications in the UK have underlined theimportance of protecting critical national infrastructure and thescale of the challenge in doing so.The UK Parliamentary Office for Science and Technology (POST),a body that provides independent analysis of policy issues with ascience and technology basis, published a briefing entitled ‘CyberSecurity in the UK’ (2). The briefing highlighted recent events incyber security and discussed the potential for large-scale attackson national infrastructure, emerging issues related to this, aswell as the implementation of cyber security. Topics included theresponsibility for UK cyber security, the types of attacks, industrialcontrol systems and the need to improve resilience, security andknowledge in both industry and government.This was followed by the UK Government’s Cyber SecurityStrategy (3), which outlines a programme of governmentactivity to work closely with companies responsible for criticalnational infrastructure systems. Moreover, it announcesthe government’s intention to work with a wider range ofcompanies than those currently associated with nationalinfrastructure; anywhere the threat to revenues and intellectualproperty is capable of causing significant economic damage isnow firmly on the government’s radar.

How is Atkins advancing cyber security?Atkins is leading innovations in cyber security. An example is the development of new sector – specific standards for securing ICS andSCADA. The goal is to improve the resilience of systems. This can be achieved through education and alerting organisations to thenecessity of protecting their systems efficiently – a cost which must be met despite the existence of more tangible business priorities.Since the approaches to ICS security differ from information assurance – given the emphasis upon different business goals – the newstandards provide a basis for applying proven methodologies and techniques to this specific area. Ongoing work is addressing thegaps in the Information Assurance framework (ISO 27000 series) and will provide a scheme for common programme managementthat incorporates the appropriate measures for SCADA and industrial control systems.The pace of technological change is relentless.Keeping pace will require people who have adeep understanding of cyberspace and how it isdeveloping.UK Cyber Security Strategy, Nov 2011References1. Defra Groceries Report 2006http://archive.defra.gov.uk/evidence/economics/foodfarm/reports/documents/Groceries%20paper%20May%202006.pdf2. POSTnote 389, September 20113. UK Cyber Security Strategy, Cabinet Office, November 2011Dr Richard Piggin is a Security Sector Manager at Atkins. He has anEngineering Doctorate in Industrial Control Systems Communicationsfrom the University of Warwick and has previously worked for severalcontrol system vendors in network, security and safety-related roles. Heis a UK expert to several IEC Cyber Security Working Groups involvedin producing IEC 62443 covering Industrial Automation and ControlSystems Security. At Atkins, Richard specialises in working with clients tomake their systems resilient against current and emerging threats.richard.piggin@atkinsglobal.comwww.atkinsglobal.com/security