Your browser is no longer supported

For the best possible experience using our website we recommend you upgrade to a newer version or another browser.

Your browser appears to have cookies disabled. For the best experience of this website, please enable cookies in your browser

We'll assume we have your consent to use cookies, for example so you won't need to log in each time you visit our site.
Learn more

Infrastructure Resilience | Cyber attacks

Istock 79020631 xxlarge cropped

Viruses and malware on personal computers can create real problems for users. But what happens when that computer controls a power station or water treatment works?

To understand cyber-attacks on infrastructure, one has to understand the difference between information technology (IT) and industrial control systems (ICS).

“The difference is, there’s something tangible behind [ICS], be it a sensor on a water pump, a control valve on an oil and gas system or a switching box on a transmission system,” says Atkins head of cyber security Andrew Wall. “They do real things in the world, whereas if we send an email to each other it’s just a bit of data floating around.”

Evolving world

The IT world has been evolving steadily over the last 30 years, leaving the ICS world lagging behind.

Operators of critical infrastructure in the UK are waking up to the prospect of a cyber-attack, which could have some very real consequences.

In 2015, a Ukrainian power network was subject to a major cyber-attack. Cyber criminals hacked into the systems, turned off the power and wiped the data from a proportion of the computer networks, ensuring that rebooting the system would have no effect. The authorities managed to restore power after a few hours using manual override switches.

“[Some] 1.4M people lost power for a good proportion of a day for very little effort,” says Wall. “Previously it’s taken a physical war to have that sort of scale of effect.”

1.4M people lost power for a good proportion of the day for very little effort

Andrew Wall, Atkins

Designing systems to protect critical infrastructure against such attacks is not easy.  Unlike computer IT systems, which can either be simply rebooted or switched off and patched when a problem presents itself, critical infrastructure must remain on at all times. The lifespan of a critical infrastructure element is also longer than the life of an IT system, so different approaches are needed.

Wall points to the new nuclear power plant at Hinkley Point which has been in development for 10 years. It will take 10 years to build, operate for 50 years and then take 30 years to decommission.

100 year life cycle

“It’s a 100 year life cycle,” he says. “Where were we in a technology context 100 years ago? It’s that lifecycle change. We have to be able to evolve our defences.”

As a result, Wall suggests a layered approach should be taken, putting redundancy in the system. This would allow areas of a system to be upgraded while others continue in operation.

But who is cyber attacking our infrastructure?

Cyber attacker types

Cyber security specialist Kaspersky Lab UK future technologies projects director Andrey Nikishin explains there are four general categories of cyber attacker: “amateur” hackers wanting to prove themselves to their peers; professional hackers who ask for money or a ransom; governments; and cyber terrorists.

Nikishin says that systems have to be designed with all of these hackers in mind. For amateur and professional hackers the risk/reward ratio is often poor – there is little direct monetary incentive, and in cases of national infrastructure, the hacker’s activiy would be monitored by international agencies.

Government-supported hackers are generally only interested in stealing information.

Cyber terrorists

Cyber terrorists seek to inflict damage on civilians and are perhaps the most dangerous. With this is mind, Nikishin says that the infratructure operators must get better at assessing the threat and take a more risk-based approach to protecting their systems.

“It’s like making everyone wear a bullet proof vest,” says Nikishin. “Theoretically there is a risk that we might get hit by a bullet, but the risk is low so we don’t bother wearing one. But for policemen, that’s obligatory for them because the risk is higher.”

Wall agrees. “If I wanted to attack [a water supplier] what’s the easiest way to do it?” he asks. “I could do a hoax telephone call saying I’ve put poison into a reservoir. They’ll shut it down and people will be without water. Do I need to spend a lot of time hacking into the system to stop the pumps working?

Risk maturity

“It’s that risk maturity that the industry needs to get better at.”

Nikishin says that although sophistication of the attacks may have increased, they are often executed in the same manner as they were 10 years ago. This means older cyber security defences still work well.

Often, Nikishin says, it’s a case that these defences were simply never installed. “It’s time to start [using the existing systems], not to necessarily bring in something new.”

Email threat

Threats to critical infrastructure control systems are still largely located in emails sent to employees. Hackers will persuade employees to open an attachment or link or infected flash drives. Nikishin says that training staff to be more savvy when opening links in emails goes a long way to being the first line of defence. Other ways to improve security include better password management, and installing firewalls to block malicious content.

He also feels there should be a baseline of protection which should be enforced for critical infrastructure. The UK Government is now taking action. It has set the National Cyber Security Centre, at Government Communications Headquarters (GCHQ). This, it hopes, will act as a bridge between it and industry, providing a unified source of advice and cyber security support, including cyber security incident management.

Nikishin says no amount of patches, firewalls or new government initiatives will ever fully protect infrastructure. “There is no such thing as 100% secure. It’s not a project, it’s a process,” he says. “It should be reassessed every day and embedded into the culture of the organisation. That’s the only way the company can fight against cyber attacks.”

Have your say

You must sign in to make a comment

Please remember that the submission of any material is governed by our Terms and Conditions and by submitting material you confirm your agreement to these Terms and Conditions. Please note comments made online may also be published in the print edition of New Civil Engineer. Links may be included in your comments but HTML is not permitted.