Viruses and malware on personal computers can create real problems for users. But what happens when that computer controls a power station or water treatment works?
To understand cyber-attacks on infrastructure, one has to understand the difference between information technology (IT) and industrial control systems (ICS).
“The difference is, there’s something tangible behind [ICS], be it a sensor on a water pump, a control valve on an oil and gas system or a switching box on a transmission system,” says Atkins head of cyber security Andrew Wall. “They do real things in the world, whereas if we send an email to each other it’s just a bit of data floating around.”
The IT world has been evolving steadily over the last 30 years, leaving the ICS world lagging behind.
Operators of critical infrastructure in the UK are waking up to the prospect of a cyber-attack, which could have some very real consequences.
In 2015, a Ukrainian power network was subject to a major cyber-attack. Cyber criminals hacked into the systems, turned off the power and wiped the data from a proportion of the computer networks, ensuring that rebooting the system would have no effect. The authorities managed to restore power after a few hours using manual override switches.
“[Some] 1.4M people lost power for a good proportion of a day for very little effort,” says Wall. “Previously it’s taken a physical war to have that sort of scale of effect.”
Designing systems to protect critical infrastructure against such attacks is not easy. Unlike computer IT systems, which can either be simply rebooted or switched off and patched when a problem presents itself, critical infrastructure must remain on at all times. The lifespan of a critical infrastructure element is also longer than the life of an IT system, so different approaches are needed.
Wall points to the new nuclear power plant at Hinkley Point which has been in development for 10 years. It will take 10 years to build, operate for 50 years and then take 30 years to decommission.
100 year life cycle
“It’s a 100 year life cycle,” he says. “Where were we in a technology context 100 years ago? It’s that lifecycle change. We have to be able to evolve our defences.”
As a result, Wall suggests a layered approach should be taken, putting redundancy in the system. This would allow areas of a system to be upgraded while others continue in operation.
But who is cyber attacking our infrastructure?
Cyber attacker types
Cyber security specialist Kaspersky Lab UK future technologies projects director Andrey Nikishin explains there are four general categories of cyber attacker: “amateur” hackers wanting to prove themselves to their peers; professional hackers who ask for money or a ransom; governments; and cyber terrorists.
Nikishin says that systems have to be designed with all of these hackers in mind. For amateur and professional hackers the risk/reward ratio is often poor – there is little direct monetary incentive, and in cases of national infrastructure, the hacker’s activity would be monitored by international agencies.
Government-supported hackers are generally only interested in stealing information.
Cyber terrorists seek to inflict damage on civilians and are perhaps the most dangerous. With this in mind, Nikishin says that infrastructure operators must get better at assessing the threat and take a more risk-based approach to protecting their systems.
“It’s like making everyone wear a bullet proof vest,” says Nikishin. “Theoretically there is a risk that we might get hit by a bullet, but the risk is low so we don’t bother wearing one. But for policemen, that’s obligatory for them because the risk is higher.”
Wall agrees. “If I wanted to attack [a water supplier] what’s the easiest way to do it?” he asks. “I could do a hoax telephone call saying I’ve put poison into a reservoir. They’ll shut it down and people will be without water. Do I need to spend a lot of time hacking into the system to stop the pumps working?
“It’s that risk maturity that the industry needs to get better at.”
Nikishin says that although the sophistication of the attacks may have increased, they are often executed in the same manner as they were 10 years ago. This means older cyber security defences still work well.
Often, Nikishin says, it’s a case that these defences were simply never installed. “It’s time to start [using the existing systems], not to necessarily bring in something new.”
Threats to critical infrastructure control systems are still largely located in emails sent to employees. Hackers will persuade employees to open an attachment or link, or to use infected flash drives. Nikishin says that training staff to be more savvy when opening links in emails goes a long way to being the first line of defence. Other ways to improve security include better password management, and installing firewalls to block malicious content.
He also feels there should be a baseline of protection which should be enforced for critical infrastructure. The UK Government is now taking action. It has set up the National Cyber Security Centre, at Government Communications Headquarters (GCHQ). This, it hopes, will act as a bridge between it and industry, providing a unified source of advice and cyber security support, including cyber security incident management.
Nikishin says no amount of patches, firewalls or new government initiatives will ever fully protect infrastructure. “There is no such thing as 100% secure. It’s not a project, it’s a process,” he says. “It should be reassessed every day and embedded into the culture of the organisation. That’s the only way the company can fight against cyber attacks.”