Industrial cybersecurity

With cybersecurity grabbing the headlines, a group of UK universities begin timely research on security for major national systems in the digital age

Typing ‘cybersecurity’ into Google’s Ngram Viewer (a tool which reveals the popularity of particular words over time) reveals that the word barely registers in publications until the late 1990s. Then in 1998, the line on the Ngram graph begins to take off – at the moment the internet began to change how we connect with each other. Ten years later, the Institute for Security Science and Technology was set up at Imperial College, London, and two years later Professor Chris Hankin became its Director.

Professor Hankin is co-ordinating a group of researchers from five universities funded by an Engineering and Physical Sciences Research Council (EPSRC) grant of £2.5 million. They’re examining the cybersecurity around the UK’s vital industrial control systems and collectively are part of the Research Institute in Trustworthy Industrial Control Systems (RITICS), based at Imperial.

There’s been a wave of news stories recently around leaks and exposures of information due to the breakdown of cybersecurity. Wired magazine in the UK recently reported on a cybersecurity breach in 2012 of a company that makes smart-grid control software used in sections of the US electricity grid and in oil and gas pipelines. The social, economic and environmental impact of such attacks is being played out as contemporary nightmares by Hollywood in films such as Die Hard 4 and the recently released Michael Mann film Black Hat, lauded for its accuracy and topicality.

The EPSRC project is addressing long-term trends in how networks are constructed and controlled. ‘Historically there has always been a certain amount of automated control of industrial processes and manufacturing’, explains Professor Hankin, ‘and also of the critical national infrastructure.’ These would have been largely self-contained control systems, but that’s changing. ‘Because of an economic driver there happened to be an increasing use of off-the-shelf components to build these systems. Typically as of today, what we see is that some of the controllers used in those process control systems are effectively fully functional computers.’

Connected and vulnerable

These control systems can communicate wirelessly or are linked through the internet. While maintenance of these systems (security patches, for example) can be done remotely, the systems are more vulnerable. ‘Systems which used to be deemed isolated and standalone are now increasingly connected to the rest of the world – and therefore vulnerable to the kind of cyber attacks that we see happening in enterprise IT systems or personal IT systems.’ Another challenge is that key industrial systems need to operate 24 hours a day, 7 days a week, and can’t be taken down for patching or for software updates.

Moreover, unlike conventional enterprise information technology systems, industrial systems are installed with an expectation that they will last for 20 years or longer. ‘The desktop computers that we have on our desks tend to get renewed on a much quicker cycle, every three to five years,’ says Professor Hankin, ‘so you have a legacy issue. Some of the systems that are deployed are now running very old software. Going forward there’ll be the need to think about systems that are going to operate for long periods of time.’

Assessing the business risk

There are three key issues that the Research Institute in Trustworthy Industrial Control Systems group is addressing. ‘When you see cyber attacks, the cyber attack isn’t the endgame,’ explains Hankin, ‘the endgame is the sabotage or whatever the attacker can do to the underlying system that is being controlled. Understanding the link between cyber and physical is very important and is something we don’t properly understand right now. The second question is the ‘risk’ issue: how can we actually understand the cyber-threat and translate it into business risk so that the boards of companies can understand the need to invest. The third question is about what kind of novel technology is needed to develop to mitigate the effect of the cyber-threat that we are seeing and how can we better protect the systems that are being built against cyber threat.’

The teams in these five universities are exploring different dimensions of these questions. Birmingham University is exploring how to understand the harm that might arise from the cyber threat, looking at the railways and the national grid. City University London and Lancaster University are looking at the risk issue: the interdependence of industrial control systems linked via the internet, and how to communicate risk to business. ‘Queen’s University Belfast is looking at the third question, the novel mechanisms and mitigations that can be put in place. They are particularly focussed on energy, and power distribution. A slant that they have is that there is a lot of renewable energy being used in Northern Ireland and that raises issues around resilience and vulnerability.’ A key concern is how failure cascades when things go wrong.

Diverse Engineer Interest

‘For us here at Imperial it brings us very much in contact with the engineers,’ says Hankin. At the University they have people involved in Chemical Engineering who are interested in issues around chemical plants, people in Civil Engineering involved in the transport system and people in Electrical Engineering involved in power distribution, etc. The EPSRC is also opening up an international dimension with potential partnerships.

As ubiquitous computing, wearable technology and the internet of things emerge, cybersecurity is only going to become more of an issue. Professor Hankin observes that while the first phase of funding will run for three years from last October, ‘we anticipate we will have a sustainable future. This isn’t an area that is going to go away.’