- Zurich, Canton of Zürich (CH)
The successful candidate is expected to develop a strong and visible research programme in the area of control and diagnostics of building systems
- Recruiter: ETH Zurich
We are looking for an electrical engineer with around 4- 6 years of design experience to join and work with an able and talented group of engineers..
- Recruiter: Max Fordham LLP
- England, Cumbria, Barrow-In-Furness
- Competitive package
As an Engineering Manager - Naval Architecture you will be managing the Whole Boat Architecture and Concepts team tasked with supporting the delivery of the remaining Astute submarines, and developing new technology for future submarine programmes.
- Recruiter: BAE Systems
- Bootle, Cheltenham and London
- Competitive + Benefits
With expertise and influence, you’ll set the standard for nuclear safety.
- Recruiter: Office for Nuclear Regulation
- Albany or Palmerston North
This role offers an outstanding opportunity to lead and further develop a well-established and internationally recognized School.
- Recruiter: Massey University
- City of Westminster, London (Greater)
- Circa £65,000 (There may be more for an exceptional candidate)
You will lead on a number of engineering infrastructure and associated workstreams under direction from the Deputy Director
- Recruiter: House of Commons
- South West England
Exciting opportunities have arisen within as we expand to meet the growing demands of the UK Submarine Programme.
- Recruiter: Babcock
- Humber Refinery, South Killingholme, North Lincolnshire DN40 3DW
- £60k - 75k plus extensive Compensation and benefits package, dependent upon experience
Experienced Process Control Leader providing leadership and technical support for Oil Refinery. Extensive Compensation and benefits package.
- Recruiter: Phillips 66
- Warwick, Warwickshire
You will be required to lead the regional Customer Services strategy and resources to maximise Customer satisfaction.
- Recruiter: Siemens
- England, Hampshire, Portsmouth
Communications Engineer Would you like to play a key role supporting the UK's Maritime Communications Infrastructure? We currently have a vacancy for a Communications Engineer at our site in Portsmouth. As a Communications Engineer, you will be carrying o
- Recruiter: BAE Systems
How to disarm an infrastructure hacker
The media has been full of reports of cyber-attacks on critical infrastructure, but the fear is that there is far worse to come.
"We are at the beginning of a new and dangerous era of cyber warfare." That is the chilling warning from Mikko Hyponnen, chief research officer at Internet security company F-Secure.
Hyponnen believes that the days of the mischievous teen hacker can be consigned to the 1990s and that far darker motives drive the hackers of today, whether they are criminals, activists, terrorists or, more worryingly, state-sponsored groups.
A quick scan of recent headlines makes it difficult to disagree with that assessment, with a multitude of attacks reported on critical infrastructure. Top of the list when it comes to media attention is the Stuxnet virus. This has been the culprit in three high-profile instances of cyber terrorism – in Estonia, in Iran (on a nuclear facility) and in Saudi Arabia (on oil infrastructure).
Late last year hackers used the Shamoon worm to attack Saudi Armco in an attempt to halt fuel production. Whilst the attack on a company that produces 10 per cent of the world's oil failed to stem the flow, it crippled the company's network and infected some 30,000 computers. The blame was laid firmly at the door of an activist group calling itself Cutting Sword of Justice. Although they failed to interfere with production, the organisation claimed to have accessed important documents that they threatened to leak at a future date. Earlier this year an American power plant was disabled by a malicious attack that was carried into its control system via a USB stick.
A public transportation system was the victim of an attack in 2008 when a Polish teenager hacked the control network and turned a Polish tram system into his own private, full-size train set. The 14-year-old modified a TV remote control so that it could be used to change points on the system. Four trams were derailed, though fortunately no one was killed.
Of course, the UK is not immune to such attacks. "On average over 30,000 malicious emails are blocked at the gateway to the government's secure Internet every month," Chloe Smith, minister for political and constitutional reform revealed at this year's Infosec event. "These are likely to contain sophisticated malware, often sent by highly capable cyber criminals and state-sponsored groups."
In the UK government's national security strategy, cyber-attacks are categorised as a 'tier-one' threat to the country's national security, alongside international terrorism.
The UK Strategic Defence Review has allocated £650m over four years to establish a new National Security Programme that will work to identify and analyse attacks. The review also extended the role of the Centre for the Protection of National Infrastructure (CPNI). The CPNI works with the operators of essential services and with government departments to identify infrastructure at risk and help protect it.
Another vital cog in the UK anti-cyber arsenal is fabled GCHQ. Best known for its foreign intelligence role it is perhaps not so widely known that GCHQ also has a clear security mission. Its precise mandate is "to provide advice and assistance about... cryptography and other matters relating to the protection of information and other material".
"My perspective on 'cyber' comes from bringing together both sides of GCHQ's mission: the intelligence mission illuminates some of the capabilities ' and sometimes the intentions of adversaries to use cyber techniques," Iain Lobban, director of GCHQ recently said at the International Institute for Strategic Studies (IISS). "It allows us to detect some of their activities. And the information assurance mission gives us knowledge of where our own government and critical national infrastructure systems, and those of our Allies, may be vulnerable to cyber exploitation.
"It is true that we have seen worms cause significant disruption to government systems – both those targeted deliberately against us, and those picked up from the Internet accidentally. It is true that we have seen the use of cyber techniques by one nation on another to bring diplomatic or economic pressure to bear. Cyberspace lowers the bar for entry to the espionage game, both for states and for criminal actors.
"Much attention has been paid in the media to the potential for cyber-attacks to seriously disrupt critical national infrastructure. I would not wish to talk about the steps we take with the Security Service to reduce specific vulnerabilities. But the threat is a real and credible one. We already provide expert advice and incident response to the operators of critical services. We must continue to strengthen these capabilities and be swifter in our response, aiming to match the speed at which cyber events happen. We need to consider the value of receiving in return a direct feed of information from the operators with that same sort of timeliness so that we are aware of the attacks that they are seeing on their systems as they happen. Of course that would need to be in proportion to the threat faced. But such feeds could give us the opportunity to respond, if necessary, with some active defensive techniques, as well as to spread knowledge of the threat quickly to others who may be vulnerable. For me this points to a different sort of partnership between the national security agencies and the key industry players. Our systems will need to be more interconnected. And we may need to establish different financial models to underpin a national capability which will be both public and private."
Richard Piggin, security expert at Atkins Global, believes that cyber security means different things to different people, but fundamentally it is a term for the defences which shield computer systems from electronic attack. "These range from small-scale email scams right through to the state-sponsored disruption of the computer-based systems that run critical national infrastructure, infrastructure that includes the electricity grid as well as the water and transport networks," he says.
Critical national infrastructure – whether in power, water, sewerage, petroleum, pipelines and transport – rely on industrial control systems (ICS) and supervisory control and data acquisition systems (SCADA). Even beyond these they are deeply embedded in activities from manufacturing to theme-park rides.
"ICS and SCADA are the building blocks of automated systems where control or monitoring of a process is required," Piggin explains. "Many also have varying degrees of safety-related functionality, from protecting operators, users or customers to members of the public."
The potential vulnerability of ICS systems was highlighted by Stuxnet, a very sophisticated tailored attack against specific systems (the Iranian enrichment facilities). However, much of the potential vulnerability is the capability of the controllers to be legitimately programmed to perform control functionality in infrastructure applications.
However, disruption from a cyber-event could be devastating. For example, around 80 per cent of the UK population relies on five supermarket retailers who hold only four days' worth of stock in their supply chain; so a cyber-event could have a far-reaching impact.
"Based on our data and expertise we see the constant rise of the intensity of attacks of all kinds, including targeted attacks on critically important systems," Costin Raiu, director of global research and analysis team at Kaspersky Lab, explains. "Unfortunately, it is hard to come up with exact data for attacks on industrial systems, as there is no existing practice of registering and analysing such incidents and disclosing data about them publicly.
"We can definitely say that there were tens of incidents involving critical infrastructure last year."
Overall, modern industrial systems employ a highly complex infrastructure, comprised of modern as well as legacy hardware and software, specialised controller systems as well as traditional computers. Thanks to such complexity, establishing a proper protection for the entire infrastructure of for example, a hospital computer system or electric plant, is not an easy task.
Even generic, widespread and non-intelligent malware may and does affect critical infrastructure, let alone targeted attacks for the purposes of cyber-espionage and sabotage. The latter, being the worst-case scenario, may result in serious consequences for hundreds of millions of people who are highly dependent on technology in their life.
One more unpleasant thing about attacks on critical infrastructure is that mitigation options are rather different from the ones used in normal computer environments. "When an attack is detected on a regular corporate network, the best option might be to isolate or shut down the affected node temporarily, to prevent further consequences," Raiu says. "Typical industrial systems cannot be isolated or turned off easily in the same manner. The personnel responsible for the reliability of an industrial system have to ensure that no critical failures occur, despite the attack."
The most serious threats are the ones able to affect the availability of hardware of software systems, used to control technological processes. The second most critical type of threat is when a criminal group targets the integrity of information, circulating in the industrial computer network. Both threats may be classified as external, although attacks of this type may originate from both the Internet and inside the protected network perimeter.
There are many possible ways to attack critical infrastructure. "One example is the ability to remotely control the equipment, for instance when enabled by the equipment manufacturer," Raiu adds. "Another is the default passwords used to access critical nodes, lack of security mechanisms like authentication in technological data exchange protocols. Of course, security of industry is affected by inefficient policies employed by the system owner, lack of personnel discipline, insufficient knowledge in the level of security among engineers responsible for deployment and maintenance of an industrial system."
The topicality of this problem is understood by the governments worldwide and international bodies. "In our view, protection of critical infrastructure requires a joint effort from governmental organisations, technology and security experts, vendors of hardware and software solutions. Only the joint operations will prevent a significant risk of attacks on critical infrastructure, being a part of an ongoing cyber war."
According to Raiu there are many steps which can be implemented in order to increase the security of critical infrastructures, and they range from simple to complex.
He says that the easy steps are to define a good, thorough security policy for the whole organisation and deploy firewalls that separate critical networks from the public Internet. In addition, there is the pressing need to deploy advanced security software, monitoring traffic and keep detailed logs.
When it comes to harder steps, top of the list is to upgrade all versions of Windows to Windows 7 x64 (64 bits) as well as to remove Internet Explorer in favour of a more secure browser such as Chrome. He also recommends removing Java from all PCs along with old hardware that can't be properly secured. Other measures include implementing a 'whitelisting' policy by banning all unknown programs, deploying 'honeypots' inside the organisation to track attacks and educating the personnel about security threats
"But the most essential problem for critical industrial systems is trustworthy monitoring," Raiu continues. "Operators of such systems have to be able to get precise information about system nodes, such as the telemetry from certain controllers, for example. This alone will not prevent the attack but will allow the personnel to identify the cause of the breach and take measures.
"Otherwise, if the attackers are able to falsify the monitoring data, there is no way to reveal the fact of the attack in the first place. The Secure OS approach solves this problem by enabling an additional, highly secure and fully trustworthy control layer. Combined with more traditional security technologies, such as proper evaluation of risks, development of mitigation tactics, deployment of security policies and timely software updates, Secure OS will offer more efficient protection for the critical infrastructure systems."
"As the dust settles after the referendum result, we consider what happens next. We also look forward to an international summer of sport."
- Flight MH370: chief investigator believes plane plunged into sea at 400km/hr
- Origin of Jupiter’s mysterious hot spot found
- Ocean computer simulation reveals alternative MH370 location
- Technology translates donkey speech into human sentences
- Porsche gears up for all-electric model as parent company VW cleans up its act
- Apple’s future lies with AI and augmented reality, says CEO