Critical infrastructure hack data found in public domain

28 January 2014
James Hayes
Mobile version
Share |
Generic close-up view of concerned-looking male computer user

The Atkins investigation highlights the need to securely manage third-party relationships around industrial control systems

Data available from mainstream online media – such as blogs, social networking websites, and specialist online publications – could be used by malevolent agents to mount a cyber-attack on UK critical national infrastructure (CNI), the findings of an investigative assessment to be presented next week will warn.

Key information regarding vulnerabilities in Industrial Control Systems (ICSs) and Supervisory Control and Data Acquisition (SCADA) systems is now openly available from a range of sources on the public Internet, according to ‘Using Open Source Intelligence to Improve ICS & SCADA Security’ from UK design and engineering consultancy Atkins, being presented as part of the IET seminar ‘Cyber Security for Industrial Control Systems’ on 6 February in London.

The investigation discovered that many industrial sector websites and academic papers, for example, also provide some information about potential attack vectors, including the identification of engineering staff, their social media information used to corroborate control systems data, and their suitability for social engineering attempts.

The identification of known vulnerabilities and exploits against specific types of control systems can also be accessed online, along with the identification of third-parties such as contractors and control system integrators, who have detailed knowledge and physical network access.

“To illustrate the increased threat to industrial control systems, the assessment used freely-available tools to demonstrate the identification of networked control systems, their vulnerabilities – and the exploits that may be used to attack them,” said Dr Richard Piggin, head of control systems security consulting at Atkins. “The research demonstrates the low level of technical knowledge that is required to successfully mount an attack against ICSs.”

The findings highlight the necessity to manage third-parties, especially their access and activities while on-site, Dr Piggin said: “In the control system context, suitable access control, including role-based access to software and systems with activity logging is recommended”.

The IET seminar Cyber Security for Industrial Control Systems takes place at the Holiday Inn Bloomsbury (London WC1N 1HT) on 5-6 February 2014.

Further information and registration details at:

http://conferences.theiet.org/cyber-ics

Share |

Latest Issue

E&T cover image 1404

"Power cuts might seem like a 1970s fad, but they could be on the way back. How can we prevent them happening again?"

E&T videos

TomTom mapping the neighbourhood

E&T jobs

E&T Marketplace

The essential source of engineering products and suppliers.

E&T podcast

Tune into our latest podcast

iTunes logo

Subscribe

Choose the way you would like to access the latest news and developments in your field.

Subscribe to E&T