Data available from mainstream online media – such as blogs, social networking websites, and specialist online publications – could be used by malevolent agents to mount a cyber-attack on UK critical national infrastructure (CNI), the findings of an investigative assessment to be presented next week will warn.
Key information regarding vulnerabilities in Industrial Control Systems (ICSs) and Supervisory Control and Data Acquisition (SCADA) systems is now openly available from a range of sources on the public Internet, according to ‘Using Open Source Intelligence to Improve ICS & SCADA Security’ from UK design and engineering consultancy Atkins, being presented as part of the IET seminar ‘Cyber Security for Industrial Control Systems’ on 6 February in London.
The investigation discovered that many industrial sector websites and academic papers, for example, also provide some information about potential attack vectors, including the identification of engineering staff, their social media information used to corroborate control systems data, and their suitability for social engineering attempts.
The identification of known vulnerabilities and exploits against specific types of control systems can also be accessed online, along with the identification of third-parties such as contractors and control system integrators, who have detailed knowledge and physical network access.
“To illustrate the increased threat to industrial control systems, the assessment used freely-available tools to demonstrate the identification of networked control systems, their vulnerabilities – and the exploits that may be used to attack them,” said Dr Richard Piggin, head of control systems security consulting at Atkins. “The research demonstrates the low level of technical knowledge that is required to successfully mount an attack against ICSs.”
The findings highlight the necessity to manage third-parties, especially their access and activities while on-site, Dr Piggin said: “In the control system context, suitable access control, including role-based access to software and systems with activity logging is recommended”.
The IET seminar Cyber Security for Industrial Control Systems takes place at the Holiday Inn Bloomsbury (London WC1N 1HT) on 5-6 February 2014.
Further information and registration details at: