Data available from mainstream online media could be used to mount a cyber-attack on UK critical national infrastructure.
The warning came in an investigative assessment presented at the IET Cyber Security for Industrial Control Systems seminar on 6 February.
Key information about vulnerabilities in industrial control systems (ICSs) and Scada (supervisory control and data acquisition) systems is available from a range of sources, according to the report ‘Using Open Source Intelligence to Improve ICS & Scada Security’ by design and engineering consultancy Atkins.
The investigation discovered that many industrial-sector websites and academic papers, for example, provide information about potential attack vectors, including the identification of engineering staff, their social media information used to corroborate control systems data, and their suitability for social engineering attempts.
The identification of known vulnerabilities and exploits against specific types of control systems can also be accessed online, along with the identification of third parties such as contractors and control system integrators, who have detailed knowledge and network access.
To illustrate the increased threat to industrial control systems, the Atkins team used freely-available tools to demonstrate the identification of networked control systems, their vulnerabilities, and the exploits that may be used to attack them.
“The research demonstrates the low level of technical knowledge required to mount an attack against ICSs,” said Dr Richard Piggin, head of control systems security consulting at Atkins.
The lack of availability of specialist understanding in relation to ICS operating environments could give rise to other potential security risks, Piggin continued. “Fragmented team working – caused by demarcation or a lack of clear technology ownership – can lead to potential security weaknesses,” he pointed out.