UK critical national infrastructure (CNI) is at risk of cyber attack, says a report by engineering consultancy Atkins.
Data available from online media – such as blogs, social networking sites and specialist publications – could be used to mount a cyber attack on UK infrastructure, according to the report commissioned by the Institution of Engineering and Technology (IET).
“Key information regarding vulnerabilities in company systems is now openly available from a range of sources on the internet,” said the report, entitled Using Open Source Intelligence to Improve ICS & SCADA Security.
The research, published at the IET’s Cyber Security for Industrial Control Systems seminar in London, found many industrial sector websites and academic papers provide information which identifies CNI-related staff and their social media information.
Known vulnerabilities and exploits against specific types of control systems can also be accessed online, the report said, along with the identification of third parties such as contractors, who have detailed knowledge and physical network access.
Richard Piggin, head of control systems security consulting at Atkins, said: “To illustrate the increased threat to industrial control systems, the assessment used freely available tools to demonstrate the identification of networked control systems, their vulnerabilities – and the exploits that may be used to attack them.
Read more about critical infrastructure
- UK must legislate on critical cyber security, says ViaSat
- US researchers find 25 security vulnerabilities in SCADA systems
- Critical infrastructure providers are less engaged with government cyber protection
- Government to monitor companies supporting critical national infrastructure
- Is UK critical national infrastructure properly protected?
- Cyber security study reveals mismatch between awareness and preparedness
- Critical infrastructure security in dire need for standards
“The research demonstrates the low level of technical knowledge that is required to successfully mount an attack against industrial control systems.”
According to Piggin, the research findings highlight the necessity to manage third parties, especially their access and activities while onsite.
“In the control system context, suitable access control, including role-based access to software and systems with activity logging is recommended,” said Piggin.
The IET said the UK is one of the most internet-based major economies and, while this provides the basis for industry to expand and grow, it is essential connections between the internet and industrial control systems are protected adequately.
In the light of the research findings – that open source tools makes it easier to locate and attack or interfere with poorly protected control systems – the IET said it is essential to raise awareness of the issue and promote the development of suitably skilled cyber security professionals.