New research co-funded by the Engineering and Physical Sciences Research Council (EPSRC) will focus on the cyber-security of the UK’s vital industrial control systems which run, for example, manufacturing plants, power stations, the electricity grid, and the rail network.
The research will help understand and mitigate threats from hackers or malware infiltrating the systems behind our critical national infrastructure.
The Research Institute in Trustworthy Industrial Control Systems (RITICS), based at Imperial College London, is co-ordinating the research with a £2.5 million investment into new projects at Queen’s University of Belfast, the University of Birmingham, City University London and Lancaster University.
The research investment comes from the Engineering and Physical Sciences Research Council and the UK’s National Cyber Security Programme. The Centre for the Protection of National Infrastructure (CPNI) and GCHQ are actively supporting the research.
The research teams will work with industry partners to understand and analyse the risks from cyber-attack, examine how risk is communicated to business and provide effective interventions to counter the risk. Metrics and software tools will be produced so that non-technical decision makers can assess cyber-security in the context of their business.
Historically, industrial control systems were kept isolated to keep them secure. However, these systems are now connected into complex and interconnected networks via the internet. There are many business advantages from such interconnections, but there are also greater risks that need to be recognised and effectively managed.
Professor Chris Hankin, from the RITICS at Imperial College London, explained: “Where control systems are linked to the internet we need to understand how failures could cascade across the system. We will be looking at new ways of repairing damage to systems if an attack happens.”
“We need to address how to approach network maintenance for industrial control systems, particularly as most systems operate on a 24/7 basis. So we will be looking at how we can ensure better protection without compromising performance.”
The four newly funded projects, with quotes from the principal investigators, are listed below:
A Systematic Evaluation Process for Threats to Industrial Control Systems
£395,222 - Professor Clive Roberts, University of Birmingham
The University of Birmingham team will carry out a detailed security analysis of the National Grid and The Rail Safety and Standards Board to build an understanding of possible failures. Industry partners are TRL and Parsons Brinckerhoff.
Professor Roberts said: “The project will produce a systems engineering inspired analysis method that can be applied to critical infrastructure systems. This will take the form of a process that can be followed by industry and software modelling tools that allow susceptible subsystems to be identified, and solutions to be recommended.
“The approach will be applicable to both rail and power systems. Within the grant, the research team will work with industry to trial and validate the approach.”
“A cyber-attack on the railways wouldn’t affect safety as the trains are designed to be fail-safe but it would cause major disruption as trains would stop all over the network. At the moment the challenges are to understand the vulnerabilities,” said Roberts.
Communicating and evaluating cyber risk and dependencies
£402,738 - Professor R Bloomfield, City University London
The research focuses on risk evaluation and risk communication. The project partners are Adelard LLP and Alstom Group.
Professor Bloomfield said: “The research will produce a methodology supported with modelling software that will be able to be deployed in the risk assessment of critical infrastructures. It will take a scenario-based approach to risk assessment addressing uncertainties and doubts in intelligence, the systems themselves as well as the impact of attack.
“The risk communication is an important component of the project and will consider the needs of different stakeholders, not just highly technical people. Some of the modelling work will be published as case studies and made publicly available.”
Multi-faceted Metrics for ICS Business Risk Analysis
£393,867 - Professor Awais Rashid, Lancaster University
The multi-disciplinary team of researchers are working with industry partners Airbus, Thales, Atkins-Global and Raytheon to provide decision makers with metrics to understand the business risks posed by cyber security breaches of industrial control systems.
Professor Rashid commented: “Our project is about understanding the cyber security risks at the intersection of people and technology. If you give people lots of technical metrics that they don’t understand you get poor decision making. Risk decisions are made not only at board and management level but also by those working with industrial control systems on a day-to-day basis.
“Our project will produce a software tool that will allow professionals to more effectively understand and visualise risks to industrial control systems. Given the long operational life of such systems, we will also study the implications of security decisions on them in 20-30 years’ time. This will provide much needed future-proofing.”
Converged Approach towards Resilient Industrial Control systems and Cyber Assurance
£394,306 - Professor Sakir Sezer, Queen’s University of Belfast
Researchers will investigate vulnerabilities within the national grid as wind or solar generated electricity comes on stream. Where the grid operates over the telecoms network it could be vulnerable. Project partners are Scottish and Southern Energy, Statnett and Thales Ltd.
Professor Sezer, QUB, said: “Presently, Ireland frequently operates with over 50% of electricity supplied by wind generation. Operating the system with such high levels of renewable generation is a challenge, and requires complex wide area monitoring and control.
“Should the telecoms systems that support the control system be compromised, the impact of the resultant loss of electricity supply would have far-reaching consequences for society. This would involve loss of consumer supply, supply to hospitals, industry, and would even affect the gas, water and sewage networks.
“The researchers will demonstrate assured and improved operational decision making and lay the groundwork for a new, cyber-threat resilient, control architecture for the grid.”
Photo credit for National Grid (top) and Windfarm: Queen’s University Belfast