Amidst growing concerns over cyber-security, the EPSRC and the UK National Cyber security programme have announced a £2.5m research programme aimed at helping to protect factories and critical infrastructure from cyber-attacks.
Coordinated by Imperial College’s Research Institute in Trustworthy Industrial Control Systems (RITICS) the three-year program will see teams from a number of UK universities work with industry partners to improve the understanding of the threats posed by cyber-attacks and, ultimately, develop solutions that can help repel them.
Explaining the background to the funding, the leader of one of the teams, Lancaster University’s Prof Awais Rashid said: ‘We hear a lot about cyber–attacks, but one of the things we’ve ended up ignoring for a long time is a lot of the industrial control systems used in, for example, power plants, water treatment facilities, and the power grid.’
Rashid said that whilst many early industrial control systems had little or no connectivity to the outside world, current systems are increasingly interconnected. And whilst this level of connectivity opens up a host of opportunities (such as enabling engineers to remotely interrogate, monitor and even control systems via their smart phones) the openness of current systems can pose serious threats to their security and resilience.
Whilst innovations like the Shodan search engine – which allows users to locate devices that are connected to the internet – have helped industry understand the need to improve security, Rashid told The Engineer that there is still plenty of work to be done. ‘People don’t realise that they have a lot of vulnerabilities – we’ve done tests, and systems are sometimes really, really open and organisations don’t realise’
Under the latest program, different teams will be looking at different aspects of the problem. Whilst Birmingham University will carry out a security analysis of the National Grid and the UK rail network, researchers from London’s City University will be looking at how risk is communicated to different stakeholders within an organisation. Elsewhere, a team from Queens University Belfast will investigate vulnerabilities within the national grid as wind or solar generated electricity comes on stream.
Rashid’s group – which is working with Airbus, Thales, Atkins-Global and Raytheon – will be looking at developing new tools that will enable non-technical decision makers to assess cyber-security in the context of their business.
‘People make decisions about industrial control systems on a regular basis, he said, but a lot of the metrics you use to make decisions are either very technical or very singular and hide a lot of the context making it hard to make decisions. Our project is really about understanding the risks and developing new types of metrics that can communicate those risks more effectively.’