The UK's Critical National Infrastructure (CNI) is open to attack by anyone using material freely available on the web, according to Dr Richard Piggin, head of Control Systems Security Consulting with Atkins, the design and security systems specialist.
Presenting a report sponsored by the Institute of Engineering and Technology (IET) at a two-day conference on ‘CNI/SCADA-based system security - Cyber Security for Industrial Control Systems’, Dr Piggin said that information on the Internet, including from blogs and social networks, can be used to mount a cyber-attack on the UK's energy and allied utility grids.
Perhaps more worryingly, he also suggested that researchers used freely available tools to identify the networked systems, their vulnerabilities and exploits that might be used to attack them.
"The research demonstrates the low level of technical knowledge that is required to successfully mount an attack against Industrial Control Systems," he said, adding that the findings highlight the necessity to manage third party access and activities.
Supervisory Control and Data Acquisition (SCADA) is a type of Industrial Control System (ICS). These are computer-controlled systems that monitor and control industrial processes on major systems, most notably in power stations, energy grids and other Critical National Infrastructure platforms.
Lancope CTO Tim Keanini said that as society grows more connected, including via social media networks, it becomes impossible to identify and protect all attack vectors.
A healthy balance of prevention and detection, he said, is required.
“While the CNI may turn out to be the ultimate target, defenders should not forget that it may be the most mundane and simple attack vector that may be exploited.”
“With so many moving parts in these complex systems, it may be a contractor that takes out the garbage that is your threat vector so you cannot leave any rock unturned when you perform your threat models,” he added.
Dwayne Melancon, CTO of fellow security vendor Tripwire, said that SCADA-based vulnerability information will always be available to those who know where to look.
“The discovery and disclosure is a normal part of information security, particularly when attackers are seeking information on recognisable abilities within their targets. The key is to ensure that agencies keep on top of the current vulnerabilities and the threat landscape,” he said.
“These organisations should ensure that they have a clear understanding of the risks, how their systems are configured, and how the vulnerabilities map to scenarios that could significantly impact their operations.”
The Tripwire CTO explained that carrying out a risk assessment, combined with a vulnerability assessment that prioritises vulnerabilities based on the value of the assets involved in delivering service and the potential mission impact from attacks, is crucial.
“From a practical perspective, this is where you can gain real advantages from looking at security holistically. CNI managers should seek opportunities to use network segmentation, reduce the number of accounts that have access to critical data, and compartmentalise your network to minimise the amount of data the attackers can reach.”