The Cyber Technology Institute at De Montfort University (DMU), Leicester, is a recognised centre of excellence in cyber security research with strong industry links, and security for Industrial Control Systems as its flagship specialisation area.
The Industrial Control Systems security challenge
Industrial Control Systems (ICS) are ubiquitous in modern life, yet they remain unknown to many who rely on them. These systems control our critical national infrastructure, such as electricity generation, chemical processing, water treatment and nuclear power, and the manufacturing systems of organisations everywhere.
These systems are often focused on creating a product, ranging from fully formed cars to individual units of electricity. To improve the efficiency of the processes that create these products, more and more systems are becoming connected to the internet, either directly or through links within the organisation’s enterprise network.
ICS are, along with many Internet of Things devices, often referred to as cyber-physical systems. This means that cyber attacks no longer only impact the cyber domain but can have a physical impact in the real world, as evidenced by the Stuxnet and Triton attacks.
Unfortunately, many of these systems have been in place for many years which, when coupled with the regulatory or safety requirements of the systems themselves, means securing them presents a unique challenge at both a technical and human level.
Technical constraints
ICS previously relied on security through obscurity; with an extremely high entry barrier to understanding the systems and their protocols, the chances of a major cyber attack were low. In recent times, this barrier has come down significantly. Information on the protocols is widely available, services acting as “Google for ICS and IoT devices” allow for quick discovery, and past exploits are incorporated into open source penetration testing toolkits, making it easier than ever for malicious actors to attack a system.
Security vulnerabilities have been reported in control systems and there has been an observable increase in cyber threats in recent years. Unlike IT systems, where patches to mitigate vulnerabilities can be installed within short timescales, patching is often only possible by halting activity on operational devices and therefore is further time-constrained in many cases. These changes to an ICS must also be rigorously tested before deployment to ensure the risk of unintended consequences is contained, as the impact can extend to physical damage, denial of national infrastructure, and environmental as well as financial loss. Changes also need to be certified with the relevant regulatory body, adding cost and often significant delays.
Human factors
The challenge is not limited purely to the technical aspects of ICS. Often the people responsible for the security of these systems lack the resources required to keep them safe. Many IT cyber security professionals do not understand the requirements of ICS, where continuity of process is key. Even with everyone on board, the lack of a shared technical language can lead to confusion and delay, with team members talking at cross-purposes or unsure of what is being proposed.
How can DMU help?
DMU’s Cyber Technology Institute (CTI) provides world-leading research by delivering practical solutions for industrial issues to develop a smart, safe and secure cyberspace. This work has led to DMU being recognised as an Academic Centre of Excellence in Cyber Security Research by the National Cyber Security Centre (NCSC); one of only two Academic Centres of Excellence in Industrial Control System Cyber Security in Europe by Airbus; and being admitted to the Research Institute for Trustworthy InterConnected Cyber Physical Systems (RITICS), funded by NCSC and the Engineering and Physical Sciences Research Council (EPSRC). The CTI offers an MSc in cyber security closely aligned with our research, with its modules taught in blocks that are frequently taken by our industry partners as continuous professional development modules.
Industry requirements are at the centre of our cyber security research, which focuses on organisational relevance, supported through the centre’s exceptionally strong industrial advisory group consisting of Airbus, BT, Deloitte UK and Rolls-Royce.
One example is Agile Incident Response 4 Industrial Control Systems, an NCSC/EPSRC-funded project. Rigid, procedural incident response processes increase the predictability of the defence efforts and make it more difficult to protect the remaining infrastructure and business functions in the context of fast-pivoting and multi-pronged cyber attacks. This is exacerbated when incident response crosses IT/operational technology (OT) boundaries: communication between stakeholders, often from different disciplines and organisational hierarchies, is frequently impeded and situational awareness is decreased.
Agile approaches, on the other hand, welcome changing requirements and are driven by value and by the understanding of the system held by a cross-functional team that can manage conflicting stakeholder requirements. This approach is therefore geared to environments where change is constant and the environment and objectives are not clearly identified or defined. This work is producing a framework that advocates the integration and evaluation of agile methods and practices, used in, e.g., Scrum and Kanban, to provide a security incident response team with the ability to respond quickly to changes while maintaining the focus on the business and its value chains.
By its very nature, incident response needs to adapt to the highly dynamic nature of cyber attacks and anticipate the adversary’s further exploitation paths, and it requires a cross-disciplinary team effort to respond more effectively.
To validate the framework, the team have run a series of cyber warfare training exercises involving a professional OT red team and a blue team of industry professionals from cyber security and from engineering, media and psychology. Utilising our new state-of-the-art Research Security Operations Centre, these live, real-time events have allowed us to tailor the tools and techniques to work with existing practices to increase team situational awareness and reduce response times. The framework is being developed in a modular fashion, allowing organisations to tailor their approach to meet their own needs and Agile maturity level.
Dr Richard Smith is associate professor in cyber security and deputy director of the Cyber Technology Institute at De Montfort University.