06 February 2014
Data available from mainstream online media, such as blogs, social networking websites, and specialist online publications, could be used to mount a cyber-attack on UK critical national infrastructure, according to an investigative report to be published today.
Key information regarding vulnerabilities in company systems is now openly available from a range of sources on the internet, according to ‘Using Open Source Intelligence to Improve ICS & SCADA Security’, a report carried out by design and engineering consultancy Atkins.
The research, published today at the Institution of Engineering and Technology (IET’s) ‘Cyber Security for Industrial Control Systems’ seminar, discovered that many industrial sector websites and academic papers also provide some information which identifies staff and their social media information used to corroborate control systems data.
The identification of known vulnerabilities and exploits against specific types of control systems can also be accessed online, along with the identification of third-parties such as contractors, who have detailed knowledge and physical network access.
Dr Richard Piggin, Head of Control Systems Security Consulting at Atkins, said: “To illustrate the increased threat to industrial control systems, the assessment used freely-available tools to demonstrate the identification of networked control systems, their vulnerabilities – and the exploits that may be used to attack them.
“The research demonstrates the low level of technical knowledge that is required to successfully mount an attack against Industrial Control Systems.”
The findings highlight the necessity to manage third-parties, especially their access and activities while on-site, Dr Piggin said: “In the control system context, suitable access control, including role-based access to software and systems with activity logging is recommended”.
Hugh Boyes from the IET said: “The UK has been proclaimed as the ‘most internet-based major economy’. Whilst this provides a basis for industry to expand and grow, it is essential that any connections between the Internet and Industrial Control Systems are adequately protected.
“However, there continues to be real and growing threats to our interests in cyberspace. The availability of these open source tools makes it easier to locate and attack or interfere with poorly protected control systems. This is working with industry to raise awareness of the issue and to promote the development of suitably skilled cyber security professionals.”