The Engineering and Physical Sciences Research Council (EPSRC), the U.K.’s main agency for funding research in engineering and physical sciences, and the U.K.’s National Cyber Security Program are to jointly invest £2.5 million ($4 million) to help recognize and reduce cyber-attack threats to the nation’s critical infrastructure. (For more about cyber security, see “Defeat Targeted Cyber Attacks.”)
The new research will particularly focus on the U.K.’s vital industrial control systems that run manufacturing plants, power stations, the electricity grid, and the rail network. The idea is to help better understand and mitigate threats from hackers or malware infiltrating the systems behind the infrastructure.
The funds are to be spread over four new projects being run at Queen’s University of Belfast, the University of Birmingham, City University London and Lancaster University. Coordinating the effort is the Research Institute in Trustworthy Industrial Control Systems (RITICS), based at Imperial College London, and founded last December to explore potential infrastructure threats.
RITICS Professor Chris Hankin explains, “Where control systems are linked to the Internet we need to understand how failures could cascade across the system. We will be looking at new ways of repairing damage to systems if an attack happens. We need to address how to approach network maintenance for industrial control systems, particularly as most systems operate on a 24/7 basis. So we will be looking at how we can ensure better protection without compromising performance.”
£402,738 ($640,000) of the funds will go to City University London for a project run by Professor Robin Bloomfield that focuses on risk evaluation and risk communication. “The research will produce a methodology supported with modeling software that will be able to be deployed in the risk assessment of critical infrastructures. It will take a scenario-based approach to risk assessment addressing uncertainties and doubts in intelligence, the systems themselves, as well as the impact of attack. The risk communication is an important component of the project and will consider the needs of different stakeholders, not just highly technical people. Some of the modeling work will be published as case studies and made publicly available,” he says.
Another beneficiary, with £393,867 ($625,993), is Professor Awais Rashidi’s multi-disciplinary team at Lancaster. They will be working with industry partners to develop multi-faceted metrics to understand the business risks posed by cyber-security breaches of industrial control systems.
“Our project is about understanding the cyber security risks at the intersection of people and technology. If you give people lots of technical metrics that they don’t understand you get poor decision-making. Risk decisions are made not only at board and management level but also by those working with industrial control systems on a day-to-day basis. Our project will produce a software tool that will allow professionals to more effectively understand and visualize risks to industrial control systems. Given the long operational life of such systems, we will also study the implications of security decisions on them in 20–30 years’ time. This will provide much-needed future-proofing,” he explains.
Queen’s University Belfast will use its £394,306 ($626,904) to investigate vulnerabilities within the national grid as wind- or solar-generated electricity comes on line — particularly where the grid operates over telecoms networks.
“Presently, Ireland frequently operates with over 50% of electricity supplied by wind generation,” says Professor Sakir Sezer of Queen’s. “Operating the system with such high levels of renewable generation is a challenge, and requires complex wide-area monitoring and control. Should the telecoms systems that support the control system be compromised, the impact of the resultant loss of electricity supply would have far-reaching consequences for society. This would involve loss of consumer supply, supply to hospitals, industry, and would even affect the gas, water and sewage networks. The researchers will demonstrate assured and improved operational decision-making and lay the groundwork for a new, cyber-threat-resilient control architecture for the grid.”
The fourth beneficiary, a team from the University of Birmingham, will invest its share, £395,222 ($628,370), on a detailed security analysis of the national grid and the Rail Safety and Standards Board to build an understanding of possible failures. “A cyber-attack on the railways wouldn’t affect safety as the trains are designed to be failsafe, but it would cause major disruption as trains would stop all over the network. At the moment, the challenges are to understand the vulnerabilities,” says lead investigator Professor Clive Roberts.
The Centre for the Protection of National Infrastructure, London, and the U.K.’s intelligence and security organization, Government Communications Headquarters, Cheltenham, also actively support the new projects.
Seán Ottewell is Chemical Processing's Editor at Large. You can e-mail him at firstname.lastname@example.org