
SECURE BY DESIGN 2019

CYBER RESILIENCE IN A DIGITAL WORLD

The OT honeypot: reloaded
Upskilling for an effective CVI capability
Working in cyber – a woman’s perspective

From the editor

Digital technology is transforming the way we work. Thanks to digital advancements, organisations have the potential to become more efficient, more open and more agile.

However, as a result of this constant change the industry is facing a new set of challenges. Can we leverage the benefits of increased connectivity, while ensuring we’re staying on the right side of legislation and keeping our critical infrastructure secure? Are we even using the right technology to protect ourselves? Do our people possess the necessary skills to operate the technology, now and in the face of future demand?

In this magazine, we’ve gathered together the thoughts and opinions from a range of our experts to explore the answers to these questions and other topics that are shaping the cyber industry.

It’s an exciting time in the cyber industry, with the pace of change resulting in a constantly evolving set of challenges – but more importantly an ever-growing set of opportunities. We hope the articles in this magazine inspire reflection and feedback. If you have any comments, do get in touch.

Matt Simpson, Technical Director, Cyber Resilience
[email protected]

Contributors

Martin Richmond, Technical Authority, Cyber Security
Martin is a Chartered Digital Electronics Engineer with over 20 years’ experience of cyber systems design, testing and assessment. Working across government he has proven experience of complex technical and innovative cyber solutions as well as the validation, characterisation and testing of system vulnerabilities. His passions include the application of critical thinking and domain-driven Open Source intelligence analysis to secure engineering design.

Nicola Aspinall, Consultant, Portfolio, Project and Programme Management (P3M)
Nicola joined Atkins in 2016 on the Junior Consultant Development Programme after studying Economics and Geography at the University of Birmingham. Since then she has worked for multiple critical national infrastructure clients including Heathrow Airport and the Ministry of Defence. She is currently working at a confidential client as a Project Manager where she is leading on a regulation based project.

Campbell Hayden, Principal Consultant, Cyber Security
Campbell has over 10 years’ experience working in Critical National Infrastructure (Oil & Gas, Civil Nuclear, Water and Transport) helping organisations address their cyber security risks, specifically in Industrial Control Systems and Operational Technology. Campbell has spent the last 12 months helping organisations understand and comply with the NIS Regulations.

Matthew Simpson, Technical Director, Cyber Resilience
Matt has over 20 years’ experience in System Engineering, Technical Assurances and Cyber Security. He provides C-Level subject matter advice to key clients on a variety of topics including transport security, safety system assurance, secure SCADA architecture and Internet of Things. Matt has previously worked with the UK Government and the academic sector to produce global standards and guidance in the field of cyber security and smart infrastructure.

Mike Spain, Cyber Academy Lead, Cyber Resilience
Mike Spain is founder and chair of NeuroCyberUK, Non-Executive Director for Cyber Exchange and leads the Cyber Academy for SNC-Lavalin’s Atkins business. He is an innovation and growth specialist and neurodiversity advocate in the cyber sector and is passionate about working to enable growth of the UK cyber sector and the development of an accessible and sustainable UK cyber ecosystem.

Della-Maria Marinova, Graduate Consultant
Della-Maria studied Law at the University of Warwick at undergraduate level, with a year studying French Law at the University of Bordeaux. She also completed a Master’s in European Law at the College of Europe in Bruges. Della-Maria joined Atkins in January 2019 as part of the Junior Consultant Development Programme and has undertaken a variety of work, including involvement in the Cyber Academy and Cyber First Summer Placement initiatives.

Dr Ian Buffey, Technical Director, ICS Security
Ian has worked with ICS (SCADA and DCS) for over 30 years, specialising in security since 2004. He has a record of successful delivery on complex systems controlling the Critical National Infrastructure in a variety of countries worldwide. He has seen many changes in the ICS arena and a key focus area now is how the security and resilience of systems is affected by the introduction of distributed resources including cloud.
Martin Richmond, Technical Authority, Cyber Security

Upskilling for an effective CVI capability

Taking a new concept and quickly delivering successful outcomes is difficult. Anyone involved in the Ministry of Defence Cyber Vulnerability Investigation (CVI) projects will undoubtedly agree. Achieve this against a backdrop of a huge skills shortage in engineering and, in particular, cyber security, and you have a challenging problem to solve.

Assembling the team

Delivering a CVI needs to be approached in the same way as an iterative discovery activity. From the start, you’ll be unsure of the final scope of the project, the direction it will take you in, and the final outcomes you will achieve, given that the very nature of the task is to “know the unknown”. By capturing all this information, you’ll begin to paint a detailed picture of the impact of the vulnerabilities you’ve discovered, which can then be used to create an understandable, strategic set of evidence-based risk statements. Since we began undertaking CVI projects, we’ve been presented with a whole host of security risks.

To tackle such variety, a team possessing a multidisciplinary set of skills was a must. From the outset, you’ll need domain and system engineering expertise to fully understand how your system operates while under assessment. Adopting a “hacker” mentality while keeping activities ethically and legally sound will provide a greater understanding of the range of vulnerabilities and their impact. Another necessary addition to the team is a risk-aware cyber professional, who is well versed in articulating technical and business risks, and knows how to ask keen questions. Incorporating cultural and behavioural expertise is important too.

Finally, a cyber-aware project manager will make sure the project remains fair as it tackles the different assessment phases, as well as ensuring that it iterates with enough frequency around the core elements, at the appropriate times, to develop the risk case and determine the impact of discovered vulnerabilities.

Overcoming the national skills shortage

The rapid rise of digital technologies and the pace at which they have been adopted, exploited and therefore need to be secured, is ever increasing. The subsequent skills gap continues to remain a concern for employers, with 46% reporting difficulty in the supply of the necessary skills¹.

Cyber security skills are even more scarce. An engineer that understands the technical aspects of cyber security, as well as the strategic impact of cyber risks to a business, is a very rare and coveted resource indeed.

Nationally, this is recognised through the National Cyber Security Centre’s new approach to professional skills training. The days of siloed training are now gone, and a refreshed look has resulted in a much broader framework of skills and competencies in the IISP². When fused with other engineering frameworks, such as the IET’s CEng and IEng programmes, and the industry-recognised SFIA framework, you begin to develop a really well-rounded set of cyber skills.

Using these frameworks (and more), we have created our very own cyber security engineering career development pathways, to try and capture the necessary skill sets.

Bringing it all together

Two years into the journey of successful delivery of CVI projects has seen our cyber security workforce develop a more rounded skillset, resulting in a streamlined, flexible delivery unit. Now, we are applying the same delivery model to increasingly wider client applications and assessments, expanding into our full client markets as well as supporting the whole of SNC-Lavalin’s engineering capabilities through the provision of secure-by-design products and services.

As the demand continues to expand, we have embarked upon a capability development programme, which will ensure that we continue to source the skills we need, while also placing these principles within our engineering teams during their training at a cyber academy. And thus, we will be able to continue developing the digital security capabilities required for CVI projects; showing businesses where their risk lies, how it impacts their business, and how it’s possible to reduce it to a manageable level.

1 https://www.theiet.org/media/1350/skills17.pdf
2 https://www.iisp.org/iisp/About_Us/Our_Frameworks/Our_Skills_Framework/iispv2/Accreditation/Our_Skills_Framework.aspx

Building cyber resilience into our railway’s DNA

As we move into the age of the digital railway, retro-fixing digital systems to protect them against cyber attack is no longer enough. We must now put cyber security and cyber resilience front and centre of every railway engineering project.

We’re already living in an increasingly digital world, where advances over just the past five years have been staggering. Autonomous vehicles are being tested on our roads. Driverless trains are on the increase. Computer systems on aircraft are so advanced that planes virtually fly themselves. The broad perception is that the railways are catching up, with Network Rail’s Digital Railway programme driving the modernisation of Britain’s railways. The industry cannot help but move forward towards the wealth of new opportunities being unleashed by the digital revolution. But where there are opportunities, there are also threats. Change is happening exponentially, not gradually, and to keep our railway’s new systems – and our physical rail network – secure, we now need to see a step-change in how we embrace cyber security. Because cyber resilience is just as much of an issue to passenger safety as safeguarding physical infrastructure – and it is business-critical.

Opening-up to new opportunities

While digital technologies within our railway’s operations aren’t new, the opportunity for greater connectivity is a new development. We know that the introduction of digital signalling will make trains better connected, and they’ll be able to communicate with each other in a much more intelligent way.

Continued overleaf ›

Building cyber resilience into our railway’s DNA (continued)

This also means that railway companies are being increasingly pushed to open up their on-board networks to provide passengers with better, more reliable Wi-Fi and, overall, a greater passenger experience. This new extra connectivity between trains, apps, Wi-Fi, websites, email – everything – also means that the whole network, as an organism, is vulnerable in a way it never has been before. And as an industry it’s our duty to protect that entire end-to-end digital ecosystem, the networks, the apps, the Wi-Fi; everything. The whole system will only be as strong as its weakest link.

Resilience not just security

To the railway industry we say this: security is not an option. As one of the biggest systems integrators in the rail industry, building cyber resilience into any project we deliver is now our default setting. It’s simply the right thing to do. It’s our strategy. That means cyber security is built in to our delivery processes: this is a big task, and it’s a major transformation. It affects all of our engineering lifecycle, engineering design assurance, and project delivery processes, because now – and going forward – they will all have security woven into them.

In the joined-up digital ecosystem, with data driving our daily lives, new interdependencies will cause threats, opportunities, and the need for action. We’re already in that world now, and it’s no surprise that the industry is starting to listen. But when so much is at stake if our rail networks aren’t fully protected, and train companies face potential malicious attack like never before, how can it afford not to?

Matthew Simpson, Technical Director, Cyber Resilience

Secure by Design principles

Security is not a bolt on, nor is it a compliance exercise. Secure by Design aims to embed pragmatic security controls into your infrastructure. It promotes a proven systems engineering process to establish and manage your cyber risk to protect the safety, security, availability and integrity of your networks and assets.

› Know your infrastructure
You must have a current and detailed understanding of your network infrastructure, data flows and assets’ specifications.

› Segregate vital systems
Segregation of vital and non-vital systems minimises the attack footprint, and the provision of security gateways and encrypted conduits will help protect essential services.

› Prepare for monitoring
Monitoring is vital; building an anomaly detection capability into your networks will help to future-proof your systems design.

› Understand your threat landscape
The majority of threats are likely to come from inside – with accidental, malicious insider and supply chain activity the largest infection threat vector.

› Minimise privileges
Restrict access to the most data-critical systems to those who truly need it, using Role Based Access Control (RBAC).

› Manage third party risk
Manage your supply chain risk via the adoption of a standardised System of Systems approach, underpinned by baseline architecture, external security gateways and a code of connection.

› Minimise media connectivity
Removable devices and unmanaged media remain a high risk; limit the use of such devices and design out their use with a secure remote access solution where appropriate.

› Implement change assurance
Threats change on a regular basis; your Design Assurance regime must be cognisant of these developments and respond to any emerging risks during the system lifecycle.

› Prioritise operational resilience
Aim to provide operational continuity through cyber resilience.

› Understand your risk
Be aware of the safety, integrity, legal and availability risks of your networks and assets.

› Prepare for maintainability
Digital assets will require regular patches and updates; this needs to be a secure central solution that minimises user interaction through automated process.

› Implement security layers
A well designed and defended enterprise architecture should include multiple layers of security, including a DMZ (demilitarized zone); being able to identify attacks early will minimise impact.

The Network and Information Systems (NIS) Regulations one year on

Strict new laws were introduced in May 2018 to protect the UK’s essential services from the increasing risk of cyber attack. The Network and Information Systems Regulations 2018 (NIS Regulations) came into force in May. One year on, how are the owners and operators of the infrastructure and technologies that underpin our society ensuring they’re secure?

They understand the threats to their organisation

As a first step towards compliance, organisations are required to carry out a self-assessment of their critical systems and processes, and identify areas in which security or resilience could be improved. The National Cyber Security Centre (NCSC) created the Cyber Assessment Framework (CAF), which operators of essential services and digital service providers can use as a guide for this activity. They map their security posture against a series of high-level objectives and then interpret the findings to determine if they’re doing enough to protect their assets.

In the past 12 months, many operators have sought the support of engineering and operational technology specialists who can help them develop an in-depth understanding of the risks they face and apply their expert judgement to help the organisation assess how well it’s meeting the requirements of the legislation and balance that with the operator’s appetite for risk. The most effective reviews have focused on more than compliance - they’ve also sought to deliver business benefits.

They’ve developed an improvement plan

The Competent Authority (CA) will then assess whether the judgements that have been made are reasonable.

To ensure the self-assessment and the wider regulations add value, business leaders need to be prepared to act on the findings. So far, many organisations have put plans in place but making the recommended changes may not be as straightforward. Most operators will need to increase their investment in cyber security, or change attitudes or culture within their firm before they see significant improvements. The question is, will they be able to maintain the momentum that has been created through the introduction of the new legislation in the following few years?

They’re implementing appropriate and proportionate protection

The NIS Regulations don’t include a checklist of what action must be taken to maintain compliance. Instead, they recognise the diversity of organisations that run our critical national infrastructure. This means that owners and operators must manage their risks by implementing ‘appropriate and proportionate security measures’ rather than by ticking a box.

They’re embedding strong cyber security throughout their organisations

The introduction of new legislation has raised the profile of cyber security and encouraged senior executives and Board members to invest in initiatives that will create a more resilient organisation. Since May last year, operators have taken the first steps on this journey. Over the coming 12 months, we hope to start to see stronger cyber security practices embedded within their businesses. For example, many organisations celebrate safety milestones. In the future, cyber security milestones could become equally as commonplace.

Next steps for organisations: assess, improve, repeat

The cyber security legislation encourages collaboration and operators should work with their Competent Authorities. CAs have suggested organisations will have time to put new security measures in place, however, they must demonstrate their intention to do this.

Organisations that are improving their resilience and ensuring they’ll continue to provide essential services, even in the event of a cyber attack, are:

› Engaging fully in the self-assessment process.
› Developing an improvement plan.
› Implementing the appropriate actions.
› Re-assessing their progress.
› Communicating the results to the entire organisation.

Nicola Aspinall, Consultant, Portfolio, Project and Programme Management (P3M)

Supply chain challenges in Critical National Infrastructure

When the Network & Information Systems (NIS) Regulations³ came into effect, the organisations that operate our critical national infrastructure (CNI) became legally responsible for cyber risks from their supply chain that impact the provision of essential services.
The National Cyber Security Centre (NCSC)’s NIS Guidance for Supply Chain⁴ states:

“If an organisation relies on third parties (such as outsourced or cloud-based technology services) it remains accountable for the protection of any essential service. This means that there should be confidence that all relevant security requirements are met regardless of whether the organisation or a third party delivers the service.”

The NIS Regulations are primarily aimed at operational technology (OT), that is, the computers, servers, network infrastructure and programmable control systems used to manage and monitor automated processes at industrial sites. It’s not uncommon for CNI organisations to contract third party vendors to support OT, either through onsite or remote support, or the delivery of system upgrades. But are vendors putting their customers’ security requirements first?

Recently, I visited a power plant where a well-known turbo-machinery vendor had supplied equipment for a remote, 24/7, real-time diagnostics service for gas turbines. The vendor had remote access to critical server applications and information, and the measures put in place to protect the control network from unauthorised access were not as robust as they should have been – the vendor could remotely administer and bypass the technology they had deployed to protect the gas turbines from remote access.

The OT vendor that supplied the remote monitoring technology had (perhaps unwittingly) benefitted from the customer’s lack of technical capability to:
a. question the security of the equipment being sold to them; and
b. take ownership of the technology from the vendor – something that will be rectified in this case.

The risks to OT are well-known. High-profile cyber attacks include Stuxnet and CrashOverride. The most recent breach, which was aimed at a safety control system at a Saudi Arabian oil and gas plant, was dubbed Triton or Trisis due to the type of controllers that were targeted. A recent presentation⁵ from a first responder to that attack noted several key lessons, one of which was ‘Beware your vendors. They may not have the same interests you do’. This was because of an apparent lack of transparency from the vendor during the initial investigation into the incident.

The examples above relate to major OT vendors who have the capability to provide cyber resilient services to customers but are perhaps not as strong in this area as they claim to be. A potentially bigger problem for CNI organisations may be less experienced vendors who aren’t cyber aware, who don’t perform background checks of their people, and who aren’t used to meeting the cyber security requirements of modern OT. These vendors may expose infrastructure owners and operators to risk, either through an accidental cyber incident, or a malicious actor may target them in the hope of infiltrating the wider network.

For example, a smaller OT vendor publicised their work for a major international airport on social media recently. They may not be breaking the contract with their client but they have drawn attention to very sensitive information about a safety-critical system, which is not suitable for an open source environment. In other cases, vendors have been allowed to maintain their connection to a new piece of plant equipment post-commissioning, bypassing all of the technical and procedural controls used to manage remote access to the OT. Or malware has been delivered to the customer’s OT environment accidentally, either directly into a live production system, or through the delivery of a new system for commissioning.

CNI organisations that are responsible for delivering essential services must increase their awareness of cyber security to ensure they’re demanding best practice from their supply chain. Cyber security requirements should be built into contracts with vendors to reduce the likelihood of the supply chain being the cause of a malicious or accidental cyber incident.

Campbell Hayden, Principal Consultant, Cyber Security

3 http://www.legislation.gov.uk/uksi/2018/506/contents/made
4 https://www.ncsc.gov.uk/collection/nis-directive?curPage=/collection/nis-directive/nis-objective-a
5 https://www.youtube.com/watch?v=XwSJ8hloGvY

Who will protect the UK’s critical infrastructure? Finding the cyber security experts of the future

We don’t have enough people with the skills we need to protect our digital assets. The current shortfall of around 2.9m⁶ is expected to increase to 3.5m within the next two years.

Organisations are finding it’s difficult, and expensive, to attract and retain the right people and they’re under increasing pressure to develop their capability and expertise from a talent pool that’s being tapped by a growing sector.

Providing national resilience and protecting our critical national infrastructure (CNI) are the areas of most concern. It’s a problem described by the Joint Committee on National Security Strategy as a top-tier national security threat because we’re facing a growing number of cyber attacks on industrial control systems (ICS) and operational technology (OT). The adoption of new technology that links IT and OT, and the convergence of digital and physical (sometimes referred to as the Fourth Industrial Revolution) presents many benefits but it also carries significant risks and exposes our networks, systems and devices to new threats.

The shortfall in the number of people with the skills we need to address these concerns is measured by unfilled cyber job positions, anecdotal surveys and industry reporting. Is the figure we arrive at precise? Perhaps not. But a wide range of industry partners, including cyber and tech organisations, acknowledge there’s an issue – demand continues to exceed supply.

So why is the sector struggling to keep up? And could we solve the problem if we changed the way we attract and develop people with cyber skills?

It will always be easier and cheaper to follow a well-trodden path than explore the unfamiliar. But this approach is neither effective nor efficient. The status quo revolves around repeating earlier approaches and an almost sole focus on recruitment through traditional channels. Current or potential cyber skills exist far more broadly than many recruitment strategies care to venture.

The ‘must-have’ skills highlighted in advertisements are, in many cases, an unnecessarily exhaustive and prescriptive list of role requirements, qualifications and experience, rather than a true representation of what is needed.

The UK Government is working with industry and academia to change this through groups such as the Cyber Growth Partnership, which provides strategic oversight to government with the aim of growing a vibrant cyber sector. The draft Cyber Skills Strategy is being prepared in support of the National Cyber Security Strategy, which was first published in 2016, and committed £1.9bn to grow the sector. The draft acknowledges the problem goes beyond a lack of technical skills and the number of jobs and capabilities required. Importantly, attempts are being made to look at new routes to attract talent including mid-career transition and the creation of a Cyber Council to help professionalise the sector.

The National Cyber Security Centre’s CyberFirst programme and other industry-led schemes, such as Cyber Security Challenge UK’s Cyber Centurion competition, encourage 13 to 18 year olds to consider a career in this sector. In addition, we must all ensure local initiatives that open the doors to people from a diverse mix of socioeconomic and educational backgrounds are supported to provide routes into cyber careers.

Organisations must be more creative in their attempts to attract and develop talented people and explore non-linear channels. For example, there may be myriad opportunities for cross-skilling and upskilling existing employees. Atkins’ Cyber Academy has been set up to build on our engineers’ wealth of knowledge and experience to learn the importance and application of cyber security in CNI environments.

Diversity & Inclusion (D&I) will form an essential part of the future of the sector. But this should be led by cultural ethos, not corporate social responsibility objectives. There is clear business benefit: diverse teams are more productive, creative and effective and offer different approaches and solutions. Groups such as NeuroCyberUK⁷ are playing an important role in evolving the sector through their work to achieve neurodiverse inclusion and there are positive steps being taken to encourage more women, mid-career transfers, ex-service personnel and other underrepresented groups into cyber.

If we remain on our current path we won’t be able to fill the skills gap. Instead, we have an opportunity to re-evaluate our culture and ambitions and be clear on what defines cyber and the characteristics we need from people to benefit the sector. We must think differently to ensure we enrich the sector with the skills for the future and give people the chance to further, as well as establish, their career, as part of a healthy and sustainable ecosystem.

Mike Spain, Cyber Academy Lead, Cyber Resilience

6 (ISC)² Cybersecurity Workforce Study 2018
7 https://neurocyber.uk

Cyber academy – upskilling our people

SNC-Lavalin Atkins’ Cyber Academy: Creating Cyber Engineers for Critical National Infrastructure resilience

Atkins Cyber Academy is domain-led and has been designed to leverage this DNA in creating the next level of defence: Cyber Engineers – those that understand the technical aspects of cyber security as well as the strategic impact of risk.

Through utilising the vast expertise and domain presence of our engineers, we are achieving domain-relevant cyber capability. The Academy facilitates a structured path to up-skill graduates and apprentices and cross-skill existing engineers into cyber security practitioners. Attempts are too often made to “bolt on” cyber to operational systems perhaps outpaced by digital innovation. The importance of cyber engineers in the achievement of Secure by Design is greater now than ever.

The approach is very hands-on. It has been designed around the principle that if you enjoy what you’re doing, you’re more likely to remember it. Traditional computer-based training can be seen as a tax, something that gets in the way, something to avoid and certainly nothing to get excited about. The Academy modules are very different.

By far the most effective learning method found has been a mix of theory and practical in scenarios that engage with engineers using models built using the very equipment they work with in familiar environments. They are encouraged to explore the equipment and test the cyber theory. The interdependencies between digital and physical are then visible through the way equipment responds. Cause and effect.

The competency levels for Academy courses are aligned to the SFIA framework and range from practitioner through to master. The modules form an academy matrix through which the most appropriate educational pathways can be followed, and most appropriate competency achieved. Over 25 modules have been developed to complement client market presence including digital rail, CVI, water and power, aerospace, maritime, defence, CAV, manufacturing and BIM.

The personal security and digital footprint message is also fundamental throughout to help instil a personal link to cyber security and its importance.

The scope of the Academy includes important outreach that is supporting our considerable STEM activity to work with students and children to excite and inspire through doing. Non-linear and non-traditional channels are also very much part of the mission which includes accessible content, design for all learning styles and involvement with underrepresented groups including our continued involvement with NeuroCyberUK.

Cyber isn’t all hoodies and SOCs. Providing cyber resilience in all the ‘cool’ places is an exciting story to tell. It has unlocked the skills of this unique engineering capability and engaged a new generation with new ways of thinking that will enrich our sector.

Working in cyber – a woman’s perspective

With women estimated to make up only 10% of the cyber industry, and the cyber skills shortage predicted to reach more than 3 million by the year 2021, it’s evident that more needs to be done to promote such an exciting and growing field to this largely untapped market. So, how do we attract women to the cyber sector? I recently chatted with Della-Maria Marinova on the matter, to hear how she found her way into the cyber industry and discover her advice for companies looking to improve their female intake.

Thank you for joining us Della-Maria. Could you explain what your role entails?

I am a Graduate Consultant in cyber security, participating in the Atkins 2019 Junior Consultant Development Programme. In the short time I’ve been at Atkins, having joined at the start of 2019, I’ve already been involved in several roles, including leading a Cyber Vulnerability Investigation Consultancy Skills session for a Cyber Insight Day with UTC-Heathrow students, and formulating a Cyber Bytes campaign as part of the Digital Trust initiative to raise awareness of cyber security in a technology-driven world. I’m thoroughly enjoying the diversity of work I can get involved in as a Cyber Graduate and the fact that, while understanding the technical can be fascinating, a career in cyber involves so much more.

What attracted you to a career in cyber?

My route into cyber wasn’t direct. My background is non-technical – I am no hacker or tech genius. At university, I studied Law for nearly seven years; it wasn’t until my master’s studies in European law, through a module on the Digital Single Market, that my interest in cyber really took off. Cumbersome legal processes juxtaposed with fast-paced technological developments really sparked my interest in cyber security and the means through which we can ensure users make the most of innovative technologies and collaborate on the vast array of online platforms, while ensuring the safety and integrity of the online space.

Did you feel any trepidation in entering a male-dominated industry?

Having previously worked in male-dominated environments, the fact that the cyber industry also displayed this trend didn’t really cross my mind. I’ve always believed that gender shouldn’t factor into the equation when assessing professional capabilities. That said, it can be slightly intimidating when you enter a meeting and you’re the only female in the room. It can also be difficult to imagine yourself progressing in an industry where you don’t see many women in senior positions. However, I think that this is starting to change and as someone who’s not afraid of a challenge, I would like to be part of that change.

Why do you think it’s important to promote women to join the cyber industry?

History is littered with leading women in technology; however, the cyber industry at present is very male dominated. This imbalance points to a need to support women – and the growth of greater diversity in the broader sense – within the industry to bring in fresh perspectives, different approaches to work and new skill-sets. Attracting women to the cyber industry needs to be two-sided. It should be both about promoting women at all stages of their career to join the cyber industry and about promoting women to progress upwards within the cyber industry. In my mind, this can be achieved through actively encouraging women at all stages of the career path to consider a career in cyber, through sharing personal experiences and networking events.

Based on your experience, do you have any tips for companies looking to attract women to the cyber industry?

My first tip would be to engage with young people. Initiatives such as the Cyber First Summer Placement scheme are a great way to get young people interested and involved in a career in cyber. Companies also need to demystify cyber and let young people know it’s about more than coding and hacking. My second tip would be to hold networking events, whether virtual or physical, where women at all stages of the career path can ask questions, build their cyber network, and talk through their aspirations and fears around joining the cyber industry. However, this is not enough. There also needs to be a shift in mindsets within the cyber industry, and cyber industry recruiters should be encouraged to consider a broader pool of talented candidates rather than sticking with the misconception that all cyber careers are about coding and programming.

The OT honeypot: reloaded

Dr Ian Buffey, Technical Director, ICS Security

Operational Technology (OT) controls the production and distribution of energy and water, the smooth running of our transport systems (air, road, rail and sea) and the production of chemicals and pharmaceuticals. This Critical National Infrastructure (CNI) that we rely on needs to be safe and resilient to accidental or malicious actions, whether it’s a physical security breach or a cyber attack.

The need for resilience is what separates the cyber security requirements of OT from IT. An attack on an IT system may result in vital information being lost or stolen, or websites and other online services may not be available for some time. However, the impact on the physical world will usually not be immediate and may not be noticed. In contrast, a cyber-attack on the OT that manages and monitors essential services such as power and water would be felt immediately and it may put our safety or the environment at risk.

What are honeypots?

The idea of using an attractive but false target to lure a would-be attacker is an old one, and in computing we attract the attention of hackers using a honeypot. This is a system or device which is designed to attract a would-be attacker. The most common reasons for this are:

› To study the attackers’ TTPs.
› As an early warning in an operational system.

Using honeypots is a game of cat and mouse. Attackers understand honeypots are used to investigate their activities and that if they’re not careful they’ll reveal their TTPs for no benefit. There’s also a chance their activities will be attributed and they may be prosecuted or named publicly.

The threat to OT is well known and many security professionals would agree that having an OT system visible from the internet, without adequate protection, significantly increases its vulnerability. And yet search engines such as Shodan, which are used to identify devices that are connected to the internet, show many systems are exposed. In 2014, we set up a high interaction OT honeypot to understand the extent to which these systems were being targeted and to learn more about the attackers’ tools, tactics and procedures (TTPs). A full account of the experiment can be found on the Atkins web site [8].

Recently, we repeated a part of this experiment to see whether the level of interest or the actions an attacker would take have changed over the past five years. We found:

› An increased interest in industrial control systems (ICS) devices now.
› Scanning for other protocols and vulnerabilities increased too and this could cause issues for ICS.
› There are also things we didn’t see but might in the future.

Then, and now

In the 2014 experiment, we distinguished between attackers looking for devices exposing OT communication protocols and attackers looking for more generic protocols that could be a part of an ICS, for example, HTTP(S), FTP, RDP. We also ensured the honeypot could easily be found on Google. There was very little probing for the ICS communication protocols we exposed, which were Modbus and Ethernet/IP. After 100 days of exposing the protocols to the internet the only activity was from Shodan. By contrast, scanning of common IT protocols such as HTTP started within a couple of hours and continued throughout the experiment.

In the latest test, we exposed the Modbus protocol on its own. That is, we didn’t expose other protocols to entice a would-be attacker. Some of the key findings included:

› Activity increased by around a factor of 100. We only had to wait two hours for the first connection (compared with around 100 days in 2013 [9]).
› The honeypot was scanned by 120+ IP addresses in 70 days.
› 60+ of those devices wrote data to the Modbus server (i.e., they didn’t just open or half open a connection).
› Many connections sent Modbus identity queries (i.e., they were definitely looking for Modbus devices).
› Nmap scans for HTTP, LDAP, Kerberos, etc., including vulnerability checks, were done on port 502. Port is no longer a valued security technique.
› Some messages (e.g., from nmap scans) look like Modbus messages to read coils, read/write registers, etc. Therefore, there’s a chance an attacker/researcher could accidentally cause a real Modbus device to execute an action. The Bro and Wireshark parsers differ on the meaning of a packet – a poor parser in a real device might be worse, although most reputable manufacturers will have their Modbus implementations tested.
› There are connections from around the world, some easily attributed to universities and other researchers (e.g., Shodan) and others that are harder to attribute.
› Some attackers/researchers are clearly employing multiple machines to scan the internet and in some cases it appears their systems are a little clumsy, resulting in heavy and repeated scanning.

What we didn’t see

None of the visitors to the honeypot deliberately read or wrote process data. In the 2014 experiment, an attacker did reconfigure the PLC to lock us out but they didn’t do anything that would have had an effect in the real world. There would be potential benefits to attackers in reading or writing process data:

› Industrial processes generally have time-based patterns. Some power stations only generate power at peak times, demand for water varies over a 24-hour period, etc. Looking at these patterns would help attackers understand if the system they were interested in was controlling a real industrial process.
› Writing to a PLC could cause disruption to the controlled process. Writing random values to random addresses in the PLC would be a hit and miss process but it doesn’t require much effort from the attacker.

What should CNI operators do about this?

This work aims to raise awareness of the issues. Operators should consider:

› Checking that contractors and staff are receiving proper training relating to OT cyber security.
› Ensuring that employees and contractors adhere to approved methods of access to OT, avoiding direct connections from the internet.
› Deploying honeypots or other detection technology in OT networks and ensuring that any alerts generated are acted on.
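The findings above group honeypot visitors by what their Modbus/TCP traffic actually did (identity queries, reads, writes, and scanner probes that merely look like Modbus). The following is an added example, not code from the Atkins honeypot, of how a honeypot’s logging could make that distinction: it checks the MBAP header before trusting the function code, so a stray HTTP probe on port 502 is reported as malformed rather than as a read or write. Function codes and header layout are standard Modbus; the sample frames are constructed, not captured.

```python
# Added example, not code from the Atkins honeypot: classify Modbus/TCP requests
# into the groups used in the findings above (identity query, read, write, other,
# or a probe that does not parse as Modbus at all).
import struct
from collections import Counter

READ_FCS = {1, 2, 3, 4}          # read coils / discrete inputs / holding / input regs
WRITE_FCS = {5, 6, 15, 16, 23}   # write single/multiple coils and registers


def classify_frame(frame: bytes) -> str:
    """Return 'identity', 'read', 'write', 'other' or 'malformed' for one request."""
    if len(frame) < 8:                        # MBAP header (7) + function code (1)
        return "malformed"
    _tid, proto, length, _unit = struct.unpack(">HHHB", frame[:7])
    # MBAP sanity: protocol id is always 0 and the length field must cover exactly
    # unit id + PDU. Arbitrary bytes (an HTTP probe sent to port 502) fail this.
    if proto != 0 or length != len(frame) - 6:
        return "malformed"
    fc, pdu = frame[7], frame[8:]
    if fc == 0x2B and pdu[:1] == b"\x0e":     # Read Device Identification (MEI 14)
        return "identity"
    if fc in READ_FCS and len(pdu) == 4:      # start address + quantity
        return "read"
    if fc in WRITE_FCS:                       # would change state on a real PLC
        return "write"
    return "other"


def summarise(frames) -> Counter:
    """Count categories over captured frames, as a honeypot report would."""
    return Counter(classify_frame(f) for f in frames)


# Constructed sample traffic (not captured data); each hex string is MBAP header + PDU.
SAMPLE = [
    bytes.fromhex("000100000005012b0e0100"),    # identity query, objects from 0x00
    bytes.fromhex("00020000000601030000000a"),  # read 10 holding registers at 0
    bytes.fromhex("00030000000601060010abcd"),  # write single register 16 := 0xabcd
    b"GET / HTTP/1.0\r\n\r\n",                  # scanner's HTTP probe hitting port 502
    bytes.fromhex("0004000000020111"),          # report slave id (fc 0x11)
]

if __name__ == "__main__":
    print(summarise(SAMPLE))
```

A write that parses cleanly is counted as a write whether it was deliberate or a scanner's blind probe, which is exactly the risk the article describes for a real device behind port 502.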

[8] https://www.atkinsglobal.com/honeypot
[9] The 2013 experiment used AWS whilst in 2018 the IP address used belonged to an ADSL provider. It is possible that attackers (or more likely researchers) would have been more careful when it came to scanning AWS addresses.

Ensure your organisation is able to harness the power of technology without putting your assets or infrastructure at risk.

About us

As one of the world’s most respected design, engineering and project management consultancies, we help our clients plan, design and enable major projects and provide expert consultancy. Our cyber security experts help our clients maximise the benefits of greater connectivity without compromising operations.

DEFENCE
One of the largest providers of engineering and technical cyber vulnerability investigation services to the UK Defence sector. Protecting people, assets and missions, whether on land, at sea or in the air.

CRITICAL INFRASTRUCTURE
Experienced in the design and delivery of vital infrastructure combined with industry-leading cyber security capability, supporting clients in utilities, renewables, oil & gas and nuclear.

AEROSPACE
For decades we’ve been helping world leaders in the aerospace sector solve complex engineering challenges, offering pragmatic cyber advice which safeguards operations, whilst minimizing downtime.

TRANSPORTATION
We work with transportation operators to ensure their infrastructure is secure, supporting their increasing digitalisation to enable them to offer smart passenger options without downtime.

NATIONAL SECURITY
We’re the largest supplier of client-side advisory services to the UK’s national security sector, with a long track record of delivering complex transformational programmes of national significance.

CENTRAL GOVERNMENT
Trusted provider of cyber security support to local and national authorities helping them meet the pressure to provide streamlined and responsive public services.

Our Services

Our four key services are underpinned by our individual technical solutions. They’re designed to help you achieve cyber resilience.

Risk management: understand your business impact and operational risk to identify an effective organisation structure and a pragmatic level of cyber security investment.

Secure by design: design security into a project from inception or ensure vulnerabilities within existing infrastructure are assessed and addressed.

Security compliance: identify and measure your level of compliance against globally recognised security standards and regulatory requirements.

Security assurance: ensure your organisation and stakeholders have confidence in your approach to security and the processes embedded within your business and supply chain.

Harness the power of technology and ensure you are resilient in a digital world

snclavalin.com atkinsglobal.com/cyber Or contact us at [email protected]