WHY THIS MATTERS IN BRIEF
Industrial Control Systems (ICS) that enable the safe and efficient operation of our CNI assets are becoming increasingly smart and connected, making them more vulnerable to attack, and new technologies bring new challenges.
Firstly, thanks to James for inviting me to be the keynote at this year’s annual Industrial Control Systems (ICS) Cyber Security Nuclear event held in the shadow of Sellafield nuclear power station in Warrington in the UK, and in front of an audience packed full of Israeli cyber security experts, members of the UK’s National Cyber Security Centre (NCSC), which is a part of GCHQ, the UK Office for Nuclear Regulation, and other “interested and vested” parties.
The security of Industrial Control Systems, which play a vital role in ensuring the correct and safe operation of Critical National Infrastructure (CNI) such as civilian nuclear power stations, and our energy, food, government, health and transportation networks, to name but a few, has been under increasing scrutiny for the past couple of years.
Traditionally ICS systems would be built into, for example, a nuclear power station like the UK’s new station at Hinkley Point, when they’re first built and left in situ for thirty or so years until they were eventually upgraded – an expensive and dangerous task, and one that, as the directors and architects from EDF, who are building Hinkley C best said “means you need to be able to predict what the world of cyber will look like in 30 years in order to [stay secure].”
As we build out the next generation of CNI, including, for example, the first fully autonomous energy grids, these ICS which used to be dumb and offline, are now increasingly smart and connected, and it this that’s now putting them at increased risk of being compromised and hacked. And as for using air gaps to help add an additional layer of security? Well, those are increasingly easy to infiltrate and exfiltrate data from as well…
Described as “the black art of the black arts” ICS nuclear cyber security is an elite topic, and one that many people are, for obvious reasons, uncomfortable talking about, even in private, which given the fact that hackers and state sponsored actors have no such compunction is rather ironic, and arguably, I’d argue, to some degree, puts the industry on the back foot when it comes to trying to understand what future attacks and attack vectors look like.
Over the past few years ICS attacks have been in and out of the news with an increasingly amount of regularity, whether it’s because of Stuxnet, an advanced malware that destroyed over 1,000 Iranian nuclear centrifuges a few years ago, or whether it’s because of Triton, another advanced malware that recently disabled a Saudi chemical factory. The most worrying thing about Triton though was that unlike previous attacks not only did it have the ability to cripple the plants operational technology (OT), but it also had the capability to turn the plant into a bomb – something that was only prevented because of an accidental bug in its code.
In addition to the increasing proliferation of “advanced cyber weapons,” and as if all that wasn’t bad enough already, US and European government sources, now claim that “state sponsored actors are pre-positioning themselves by infiltrating CNI assets.” In short, state sponsored actors are increasingly infiltrating CNI assets and pre-positioning cyber weaponry that they can pull the trigger on if they ever feel the need. And I shouldn’t have to spiel out why that’s a bad thing…
During my keynote I covered all aspects of the future of cyber security, from advanced social engineering techniques, to the rise of Robo-hackers and self-evolving AI’s through to the rise of new DNA malware and tools that allow us to crack even the toughest 4,096 bit encryption. But that wasn’t all. While we continue to focus so much energy on protecting our assets from tomorrow’s advanced cyber weapons I made the strenuous point in front of the assembled audience that we shouldn’t forget there are other ways disable CNI assets, and while I’m not going to detail them here suffice to say there are other ways to knock these systems out, tear up a nuclear power station from the inside, and even infiltrate their heavy water and cooling systems. And to be frank, so far I see no evidence of our being able to defend against what’s coming.
Isn’t it time we talked about it in more depth? After all, the future is arriving faster than many people are anticipating…