£2.5 million to recognise and reduce cyber-attack threats to critical infrastructure

Supplementary content information

Photo of electricity pylon at sunset

National Grid

Queen's University Belfast

New research co-funded by the Engineering and Physical Sciences Research Council (EPSRC) will focus on the cyber-security of the UK's vital industrial control systems which run, for example, manufacturing plants, power stations, the electricity grid, and the rail network.

The research will help understand and mitigate threats from hackers or malware infiltrating the systems behind our critical national infrastructure.

The Research Institute in Trustworthy Industrial Control Systems (RITICS) (GOW: EP/L021013/1), based at Imperial College London, is co-ordinating the research with a £2.5 million investment into new projects at Queen's University of Belfast, the University of Birmingham, City University London and Lancaster University.

The research investment comes from the Engineering and Physical Sciences Research Council and the UK's National Cyber Security Programme. The Centre for the Protection of National Infrastructure (CPNI) and GCHQ are actively supporting the research.

The research teams will work with industry partners to understand and analyse the risks from cyber-attack, examine how risk is communicated to business and provide effective interventions to counter the risk. Metrics and software tools will be produced so that non-technical decision makers can assess cyber-security in the context of their business.

Historically industrial control systems were kept isolated to keep them secure, however these systems are now connected into complex and interconnected networks via the internet. There are many business advantages from such interconnections but there are also greater risks that need to be recognised and effectively managed.

Professor Chris Hankin, from the RITICS at Imperial College London, explains; Where control systems are linked to the internet we need to understand how failures could cascade across the system. We will be looking at new ways of repairing damage to systems if an attack happens.

We need to address how to approach network maintenance for industrial control systems, particularly as most systems operate on a 24/7 basis. So we will be looking at how we can ensure better protection without compromising performance.

Notes for editors

The four new funded projects with quotes from the principal investigators below:

1. A Systematic Evaluation Process for Threats to Industrial Control Systems (GOW: EP/M002845/1)
£395,222 Professor Clive Roberts, University of Birmingham

The University of Birmingham team will carry out a detailed security analysis of the National Grid and The Rail Safety and Standards Board to build an understanding of possible failures. Industry partners are TRL and Parsons Brinckerhoff.

The project will produce a systems engineering inspired analysis method that can be applied to critical infrastructure systems. This will take the form of a process that can be followed by industry and software modelling tools that allow susceptible subsystems to be identified, and solutions to be recommended. The approach will be applicable to both rail and power systems. Within the grant, the research team will work with industry to trial and validate the approach.

A cyber-attack on the railways wouldn't affect safety as the trains are designed to be fail-safe but it would cause major disruption as trains would stop all over the network. At the moment the challenges are to understand the vulnerabilities, says Professor Roberts.

2. Communicating and evaluating cyber risk and dependencies (GOW: EP/M002802/1)
£402,738 Professor R Bloomfield, City University London

The research focuses on risk evaluation and risk communication. The project partners are Adelard LLP and Alstom Group.

Professor Bloomfield says, The research will produce a methodology supported with modelling software that will be able to be deployed in the risk assessment of critical infrastructures. It will take a scenario-based approach to risk assessment addressing uncertainties and doubts in intelligence, the systems themselves as well as the impact of attack.

The risk communication is an important component of the project and will consider the needs of different stakeholders, not just highly technical people. Some of the modelling work will be published as case studies and made publicly available.

3. Multi-faceted Metrics for ICS Business Risk Analysis (GOW: EP/M002780/1)
£393,867 Professor Awais Rashid, Lancaster University

The multi-disciplinary team of researchers are working with industry partners: Airbus, Thales, Atkins-Global and Raytheon to provide decision makers with metrics to understand the business risks posed by cyber security breaches of industrial control systems.

Our project is about understanding the cyber security risks at the intersection of people and technology. If you give people lots of technical metrics that they don't understand you get poor decision making. Risk decisions are made not only at board and management level but also by those working with industrial control systems on a day-to-day basis. Our project will produce a software tool that will allow professionals to more effectively understand and visualise risks to industrial control systems. Given the long operational life of such systems, we will also study the implications of security decisions on them in 20-30 years' time. This will provide much needed future-proofing, says Professor Rashid.

4. Converged Approach towards Resilient Industrial Control systems and Cyber Assurance (GOW: EP/M002837/1)
£394,306 Professor Sakir Sezer, Queen's University Belfast

Researchers will investigate vulnerabilities within the national grid as wind or solar generated electricity comes on stream. Where the grid operates over the telecoms network it could be vulnerable. Project partners are Scottish and Southern Energy, Statnett and Thales Ltd.

Professor Sezer, QUB, said: Presently, Ireland frequently operates with over 50 per cent of electricity supplied by wind generation. Operating the system with such high levels of renewable generation is a challenge, and requires complex wide area monitoring and control.

Should the telecoms systems that support the control system be compromised, the impact of the resultant loss of electricity supply would have far-reaching consequences for society. This would involve loss of consumer supply, supply to hospitals, industry, and would even affect the gas, water and sewage networks.

The researchers will demonstrate assured and improved operational decision making and lay the groundwork for a new, cyber-threat resilient, control architecture for the grid.

Engineering and Physical Sciences Research Council

The Engineering and Physical Sciences Research Council (EPSRC) is the UK's main agency for funding research in engineering and the physical sciences. EPSRC invests around £800 million a year in research and postgraduate training, to help the nation handle the next generation of technological change. The areas covered range from information technology to structural engineering, and mathematics to materials science. This research forms the basis for future economic development in the UK and improvements for everyone's health, lifestyle and culture. EPSRC works alongside other Research Councils with responsibility for other areas of research. The Research Councils work collectively on issues of common concern via Research Councils UK.

The National Cyber Security Programme and UK Cyber Security Strategy

The UK Cyber Security Strategy (November 2011) sets out how the UK will support economic prosperity, protect national security and safeguard the public's way of life by building a more trusted and resilient digital environment. The National Cyber Security Programme (NCSP) within the Cabinet Office provides £860 million of funding until 2016. It coordinates and funds work undertaken by government departments and agencies to implement the UK Cyber Security Strategy. Information on progress against the strategy and achievements of the National Cyber Security Programme can be found at the GOV.UK website.