Category: Cyber Security

How we can secure critical infrastructure against zero-day hacks

A post by Dr Tingting Li, Research Associate at the Institute for Security Science & Technology.

As detailed in the recent Alex Gibney documentary Zero Days: Nuclear Cyber Sabotage, the Stuxnet worm caused havoc in an Iranian nuclear facility by exploiting unknown – and hence unprotected – weaknesses in the computer control system; so called zero-day weaknesses.

At Imperial ISST we’ve shown that the risk of a cyber-attack like Stuxnet being successful can be reduced by strategically defending the known weaknesses. We can model the relative risks in the system without foreknowledge of potential zero-day weaknesses, and maximise security by focusing defences on higher impact risks.

The interaction between safety and security

A post by Professor Chris Hankin, Director ISST

Increasing digitization has led to convergence between IT (Information Technology) used in offices and mobile devices, and OT (Operational Technology) that controls devices used in critical infrastructure and industrial control systems. The IoT (Internet of Things) is also rapidly growing, with around 10 billion devices today.

These trends raise concerns about the interaction between safety and security. The reality of the threat has been highlighted in national news coverage, from cyber security vulnerabilities being exploited to compromise vehicle safety, to denial of service attacks launched from consumer devices.

Discussions are sometimes hampered by the lack of clear definitions of the concepts.

The origin of threat assessment

A post by Helen Greenhough, PhD Research Student, Imperial College, Dept of Computing

As an analyst in the defense sector, the adage of threat = capability x intent was widely accepted.   But where did it come from?

In the course of my research I was pleased to come across what appears to be the original source of this equation in J. David Singer’s 1958 paper ‘Threat Perception and Armament-Tension Dilemma’ and was originally:   ‘Threat-Perception = Estimated Capability x Estimated Intent’ [p94, Singer, J. 1958].   This quasi-formula  posits that the perception of a threat can be reduced to zero by either reducing military capability or military intent. 

Security of Industrial Control Systems

A post by Professor Chris Hankin, Director ISST

Operational Technology (OT), as distinct from Information Technology (IT), refers to the hardware and software that controls an industrial process.  Despite increasing similarities between OT and IT architectures and components there are quite fundamental differences in the make-up of cyber attacks on each.  In To Kill a Centrifuge, an in-depth technical analysis of the Stuxnet attack, Ralph Langner has already identified three distinct layers of a sophisticated cyber-physical attack: the IT, the Industrial Control Systems (ICS) and the physical layers.  The SANS Institute in the U.S. has recently published an anatomy of cyber attacks  on ICS, involving two multi-phase stages: 1) cyber intrusion preparation and execution – what can be thought of as intelligence gathering; and 2) ICS attack development and execution.

The Cyber Security Show

A post by Professor Chris Hankin, Director ISST

I’ve just returned from the Cyber Security Show 2016, held 8-9 March 2016 at the Business Design Centre, Islington. This incorporated an exhibition and conference, one of the major annual cyber security conferences in the UK, for which I was Chairman for the two days.

It is a particularly interesting time in the world of Cyber Security.  Just a month ago, President Obama launched the U.S. Cybersecurity National Action Plan.  The measures announced include the creation of a Commission on Enhancing National Cybersecurity, a $3.1bn Information Technology Modernization Fund, a new National Cybersecurity Awareness Campaign to empower Americans to better secure their online accounts, and a $19bn investment in cyber during the 2017 Fiscal year.