BP leads security initiative

Energy giant BP is leading a global initiative to plug security holes in engineering systems that control large parts of the UK’s critical national infrastructure (CNI).

BP’s Achilles Project is testing for security flaws on supervisory control and data acquisition (Scada) systems which automate operational processes at its energy plants and pipelines in more than 450 sites across the world. Scada systems are often internet-connected and can be vulnerable to computer hackers.

Working with the British Columbia Institute of Technology (BCIT), BP plans to extend the scheme in the hope that it will be used by other parts of the CNI that use Scada systems, such as power stations, train networks and sewage treatment plans.

‘We need to move to a stage where there is a proper security certification for engineering systems,’ said Paul Dorey, chief information security officer at BP.

‘The next plan for us and the BCIT is to spread the capability of this to other test laboratories in the world.’

The project could help reduce the risk of hackers taking control of parts of the CNI, by using sophisticated systems to test Scada appliances against all known security flaws before they are installed in engineering plants.

Research from PA Consulting and BCIT suggests that there has been a tenfold increase in the number of successful attacks on Scada systems since 2000. The report also estimates that between 100 and 500 unreported industrial cyber attacks occur each year (Computing, 21 April).

The UK is believed to have avoided major electronic attacks on its critical infrastructure, but other countries have been less fortunate.

In 1999, hackers seized control of a major Russian gas pipeline for more than 24 hours. And in April 2000, millions of tonnes of sludge were released into rivers and parks when a former employee hacked into the systems of an Australian sewage treatment centre and took control of 300 Scada systems.

‘It is important that organisations which use Scada and other process control systems are aware of the risks associated with using the internet in this way,’ said a spokesman for the government’s National Infrastructure Security Co-ordination Centre, which works to minimise electronic attacks in the UK.

‘Organisations need to take proper steps to protect themselves and the processes they control using these techniques.’