Data available online leaves UK infrastructure vulnerable to cyber attacks - IET

Institution of Engineering and Technology warns 'low level of technical knowledge' required to mount attacks thanks to freely available information

Information freely available on the web could be leaving the UK's critical national infrastructure vulnerable to cyber attacks by hackers, a new report has claimed.

Carried out by design and engineering consultancy Atkins on behalf of the Institution of Engineering and Technology (IET,) the Using Open Source Intelligence to Improve ICS & SCADA Security report suggests information on blogs, social networks and specialist papers could be used to mount cyber attacks on utilities.

The research suggests that many industrial sector websites and academic papers reveal information about staff and their social media data, something that could be exploited by cyber criminals in order to launch an attack.

Papers available online also identify vulnerabilities about industrial control systems, along with information about contractors who have access to such systems. The paper suggests it would be fairly simple for a cyber criminal to put the pieces together in order to launch a calculated cyber attack against critical UK infrastructure.

"To illustrate the increased threat to industrial control systems, the assessment used freely-available tools to demonstrate the identification of networked control systems, their vulnerabilities - and the exploits that may be used to attack them," said Dr Richard Piggin, head of control systems security consulting at Atkins.

"The research demonstrates the low level of technical knowledge that is required to successfully mount an attack against industrial control systems," he continued.

Dr Piggin argues that third-party contractors must be properly managed in order to prevent information falling into the hands of cyber criminals.

"In the control system context, suitable access control, including role-based access to software and systems with activity logging is recommended."

Hugh Boyes, cyber security expert at IET, said industry must ensure it is properly protected against threats posed by hackers, adding that awareness is key.

"The UK has been proclaimed as the ‘most internet-based major economy'. Whilst this provides a basis for industry to expand and grow, it is essential that any connections between the internet and industrial control systems are adequately protected," he said.

"However, there continues to be real and growing threats to our interests in cyberspace. The availability of these open source tools makes it easier to locate and attack or interfere with poorly protected control systems.

"This is working with industry to raise awareness of the issue and to promote the development of suitably skilled cyber security professionals," Boyes concluded.

The report comes less than 24 hours after Secretary of State for Business, Innovation and Skills Vince Cable spoke publicly about the threats posed to national infrastructure by hackers and other cyber criminals.

"Cyber attacks are a serious and growing threat to British businesses, but it is particularly important that those industries providing essential services such as power, telecommunications and banking are adequately protected to avoid disruption to our everyday lives," said Cable.

"We can only achieve this objective through a partnership between government, the regulators and industry," he added