Safe and secure

30th October 2015


Related Topics

Related tags

  • Management ,
  • EMS ,
  • Business & Industry


Thomas Norton

Rosa Richards looks at managing cyber threats as part of environmental risk management

First came steam power, followed by electricity and then the digital revolution. Now use of smart technology and the Internet of Things (IoT) to control processes in real time is driving the fourth industrial revolution, or Industrie 4.0. But, with every introduction of a new smart device or system the threat of a cyber-attack grows.

Cyber security incidents are often in the news and there is evidence that the frequency of attacks is increasing, although few have led to hazardous events. Nonetheless, environment managers may want to review the risk to their organisation's operations from cyber threats. At the same time those responsible for critical national infrastructure (CNI) and sites regulated under COMAH - control of major accident hazards - are advised to ensure procedures are in place and staff trained to deal any threat.

Growing problem

Uptake of smart technology is increasing year on year. Deloitte predicts that in 2015 one billion wireless IoT devices will be bought worldwide, 60% more than in 2014. ABI Research predicts that by 2020 more than 30 billion devices globally will be connected wirelessly to the internet. The increasing use by enterprises and industry of smart systems is accompanied by the responsibility for managing and protecting them.

Global cyber-attacks against supervisory control and data acquisition (SCADA) systems quadrupled in 2014 compared with 2013, according to Dell's annual threat report. The technology firm recorded 675,186 attacks in 2014, with Finland facing the largest proportion (202,322), followed by those in the UK (69,656) and the US (51,258). The high figures are likely to be due to increased awareness and detection, as well as the fact that SCADA systems are more common in these countries and more likely to be connected to the internet. Many attacks target operational capabilities in power plants, factories and refineries. These are political in nature rather than those that are financially-driven, such as credit card fraud or identity theft, but which receive more publicity.

The Health and Safety Executive (HSE) recognises the implications of cyber-attack on CNI, which includes energy, food, health, transport and water. It says: "Accidental failure or malicious attack on process control systems could result in loss of system-critical safety functions such as interlocking and emergency shutdown systems and disruption of control of the process, potentially resulting in serious risks to operators and possibly the public."

The Centre for the Protection of National Infrastructure (CPNI) advises large companies and organisations operating CNI to "take all necessary measures to prevent major accidents involving dangerous substances. Limit the consequences to people and the environment of any major accidents that do occur."

Operations using an instrumented control system that is electrical, electronic or programmable are bound by international standard IEC61508. This requires a hazard analysis to be undertaken but also a security threat analysis if malevolent or unauthorised action constituting a security threat is identified as reasonably foreseeable. The HSE says: "While it is good practice to isolate safety-critical control or protection systems from any connectivity to the 'outside world' this approach is being challenged by the changing nature of plant electronic control and management systems. This is leading to increased vulnerability of plant to electronic attack, while at the same time the threat level is increasing. The possibility of such electronic attack of control systems is recognised as a threat to the CNI."

A security breach can be caused internally simply due to human error - which accounts for about half, according to the UK 2015 information breaches survey, published by the government in June - or an intentional cyber-attack by a disgruntled staff member. Alternatively attacks can originate from malicious external third parties, including organised criminals, malware authors, activists and non-professional hackers. Poor IT security or a lack of control of vendors or third parties can present weaknesses. Breaches of technology were the third most common type of security breach after government and "other" in the first half of 2015, according to data from the Global Breach Level index.

In 2011, Stuxnet was the first-known virus designed to target critical infrastructure, such as power stations. It was transferred by USB to equipment physically isolated (air-gapped) from unsecured networks. Dragonfly was a less publicised virus, designed to sabotage energy supplies. It simply sent emails with information that the recipient opened. According to cyber security business Symantec, more than a 1,000 organisations in 84 countries were affected over an 18-month period.

Other cyber-attacks aimed at industrial control systems in 2014 include the Havex RAT - a cyber espionage malware campaign - and BlackEnergy malware attacks, which exploited vulnerabilities in products from GE, Advantech/Broadwin and Siemens.

Combating the threats

All employees need to be aware of cyber threats and how to avoid them; it is not just the responsibility of the IT department. They should understand the risks of spear phishing (a fraudulent email) across organisations and whale phishing (attacks on wealthier and senior people), which targets executives. Both make organisations vulnerable to cyber espionage by releasing sensitive information in response to cleverly worded emails (see case study, below).

Security control measures, such as firewalls, antivirus and vulnerability management can be put in place to prevent breaches, and threats can be monitored but these measures will not prevent all cyber-attacks. In the past, an organisation's internal network may have been "fenced off" from the web, but smart technology interacts with the internet. Previously the standards of security may have been higher for IT than for operational technology (OT), such as SCADA systems, due to the systems and knowledge bases being separate. This situation is changing with IT and OT working more closely together, such as in the utilities sector.

There is growing acceptance that breaches are inevitable so the emphasis in many companies is switching to securing sensitive data. Security experts recommend that firms take a data-centric view of digital threats. This includes setting long and strong passwords and installing multi-factor authentication and encryption so that if data is stolen it is useless. Data "tunnels" can be used so information being transferred is secure. Companies can hire ethical hackers, known as "white hat" hackers, to test the strength of their infrastructure. In addition, IT teams are recommended to establish roles and responsibilities, and to draw up plans for regular testing in scenarios that cover all possible outcomes.

Nick McLauchlan, business manager at the engineering business, Z-Tech Control Systems, warns: "There can sometimes be an assumption that smart devices are secure. If the original equipment manufacturer [OEM] is selling the device they must make it secure - right? Wrong, your data system is only as secure as the weakest link in the chain, and the OEM will generally assume that you are responsible for the security of your system." He recommends performing a full cyber-security risk assessment (see panel, below) at the design stage of any project. This should be followed by regular reviews throughout the life of the system, and staff should receive regular training on simple behavioural controls that will maintain security. These include instructions not to open attachments in emails from unknown sources and controlling the use of USB dongles. McLauchlan also advises organisations to refer to the guidance provided by the CPNI.

Severn Trent Water recently undertook a cyber-security review and improved its data security with guidance from the CPNI. John Skelton, chief technology officer at the utility company, said: "We took proportionate and appropriate action across people, process and technology to manage the risks. It was hard work at times, but we gained useful insights. There has been sweat, but no blood or tears - yet! We feel more confident that we are now more proactive to cyber threats rather than just reactive, and better prepared for the challenges ahead with increasing use of machine-to-machine [M2M] technologies." M2M refers to technologies that allow wireless and wired systems to communicate with other devices.

Organisations that have assessed their cyber-security agree that it has been a worthwhile exercise. Moreover, guidance is easily available on how to take proportionate and appropriate pre-emptive action. We are already living in the digital age and the system "surface" potentially vulnerable to cyber-attack will continue to grow with the types of threat likely to become more sophisticated.

Cyber-security risk assessment

A cyber-security risk assessment is the first step in securing process controls and SCADA. These steps are recommended by the CPNI:

  • Undertake a cyber-security risk assessment to understand the business risk - a combination of credible threats, impacts and vulnerabilities. Questions to ask include: What information is at risk? From whom? How likely is this? How might attackers try to access the information? What impacts would there be? Who is responsible for this risk at board level? What security measures do you have and are they working? Is there an incident response plan? Can any improvements be made to improve security?
  • Implement secure architecture according to the business risk. This should not rely on one single security measure, such as firewalls, for its defence.
  • Establish response capabilities.
  • Improve awareness and skills.
  • Manage third-party risk from use of mobile devices, such as laptops and USB sticks, by implementing the Cyber essentials scheme, a government-backed initiative to help organisations protect themselves against common cyber attacks (
  • Engage with all new process-control, system-related projects.
  • Establish ongoing governance.

Your information risk management regime should comprise all of these components:

  • Ongoing staff training and awareness-raising.
  • A mobile working policy with training.
  • Security patches.
  • A policy for all removable media controls - for example, USB sticks.
  • Account management processes - limit user privileges and monitor user activity.
  • Incident management plans and reporting - see CiSP in useful resources below.
  • A continuous monitoring strategy.
  • Malware protection across the organisation.
  • Network security measures.

Further advice is available at Other useful resources include: CPNI training in ICS security, which is free for CNI assets owners; Companies like yours video (; Secure the breach - two-part video (; The critical security controls for effective cyber defense, version 5.1, Council on Cyber Security (; and the Cyber-security Information Sharing Partnership (CiSP) - a UK "community watch" scheme for cyber threats and vulnerabilities so that UK businesses are aware of current issues and can take steps to reduce their impact (

Case study: Spear phishing attack at German steel mill

The German Federal Office for Information Security (BSI) reported in 2014 that a cyber attack on a German steel mill caused extensive damage to a blast furnace.

The attackers used spear phishing and clever social engineering to target key staff and trick them into opening emails.

The messages contained code that captured login details for the office network. This gave the hackers access to the plant's production systems. The attack led to parts of the control system failing, which resulted in the uncontrolled shutdown of a blast furnace and caused extensive damage.

The security services rated the attackers' technical skills as very advanced. To be capable of mounting the assault, the hackers would have had in-depth knowledge of IT security and technical knowledge of industrial control systems as well as production processes.

Attacks like this are reported to the national security services so that other operators of industrial installations are aware of the risks and threat level. In the UK, incidents are reported to the Cyber-security Information Sharing Partnership (CiSP).


Subscribe to IEMA's newsletters to receive timely articles, expert opinions, event announcements, and much more, directly in your inbox.

Transform articles

Is the sea big enough?

A project promoter’s perspective on the environmental challenges facing new subsea power cables

3rd April 2024

Read more

The UK’s major cities lag well behind their European counterparts in terms of public transport use. Linking development to transport routes might be the answer, argues Huw Morris

3rd April 2024

Read more

Tom Harris examines the supply chain constraints facing the growing number of interconnector projects

2nd April 2024

Read more

The UK government’s carbon capture, usage and storage (CCUS) strategy is based on optimistic techno-economic assumptions that are now outdated, Carbon Tracker has warned.

13th March 2024

Read more

The UK government’s latest Public Attitudes Tracker has found broad support for efforts to tackle climate change, although there are significant concerns that bills will rise.

13th March 2024

Read more

A consortium including IEMA and the Good Homes Alliance have drafted a letter to UK government ministers expressing disappointment with the proposed Future Homes Standard.

26th February 2024

Read more

Global corporations such as Amazon and Google purchased a record 46 gigawatts (GW) of solar and wind energy last year, according to BloombergNEF (BNEF).

13th February 2024

Read more

Three-quarters of UK adults are concerned about the impact that climate change will have on their bills, according to polling commissioned by Positive Money.

13th February 2024

Read more

Media enquires

Looking for an expert to speak at an event or comment on an item in the news?

Find an expert

IEMA Cookie Notice

Clicking the ‘Accept all’ button means you are accepting analytics and third-party cookies. Our website uses necessary cookies which are required in order to make our website work. In addition to these, we use analytics and third-party cookies to optimise site functionality and give you the best possible experience. To control which cookies are set, click ‘Settings’. To learn more about cookies, how we use them on our website and how to change your cookie settings please view our cookie policy.

Manage cookie settings

Our use of cookies

You can learn more detailed information in our cookie policy.

Some cookies are essential, but non-essential cookies help us to improve the experience on our site by providing insights into how the site is being used. To maintain privacy management, this relies on cookie identifiers. Resetting or deleting your browser cookies will reset these preferences.

Essential cookies

These are cookies that are required for the operation of our website. They include, for example, cookies that enable you to log into secure areas of our website.

Analytics cookies

These cookies allow us to recognise and count the number of visitors to our website and to see how visitors move around our website when they are using it. This helps us to improve the way our website works.

Advertising cookies

These cookies allow us to tailor advertising to you based on your interests. If you do not accept these cookies, you will still see adverts, but these will be more generic.

Save and close