SECURE - SNC-Lavalin /media/Files/S/SNC-Lavalin/... · PDF file 2020-06-09 ·...


    SECURE BY DESIGN 2019

    CYBER RESILIENCE IN A DIGITAL WORLD

    Working in cyber – a woman’s perspective

    Upskilling for an effective CVI capability

    The OT honeypot: reloaded

    From the editor

    Matthew Simpson Technical Director, Cyber Resilience

    Matt has over 20 years’ experience in Systems Engineering, Technical Assurance and Cyber Security. He provides C-level subject matter advice to key clients on a variety of topics including transport security, safety system assurance, secure SCADA architecture and the Internet of Things.

    Matt has previously worked with the UK Government and the academic sector to produce global standards and guidance in the field of cyber security and smart infrastructure.

    Digital technology is transforming the way we work. Thanks to digital advancements, organisations have the potential to become more efficient, more open and more agile. However, as a result of this constant change the industry is facing a new set of challenges. Can we leverage the benefits of increased connectivity, while ensuring we’re staying on the right side of legislation and keeping our critical infrastructure secure? Are we even using the right technology to protect ourselves? Do our people possess the necessary skills to operate the technology, now and in the face of future demand?

    In this magazine, we’ve gathered together the thoughts and opinions from a range of our experts to explore the answers to these questions and other topics that are shaping the cyber industry.

    It’s an exciting time in the cyber industry, with the pace of change resulting in a constantly evolving set of challenges – but more importantly an ever-growing set of opportunities. We hope the articles in this magazine inspire reflection and feedback. If you have any comments, do get in touch.

    Matt Simpson Technical Director, Cyber Resilience

    [email protected]

    Contributors

    Martin Richmond Technical Authority, Cyber Security

    Martin is a Chartered Digital Electronics Engineer with over 20 years’ experience of cyber systems design, testing and assessment. Working across government he has proven experience of complex technical and innovative cyber solutions as well as the validation, characterisation and testing of system vulnerabilities. His passions include the application of critical thinking and domain-driven Open Source intelligence analysis to secure engineering design.

    Nicola Aspinall Consultant, Portfolio, Project and Programme Management (P3M)

    Nicola joined Atkins in 2016 on the Junior Consultant Development Programme after studying Economics and Geography at the University of Birmingham. Since then she has worked for multiple critical national infrastructure clients including Heathrow Airport and the Ministry of Defence. She is currently working at a confidential client as a Project Manager, where she is leading on a regulation-based project.

    Campbell Hayden Principal Consultant, Cyber Security

    Campbell has over 10 years’ experience working in Critical National Infrastructure (Oil & Gas, Civil Nuclear, Water and Transport) helping organisations address their cyber security risks, specifically in Industrial Control Systems and Operational Technology. Campbell has spent the last 12 months helping organisations understand and comply with the NIS Regulations.

    Mike Spain Cyber Academy Lead, Cyber Resilience

    Mike Spain is founder and chair of NeuroCyberUK, Non-Executive Director for Cyber Exchange and leads the Cyber Academy for SNC-Lavalin’s Atkins business. He is an innovation and growth specialist and neurodiversity advocate in the cyber sector and is passionate about working to enable growth of the UK cyber sector and the development of an accessible and sustainable UK cyber ecosystem.

    Della-Maria Marinova Graduate Consultant

    Della-Maria studied Law at the University of Warwick at undergraduate level, with a year studying French Law at the University of Bordeaux. She also completed a Master’s in European Law at the College of Europe in Bruges. Della-Maria joined Atkins in January 2019 as part of the Junior Consultant Development Programme and has undertaken a variety of work, including involvement in the Cyber Academy and Cyber First Summer Placement initiatives.

    Dr Ian Buffey Technical Director, ICS Security

    Ian has worked with ICS (SCADA and DCS) for over 30 years, specialising in security since 2004. He has a record of successful delivery on complex systems controlling the Critical National Infrastructure in a variety of countries worldwide.

    He has seen many changes in the ICS arena, and a key focus area now is how the security and resilience of systems are affected by the introduction of distributed resources, including cloud.

    Upskilling for an effective CVI capability

    Taking a new concept and quickly delivering successful outcomes is difficult. Anyone involved in the Ministry of Defence Cyber Vulnerability Investigation (CVI) projects will undoubtedly agree. Achieve this against a backdrop of a huge skills shortage in engineering and, in particular, cyber security, and you have a challenging problem to solve.

    Overcoming the national skills shortage

    The rapid rise of digital technologies, and the pace at which they have been adopted, exploited and therefore need to be secured, is ever increasing. The resulting skills gap remains a concern for employers, with 46% reporting difficulty in the supply of the necessary skills [1].

    Cyber security skills are even more scarce. An engineer who understands the technical aspects of cyber security, as well as the strategic impact of cyber risks to a business, is a very rare and coveted resource indeed.

    Nationally, this is recognised through the National Cyber Security Centre’s new approach to professional skills training. The days of siloed information security training are now gone, and a refreshed look has resulted in a much broader framework of skills and competencies in the IISP [2]. When fused with other engineering frameworks, such as the IET’s CEng and IEng programmes, and the industry-recognised SFIA framework, you begin to develop a really well-rounded set of cyber skills.

    Using these frameworks (and more), we have created our very own cyber security engineering career development pathways, to try and capture the necessary skill sets.

    Assembling the team

    Delivering a CVI needs to be approached in the same way as an iterative discovery activity. From the start, you’ll be unsure of the final scope of the project, the direction it will take you in, and the final outcomes you will achieve, given that the very nature of the task is to “know the unknown”. By capturing all this information, you’ll begin to paint a detailed picture of the impact of the vulnerabilities you’ve discovered, which can then be used to create an understandable, strategic set of evidence-based risk statements. Since we began undertaking CVI projects, we’ve been presented with a whole host of security risks.

    To tackle such variety, a team possessing a multidisciplinary set of skills was a must. From the outset, you’ll need domain and system engineering expertise to fully understand how your system operates while under assessment. Adopting a “hacker” mentality while keeping activities ethically and legally sound will provide a greater understanding of the range of vulnerabilities and their impact. Another necessary addition to the team is a risk-aware cyber professional, who is well versed in articulating technical and business risks, and knows how to ask keen questions. Incorporating cultural and behavioural expertise is important too.

    Finally, a cyber-aware project manager will make sure the project remains fair as it tackles the different assessment phases, as well as ensuring that it iterates with enough frequency around the core elements, at the appropriate times, to develop the risk case and determine the impact of discovered vulnerabilities.

    Bringing it all together

    Two years into the journey of successful delivery of CVI projects has seen our cyber security workforce develop a more rounded skillset, resulting in a streamlined, flexible delivery unit. Now, we are applying the same delivery model to increasingly wider client applications and assessments, expanding into our full client markets as well as supporting the whole of SNC-Lavalin’s engineering capabilities through the provision of secure-by-design products and services.

    As the demand continues to expand, we have embarked upon a capability development programme, which will ensure that we continue to source the skills we need, while also instilling these principles in our engineering teams during their training at a cyber academy. In this way, we will be able to continue developing the digital security capabilities required for CVI projects: showing businesses where their risk lies, how it impacts their business, and how it can be reduced to a manageable level.

    [1] https://www.theiet.org/media/1350/skills17.pdf

    [2] https://www.iisp.org/iisp/About_Us/Our_Frameworks/Our_Skills_Framework/iispv2/Accreditation/Our_Skills_Framework.aspx

    Martin Richmond Technical Authority, Cyber Security

    Building cyber resilience into our railway’s DNA

    As we move into the age of the digital railway, retro-fixing digital systems to protect them against cyber attack is no longer