Download - SECURE - SNC-Lavalin/media/Files/S/SNC-Lavalin/... · 2020-06-09 · Nicola Aspinall Consultant, Portfolio, Project and Programme Management (P3M) Nicola joined Atkins in 2016 on


SECURE BY DESIGN 2019

CYBER RESILIENCE IN A DIGITAL WORLD

Working in cyber – a woman’s perspective

Upskilling for an effective CVI capability

The OT honeypot: reloaded


From the editor

Matthew Simpson Technical Director, Cyber Resilience

Matt has over 20 years’ experience in systems engineering, technical assurance and cyber security. He provides C-level subject matter advice to key clients on a variety of topics, including transport security, safety system assurance, secure SCADA architecture and the Internet of Things.

Matt has previously worked with the UK Government and the academic sector to produce global standards and guidance in the field of cyber security and smart infrastructure.

Digital technology is transforming the way we work. Thanks to digital advancements, organisations have the potential to become more efficient, more open and more agile. However, as a result of this constant change the industry is facing a new set of challenges. Can we leverage the benefits of increased connectivity, while ensuring we’re staying on the right side of legislation and keeping our critical infrastructure secure? Are we even using the right technology to protect ourselves? Do our people possess the necessary skills to operate the technology, now and in the face of future demand?

In this magazine, we’ve gathered together the thoughts and opinions from a range of our experts to explore the answers to these questions and other topics that are shaping the cyber industry.

It’s an exciting time in the cyber industry, with the pace of change resulting in a constantly evolving set of challenges – but more importantly an ever-growing set of opportunities. We hope the articles in this magazine inspire reflection and feedback. If you have any comments, do get in touch.

Matt Simpson Technical Director, Cyber Resilience

[email protected]

Contributors

Martin Richmond Technical Authority, Cyber Security

Martin is a Chartered Digital Electronics Engineer with over 20 years’ experience of cyber systems design, testing and assessment. Working across government he has proven experience of complex technical and innovative cyber solutions as well as the validation, characterisation and testing of system vulnerabilities. His passions include the application of critical thinking and domain-driven Open Source intelligence analysis to secure engineering design.

Nicola Aspinall Consultant, Portfolio, Project and Programme Management (P3M)

Nicola joined Atkins in 2016 on the Junior Consultant Development Programme after studying Economics and Geography at the University of Birmingham. Since then she has worked for multiple critical national infrastructure clients, including Heathrow Airport and the Ministry of Defence. She is currently working at a confidential client as a Project Manager, where she is leading a regulation-based project.

Campbell Hayden Principal Consultant, Cyber Security

Campbell has over 10 years’ experience working in Critical National Infrastructure (Oil & Gas, Civil Nuclear, Water and Transport) helping organisations address their cyber security risks, specifically in Industrial Control Systems and Operational Technology. Campbell has spent the last 12 months helping organisations understand and comply with the NIS Regulations.

Mike Spain Cyber Academy Lead, Cyber Resilience

Mike Spain is founder and chair of NeuroCyberUK, Non-Executive Director for Cyber Exchange and leads the Cyber Academy for SNC-Lavalin’s Atkins business. He is an innovation and growth specialist and neurodiversity advocate in the cyber sector and is passionate about working to enable growth of the UK cyber sector and the development of an accessible and sustainable UK cyber ecosystem.

Della-Maria Marinova Graduate Consultant

Della-Maria studied Law at the University of Warwick at undergraduate level, with a year studying French Law at the University of Bordeaux. She also completed a Master’s in European Law at the College of Europe in Bruges. Della-Maria joined Atkins in January 2019 as part of the Junior Consultant Development Programme and has undertaken a variety of work, including involvement in the Cyber Academy and Cyber First Summer Placement initiatives.

Dr Ian Buffey Technical Director, ICS Security

Ian has worked with ICS (SCADA and DCS) for over 30 years, specialising in security since 2004. He has a record of successful delivery on complex systems controlling the Critical National Infrastructure in a variety of countries worldwide.

He has seen many changes in the ICS arena and a key focus area now is how the security and resilience of systems is affected by the introduction of distributed resources including cloud.


Upskilling for an effective CVI capability

Taking a new concept and quickly delivering successful outcomes is difficult. Anyone involved in the Ministry of Defence Cyber Vulnerability Investigation (CVI) projects will undoubtedly agree. Achieve this against a backdrop of a huge skills shortage in engineering and, in particular, cyber security, and you have a challenging problem to solve.

Assembling the team

Delivering a CVI needs to be approached in the same way as an iterative discovery activity. From the start, you’ll be unsure of the final scope of the project, the direction it will take you in, and the final outcomes you will achieve, given that the very nature of the task is to “know the unknown”. By capturing all this information, you’ll begin to paint a detailed picture of the impact of the vulnerabilities you’ve discovered, which can then be used to create an understandable, strategic set of evidence-based risk statements. Since we began undertaking CVI projects, we’ve been presented with a whole host of security risks.

To tackle such variety, a team possessing a multidisciplinary set of skills was a must. From the outset, you’ll need domain and system engineering expertise to fully understand how your system operates while under assessment. Adopting a “hacker” mentality while keeping activities ethically and legally sound will provide a greater understanding of the range of vulnerabilities and their impact. Another necessary addition to the team is a risk-aware cyber professional, who is well versed in articulating technical and business risks and knows how to ask keen questions. Incorporating cultural and behavioural expertise is important too.

Finally, a cyber-aware project manager will make sure the project remains fair as it tackles the different assessment phases, and that it iterates with enough frequency around the core elements, at the appropriate times, to develop the risk case and determine the impact of discovered vulnerabilities.

Overcoming the national skills shortage

Digital technologies are being adopted, and exploited, at an ever-increasing pace, and the need to secure them grows with it. The resulting skills gap remains a concern for employers, with 46% reporting difficulty in sourcing the necessary skills¹.

Cyber security skills are scarcer still. An engineer who understands the technical aspects of cyber security, as well as the strategic impact of cyber risks to a business, is a very rare and coveted resource indeed.

Nationally, this is recognised through the National Cyber Security Centre’s new approach to professional skills training. The days of siloed information security training are gone, and a refreshed look has produced a much broader framework of skills and competencies in the IISP Skills Framework². Fused with other engineering frameworks, such as the IET’s CEng and IEng registration routes and the industry-recognised SFIA framework, it gives a really well-rounded set of cyber skills.

Using these frameworks (and more), we have created our own cyber security engineering career development pathways to capture the necessary skill sets.

Bringing it all together

Two years of successful CVI project delivery have seen our cyber security workforce develop a more rounded skillset, resulting in a streamlined, flexible delivery unit. We are now applying the same delivery model to increasingly wider client applications and assessments, expanding into our full client markets as well as supporting the whole of SNC-Lavalin’s engineering capabilities through the provision of secure-by-design products and services.

As demand continues to grow, we have embarked upon a capability development programme that will ensure we continue to source the skills we need, while also instilling these principles in our engineering teams during their training at a cyber academy. This will allow us to keep developing the digital security capabilities required for CVI projects: showing businesses where their risk lies, how it impacts their business, and how it can be reduced to a manageable level.

1 https://www.theiet.org/media/1350/skills17.pdf

2 https://www.iisp.org/iisp/About_Us/Our_Frameworks/Our_Skills_Framework/iispv2/Accreditation/Our_Skills_Framework.aspx

Martin Richmond Technical Authority, Cyber Security


Building cyber resilience into our railway’s DNA

As we move into the age of the digital railway, retro-fitting protection onto digital systems after the fact is no longer enough. We must now put cyber security and cyber resilience front and centre of every railway engineering project.

We’re already living in an increasingly digital world, where advances over just the past five years have been staggering. Autonomous vehicles are being tested on our roads. Driverless trains are on the increase. Computer systems on aircraft are so advanced that planes virtually fly themselves. The broad perception is that the railways are catching up, with Network Rail’s Digital Railway programme driving the modernisation of Britain’s railways. The industry cannot help but move forward towards the wealth of new opportunities being unleashed by the digital revolution. But where there are opportunities, there are also threats. Change is happening exponentially, not gradually, and to keep our railway’s new systems, and our physical rail network, secure, we now need to see a step-change in how we embrace cyber security. Cyber resilience is just as much an issue for passenger safety as safeguarding physical infrastructure, and it is business-critical.

Opening up to new opportunities

While digital technologies within our railway’s operations aren’t new, the opportunity for greater connectivity is a new development. We know that the introduction of digital signalling will make trains better connected, and they’ll be able to communicate with each other in a much more intelligent way.



This also means that railway companies are increasingly being pushed to open up their on-board networks to provide passengers with better, more reliable Wi-Fi and, overall, a greater passenger experience. This extra connectivity between trains, apps, Wi-Fi, websites, email, everything, also means that the whole network, as an organism, is vulnerable in a way it never has been before. As an industry it’s our duty to protect that entire end-to-end digital ecosystem: the networks, the apps, the Wi-Fi, everything. The whole system will only be as strong as its weakest link.

Resilience, not just security

To the railway industry we say this: security is not an option. As one of the biggest systems integrators in the rail industry, building cyber resilience into any project we deliver is now our default setting. It’s simply the right thing to do. It’s our strategy. That means cyber security is built into our delivery processes: this is a big task, and it’s a major transformation. It affects all of our engineering lifecycle, engineering design assurance and project delivery processes, because now, and going forward, they will all have security woven into them.

In the joined-up digital ecosystem, with data driving our daily lives, new interdependencies will bring threats, opportunities and the need for action. We’re already in that world, and it’s no surprise that the industry is starting to listen. With so much at stake if our rail networks aren’t fully protected, and train companies facing potential malicious attack like never before, how can it afford not to?

Matthew Simpson Technical Director, Cyber Resilience


12 Secure by Design principles

Security is not a bolt-on, nor is it a compliance exercise. Secure by Design aims to embed pragmatic security controls into your infrastructure. It promotes a proven systems engineering process to establish and manage your cyber risk and protect the safety, security, availability and integrity of your networks and assets.

› Know your infrastructure
You must have a current and detailed understanding of your network infrastructure, data flows and asset specifications

› Understand your threat landscape
The majority of threats are likely to come from inside, with accidental and malicious insider activity and supply chain activity the largest malware infection vectors

› Prioritise operational resilience
Aim to provide operational continuity through cyber resilience

› Understand your risk
Be aware of the safety, integrity, legal and availability risks to your networks and assets

› Implement security layers
A well designed and defended enterprise architecture includes multiple layers of security; identifying an attack early at one layer minimises its impact

› Segregate vital systems
Segregating vital from non-vital systems minimises the attack footprint; security gateways and encrypted conduits between the zones help protect essential services

› Minimise user privileges
Restrict access to the most critical systems and data to those who truly need it, using Role Based Access Control (RBAC)

› Minimise media connectivity
Removable devices and unmanaged media remain a high risk; limit their use, and design it out with a secure remote access solution where appropriate

› Prepare for maintainability
Digital assets will require regular patches and updates; deliver them through a secure, central, automated process staged via a DMZ (demilitarised zone) that minimises user interaction

› Prepare for monitoring
Monitoring is vital; building an anomaly detection capability into your networks will help to future-proof your system design

› Manage third party risk
Manage your supply chain risk through a standardised System of Systems approach, underpinned by a baseline architecture, external security gateways and a code of connection

› Implement change assurance
Threats change regularly; your Design Assurance regime must be cognisant of these developments and respond to emerging risks throughout the system lifecycle
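The first, sixth and tenth principles above (know your infrastructure, segregate vital systems, prepare for monitoring) come together in a zones-and-conduits check: every asset belongs to a known zone, only declared conduits may cross zone boundaries, and observed traffic is compared against that baseline. The script below is an added example and is not part of the original article or of any Atkins or SNC-Lavalin tooling; the asset inventory, the allowed-conduit matrix, the zone names and the NetFlow-style CSV sample are all constructed for illustration.

```python
"""Check observed OT network flows against a zones-and-conduits baseline.

Added example, not from the original article. The inventory, conduit matrix,
zone names and flow records are constructed assumptions for illustration.
"""
import csv
import io
from dataclasses import dataclass

# Constructed asset inventory: host -> security zone ("Know your infrastructure").
INVENTORY = {
    "10.10.1.5": "vital",        # interlocking / safety controller
    "10.10.1.6": "vital",
    "10.20.1.10": "non-vital",   # SCADA HMI
    "10.30.1.20": "dmz",         # patch / anti-virus staging server
    "10.40.1.30": "enterprise",  # corporate workstation
}

# Constructed allowed conduits: (source zone, destination zone, protocol, port).
# Any cross-zone flow not listed here is a segregation finding.
ALLOWED_CONDUITS = {
    ("non-vital", "vital", "tcp", 502),  # HMI polls controllers over Modbus/TCP
    ("dmz", "non-vital", "tcp", 443),    # patches pulled from the DMZ
    ("enterprise", "dmz", "tcp", 443),   # enterprise may reach only the DMZ
}

# Constructed NetFlow-style export: one observed flow per line.
SAMPLE_FLOWS = "\n".join([
    "src,dst,proto,dport",
    "10.20.1.10,10.10.1.5,tcp,502",    # declared conduit, fine
    "10.40.1.30,10.10.1.6,tcp,3389",   # corporate RDP straight into the vital zone
    "10.30.1.20,10.20.1.10,tcp,443",   # declared conduit, fine
    "10.10.1.5,10.10.1.6,tcp,502",     # intra-zone, outside the conduit model
    "10.50.9.9,10.20.1.10,tcp,445",    # source is not in the inventory at all
    "10.40.1.30,10.20.1.10,tcp,443",   # enterprise reaching past the DMZ
])


@dataclass(frozen=True)
class Finding:
    flow: str   # "src->dst proto/port"
    rule: str   # which principle the flow breaks


def zone_of(host):
    """Zone for a host, or None if the asset is unknown to the inventory."""
    return INVENTORY.get(host)


def check_flows(flow_csv):
    """Return the Findings for every flow that breaks the baseline, in log order."""
    findings = []
    for row in csv.DictReader(io.StringIO(flow_csv)):
        src, dst = row["src"], row["dst"]
        proto, dport = row["proto"].lower(), int(row["dport"])
        label = f"{src}->{dst} {proto}/{dport}"
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if src_zone is None or dst_zone is None:
            # An unknown asset on the OT network is a finding in its own right:
            # the conduit model cannot be applied to an asset nobody inventoried.
            findings.append(Finding(label, "unknown-asset"))
            continue
        if src_zone == dst_zone:
            continue  # intra-zone traffic is not governed by the conduit matrix
        if (src_zone, dst_zone, proto, dport) not in ALLOWED_CONDUITS:
            # Undeclared ingress into the vital zone is reported separately so it
            # can be prioritised over other undeclared cross-zone traffic.
            rule = "vital-zone-ingress" if dst_zone == "vital" else "undeclared-conduit"
            findings.append(Finding(label, rule))
    return findings


if __name__ == "__main__":
    for finding in check_flows(SAMPLE_FLOWS):
        print(f"{finding.rule:20} {finding.flow}")
```

Run against the constructed sample, the check reports the RDP session into the vital zone, the flow from the un-inventoried host and the enterprise workstation reaching past the DMZ, and stays quiet about the two declared conduits and the intra-zone controller traffic. Replacing the inventory and conduit sets with the real asset register and the designed conduit list turns the same logic into the anomaly-detection baseline the monitoring principle calls for.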


The Network and Information Systems (NIS) Regulations one year on

Strict new laws were introduced in May 2018 to protect the UK’s essential services from the increasing risk of cyber attack. One year on from the Network and Information Systems Regulations 2018 (NIS Regulations) coming into force, how are the owners and operators of the infrastructure and technologies that underpin our society ensuring they’re secure?

They understand the threats to their organisation

As a first step towards compliance, organisations are required to carry out a self-assessment of their critical systems and processes, and identify areas in which security or resilience could be improved. The National Cyber Security Centre (NCSC) created the Cyber Assessment Framework (CAF), which operators of essential services can use as a guide for this activity. They map their security posture against a series of high-level objectives and then interpret the findings to determine whether they’re doing enough to protect their assets.

In the past 12 months, many operators have sought the support of engineering and operational technology specialists who can help them develop an in-depth understanding of the risks they face and apply their expert judgement to help the organisation assess how well it’s meeting the requirements of the legislation and balance that with the operator’s appetite for risk. The most effective reviews have focused on more than compliance - they’ve also sought to deliver business benefits.

They’ve developed an improvement plan

To ensure the self-assessment and the wider regulations add value, business leaders need to be prepared to act on the findings. So far, many organisations have put plans in place, but making the recommended changes may not be as straightforward. Most operators will need to increase their investment in cyber security, or change attitudes or culture within their firm, before they see significant improvements. The question is whether they will be able to maintain the momentum created by the new legislation over the next few years.

They’re implementing appropriate and proportionate protection

The NIS Regulations don’t include a checklist of what action must be taken to maintain compliance. Instead, they recognise the diversity of organisations that run our critical national infrastructure. This means that owners and operators must manage their risks by implementing ‘appropriate and proportionate security measures’ rather than by ticking a box.

The Competent Authority (CA) will then assess whether the judgements that have been made are reasonable.

The cyber security legislation encourages collaboration and operators should work with their Competent Authorities. CAs have suggested organisations will have time to put new security measures in place, however, they must demonstrate their intention to do this.

They’re embedding strong cyber security throughout their organisations

The introduction of new legislation has raised the profile of cyber security and encouraged senior executives and Board members to invest in initiatives that will create a more resilient organisation. Since May last year, operators have taken the first steps on this journey. Over the coming 12 months, we hope to see stronger cyber security practices embedded within their businesses. For example, many organisations celebrate safety milestones; in the future, cyber security milestones could become equally commonplace.

Next steps for organisations: assess, improve, repeat

Organisations that are improving their resilience and ensuring they’ll continue to provide essential services, even in the event of a cyber attack, are:

› Engaging fully in the self-assessment process.

› Developing an improvement plan.

› Implementing the appropriate actions.

› Re-assessing their progress.

› Communicating the results to the entire organisation.

Nicola Aspinall Consultant, Portfolio, Project and Programme Management (P3M)


Supply chain challenges in Critical National Infrastructure

When the Network & Information Systems (NIS) Regulations³ came into effect, the organisations that operate our critical national infrastructure (CNI) became legally responsible for cyber risks from their supply chain that impact the provision of essential services. The National Cyber Security Centre (NCSC)’s NIS Guidance for Supply Chain⁴ states:

“If an organisation relies on third parties (such as outsourced or cloud-based technology services) it remains accountable for the protection of any essential service. This means that there should be confidence that all relevant security requirements are met regardless of whether the organisation or a third party delivers the service.”

For CNI operators, the systems in scope of the NIS Regulations are primarily operational technology (OT): the computers, servers, network infrastructure and programmable control systems used to manage and monitor automated processes at industrial sites. It’s not uncommon for CNI organisations to contract third party vendors to support OT, either through onsite or remote support, or the delivery of system upgrades. But are vendors putting their customers’ security requirements first?

Recently, I visited a power plant where a well-known turbo-machinery vendor had supplied equipment for a remote, 24/7, real-time diagnostics service for gas turbines. The vendor had remote access to critical server applications and information, and the measures put in place to protect the control network from unauthorised access were not as robust as they should have been: the vendor could remotely administer, and bypass, the very technology they had deployed to protect the gas turbines from remote access.

The OT vendor that supplied the remote monitoring technology had (perhaps unwittingly) benefitted from the customer’s lack of technical capability to:

a. question the security of the equipment being sold to them; and

b. take ownership of the technology from the vendor – something that will be rectified in this case.

The risks to OT are well known. High-profile cyber attacks include Stuxnet and CrashOverride. A more recent incident, aimed at a safety instrumented system at a Saudi Arabian oil and gas plant, was dubbed Triton or Trisis after the Triconex safety controllers that were targeted. A recent presentation⁵ from a first responder to that attack noted several key lessons, one of which was ‘Beware your vendors. They may not have the same interests you do’. This stemmed from an apparent lack of transparency from the vendor during the initial investigation into the incident.

The examples above relate to major OT vendors who have the capability to provide cyber resilient services to customers but are perhaps not as strong in this area as they claim to be. A potentially bigger problem for CNI organisations may be less experienced vendors who aren’t cyber aware, who don’t perform background checks on their people, and who aren’t used to meeting the cyber security requirements of modern OT. These vendors may expose infrastructure owners and operators to risk, either through an accidental cyber incident, or because a malicious actor targets them in the hope of infiltrating the wider network.

For example, a smaller OT vendor recently publicised their work for a major international airport on social media. They may not be breaking the contract with their client, but they have drawn attention to very sensitive information about a safety-critical system, which is not suitable for open publication.

In other cases, vendors have been allowed to keep their connection to a new piece of plant equipment after commissioning, bypassing all of the technical and procedural controls used to manage remote access to the OT. Or malware has been delivered accidentally into the customer’s OT environment, either directly into a live production system or through the delivery of a new system for commissioning.

CNI organisations that are responsible for delivering essential services must increase their awareness of cyber security to ensure they’re demanding best practice from their supply chain. Cyber security requirements should be built into contracts with vendors to reduce the likelihood of the supply chain being the cause of a malicious or accidental cyber incident.

3 http://www.legislation.gov.uk/uksi/2018/506/contents/made

4 https://www.ncsc.gov.uk/collection/nis-directive?curPage=/collection/nis-directive/nis-objective-a

5 https://www.youtube.com/watch?v=XwSJ8hloGvY

Campbell Hayden Principal Consultant, Cyber Security
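The vendor problems described in the article above (a supplier able to administer and bypass the remote-access controls, connections kept alive after commissioning, access outside the procedural controls) are all visible in the operator’s own remote-access records if those records are checked against a written access policy. The script below is an added example of such an audit; it is not part of the original article or of any Atkins or SNC-Lavalin tooling. The jump host address, the vendor service accounts, the per-vendor policy (hosts in scope, approved maintenance windows, commissioning end date) and the session log lines are all constructed for illustration, and the pipe-separated log format is an assumption.

```python
"""Audit vendor remote-access sessions against the operator's access policy.

Added example, not from the original article. The jump host, vendor accounts,
policy entries and session log are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime

# Constructed: the only broker permitted to originate sessions into the OT network.
JUMP_HOST = "10.30.1.40"

# Constructed per-vendor policy. 'windows' are approved maintenance slots;
# 'commissioning_ends' marks when a commissioning-only account should have been revoked.
VENDOR_POLICY = {
    "svc-turbine-oem": {
        "targets": {"10.10.2.11", "10.10.2.12"},  # gas turbine diagnostics servers
        "windows": [(datetime(2019, 3, 12, 8, 0), datetime(2019, 3, 12, 12, 0))],
        "commissioning_ends": None,  # ongoing support contract
    },
    "svc-commissioning": {
        "targets": {"10.10.3.5"},
        "windows": [(datetime(2019, 1, 7, 0, 0), datetime(2019, 2, 1, 0, 0))],
        "commissioning_ends": datetime(2019, 2, 1),  # plant accepted, access should be gone
    },
}

# Constructed session log: start time | account | source address | target host.
SAMPLE_LOG = """
2019-03-12T09:15:00|svc-turbine-oem|10.30.1.40|10.10.2.11
2019-03-12T22:40:00|svc-turbine-oem|10.30.1.40|10.10.2.11
2019-03-12T09:30:00|svc-turbine-oem|203.0.113.7|10.10.2.12
2019-03-12T09:45:00|svc-turbine-oem|10.30.1.40|10.10.1.5
2019-04-02T03:10:00|svc-commissioning|10.30.1.40|10.10.3.5
2019-03-12T10:00:00|oem-backdoor|10.30.1.40|10.10.2.11
"""


@dataclass(frozen=True)
class Finding:
    account: str
    start: str   # ISO 8601 session start
    rule: str    # which policy clause the session breaks


def parse_sessions(log):
    """Parse the constructed 'start|account|source|target' lines into dicts."""
    sessions = []
    for line in log.strip().splitlines():
        start, account, source, target = line.strip().split("|")
        sessions.append({"start": datetime.fromisoformat(start), "account": account,
                         "source": source, "target": target})
    return sessions


def audit_sessions(log):
    """Return one Finding per policy clause broken, in log order."""
    findings = []
    for s in parse_sessions(log):
        stamp = s["start"].isoformat()
        policy = VENDOR_POLICY.get(s["account"])
        if policy is None:
            # An account with no policy entry is the worst case: nobody owns it.
            findings.append(Finding(s["account"], stamp, "unknown-vendor-account"))
            continue
        if s["source"] != JUMP_HOST:
            # Session reached OT without passing through the broker: the vendor
            # has a path that bypasses the operator's remote-access controls.
            findings.append(Finding(s["account"], stamp, "bypassed-jump-host"))
        if s["target"] not in policy["targets"]:
            findings.append(Finding(s["account"], stamp, "out-of-scope-target"))
        ends = policy["commissioning_ends"]
        if ends is not None and s["start"] >= ends:
            # Commissioning finished but the vendor's connection was never removed.
            findings.append(Finding(s["account"], stamp, "post-commissioning-access"))
        elif not any(a <= s["start"] < b for a, b in policy["windows"]):
            findings.append(Finding(s["account"], stamp, "outside-approved-window"))
    return findings


if __name__ == "__main__":
    for finding in audit_sessions(SAMPLE_LOG):
        print(f"{finding.start}  {finding.account:18} {finding.rule}")
```

On the constructed log the first session is clean and each of the other five trips exactly one clause: a session at 22:40 outside the approved window, a session from an Internet address that never touched the jump host, a session to a controller outside the vendor’s scope, a commissioning account still connecting two months after acceptance, and an account with no policy owner at all. The commissioning clause deliberately takes precedence over the window check, so a revoked account is never reported merely as “outside window”.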


Who will protect the UK’s critical infrastructure? Finding the cyber security experts of the future

We don’t have enough people with the skills we need to protect our digital assets. The current shortfall of around 2.9m⁶ is expected to increase to 3.5m within the next two years.

Organisations are finding it’s difficult, and expensive, to attract and retain the right people and they’re under increasing pressure to develop their capability and expertise from a talent pool that’s being tapped by a growing sector.

Providing national resilience and protecting our critical national infrastructure (CNI) are the areas of most concern. It’s a problem described by the Joint Committee on the National Security Strategy as a top-tier national security threat, because we’re facing a growing number of cyber attacks on industrial control systems (ICS) and operational technology (OT). The adoption of new technology that links IT and OT, and the convergence of digital and physical (sometimes referred to as the Fourth Industrial Revolution), presents many benefits, but it also carries significant risks and exposes our networks, systems and devices to new threats.

The shortfall in the number of people with the skills we need to address these concerns is measured by unfilled cyber job positions, anecdotal surveys and industry reporting. Is the figure we arrive at precise? Perhaps not. But a wide range of industry partners, including cyber and tech organisations, acknowledge there’s an issue – demand continues to exceed supply.

So why is the sector struggling to keep up? And could we solve the problem if we changed the way we attract and develop people with cyber skills?

It will always be easier and cheaper to follow a well-trodden path than to explore the unfamiliar. But this approach is neither effective nor efficient. The status quo revolves around repeating earlier approaches and an almost exclusive focus on recruitment through traditional channels. Current or potential cyber skills exist far more broadly than many recruitment strategies care to venture.

The ‘must-have’ skills highlighted in advertisements, are in many cases, an unnecessarily exhaustive and prescriptive list of role requirements, qualifications and experience, rather than a true representation of what is needed.

The UK Government is working with industry and academia to change this through groups such as the Cyber Growth Partnership, which provides strategic oversight to government with the aim of growing a vibrant cyber sector. The draft Cyber Skills Strategy is being prepared in support of the National Cyber Security Strategy, which was first published in 2016 and committed £1.9bn to grow the sector. The draft acknowledges that the problem goes beyond a lack of technical skills and the number of jobs and capabilities required. Importantly, attempts are being made to look at new routes to attract talent, including mid-career transition and the creation of a Cyber Council to help professionalise the sector.

The National Cyber Security Centre’s CyberFirst programme and other industry-led schemes, such as Cyber Security Challenge UK’s Cyber Centurion competition, encourage 13 to 18 year olds to consider a career in this sector. In addition, we must all ensure local initiatives that open the doors to people from a diverse mix of socioeconomic and educational backgrounds are supported to provide routes into cyber careers.

Organisations must be more creative in their attempts to attract and develop talented people and explore non-linear channels. For example, there may be myriad opportunities for cross-skilling and upskilling existing employees. Atkins’ Cyber Academy has been set up to build on our engineers’ wealth of knowledge and experience to learn the importance and application of cyber security in CNI environments.

Diversity & Inclusion (D&I) will form an essential part of the future of the sector. But this should be led by cultural ethos, not corporate social responsibility objectives. There is clear business benefit: diverse teams are more productive, creative and effective and offer different approaches and solutions. Groups such as NeuroCyberUK⁷ are playing an important role in evolving the sector through their work to achieve neurodiverse inclusion, and there are positive steps being taken to encourage more women, mid-career transfers, ex-service personnel and other underrepresented groups into cyber.

If we remain on our current path we won’t be able to fill the skills gap. Instead, we have an opportunity to re-evaluate our culture and ambitions and be clear on what defines cyber and the characteristics we need from people to benefit the sector. We must think differently to ensure we enrich the sector with the skills for the future and give people the chance to further, as well as establish, their career as part of a healthy and sustainable ecosystem.

Mike Spain Cyber Academy Lead, Cyber Resilience

6 (ISC)² Cybersecurity Workforce Study 2018

7 https://neurocyber.uk


SNC-Lavalin Atkins’ Cyber Academy: Creating Cyber Engineers for Critical National Infrastructure resilience

The Atkins Cyber Academy is domain-led and has been designed to leverage the engineering DNA of the business in creating the next level of defence: Cyber Engineers, those who understand the technical aspects of cyber security as well as the strategic impact of risk.

By drawing on the vast expertise and domain presence of our engineers, we are building domain-relevant cyber capability. The Academy provides a structured path to upskill graduates and apprentices and to cross-skill existing engineers into cyber security practitioners. Too often, cyber security is “bolted on” to operational systems that have been outpaced by digital innovation; cyber engineers who can deliver Secure by Design are more important now than ever.

The approach is very hands-on. It has been designed around the principle that if you enjoy what you’re doing, you’re more likely to remember it. Traditional computer-based training can be seen as a tax, something that gets in the way, something to avoid and certainly nothing to get excited about. The Academy modules are very different.

By far the most effective learning method we have found is a mix of theory and practical work, in scenarios that engage engineers using models built from the very equipment they work with, in familiar environments. They are encouraged to explore the equipment and test the cyber theory, and the interdependencies between digital and physical become visible through the way the equipment responds. Cause and effect.

The competency levels for Academy courses are aligned to the SFIA framework and range from practitioner through to master. The modules form an academy matrix through which the most appropriate educational pathways can be followed, and most appropriate competency achieved.

Over 25 modules have been developed to complement client market presence, including digital rail, CVI, water and power, aerospace, maritime, defence, CAV, manufacturing and BIM.

The personal security and digital footprint message is also fundamental throughout to help instil a personal link to cyber security and its importance.

The scope of the Academy includes important outreach that supports our considerable STEM activity, working with students and children to excite and inspire through doing. Non-linear and non-traditional channels are also very much part of the mission, which includes accessible content, design for all learning styles and involvement with underrepresented groups, including our continued involvement with NeuroCyberUK.

Cyber isn’t all hoodies and SOCs. Providing cyber resilience in all the ‘cool’ places is an exciting story to tell. It has unlocked the skills of this unique engineering capability and engaged a new generation with new ways of thinking that will enrich our sector.

Cyber academy – upskilling our people


Thank you for joining us, Della-Maria. Could you explain what your role entails?

I am a Graduate Consultant in cyber security, participating in the Atkins 2019 Junior Consultant Development Programme. In the short time I’ve been at Atkins, having joined at the start of 2019, I’ve already been involved in several roles, including leading a Cyber Vulnerability Investigation Consultancy Skills session for a Cyber Insight Day with UTC-Heathrow students, and formulating a Cyber Bytes campaign as part of the Digital Trust initiative to raise awareness of cyber security in a technology-driven world.

I’m thoroughly enjoying the diversity of work I can get involved in as a Cyber Graduate and the fact that, while understanding the technical can be fascinating, a career in cyber involves so much more.

What attracted you to a career in cyber?

My route into cyber wasn’t direct. My background is non-technical – I am no hacker or tech genius. At university, I studied Law for nearly seven years; it wasn’t until my master’s studies in European law, through a module on the Digital Single Market, that my interest in cyber really took off. Cumbersome legal processes juxtaposed with fast-paced technological developments really sparked my interest in cyber security and the means through which we can ensure users make the most of innovative technologies and collaborate on the vast array of online platforms, while ensuring the safety and integrity of the online space.

Did you feel any trepidation in entering a male-dominated industry?

Having previously worked in male-dominated environments, the fact that the cyber industry also displayed this trend didn’t really cross my mind. I’ve always believed that gender shouldn’t factor into the equation when assessing professional capabilities.

That said, it can be slightly intimidating when you enter a meeting and you’re the only female in the room. It can also be difficult to imagine yourself progressing in an industry where you don’t see many women in senior positions. However, I think that this is starting to change and as someone who’s not afraid of a challenge, I would like to be part of that change.

Why do you think it’s important to promote women to join the cyber industry?

History is littered with leading women in technology; however, the cyber industry at present is very male dominated. This imbalance points to a need to support women – and the growth of greater diversity in the broader sense – within the industry to bring in fresh perspectives, different approaches to work and new skill-sets.

Attracting women to the cyber industry needs to be two-sided. It should be both about promoting women at all stages of their career to join the cyber industry and about promoting women to progress upwards within the cyber industry. In my mind, this can be achieved through actively encouraging women at all stages of the career path to consider a career in cyber, through sharing personal experiences and networking events.

However, this is not enough. There also needs to be a shift in mindsets within the cyber industry, and cyber industry recruiters should be encouraged to consider a broader pool of talented candidates rather than sticking with the misconception that all cyber careers are about coding and programming.

Based on your experience, do you have any tips for companies looking to attract women to the cyber industry?

My first tip would be to engage with young people. Initiatives such as the Cyber First Summer Placement scheme are a great way to get young people interested and involved in a career in cyber. Companies also need to demystify cyber and let young people know it’s about more than coding and hacking.

My second tip would be to hold networking events, whether virtual or physical, where women at all stages of the career path can ask questions, build their cyber network, and talk through their aspirations and fears around joining the cyber industry.

Working in cyber – a woman’s perspective

With women estimated to make up only 10% of the cyber industry, and the cyber skills shortage predicted to reach more than 3 million by the year 2021, it’s evident that more needs to be done to promote such an exciting and growing field to this largely untapped market. So, how do we attract women to the cyber sector? I recently chatted with Della-Maria Marinova on the matter, to hear how she found her way into the cyber industry and discover her advice for companies looking to improve their female intake.


The OT honeypot: reloaded

Operational Technology (OT) controls the production and distribution of energy and water, the smooth running of our transport systems (air, road, rail and sea) and the production of chemicals and pharmaceuticals. This Critical National Infrastructure (CNI) that we rely on needs to be safe and resilient to accidental or malicious actions, whether it’s a physical security breach or a cyber attack.

The need for resilience is what separates the cyber security requirements of OT from IT. An attack on an IT system may result in vital information being lost or stolen, or websites and other online services may not be available for some time. However, the impact on the physical world will usually not be immediate and may not be noticed. In contrast, a cyber-attack on the OT that manages and monitors essential services such as power and water would be felt immediately and it may put our safety or the environment at risk.

The threat to OT is well known, and many security professionals would agree that having an OT system visible from the internet, without adequate protection, significantly increases its vulnerability. And yet search engines such as Shodan, which are used to identify devices that are connected to the internet, show that many systems are exposed. In 2014, we set up a high-interaction OT honeypot to understand the extent to which these systems were being targeted and to learn more about the attackers’ tools, tactics and procedures (TTPs). A full account of the experiment can be found on the Atkins website [8].

Recently, we repeated a part of this experiment to see whether the level of interest or the actions an attacker would take have changed over the past five years. We found:

› Interest in industrial control system (ICS) devices has increased.

› Scanning for other protocols and vulnerabilities has increased too, and this could cause issues for ICS.

› There are also things we didn’t see but might in the future.

What are honeypots?

The idea of using an attractive but false target to lure a would-be attacker is an old one, and in computing we attract the attention of hackers using a honeypot. This is a system or device which is designed to attract a would-be attacker. The most common reasons for this are:

› To study the attackers’ TTPs.

› As an early warning in an operational system.

Using honeypots is a game of cat and mouse. Attackers understand honeypots are used to investigate their activities and that if they’re not careful they’ll reveal their TTPs for no benefit. There’s also a chance their activities will be attributed and they may be prosecuted or named publicly.

Then, and now

In the 2014 experiment, we distinguished between attackers looking for devices exposing OT communication protocols and attackers looking for more generic protocols that could be a part of an ICS, for example, HTTP(S), FTP, RDP. We also ensured the honeypot could easily be found on Google. There was very little probing for the ICS communication protocols we exposed, which were Modbus and Ethernet/IP. After 100 days of exposing the protocols to the internet the only activity was from Shodan. By contrast, scanning of common IT protocols such as HTTP started within a couple of hours and continued throughout the experiment.

In the latest test, we exposed the Modbus protocol on its own. That is, we didn’t expose other protocols to entice a would-be attacker. Some of the key findings included:

› Activity increased by around a factor of 100. We only had to wait two hours for the first connection (compared with around 100 days in 2013 [9]).

› The honeypot was scanned by 120+ IP addresses in 70 days.

› 60+ of those devices wrote data to the Modbus server (i.e., they didn’t just open or half open a connection).

Dr Ian Buffey Technical Director, ICS Security

[8] https://www.atkinsglobal.com/honeypot

[9] The 2013 experiment used AWS, whilst in 2018 the IP address used belonged to an ADSL provider. It is possible that attackers (or more likely researchers) would have been more careful when it came to scanning AWS addresses.

› Many connections sent Modbus identity queries (i.e., they were definitely looking for Modbus devices).

› Nmap scans for HTTP, LDAP, Kerberos, etc., including vulnerability checks, were run against port 502. Port obfuscation is no longer a valued security technique.

› Some messages (e.g., from nmap scans) look like Modbus messages to read coils, read/write registers, etc. Therefore, there’s a chance an attacker/researcher could accidentally cause a real Modbus device to execute an action. The Bro and Wireshark parsers differ on the meaning of a packet – a poor parser in a real device might be worse, although most reputable manufacturers will have their Modbus implementations tested.

› There are connections from around the world, some easily attributed to universities and other researchers (e.g., Shodan) and others that are harder to attribute.

› Some attackers/researchers are clearly employing multiple machines to scan the internet and in some cases it appears their systems are a little clumsy, resulting in heavy and repeated scanning.
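The observations above (identity queries, writes to the Modbus server, and nmap probes on port 502 that can resemble Modbus requests) are what a honeypot listener has to triage. As an added example, not code from the original article or from the Atkins experiment, the following Python validates the Modbus/TCP MBAP header before trusting the function code, so a generic IT probe cannot be mistaken for a Modbus write, and tallies identity queries and writes per source address for alerting. The frames, addresses and function-code tables are constructed for illustration; the header layout follows the public Modbus/TCP specification.

```python
"""Strict Modbus/TCP frame triage for a honeypot listener on port 502 (constructed example)."""
import struct
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional

READ_FUNCS = {1: "read_coils", 2: "read_discrete_inputs",
              3: "read_holding_registers", 4: "read_input_registers"}
WRITE_FUNCS = {5: "write_single_coil", 6: "write_single_register",
               15: "write_multiple_coils", 16: "write_multiple_registers"}

@dataclass
class Verdict:
    kind: str                     # read | write | identity | other_modbus | not_modbus
    function: Optional[int] = None
    reason: str = ""

def naive_function_code(frame: bytes) -> Optional[int]:
    """What a careless parser does: trust byte 7 as the function code with no header checks."""
    return frame[7] if len(frame) > 7 else None

def classify(frame: bytes) -> Verdict:
    """Validate the MBAP header before trusting the PDU: transaction id (2 bytes),
    protocol id (2 bytes, must be 0), length (2 bytes, counts unit id + PDU), unit id (1)."""
    if len(frame) < 8:
        return Verdict("not_modbus", reason="shorter than MBAP header plus function code")
    _tid, proto, length, _unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        return Verdict("not_modbus", reason=f"protocol id {proto} is not 0")
    if length != len(frame) - 6:
        return Verdict("not_modbus", reason=f"length field {length} != {len(frame) - 6} bytes present")
    fc, pdu = frame[7], frame[8:]
    if fc == 0x2B and pdu[:1] == b"\x0e":
        return Verdict("identity", fc, "read device identification (MEI type 0x0E)")
    if fc in READ_FUNCS:
        return Verdict("read", fc, READ_FUNCS[fc])
    if fc in WRITE_FUNCS:
        return Verdict("write", fc, WRITE_FUNCS[fc])
    return Verdict("other_modbus", fc, "well-formed frame, unhandled function code")

def summarise(events):
    """Tally verdicts per source address: the view a honeypot operator alerts on."""
    per_ip = defaultdict(Counter)
    for src, frame in events:
        per_ip[src][classify(frame).kind] += 1
    return per_ip

# Constructed traffic, not captured data. Addresses are from RFC 5737 documentation ranges.
IDENTITY_QUERY = bytes.fromhex("0001 0000 0005 01 2b 0e 01 00")   # function 0x2B / MEI 0x0E
WRITE_REGISTER = bytes.fromhex("0002 0000 0006 01 06 0000 1234")  # write 0x1234 to register 0
HTTP_PROBE = b"GET / HTTP/1.1\r\n\r\n"                             # IT scanner hitting port 502
JUNK_PROBE = bytes.fromhex("0003 0001 0006 01 06 0000 ffff")     # byte 7 says "write", header says otherwise
EVENTS = [("192.0.2.10", IDENTITY_QUERY), ("192.0.2.10", WRITE_REGISTER),
          ("198.51.100.7", HTTP_PROBE), ("198.51.100.7", JUNK_PROBE)]
```

Run `summarise(EVENTS)` to see the per-source tally; comparing `naive_function_code(JUNK_PROBE)` with `classify(JUNK_PROBE)` shows why a lenient parser in a real device is the risk the article describes.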

What we didn’t see

None of the visitors to the honeypot deliberately read or wrote process data. In the 2014 experiment, an attacker did reconfigure the PLC to lock us out but they didn’t do anything that would have had an effect in the real world. There would be potential benefits to attackers in reading or writing process data:

› Industrial processes generally have time-based patterns. Some power stations only generate power at peak times, demand for water varies over a 24-hour period, etc. Looking at these patterns would help attackers understand if the system they were interested in was controlling a real industrial process.

› Writing to a PLC could cause disruption to the controlled process. Writing random values to random addresses in the PLC would be a hit and miss process but it doesn’t require much effort from the attacker.

What should CNI operators do about this?

This work aims to raise awareness of the issues. Operators should consider:

› Checking that contractors and staff are receiving proper training relating to OT cyber security.

› Ensuring that employees and contractors adhere to approved methods of access to OT, avoiding direct connections from the internet.

› Deploying honeypots or other detection technology in OT networks and ensuring that any alerts generated are acted on.


About us

NATIONAL SECURITY: We’re the largest supplier of client-side advisory services to the UK’s national security sector, with a long track record of delivering complex transformational programmes of national significance.

CENTRAL GOVERNMENT: Trusted provider of cyber security support to local and national authorities, helping them meet the pressure to provide streamlined and responsive public services.

TRANSPORTATION: We work with transportation operators to ensure their infrastructure is secure, supporting their increasing digitalisation to enable them to offer smart passenger options without downtime.

AEROSPACE: For decades we’ve been helping world leaders in the aerospace sector solve complex engineering challenges, offering pragmatic cyber advice which safeguards operations, whilst minimizing downtime.

CRITICAL INFRASTRUCTURE: Experienced in the design and delivery of vital infrastructure combined with industry-leading cyber security capability, supporting clients in utilities, renewables, oil & gas and nuclear.

DEFENCE: One of the largest providers of engineering and technical cyber vulnerability investigation services to the UK Defence sector. Protecting people, assets and missions, whether on land, at sea or in the air.

As one of the world’s most respected design, engineering and project management consultancies, we help our clients plan, design and enable major projects and provide expert consultancy. Our cyber security experts help our clients maximise the benefits of greater connectivity without compromising operations.

Our four key services are underpinned by our individual technical solutions. They’re designed to help you achieve cyber resilience.

Our Services

Security compliance: identify and measure your level of compliance against globally recognised security standards and regulatory requirements.

Security assurance: ensure your organisation and stakeholders have confidence in your approach to security and the processes embedded within your business and supply chain.

Risk management: understand your business impact and operational risk to identify an effective organisation structure and a pragmatic level of cyber security investment.

Secure by design: design security into a project from inception, or ensure vulnerabilities within existing infrastructure are assessed and addressed.

Ensure your organisation is able to harness the power of technology without putting your assets or infrastructure at risk.


Harness the power of technology and ensure you are resilient in a digital world

snclavalin.com
atkinsglobal.com/cyber

Or contact us at [email protected]