Some years ago Stuxnet, a digital cyber weapon, attracted much publicity when it caused serious damage to Iran’s uranium enrichment facilities. Stuxnet, designed to attack industrial control systems, was the first cyber weapon capable of attacking so-called SCADA industrial control systems seen outside the laboratory. This type of cyber weapon poses a threat to critical infrastructure such as public water supplies, electricity supply systems, nuclear facilities, transport, oil and gas supply systems and manufacturing industry. FOI runs courses designed to increase awareness of the potential threat posed by cyber attacks on critical infrastructure.
“There is a general lack of awareness of the extent to which we are dependent on computer systems in many of the areas that are vital to the proper functioning of society. Take, for example, the industrial systems that control our sewage, drinking water supply, electricity distribution, trains and logistics, refrigeration, vehicles and climate control in buildings; all these are totally dependent on computers. If they were to be knocked out, there could well be serious consequences. So how can we get users to understand what is ‘reasonably safe’ and how can we improve system security when everything is becoming so computerised?” asks David Lindahl, a research engineer and cyber specialist at FOI.
The expansion that has taken place in the field of data networks has provided an opportunity for many in industry to improve the efficiency of their businesses by networking their systems, so reducing the need to deploy staff to work locally. But when one tries to combine traditional systems of the kind widely used in industry, for example programmable logic controllers (PLCs) used to control individual machines, with ordinary office networks, the two different worlds collide. Because of the differences in technology used in these two separate worlds, the security of the total system is put at risk.
“Historically, where critical infrastructure is concerned, it has been traditional to talk about the ‘safety’ of the system, i.e. how to protect people from a malfunction in the system. Now, however, we are trying to ensure that attention is also focused on the ‘security’ of the system, i.e. how to protect the system against human intervention. If a hacker attacks a system we must be able to protect it,” says David Lindahl.
“One of our major activities relates to preparedness for such intervention. The greater part of my work relates to the National Centre for the security of important infrastructure control systems (NCS3), which involves collaboration between FOI and the Swedish Contingencies Agency (MSB) for the purpose of protecting critical infrastructure,” adds David Lindahl.
Cyber attacks may be mounted by activists as well as by state actors and criminal organisations. FOI scientists run courses for groups of personnel from a range of essential facilities in order to improve their preparedness in the event of a cyber attack. What could happen in the future? What could happen today? And what changes can we make to systems in order to make the effects of a cyber attack more manageable?
Those who are actively involved send personnel to us on courses that enable them to practise with different test systems. Here at FOI we have long experience in the security of supervisory control and data acquisition (SCADA) systems and, jointly with MSB, we have set up a laboratory for SCADA security. This is a facility that has been in great demand and we are now in the process of building up a new programme of courses. The nuclear industry, for example, has sent personnel to us to exercise on the various test systems. We have a unique exercise facility that is able to simulate the data networks of real installations, a feature that is particularly appreciated.