Blog posts

How the Internet of Things poses fresh risks to public sector systems

A post by Professor Chris Hankin, Director ISST. This blog originally appeared on publictechnology.net published 19.06.2017.

With the cyber threat shifting its focus to sabotage rather than data theft, many of the defences deployed by public sector organisations will have to be adapted for the new world.

Information security policies are commonly guided by the CIA triad of confidentiality, integrity and availability. Many of the big security stories in the media relate to confidentiality, where data theft, for example, affects both individuals (eg. personal banking data) but also has a huge economic impact as a result of industrial espionage.

Integrity, or rather its loss, is most evident in the hijacking of websites by “hacktivists” seeking to deface content or replace it with political messages, but can also be associated with data, such as environmental monitoring, stock market trading or consumer price indices.

The Role of Distributed Ledgers in Securing Urban Infrastructure

A post by Dr Cathy Mulligan (Imperial College), Tony Kenyon (Guardtime) and Kacper Zylka (Imperial College).

Imperial College’s Blockchain research group (IC3RE) together with Guardtime have been investigating how distributed ledger technology – aka Blockchain – can be used to secure digitally-enabled critical infrastructure. Together they are providing an early warning system that embedded sensors have been compromised.

Cities around the globe are under increasing pressure to deliver high quality services to a growing number of citizens. Digital technology is being adopted – in what is sometimes called the ‘smart-city’ – to better manage assets, and deepen understanding of key services like waste, water, power and transport.

How we can secure critical infrastructure against zero-day hacks

A post by Dr Tingting Li, Research Associate at the Institute for Security Science & Technology.

As detailed in the recent Alex Gibney documentary Zero Days: Nuclear Cyber Sabotage, the Stuxnet worm caused havoc in an Iranian nuclear facility by exploiting unknown – and hence unprotected – weaknesses in the computer control system; so called zero-day weaknesses.

At Imperial ISST we’ve shown that the risk of a cyber-attack like Stuxnet being successful can be reduced by strategically defending the known weaknesses. We can model the relative risks in the system without foreknowledge of potential zero-day weaknesses, and maximise security by focusing defences on higher impact risks.

Worms, birds and insects inspire the robots of the future

A post by Dr Silvia Ardila-Jiménez, Post-doctoral Research Associate, Imperial College London

The development of autonomous systems is one of the technology trends driving the fourth industrial revolution. Autonomous systems in transportation are perhaps the most widely talked about, but beyond this we’re already seeing systems deployed in sectors like environmental monitoring and agriculture.

The range of potential applications is huge: search and rescue, border surveillance, construction, energy, health, sports and recreation, agriculture, and food and water security to name a few. And whilst advances in this area are vast – fueled by machine learning, data science, robotics etc. – no man-made system can perform at the level of living organisms.

The interaction between safety and security

A post by Professor Chris Hankin, Director ISST

Increasing digitization has led to convergence between IT (Information Technology) used in offices and mobile devices, and OT (Operational Technology) that controls devices used in critical infrastructure and industrial control systems. The IoT (Internet of Things) is also rapidly growing, with around 10 billion devices today.

These trends raise concerns about the interaction between safety and security. The reality of the threat has been highlighted in national news coverage, from cyber security vulnerabilities being exploited to compromise vehicle safety, to denial of service attacks launched from consumer devices.

Discussions are sometimes hampered by the lack of clear definitions of the concepts.

The origin of threat assessment

A post by Helen Greenhough, PhD Research Student, Imperial College, Dept of Computing

As an analyst in the defense sector, the adage of threat = capability x intent was widely accepted.   But where did it come from?

In the course of my research I was pleased to come across what appears to be the original source of this equation in J. David Singer’s 1958 paper ‘Threat Perception and Armament-Tension Dilemma’ and was originally:   ‘Threat-Perception = Estimated Capability x Estimated Intent’ [p94, Singer, J. 1958].   This quasi-formula  posits that the perception of a threat can be reduced to zero by either reducing military capability or military intent. 

Security of Industrial Control Systems

A post by Professor Chris Hankin, Director ISST

Operational Technology (OT), as distinct from Information Technology (IT), refers to the hardware and software that controls an industrial process.  Despite increasing similarities between OT and IT architectures and components there are quite fundamental differences in the make-up of cyber attacks on each.  In To Kill a Centrifuge, an in-depth technical analysis of the Stuxnet attack, Ralph Langner has already identified three distinct layers of a sophisticated cyber-physical attack: the IT, the Industrial Control Systems (ICS) and the physical layers.  The SANS Institute in the U.S. has recently published an anatomy of cyber attacks  on ICS, involving two multi-phase stages: 1) cyber intrusion preparation and execution – what can be thought of as intelligence gathering; and 2) ICS attack development and execution.

The Cyber Security Show

A post by Professor Chris Hankin, Director ISST

I’ve just returned from the Cyber Security Show 2016, held 8-9 March 2016 at the Business Design Centre, Islington. This incorporated an exhibition and conference, one of the major annual cyber security conferences in the UK, for which I was Chairman for the two days.

It is a particularly interesting time in the world of Cyber Security.  Just a month ago, President Obama launched the U.S. Cybersecurity National Action Plan.  The measures announced include the creation of a Commission on Enhancing National Cybersecurity, a $3.1bn Information Technology Modernization Fund, a new National Cybersecurity Awareness Campaign to empower Americans to better secure their online accounts, and a $19bn investment in cyber during the 2017 Fiscal year.