Securing strategic advantage
Protecting industrial control systems

Cyber Supplier to UK Government
Plan Design Enable
In delivering our vision to be the best infrastructure company in the world, we pride ourselves on leading global protection of critical assets and businesses. This encompasses physical and information assets, particularly those involved in the control of industrial processes.
Identity assurance
We have experience of delivering identity assurance solutions in a number of environments covering commercial, military and civil aviation sites and premises.

Behavioural
We help customers understand the importance of creating a positive culture within an organisation where management and staff contribute effortlessly towards shared protective security objectives.

Business Continuity
Atkins services are designed to put in place clear planned responses to business continuity challenges.

Bringing it all together
Atkins Holistic Security approach

Industrial control systems
For industrial control systems, availability and reliability are the key priorities, in contrast with IT in general, where the overriding concern is confidentiality.

Physical
Covering all aspects of physical security across commercial infrastructure, transport systems, military facilities and airport security services.

Cyber
Our impact-focused, risk-based approach builds the appropriate cyber security controls into the fabric of organisations. We ensure you can deter, defend and detect the inevitable attempts to compromise your operation.
Atkins Holistic Security Proposition

Physical, cyber and personnel security generally remain separate in many organisations. Our holistic security offering enables you to get a better understanding of overall organisational security risks by applying converged governance and risk management across all assets. In combination with our programme and security risk management expertise, this approach ensures better protection for assets, staff and information; your critical business enablers.
Industrial and Process Control Cyber Security

Business processes relying upon industrial control systems must meet high operational demands. System and data integrity are essential to satisfactory operation, with the absolute necessity to operate in real time. Availability or reliability of plant systems is the foremost priority, in contrast with IT in general, where the prime concern is confidentiality, the intellectual property of the process, recipe, product or the automation software.

- Understanding security risks to organisations and assessing the critical operations
- Develop a holistic security strategy to address challenges across the organisation, whether technical, procedural, or personnel based
- Establish resilience through realising cyber security events are inevitable. Appropriate planning and incident response will minimise impacts and enable a rapid return to business as usual.

[Figure labels: Assess and evaluate; Operate; Enterprise Situational Awareness; Programme management; Design; Assurance and governance; Education and training; Test and commission; Build]
The scale of the challenge

A number of publications, both in the UK and internationally, have underlined the importance of protecting critical national infrastructure and the scale of the challenge in doing so. The UK Parliamentary Office for Science and Technology (POST), a body that provides independent analysis of policy issues with a science and technology basis, published a briefing entitled "Cyber Security in the UK" (1). The briefing highlighted recent events in cyber security and discussed the potential for large-scale attacks on national infrastructure, emerging issues related to this, as well as the implementation of cyber security. Topics included the responsibility for UK cyber security, the types of attacks, industrial control systems and the need to improve resilience, security and knowledge in both industry and Government.

[Figure labels: Governance; Compliance; Cyber and information security; Risk management; Assurance; Architecture]
This was followed by the UK Government's Cyber Security Strategy (2), which outlines a programme of activity to work closely with companies responsible for critical national infrastructure systems. Moreover, it announces the Government's intention to work with a wider range of companies than those currently associated with national infrastructure; anywhere the threat to revenues and intellectual property is capable of causing significant economic damage is now firmly on the Government's radar.

Furthermore, data available from online media such as blogs, social networking sites and specialist publications could be used to mount a cyber attack on UK infrastructure, according to the report commissioned by the Institution of Engineering and Technology (IET). Key information regarding vulnerabilities in company systems is now openly available from a range of sources on the internet, said the report, entitled "Using Open Source Intelligence to Improve ICS & SCADA Security". This research, published at the IET's Cyber Security for Industrial Control Systems seminar in London, found many industrial sector websites and academic papers provide information which identifies CNI-related staff and their social media information. (3)

Article: Cyber Security and Critical National Infrastructure. Dr Richard Piggin, Atkins

1. POSTnote 389, September 2011
2. UK Cyber Security Strategy, Cabinet Office, November 2011
3. IET ICS Cyber Security for Industrial Control Systems event, February 2014

[Figure labels: Understand business objectives; Vulnerability assessment; Analytical assessment; Recommendations]
Protecting Global Infrastructure

Confidential Critical National Infrastructure Client
Vulnerability Assessment

Atkins undertook an open source vulnerability assessment of a UK Critical National Infrastructure company focused upon Industrial Control Systems (ICS) and SCADA. The aim was to understand ICS information available in the public domain which could be obtained by a potential adversary in order to enable an assessment of the potential threats and the implementation of appropriate mitigation measures to improve security and safety.

An analytical investigation was undertaken using mainstream media, blogs, social media, sector-specific journals, academic material, web 2.0 and industrial sector websites. Once specific information was known, an assessment of the likely threat was made and recommendations proposed to reduce the open source footprint and to take compensating measures. The assessment is divided into various categories, including mapping, social media, ICS, and outward facing IT architecture.

Publicly available tools were used to demonstrate the identification of networked control systems, their vulnerabilities and the exploits that may be used to attack them. This highlighted the low technical knowledge required to successfully mount an attack against Industrial Control Systems.
Confidential Global Oil and Gas Client
Developing a major programme to protect process control systems

Atkins has been working with one of the world's largest energy sector clients to help them develop a single framework approach for development of cyber security architecture. The method of achieving this encompassed first understanding the organisational objectives of the client and using a business objective orientated approach to establish asset criticality. Having understood what was critical to delivering business objectives, the framework could then be developed to allow the client to focus its security on those areas that were actually critical to delivering the business objectives.

The resulting framework was then used to establish a comprehensive single programme of work to ensure that the organisation was truly secure and facilitated, rather than impeded, doing business successfully. Industrial and process control systems are inevitably a key part of the organisation's critical business processes and central to the programme of development work.
Atkins securing strategic advantage

Atkins has the experience and expertise to help its clients deliver strategic advantage through an holistic approach to security. Atkins has considerable experience of designing and implementing protective security regimes for physical and information assets. We have a depth of understanding of the approach to protecting clients' assets including:

- networks
- information
- intellectual property
- critical infrastructure; and
- control systems.

Accessing information, entertainment and services digitally is now part of daily life, both at home and at work, from schools through to hospitals, from fire brigades to airports, and from offices to the armed services.

In delivering our vision to be the best infrastructure company in the world, we pride ourselves on leading global protection of critical assets and business. This encompasses physical and informational property, particularly those which control critical processes.

Physical, cyber and personnel security generally remain separate in many organisations. Our holistic security offering enables you to get a better understanding of overall organisational security risks by applying converged governance and risk management across all assets.

We deliver high quality security consultancy services to clients across a wide range of capabilities and sectors. Our consultants are ready to help. For information on how Atkins can help guide you through the challenges of delivering effective security in your organisation, please contact us via holistic@atkinsglobal.com
Our capability encompasses:

- Physical security
- Cyber Security
- Industrial and Process Control Cyber Security
- Behavioural security
- Identity Assurance
- Business Continuity

We bring all these capabilities together in an innovative holistic security approach.

Our sector coverage includes:

- Critical national infrastructure
- Public sector
- Oil and Gas
- Defence and Intelligence

In combination with our programme and security risk management expertise, this approach ensures better protection for assets, staff and information; your critical business enablers. Atkins engineers work with clients ensuring their information communications systems add value to our clients' security projects.
Andrew Cooke
Business Development Director
Security
Atkins
11th/12th Floors, Eagle Tower
Montpellier Drive
Cheltenham
Gloucestershire, GL50 1TA
England
T: +44 1242 54 6259
F: +44 1242 54 6246
M: +44 7803 25 9666
E: andrew.cooke@atkinsglobal.com

Ian Buffey
Technical Director
Security
Atkins
11th/12th Floors, Eagle Tower
Montpellier Drive
Cheltenham
Gloucestershire, GL50 1TA
England
M: +44 7812 31 8463
F: +44 1242 54 6246
E: ian.buffey@atkinsglobal.com

Atkins Security
Woodcote Grove
Ashley Road
Epsom
Surrey KT18 5BW
www.atkinsglobal.com/security
holistic@atkinsglobal.com

© Atkins Limited except where stated otherwise. The Atkins logo, Carbon Critical Design and the strapline Plan Design Enable are trademarks of Atkins Limited.