DoC Prof becomes Director of Institute in Trustworthy Industrial Control Systems

Prof Chris Hankin will head an Institute looking at averting cyber-attacks and other threats to vital systems that control the UK's infrastructure.

*"In 2007, parts of Estonia ground to a halt when it experienced a ‘denial of service’ cyber-attack, overloading servers, which lead to a temporary government shutdown. While this is an extreme example, it highlights how vulnerable countries are to these types of threats."

*"Our Industrial Control Systems are vital for running most of the industrial processes that underpin modern society, from electricity generation to making sure trains run on time, these systems are vital to our everyday lives, but more work needs to be done to determine how vulnerable they are to threats from cyber-attack."  

To try and avoid such attacks in the UK,  Professor Chris Hankin a Professor of Computing Science here at Imperial College London will head a team of  Researchers who will analyse how cyber-attacks could shut down  Industrial Control Systems and how they can be prevented or counteracted.

Working alongside Government and industry, the team will also identify how a lone cyber-attack on one business or utility could have a knock-on effect, affecting groups of businesses ‘downstream’, which could lead to impacts on the UK’s infrastructure as a whole. Academics at the Institute will also investigate ways that these threats can be avoided through the development of better procedures and technologies. Funding for this research will come from the Engineering and Physical Sciences Research Council (EPSRC) and the Cabinet Office.

Professor Hankin writes:

There has been substantial Government investment in cyber security over the last two years, however one area that has been neglected is process control.  Process control systems have become increasingly connected to the world and begun to look just like the IT infrastructure -- for example smart meters will be wifi-enabled to control home devices but also connected to the Internet for billing and load balancing -- and this exposes them to cyber threats.  The advances in cyber security applied in standard IT systems don't necessarily apply because of the very different characteristics; to name 3:

1. There has been a general presumption that our IT systems are patched with security updates as they are released -- daily or even more frequently -- whereas the continuous operation and safety criticality of process control systems mean that patches have to be thoroughly tested and updates scheduled a long time in advance: patches might be applied very late, if at all.

2. In an IT system the servers and central systems are usually the most heavily protected.  In process control, the edge devices, which directly control the physical processes -- the 'cyber/physical interface' -- may be more important and also, because of limited processing power and other resources, the most vulnerable, especially to sabotage.

3. Whilst the IT hardware/software replacement cycle may be quite rapid, usually in the 3-5 year range, process control systems may have to operate for 20+ years.  This brings many legacy issues to the fore, including both the technological and the human element.

We are delighted to be given the opportunity to study and understand these subtle issues with a view to developing a better understanding of the harm that threats pose, the business risk that entails and what effective, novel interventions might be possible.  In so doing we will address the global interdependencies and interconnectedness of many such systems.

See Professor Hankin discuss his new appointment

Congratulations Chris!

Read more at:

//www3.imperial.ac.uk/newsandeventspggrp/imperialcollege/newssummary/news_12-12-2013-10-49-31

http://www.theengineer.co.uk/news/uk-centre-to-study-threat-of-industry-cyber-attacks/1017685.article

*Source: C. Hankin 2013