Teams of experts are looking at how to plug security holes in the vital systems that run the UK's power stations, rail networks and manufacturing plants.
Four groups of researchers will share £2.5m in government funding to look at the security of industrial control systems which are increasingly seen as at risk from hackers.
Historically these industrial control systems were isolated, but now are regularly connected into wider networks via the internet, making them much easier to attack. Industrial control systems are likely to be the front line in any serious cyberwarfare scenario, but there are concerns that such systems are not being adequately protected.
It is already known that various nation states are probing industrial control systems for weaknesses that could be exploited at a later date, and the consequences of a successful attack on these systems could be extremely serious.
"Where control systems are linked to the internet we need to understand how failures could cascade across the system. We will be looking at new ways of repairing damage to systems if an attack happens," said Professor Chris Hankin, from the Research Institute in Trustworthy Industrial Control Systems at Imperial College London.
A team from the University of Birmingham will carry out a security analysis of the National Grid and rail systems. "A cyber-attack on the railways wouldn't affect safety as the trains are designed to be fail-safe but it would cause major disruption as trains would stop all over the network. At the moment, the challenges are to understand the vulnerabilities," said Professor Clive Roberts, from the University of Birmingham.
Researchers at City University will develop a way of assessing risk for critical infrastructures, while a group at Lancaster University is aiming to create a software tool that will allow managers to better understand the risks posed by cyber security breaches to industrial control systems.
Professor Awais Rashid at Lancaster University said the project is about understanding the cyber security risks at the intersection of people and technology. "If you give people lots of technical metrics that they don't understand you get poor decision making. Risk decisions are made not only at board and management level but also by those working with industrial control systems on a day-to-day basis," he said.
And given the long operational life of such systems — which tend to be operational for 20 or 30 years — the team will also study the long-term implications of security decisions.
A team under Professor Sakir Sezer of Queen's University of Belfast will look at the potential vulnerabilities within the national grid as wind or solar-generated electricity comes on stream.
Sezer said that in as much as 50 percent of the electricity used in Ireland is wind-generated, but having such high levels of renewable energy in the system requires complex wide area monitoring and control.
He warned: "Should the telecoms systems that support the control system be compromised, the impact of the resultant loss of electricity supply would have far-reaching consequences for society. This would involve loss of consumer supply, supply to hospitals, industry, and would even affect the gas, water and sewage networks."
The researchers aim to improved operational decision making and lay the groundwork for a new, cyber-threat-resilient control architecture for the grid.
The funding comes from the Engineering and Physical Sciences Research Council and the UK's National Cyber Security Programme, while the Centre for the Protection of National Infrastructure and GCHQ are also supporting the research.
Now read this