SCEPTICS: A Systematic Evaluation Process for Threats to Industrial Control Systems

The rapid pace of development in Information and Communications Technology (ICT) over the last 30 years has changed the way the rail industry operates. Commercial pressures and the need to share operational information between stakeholders to facilitate cross-border services etc. have gradually pushed the industry away from more expensive, bespoke systems and towards Commercial Off The Shelf (COTS) solutions. Nowhere is this more evident than in the area of industrial control, where examples of the move to standard technologies include the European Train Control System (ETCS) in the signalling domain, and the provision of remote condition monitoring via Supervisory Control And Data Acquisition (SCADA) networks.
Although the move away from bespoke systems has allowed the industry to become more agile, reduce the risks of vendor lock-in, and deliver “more for less” in terms of underlying investment, it also risks increasing the attractiveness of the railways to cyber attackers; much of the off-the-shelf hardware is IP based, and therefore subject to many of the same attack mechanisms as any other modern ICT system. Furthermore, common platforms share common vulnerabilities, meaning exploits that have been realised in one industrial sector, such as the Stuxnet worm used to damage Iran’s nuclear centrifuges in 2010, could in theory now be used to attack PLCs used on the railways in the same way.
While the rail industry in the UK and worldwide recognises that there will be an increased risk of cyber attack in coming years, many railway undertakings are unsure of how to begin building an understanding of the extent of the problem they face, or the steps required to address it. Traditional threat analysis techniques used in cyber security research frequently require large amounts of detailed information on specific systems to be gathered before they can be applied, and cyber security specialists speak a different language to rail industry ICT professionals making it difficult to prioritise available resources.
This paper presents outcomes from the SCEPTICS project, an EPSRC funded initiative that is developing a set of common processes that can be applied by ICT professionals within the rail industry to scope their own industrial control systems, allowing them to get a broad understanding of the potential risks of cyber attack, and delivering sets of priority areas / systems to investigate using more detailed threat analysis tools and approaches.