BAE Systems Detica has launched a military-grade solution for critical infrastructure which promises to provide tight security against cyber attacks


Communication systems that sit between a company’s corporate internet protocol (IP) network and its industrial control systems are easy targets for cyber criminals, warns BAE Systems Detica strategy director for cyber security, Scott McVicar.

Speaking to StrategicRISK at the launch of BAE’s IndustrialProtect, he said: “There is significant business benefit in connecting a corporate IP network to an industrial control system, however this brings significant risk. Namely, it provides a means for adversaries to send spurious command and control messages to the industrial control system which may have an adverse effect such as causing serious damage or impeding production.

“Or [hackers] can send incorrect or misleading information back via the network to your own command and control. Their aim would be to send false information about production which would cause the operator to take inappropriate action, either closing production down or causing damage to production facilities.”

He added: “If you implement decision making about what can go across the network boundary on a standard desktop computer or on software built on a standard operating system, then the adversary will know the operating system pretty well and that provides attack vulnerability for them to influence your decision making.”

To combat the frailties in communication systems, BAE Systems Detica has launched a military-grade solution for critical infrastructure which promises to provide tight security against cyber attacks. The product puts up a series of barriers against messages, including authentication and verification of the sender and recipient.

McVicar said: “The key element to our solution is that it is built in hardware so there is no operating system and that provides a minimal attack surface for the adversary.”

A challenge, however, is the demand for broader insurance policies to cover cyber attacks, an issue McVicar believes cyber security firms could address by helping the insurance industry to fully understand the extent of cyber risks.

He said: “The nature and adaption of the threat means you can’t make guarantees. It’s about strength in depth and a holistic approach. There is no one solution; you need a portfolio of capabilities in order to minimise the threat.

“One of the things we are doing is working with several insurance companies to help them assess the level of cyber risk and the questions you need to ask in order to make a balanced decision to assess the risk.

“We are also looking at whether there is an opportunity to marry the mitigation with the assessment to help insurance companies down that route. It is a concept which we think is pretty powerful.”

He added: “We can see that portfolio of capabilities in which working with an insurance company can really help mitigation, so it is really quite powerful.”