In 2009 the UK Technology Strategy Board, the Centre for the Protection of National Infrastructure (CPNI) and the Engineering and Physical Sciences Research Council (EPSRC) allocated funds to invest in highly innovative collaborative research and development projects in the area of information infrastructure protection.

This investment targeted the increasing complexity and dependency challenges that government and businesses face in protecting information infrastructure. The focus of the investment was on the development of technologies and their associated supply chains that offer significant quantitative improvements in:

  • The understanding, monitoring and subsequent improved management of complex interdependent information infrastructures, within and between organisations, leading to enhanced security in all sectors of the economy (from SMEs to large enterprises)
  • The development of improved business resilience and risk assessment services to predict and manage risks in next generation information systems
  • The acceleration of their deployment to market.

The investment was provided through an open competition for funding of projects proposed by industry and academia in mid-2009.

Collaborative project between Citicus and industry partners

Under the framework of the Technology Strategy Board funding competition, Citicus collaborated with the energy company RWE UK and were awarded funding for a combined project to extend Citicus’ existing Citicus ONE software to the risk management of supervisory control and data acquisition (SCADA) and other process control environments.

Other organizations from the water and food production industries were subsequently involved in the project to review and steer development of the final product. The project thus combined the skills and know-how of:

  • Citicus, who are expert at risk management methodologies and their efficient automation in a software tool that is capable of being configured to address specialized areas of risk
  • Industry partners, who have a large critical infrastructure of SCADA and other industrial control systems and practical expertise in identifying and managing security risks to them.

Field trials of a beta release of Citicus ICS by industry collaborators were carried out to ensure the practicability and utility of the approach.

Drawing on extensive industry research and standards

A key aspect of the development of Citicus ICS was an extensive survey of existing material published in the area of industrial control system security to identify common areas of best practice. Some of the key sources include:

  • NIST 800-82 and other NIST standards
  • CPNI Good practice guides to process control and SCADA security and other CPNI publications
  • Department of Homeland Security: Cyber security procurement language for control systems; Common cyber security vulnerabilities observed in DHS industrial control system assessments; and other DHS publications
  • Material from LOGIIC, US Department of Energy, SANS, Government Accountability Office, Australian Government ITSEAG
  • Unpublished material from industry partners.

Leveraging the power of Citicus ONE

The development of Citicus ICS leveraged the existing capabilities of Citicus ONE, refining them for application to risk management of industrial process control systems. These capabilities include:

  • Maintenance of an inventory of critical information resources, physical sites, suppliers and other entities whose risk needs to be monitored
  • Data collection through risk scorecards customizable to specific areas of risk
  • Identifying and tracking interdependencies between IT systems and other entities such as external suppliers and the services they provide
  • Management of identified issues and remedial actions
  • Collection and analysis of data on actual incidents
  • Graphical multi-level reporting on risk and compliance status.