New risk management approach for UK’s critical national infrastructure

Citicus has been chosen by the UK Government’s Technology Strategy Board to develop a capability for managing risks to key industrial control systems that support the critical national infrastructure. Citicus will collaborate with RWE npower and other key industry partners to deliver a major advance in the protection and security of critical information infrastructures that underpin the continuous supply of essential utilities and commodities.

The development is part of a Government-driven initiative targeted to achieve significant improvements in tackling the ever-increasing threat to organisations’ information systems, through the understanding, monitoring and subsequent improved management of complex, interdependent information infrastructures. The initiative will also lead to the development of improved business resilience and risk assessment services to predict and manage risks in next generation information systems.

This major project combines the risk methodologies and technology of Citicus and its award-winning Citicus ONE risk management software with the experience and skills of industry partners who depend heavily on industrial control systems and possess practical expertise in identifying and managing their security risks. The project will extend the existing capabilities of Citicus ONE’s risk management software to provide a solution optimised for identifying and managing risks in supervisory control and data acquisition (SCADA) systems and other components of industrial control systems. These systems form the critical infrastructure behind the uninterrupted and safe production and distribution of energy, water, oil/gas and food.

Citicus ONE’s model for measuring risk has been uniquely developed from the world's largest set of data on what causes IT systems to suffer incidents. This project will identify the specific way in which risk factors should be evaluated for industrial control systems - using risk scorecards and supporting control and threat checklists. The use of 'risk dependency mapping' will also help identify and track interdependencies between control systems, other IT systems and other key parts of the risk chain, including external suppliers and the services they provide.

The resulting risk management capability will be available as an integral part of Citicus ONE and be deliverable as an installable product or as software-as-a-service (SaaS). Paul Jervis, Chief Information Security Officer at RWE npower said,

"We have used Citicus ONE for several years for managing risks in our IT environment and are very pleased to be participating in this initiative. Industrial control systems are critical to our business and have unique characteristics that need to be considered when identifying and managing risks. Combining best practice in this field with Citicus’ data gathering and reporting capabilities will be of great interest to us."

Simon Oxley, Managing Director at Citicus said,

"There is a lot of current interest in the robustness of critical national infrastructures in the face of evolving threats. Although there’s much guidance being published – particularly through the US Department of Homeland Security – there are few automated tools that allow organizations to manage risks to industrial control systems efficiently and on a large scale. We believe this project will represent a significant step forward in ensuring the adequate protection of this infrastructure that our society takes for granted."

Marco Kapp, Director and co-founder of Citicus adds,

"Citicus has a strong track record of partnering with our customers to deliver practical risk management tools based on real-world experience. We think the new capabilities that emerge from this collaboration will be of great interest to our customers in process-based industries."

Project background

In 2009 the Technology Strategy Board, the Centre for the Protection of National Infrastructure (CPNI) and the Engineering and Physical Sciences Research Council (EPSRC) allocated funds for highly innovative collaborative research and development projects in the area of information infrastructure protection. This investment targeted the increasing complexity and dependency challenges that UK government and businesses face, and aimed to develop a strong UK capability base.

Citicus ONE background

Citicus ONE is used by major private and public sector organisations worldwide for monitoring and managing risks to critical business applications and their supporting IT infrastructure. The software enables organisations to measure, manage and reduce the risk posed, not only by IT, but by the full spectrum of assets, processes, facilities and external parties on which it depends.

Citicus bases its methodology for managing risk on 20 years of rigorous research, including detailed analysis of the most comprehensive data available on what drives key areas of risk up or down. Its research background makes Citicus unique amongst providers of software for managing operational risk.

Citicus ONE employs succinct criticality assessments, risk scorecards and incident assessments – supported by harm reference tables and detailed checklists – to measure risk in objective, business terms. Highly visual, informative results can be generated, including risk and compliance status reports, heat maps, dependency risk maps, risk dashboards, risk league tables, guidance on driving down risks, incident statistics and action plans. Multiple reporting levels ensure that all levels of management are informed of the status of risk and compliance in their areas of responsibility.

About Citicus

Citicus Limited was formed in 2000 by Simon Oxley, Sian Alcock and Marco Kapp. The company provides world-class automated risk management tools that have been implemented in public and private sector enterprises of all sizes around the world, and helps customers implement them successfully. Our flagship software, Citicus ONE, enables organisations to measure and manage the risk posed by the entire range of assets, entities, processes and activities on which they depend, using a methodology that reflects 20 years of research into the factors that drive risk up or down and those which make risk programmes successful.

For more information, contact:

Simon Oxley, Citicus Ltd, Tel: +44 (0)20 7203 8405

Nick Hall, Citicus media relations: Tel: + 44 (0)7949 111174
