Cyber Security

Understand business impact and operational risk to identify an effective organisation structure and a pragmatic level of cyber security investment.

Design security into a project from inception or ensure vulnerabilities within existing infrastructure are assessed and addressed.

Identify and measure level of compliance against globally recognised security standards and regulatory requirements.

Ensure that clients have confidence in their approach to security and the processes embedded within their business and supply chain.

We were engaged to develop an Operational Technology (OT) honeypot with the objective to use real OT hardware and software to make it more realistic than honeypots based on virtualised systems and to understand the Tools, Techniques and Procedures used by attackers. Further, to provide a basis for a honeypot platform to be deployed in Critical National Infrastructure (CNI) OT and to evaluate the usefulness of network traffic analysis and situational awareness tools for OT security To achieve these objectives, the honeypot was constructed and connected to the Internet and monitored remotely. Steps were taken to ensure that the system could not be traced to us easily.

AtkinsRéalis designed and implemented a programme of work to address the gaps between the client’s cyber security posture and the requirements of NIS-R based on the Competent Authority’s sector specific profile. The profile prioritises a number of the Contributing Outcomes (COs), as defined in the NCSC Cyber Assessment Framework (CAF). NIS-R applies to all systems which are critical to the delivery of the essential service, including IT systems and their supporting infrastructure (data centres, networks and communications) and many Operational Technology (OT) systems. The OT systems are located at process plants, of which there are several hundred, so the project includes the automation of several processes, including automatic asset discovery.

Our client, a major water company, has engaged AtkinsRéalis to help them implement the requirements of the Network and Information Systems Regulations (NIS-R). A key part of this work is to have a detailed and up to date picture of the assets on operational sites, to be able to detect changes to those assets and to detect cyber-attacks on these assets, including attacks which exploit vulnerabilities which are specific to the Operational Technology (OT) used for water treatment.

Our client engaged us to assist in the development of the Security Case for a New-Build Nuclear Reactor during a Generic Design Assessment (GDA): the initial high-level assessment conducted by the Office for Nuclear Regulation (ONR) on nuclear reactor designs that have not previously been built in the United Kingdom. This reactor design had been developed outside of the UK. We aided in the development of the cyber-security risk assessment and associated methodology, the security architecture and security infrastructure, and the cyber-security design requirements for the nuclear island Instrumentation and Control (I&C) systems. We also provided cyber-security support and subject-matter expertise to the client.

As one of the world’s leading energy companies, our client is an obvious target for people looking to attack critical national infrastructure. They are therefore committed to improving their security, particularly their Industrial Control Systems (ICS) and the associated safety systems which ensure that the plant operates safely and can be shut down in an emergency. Whilst our client had their own proprietary security standard for ICS and had taken steps to protect its systems in line with that standard, they recognised that without appropriate cross-organisation behavioural change the protection offered was limited. They, therefore, identified the need for a bespoke company-wide training course to address this, based on the client’s own security standards.

We were engaged by a UK water company to help them understand their gaps against the NIS Regulations. The NIS Regulations require operators of essential services (such as energy, water, transport, healthcare etc…) to manage their cyber security risks and put in place the processes to notify Competent Authorities of any cyber breach that impacts on an essential service. For the water industry, the NIS Regulations are concerned with interruption to the supply of drinking water; however, the scope of this project included all operational sites critical to the client’s business including sewage treatment.

A major UK airport engaged AtkinsRéalis to conduct a cyber vulnerability assessment of its Air Ground Lighting (AGL) system. The client wanted to understand the full range of vulnerabilities the system was exposed to and how well the organisation was set up to understand and mitigate these vulnerabilities. Equally important, the client wanted the final assessment report to include recommendations for improving the security of the system. The project was also intended to act as a blueprint and trailblazer for the assessment of other critical systems at the airport.

Our work with automotive and technology sector leaders has moved us a step closer to the safe and secure roll-out of Connected and Autonomous Vehicles (CAVs) in the UK. We were appointed as cyber security lead for the HumanDrive project, a Nissan-led collaboration, that successfully developed an autonomous vehicle capable of travelling more than 200 miles, including through country lanes. complex junctions and on motorways. If we’re going to take our hands off the wheel, our cars need to be gathering, processing and sharing vast quantities of data. But this connectivity, which enables the safe and secure operation of an autonomous vehicle, also puts us at risk. As part of the three-year Human Drive project, a cross-industry collaboration led by Nissan Technical Centre Europe, we identified and assessed potential threats to the cyber security of CAVs and put a framework in place that could help the entire CAV ecosystem develop safer and more secure technology.