No spam. Just the latest market insights by Seguro in your inbox each week.
How to make sure you are compliant in 2016 – Health & Safety Legislation
Throughout the year the HSE releases updates to existing legislation so that it stays current and suited to the changing workplaces we all work in.
There are various ways for you to find this information out:
Periodically visit the HSE website to see if there are any changes posted.
Search online to see if you can find anything.
Become a member of a professional body
Sign up to various magazines.
Outsource your Competent Safety Advisor resource.
As part of our Competent Safety Advisor service we send you every change each month, whether or not it affects you, so that you are fully informed and up to date and can decide for yourselves which ones your business needs to act on.
There are additional benefits to our service that can ensure that, going into 2016, Health & Safety isn't something you need to worry about, so you can concentrate on your business.
A comprehensive Health and Safety Management System – complete with policies, procedures, forms, checklists, etc to ensure compliance with legislation
Development of your company Health and Safety Policy
Development of a company employee handbook
Development of an Environmental Policy
Assistance in Accident Reporting to Enforcing Authorities/Accident Investigation
Liaison with Enforcing Authorities on your behalf
Access to telephone advice on an unlimited number of occasions
Updates on any changes in Health and Safety legislation
Below is a copy of our latest legislation updates. If you think we may be able to help you on a monthly basis, please get in touch.
Legislation/Consultation: Construction (Design and Management) Regulations 2015
In force: 23 December 2015
Need to know: Transitional period for projects started before April 2015 ends. Works with more than one contractor must have appointed a principal designer.

Legislation/Consultation: Control of Major Accident Hazards Regulations (COMAH) 2015
In force: June 2015
Need to know: Main duties unchanged from the 1999 regulations; lower-tier operators must provide public information about their site and its hazards for the first time; both upper-tier and lower-tier operators must provide public information electronically.

Legislation/Consultation: Construction (Design and Management) Regulations 2015
In force: April 2015
Need to know: CDM coordinator replaced with principal designer; prescriptive requirements for duty holders to check contractors' competence removed; CDM duties extended to domestic clients.
CHAS accreditation costs
Our CHAS accreditation cost article gives you the information you need to decide whether CHAS is right for you.
The CHAS accreditation costs below are dated January 2025. Please get in touch with us for up-to-date costs if this article becomes out of date.
CHAS offers three membership packages with different levels of accreditation:
CHAS Standard
The entry-level package includes a health and safety assessment and SSIP accreditation.
CHAS Advanced
The mid-range package includes all the Standard package benefits, plus helps you achieve SSIP and PAS 91 accreditation.
CHAS Elite
The highest level of accreditation, which includes all the benefits of the other packages, plus access to the Common Assessment Standard
The Common Assessment Standard covers 13 areas of risk management, including:
Identity
Financial
Insurance
Corporate and professional standing
Health and Safety
Environmental management
Quality management
Equality
Information security
Information management
Anti-bribery and corruption
Modern Slavery
While CHAS accreditation isn’t legally required, some clients may specify that it’s needed to work on their sites. It’s a common requirement for public sector and commercial contracts.
CHAS accreditation cost
CHAS offers membership packages with the benefits described below. The cost of each package depends on how many people you employ. Costs are per annum; you must renew the certification each year.
CHAS membership benefits include:
Free legal assistance
Business Shield support
A free 1-month CHAS RAMS (risk assessment and method statement) trial
Access to a jobs board
Free resources
Exclusive discounts
Annual membership fees by package (all prices + VAT):

Employees       Standard    Advanced    Elite
1 person        £409        £639        £879
2 to 4          £459        £739        £919
5 to 15         £749        £1,139      £1,339
31 to 50        £1,189      £1,859      £2,329
102 to 200      £2,019      £3,00       £3,679
Other CHAS accreditation costs
Training
To comply with the standard, you may need to train your personnel in the following areas if you have not already done so (topic: governing regulation):
Asbestos: The Control of Asbestos Regulations
Working at height: The Work at Height Regulations
First aid: The Health and Safety (First-Aid) Regulations
Fire precautions: The Regulatory Reform (Fire Safety) Order 2005 and the Dangerous Substances and Explosive Atmospheres Regulations
Noise and vibration: The Control of Noise at Work Regulations and The Control of Vibration at Work Regulations
Personal protective equipment: Personal Protective Equipment at Work Regulations (PPE Regs)
Substances hazardous to health: Control of Substances Hazardous to Health Regulations (COSHH)
Work equipment: Provision and Use of Work Equipment Regulations (PUWER)
Competent person safety advisor
Every employer must have access to competent health and safety advice, and once you employ five or more people you also need written policies and risk assessments. If you are a large organisation you may already have someone in-house; for a small contractor, employing a qualified safety advisor may be prohibitively expensive.
We are the remote competent person safety advisor for over eight hundred companies, and we can offer this service to you for a fraction of the cost.
Cost Savings
An alternative SSIP accreditation that saves you cost
The other popular SSIP accreditation suppliers are:
PQS
Constructionline
Safecontractor
SMAS
CQMA
Builders Profile
Avetta
The costs for a PQS accreditation, for example, are:
Deem to satisfy £49 + VAT
1 person £99 + VAT
2 to 4 people £119 + VAT
over 5 people £149 + VAT
As you can see, the cost is a fraction of that of CHAS. Why, you may ask? CHAS started as a government project; in recent years it has been bought out several times, and costs have risen with each takeover.
CHAS and the other accreditation suppliers all operate under the SSIP umbrella and assess against the same SSIP core criteria, so the assessment and the application cover the same ground and each member scheme recognises the others' certificates.
You can therefore obtain a CHAS certificate on the strength of a PQS accreditation through the deem-to-satisfy route. This can save you a lot of money.
CHAS or other SSIP cost calculation
The best way to calculate the full cost of your CHAS/SSIP accreditation is to tell us about your business, and we can give you a full breakdown of costs from the information you provide.
We carry out over five hundred CHAS and other SSIP accreditations annually. We have the skills, the prepared documents and the know-how to get you accredited fast and with the minimum of fuss. We can turn around an accreditation within five days, subject to having all the information from you.
Learn more about CHAS
We have a series of articles where you can learn more about CHAS. The list of articles is below:
Completing the CHAS application takes time and resources, and involves lots of forms and health and safety documentation.
We can make it easy for you by doing all the leg work for you. We carry out over 500 applications a year with 100% success.
For a small fee, we can take the pain away for you.
Complete the form, or call us on 0800 031 5404 and we will tell you how it works and how much the whole process costs, including the CHAS fee for your circumstances.
Cost of applying for constructionline
Cost of applying for Constructionline and the additional fees for enlisting the help of a consultant.
Here at Seguro we have fixed costs with no hidden fees, which helps you budget for your Constructionline application right from the start.
We will need some information from you to make sure we give you the right quotation:
What level are you looking for?
How many employees have you got?
Do you already have an SSIP accreditation?
Is your training up to date?
Our fees are available on the website in our shop section or by getting in touch.
Constructionline fees
Working out whether applying for Constructionline is going to be cost-effective for your business can be difficult because, unlike many qualifications, there is no set fee: it is based on turnover.
The fee may seem daunting if you have a large turnover at the time you apply. We have included a sample of the costs (as of 17th March 2025) to give you a rough idea of how much you will need to pay for their assessment.
Fees start from:
Bronze £319
Silver £519
Gold £599
Platinum £2549
There is also a £99 one off joining fee
Membership benefits include access to the opportunities board, which alerts you to the latest projects relevant to your company's experience.
Which level do you need?
There are three main levels for Constructionline, and your client is normally the one who specifies what you need. If you're unsure which level, we recommend starting with Silver, as you can always upgrade but cannot downgrade in the first 12 months.
Bronze
Included in plan:
Secure Data Storage
Searchable Profile
Verified Membership
Acclaim SSIP included
Marketplace access
Silver
Included in plan:
Secure Data Storage
Searchable Profile
Verified Membership
Acclaim SSIP included
Corporate & Professional Standing
Marketplace access
Gold
Included in plan:
Secure Data Storage
Searchable Profile
Verified Membership
Acclaim SSIP included
Meets the Common Assessment standard
NEW! Building Safety Act Assessments
Marketplace access
Constructionline Support
Completing the Constructionline application takes time and resources, and involves lots of forms and health and safety documentation.
We can make it easy for you by doing all the leg work for you. We carry out over 500 applications a year.
For a small fee, we can take the pain away for you.
Complete the form, and we will tell you how it works and how much the whole process costs.
There are several reasons to join Safecontractor.
Have you been asked to get the Safecontractor accreditation by one of your clients? Do you know what it is? Safecontractor is one of the fastest-growing health and safety accreditation schemes in the UK; it currently has more than 270 clients and over 24,000 contractor members.
Fully Qualified Assessor
Safecontractor has a unique level of specialist knowledge unrivalled by competitors, built on 10 years’ experience of delivering market leading accreditation services. This is further reinforced by engaging only directly employed, experienced and qualified assessors to carry out audits.
If you are a service supplier or contractor and want to show new and existing clients your health and safety competence, you can register with the scheme as a contractor. Being a member of the Safecontractor scheme means you will not have to keep filling in a PQQ for every job you tender for, as you can use the Safecontractor accreditation to show your compliance.
As part of the SSIP, Safe contractor can help you to satisfy other accreditations your client may need such as:
If you need any help with completing your application for Safecontractor or any of the SSIP accreditations we are on hand to provide quick professional support.
Safecontractor Enquiry Form
Let us know how we can assist and we will be back to you within the hour.
Mesothelioma: Do You Know Enough About this Deadly Disease?
Managing Asbestos is a legal duty. Asbestos contains tiny fibres which are too small for the eye to see, yet they can do great damage to the lungs if breathed in. Mesothelioma is a cancer of the lining of the lung and is just one of the diseases associated with the material. The latency period for symptoms of the disease can be long – often 10 or more years – and there is currently no cure.
5 Key Points for Managing Asbestos
Asbestos could be present in any building either built or refurbished before the year 2000. Check building and renovation plans if you are unsure, as well as any asbestos surveys undertaken. Ceiling and floor tiles, older boilers, lagging and asbestos cement are often key areas to look at.
The material only poses a significant risk to health if it is accessible and in a poor or damaged condition. It is therefore important that you know what type of asbestos you have and the condition it is in.
Those most at risk are people who work on the fabric of the building – carpenters, plumbers, electricians and builders, for example, as well as any maintenance staff on site. There is therefore a duty to tell those who may be on your premises about any asbestos in the building before they undertake work. You should do this before they carry out a risk assessment/method statement so that all risks and control measures are factored in.
Some work with asbestos – either removing it or working with it – may require a licensed asbestos contractor. Check that any contractors you use have the correct licence to do the work.
Making others aware of the existence of asbestos is vital. As a visual prompt, label your asbestos with industry-recognised stickers so that it is clear that asbestos is in the vicinity should anyone be undertaking work in the area.
Asbestos is a killer and any amount of exposure can be dangerous – preventing exposure is therefore the key to limiting the number who develop asbestos-related diseases. Protect your staff, contractors and visitors so they never have to suffer.
The Differences Between Mesothelioma and Asbestosis
Both mesothelioma and asbestosis occur most often in people who were exposed to asbestos on the job. Second-hand asbestos exposure can also result in a diagnosis of either disease.
Asbestosis only affects the lungs and respiratory tract and cannot spread or develop elsewhere like mesothelioma cancer. The disease does not typically affect life expectancy. However, an asbestosis diagnosis can increase the risk of developing mesothelioma or another disease.
Although both are caused by asbestos, mesothelioma and asbestosis develop differently. Mesothelioma develops after asbestos fibres become lodged in the mesothelium, the lining of the chest or abdominal cavity, whereas asbestosis develops only in the air sacs of the lungs.
Managing asbestos online training
Our asbestos awareness online training is designed for your employees to be able to complete it when it is most convenient for them at work or home. The training is multiple choice and lasts for approx. 1 hour.
Why our Asbestos Online Training is different
Our course is priced for all businesses at £25 + vat per delegate
Mobile friendly
We have an online platform where businesses can create an account and allocate the training they have purchased to employees
Managers can see each employee's progress
We allow up to two resets before the course is recorded as a fail
A comprehensive risk assessment and method statement template for the removal of asbestos floor tiles, developed by qualified health and safety professionals.
Our asbestos floor tile removal risk assessment and method statement document proactively identifies, evaluates and mitigates potential risks.
The document covers all the appropriate Control Procedures and Hazards for a typical job but can be easily edited to your needs. This is a ready-to-use document that can be implemented in your business straight away.
You can add your brand and adjust the content to fit your site constraints.
Includes:
12 pages of content
3,251 words
Additional Information:
The document covers all the appropriate Hazards and Control Procedures for a typical job
In “MS Word” format
Fully editable – include your company logo and details
The template should be changed to suit the specific job you are performing
Top dangerous jobs in the UK
You may think you know the top dangerous jobs in the UK, but the list below may surprise you. Some jobs are more dangerous than others, but we weren't expecting a few of these.
The latest health and safety statistics can be studied at HSE Statistics.
Builder
The most dangerous job comes as no surprise: builders put themselves at risk every day. 39 people died in the construction industry in 2012/13, the majority of them from falls from height.
Refuse collector
This isn’t the most pleasant job to have, but being a refuse collector should also carry a health warning. 10 people died collecting, treating and disposing of waste between 2012 and 2013. The industry had a fatality rate of 7.8 per 100,000 employees in 2012/2013
Farmer
Agriculture, forestry and fishing has the highest risk of all industrial sectors; it accounts for an average of one in five fatal injuries. Of the 29 workers fatally injured in 2012/13, almost 50% were farmers and 17% were hired hands. 5 were killed by animals and 5 more died by drowning or asphyxiation.
Miner
With only three deep pit coal mines left operational in the UK there is still a threat to miners on a daily basis. In 2012 / 2013 there were 2 fatalities and over 150 injuries in the mining and quarrying industry. As the industry has reduced in size, the fatality rate is now the highest in the country at 9.6 per 100,000 employees.
Shopkeeper
Although there were no fatal injuries in the retail industry in 2012/13, there were 1,619 "major injuries" in the sector, with close to 7,000 injuries reported in total.
Mechanic
Mechanics and Car Salesmen are also at risk with 8 deaths recorded in 2012 / 2013 and close to 300 major injuries.
Teacher
Education is reportedly the most injury prone sector with 1,736 people reporting non-fatal major injuries in 2012 / 2013, although there were no reported fatalities.
Estate agent
It might seem like an unlikely career for you to be at risk, but HSE statistics say that 4 people died in the rental and leasing activities industry in 2012 / 2013, with 70 people suffering from major, but non-fatal, injuries.
Do you know the most common reasons for accidents in the workplace?
Insight by Amanda Lambert, published on 9 September 2015. Health and safety news.
Common reasons for accidents in the workplace
Depending on which industry you work in, you will come into contact with a different range of hazards.
An office worker, for example, is much less at risk of being burnt than a chef, as you would expect.
There is however a range of common accidents and injuries which occur across all occupational sectors – and slips / trips and falls invariably top the table.
In 2013/14
over half the fatal injuries to workers were of three kinds: falls from height; contact with moving machinery; and being struck by a vehicle (RIDDOR)
falls and slips & trips, combined, account for over a third (35%) of employee injuries. They made up more than half of all reported major/specified injuries and almost three in ten (29%) over-seven-day injuries to employees (RIDDOR)
handling was the most frequent cause of over-seven-day injury (RIDDOR)
an estimated 1.9 million working days were lost due to handling injuries and slips & trips (LFS).
Overall, the three most common types of accident/injury were:
Trips/slips or falls
Machinery / Moving Objects
Manual handling/lifting
Some of the most common injuries were:
Sprains and strains
Back injury
Head injury
Neck injury
Repetitive Strain Injury
Most Common Risks
Overall, slips/trips and falls or damage caused by manual handling/lifting remain the main culprits of injury in the workplace.
Some of these risks may have been able to be managed if a risk assessment and workforce training had been carried out. If you need an up to date risk assessment or tool box talks download our free documents below:
Training is the key to reduce the most common accidents in the workplace.
Our online training is designed for your employees to be able to complete it when it is most convenient for them at work or home. The training is multiple choice and lasts for approx. 1 hour.
Why our Online Training is different
Our course is priced for all businesses at £25 + vat per delegate
Mobile friendly
We have an online platform where businesses can create an account and allocate the training they have purchased to employees
Managers can see each employee's progress
We allow up to two resets before the course is recorded as a fail
What is CHAS Accreditation
CHAS Accreditation was a government-run (not-for-profit) scheme administered by the London Borough of Merton. CHAS was acquired by Veriforce LLC, a US-registered company with headquarters in Houston, Texas, USA, in 2022.
CHAS cofounded and helped pioneer the Safety Schemes in Procurement (SSIP) and the Common Assessment Standard.
CHAS (Contractors Health and Safety Assessment Scheme) has been developed and refined over a number of years by local government health and safety and procurement professionals, with the support of the Health and Safety Executive.
Although government bodies have developed CHAS, it is available for use by any public and private sector organisation as an aid when short-listing contractors, suppliers and consultants who apply to work for them.
CHAS provides information and assurances about the health and safety systems and competencies of the organisations that have been CHAS assessed or registered as CHAS accredited.
Organisations must submit an application to CHAS to become registered with CHAS and then have a CHAS assessment carried out. By doing so, their potential clients know that they meet minimum acceptable health and safety compliance standards. Clients from both the public and private sectors use CHAS to make assessments of contractors in this way.
Once the CHAS application has been approved for an organisation, their details are uploaded to the CHAS database, where client members of the Scheme can review an organisation’s details to check that they are, in fact, CHAS registered. One of the benefits to contractors is that by making a successful CHAS application, they can demonstrate to a wide number of potential clients that they achieve or exceed the minimum standards laid down by the assessment scheme.
With the implementation of the Construction (Design and Management) Regulations 2007 (CDM), there are stricter requirements on Clients and Principal Contractors to ensure that they only employ ‘Competent Contractors’. CHAS has been named in the CDM Regulations by the Health and Safety Executive as being one of the assessment schemes that can be used when demonstrating your competence as an organisation.
Learn more about CHAS
We have a series of articles where you can learn more about CHAS. The list of articles is below:
How do the CDM 2015 regulation changes affect you?
Did you know that the CDM 2015 regulation changes came into force on 6 April 2015? Here is our quick guide on how they might affect you.
New legislation
From 6 April 2015, the Construction (Design and Management) Regulations 2015 (CDM 2015) came into force, replacing CDM 2007. The key changes of the new CDM regulations are listed below:
The revised Regulations apply to all projects including domestic client jobs
All projects must have a written construction phase plan
The role of CDM co-ordinator in the previous CDM Regs 2007 has been removed and replaced with a new role of principal designer
There is a duty to make sure all persons doing the job have the right skills, knowledge, training and experience
A Principal designer and principal contractor must be appointed on projects that will have more than one contractor
CDM 2015 main changes
CDM Coordinator role replaced by a ‘Principal Designer’. Clients are required to appoint a ‘Principal Designer’ for all projects involving more than one contractor (trade contractor) on site at one time
Client’s duties strengthened. Several of the previous functions of the CDM Co-ordinator are now to be carried out by the Clients directly, and the wording for these duties is more onerous. Additionally the Client has a new duty to ensure that both the Principal Designer and Principal Contractor comply with their duties.
Client’s “key project advisor” role removed. Previously the CDM Co-ordinator acted as the “key project advisor in respect of construction health and safety”, however under CDM2015 the Principal Designer only has to provide advice to the Client with respect to Pre-Construction Information. Accordingly, Clients that need help with their duties are advised in the HSE Guidance Document to seek competent specialist advice.
Duties to be applicable to domestic projects. For domestic projects involving more than one contractor the Principal Contractor will normally assume the Client duties. The domestic Client can choose to appoint a Principal Designer for the project. However if they do not make this appointment, the first Designer appointed during the pre-construction phase becomes the Principal Designer for the project.
Principal Designer and Principal Contractor required for all projects with more than one “trade” Contractor on site. Clients must appoint both a Principal Designer and Principal Contractor. Principal Designer’s duties include identifying and controlling risks, assisting the Client in the production of PreConstruction Information, and the preparation of the Health and Safety File. Principal Contractor duties include the planning, management and co-ordination of construction phase of the project.
Construction Phase Plan is required for all projects. The Client is to ensure that a Construction Phase Plan, provided by the Contractor or Principal Contractor, is in place before any works commence.
Threshold for notification. Notification to the HSE is required for any project exceeding 30 construction days with 20 or more workers, or if the project exceeds 500 person days.
‘Explicit competence’ requirements removed. The Client will need to ensure those that are to be appointed (i.e. Designer, Contractor or Principal Contractor and Principal Designer) can demonstrate appropriate information, instruction, training and supervision.
Further information
The CITB have produced guidance for all the roles covered under the new CDM 2015 regulations, which can be downloaded here. They have also developed a free CDM Wizard app for Android and IOS to help quickly produce construction phase plans, which can be downloaded via the links below.
Growth of networked electronic controls is a safety issue
Insight by Bob Evans, published on 5 July 2015. Health and safety blog.
No self-respecting health and safety professional would neglect hazard evaluations and systems for asbestos, work at height or manual handling; yet I'll wager that the only risk assessment you have for IT is a display screen assessment. If you have equipment in your business that connects to the internet and to something that matters, from a central heating thermostat to a blast furnace, electronic health and safety ought to be on your radar.
Many organisations have an IT department and a health and safety department whose only contact is when somebody needs a new laptop or forgets their password. Some have a vague reliance on Google or the gentleman in PC World for support. Until recently that didn't do much for your chances of recovering a deleted email, but it wasn't going to kill anybody.
When we discuss the internet, most people think of the human-driven traffic it carries: email, web pages, instant messages and video. In truth most traffic is not between people but between computers: automated, silent packets of data carrying database queries, files, sensor readings and control signals.
In the days of ARPANET, the internet's forerunner, this traffic was under the control of the US military. The consequences of somebody playing about in there were potentially spectacular. Although the idea that you could log in and launch a nuclear missile was never true, it was worth a few film scripts.
Then the worldwide web arrived and the whole system became a means of pouring cat videos and niche adult entertainment into every home. But the undercurrent of the internet carried on regardless.
Next year the internet will carry a zettabyte (one trillion gigabytes) of data. By 2019, two-thirds of all traffic will be from non-PC devices, and there will be three devices connected to the internet for every person on the planet.
Wired world
Networked control systems are nothing new, but in the 1990s, when they consisted of ISDN lines to the company mainframe, they were point to point and secure, though slow and expensive.
Then the internet arrived, and everything changed. People wanting access to their emails and the web installed modems and broadband routers, and all those machines suddenly had, in effect, a cost-free means of talking to one another: instead of renting a dedicated phone line, just plug it into the net.
Manufacturers stopped putting serial ports on their devices, and started adding ethernet sockets. Later, even those disappeared, replaced by wifi antennas. Volume sales drove research and development and, as the technology became smaller and cheaper it spread from hulking great computers and rack mounted servers into individual switches and sensors.
For the price of a decent lunch you can put a camera the size of a golf ball in your house. It will automatically register with your wifi router, stream the images through a server in China, and you can sit in the restaurant and on your iPhone watch your cat shred your curtains, live and in high definition. Most of the people who buy them have no idea about that Chinese detour by the data. If you missed it too, it’s time to put down your sandwich and say hello to the Internet of Things (IoT).
Chips in everything
The IoT includes every device that uses the internet to communicate with other devices. They can be transmitting information for remote examination by computers or people (cameras, thermostats, fitness trackers), receiving commands (valves, programmable logic controllers (PLCs), electronic locks), or doing both (mobiles, smart TVs, networked hard drives). Often the two ends of that traffic are within metres of one another, yet the packets travel round the world to get there.
Today the internet carries the control signals for everything from petrol pumps to nuclear power stations. Most of these devices are part of supervisory control and data acquisition (SCADA) systems, a generic term for any network of sensors, controllers and actuators that may be running many different types of hardware and software.
SCADA devices are designed to be simple and reliable inside a factory, but they tend to be woefully ill-prepared for connection to the internet, thanks to lax security and poorly written software. It is often trivially simple to reprogramme a petrol pump to display something rude (it happened in the US in February) or to infect the control systems of a nuclear power station (achieved in South Korea in December). All you need is to find the plant on the net and ask nicely.
Spun out
The first encounter with this type of cyber attack was Stuxnet (see graphic below), a computer virus identified in 2010 that was reportedly created to destroy uranium enrichment centrifuges — and it was rather good at it. The code searched networks for PLCs running a specific piece of Siemens software and altered it; in the case of the centrifuges, to spin them into oblivion.
The problem is that, as with any virus — electronic or biological — it was rather good at destroying other things too. The original code was targeted and time limited, but it opened the eyes of hackers, from state sponsored teams to bored kids, to the opportunities for mayhem if you could seek out and take over a logic controller.
Stuxnet was dissected and improved, and its code is still used today to attack networks around the world. The reason it’s so effective is that the manufacturers of these internet connected SCADA devices almost always used trivially simple default passwords or “back door” access codes for factory testing. Many systems run firmware that is impossible to upgrade without a soldering iron, so when a hacker finds the way in they can run riot for years, and are often very hard to detect. If a device has no display screen, how do you know what it’s really doing?
You’d think device designers would have learned their lesson by now, but far from it. Nearly everything you connect to the internet, from a broadband router to a baby monitor, will have at least one security gap that hackers know about. Since all of these devices are connected to one another, and the security in local networks is invariably at the edges, it’s extremely easy to break in through a weakly protected device and then bounce around looking for something else.
If I know you run a manufacturing plant, then first I find the unique IP address of your broadband router, which will be in the header information of every email you send, and every web page you visit. I can try to connect to the router, using the default manufacturer password.
Most of the time I’ll get in; but if access is only possible from inside your local network, I can send you a virus by email or through a malicious piece of code on a website. I could send you a free brochure on DVD or USB drive, with a virus payload attached, and your computer can open the doors for me.
Once inside, my virus sees every device on the network, and all the data flowing between them. It can see which devices are laptops, sensors, cameras and PLCs. It can try sending a few commands for fun — open a valve or two or change a temperature limit. It can reprogramme them so the emergency stop buttons become emergency start buttons.
The German Federal Office for Information Security reported last December that an unnamed steel factory had suffered “massive harm to plant” after a cyber-attack destroyed parts of the control system, leaving the engineers unable to shut down a blast furnace.
Auto configured
Hackers are exploiting two simple facts: the average user of an IoT device is not a programmer, and it’s cheaper to write a program than to design a chip.
Devices have to be extremely simple to set up, often doing lots of automatic configuration without telling the user what’s happening, and 90% of the time users don’t even know how to change the default password or PIN.
We’re all familiar with automatic updates for Windows and mobile apps, yet updating the operating system on IoT devices can be difficult and is hardly ever done. This is despite the fact that, instead of custom-made chips that can only do one thing, nearly every IoT device uses a tiny embedded computer with an operating system and software.
Your broadband router uses Linux, and many PLC controllers use Windows. Both are capable of running other programs — including a tweaked version of the factory installed application that appears to be doing everything normally — until someone on the other side of the planet clicks a button and unleashes a SCADA worm to disable all your interlock switches.
Thanks to the ubiquity of Bluetooth and wifi, you don’t even need to plug in anything. Your attacker can be walking past with a mobile phone or sitting in a basement on the other side of the world.
As we’ve seen in the news many times, the value of things like credit card numbers and identity theft bundles drove hackers to seek out customer databases in big corporations, but the cost/benefit ratio for IoT hacks is potentially far greater and is receiving more attention.
Hackers get long-term access because the devices are hard to patch, don’t run anti-virus software, and users are oblivious to what the intruder is doing.
The rewards are huge: stealing an out-of-date customer list is nothing compared with blackmailing someone with a fleet of wind turbines that you can disable at will from anywhere in the world. That was CVE-2015-0985, in which turbines made by XZERES would obligingly send anyone the admin password for their control systems if they connected to the default web page. It made life easy for the engineers; easier still for the hackers. There were lessons learned on both sides.
Under your nose
Apart from causing physical damage and putting lives in danger, hackers can re-purpose the embedded software to work on their behalf. Some of the biggest cyber attacks in recent months were carried out using botnets: hundreds of thousands of compromised systems in homes and offices working together under the control of hackers. These weren’t computers; they were broadband modems and PLCs. Millions of little boxes with flashing lights that are always connected, always vulnerable, and never checked. What’s yours doing now?
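One practical way to answer that question, and the earlier one about devices with no display screen, is to look at what the box actually talks to. The script below is an added example and not code from the original article: it takes a constructed outbound-connection export from an edge firewall, a constructed inventory of headless devices with the destinations each is permitted to contact, and flags anything outside that expectation. The device names, log lines, ports and thresholds are assumptions made for the example, and the public addresses come from the RFC 5737 documentation ranges.

```python
"""Added example (not from the article): flag a headless IoT device whose
outbound traffic departs from what its job requires.

Inputs are a constructed outbound-connection export from an edge firewall and
a constructed inventory of appliances with their permitted destinations.
Public addresses are from the RFC 5737 documentation ranges.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed log. Fields: epoch_seconds src_ip dst_ip dst_port bytes_out
SAMPLE_LOG = """\
1450000000 192.168.1.20 203.0.113.10 443 1200
1450000060 192.168.1.20 203.0.113.10 443 1180
1450000120 192.168.1.20 198.51.100.7 8080 96
1450000130 192.168.1.30 192.168.1.40 502 48
1450000131 192.168.1.30 192.168.1.41 502 48
1450000132 192.168.1.30 192.168.1.42 502 48
1450000133 192.168.1.30 192.168.1.43 502 48
1450000200 192.168.1.30 198.51.100.9 443 300
1450000260 192.168.1.50 203.0.113.55 443 4000
"""

# Constructed inventory: headless devices and the (host, port) pairs each may
# legitimately contact. The camera talks to its vendor's cloud; the plant PLC
# has no business on the internet at all, so its allow-list is empty.
DEVICE_PROFILES = {
    "192.168.1.20": {"name": "car-park-camera", "allowed": {("203.0.113.10", 443)}},
    "192.168.1.30": {"name": "line2-plc", "allowed": set()},
}

# What counts as "inside". Defined explicitly rather than via is_private(),
# because Python also treats the documentation ranges as non-global.
LOCAL_NETS = [ip_network("192.168.0.0/16"), ip_network("10.0.0.0/8"),
              ip_network("172.16.0.0/12")]

# A PLC that suddenly talks to more local hosts than this looks like a device
# being used to probe its neighbours.
MAX_INTERNAL_PEERS = 3


def is_local(addr):
    a = ip_address(addr)
    return any(a in net for net in LOCAL_NETS)


def parse_log(text):
    """Turn the whitespace-separated export into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        records.append({"ts": int(ts), "src": src, "dst": dst,
                        "port": int(port), "bytes": int(nbytes)})
    return records


def analyse(records, profiles=DEVICE_PROFILES, max_internal_peers=MAX_INTERNAL_PEERS):
    """Return one (device_name, kind, detail) tuple per anomaly.

    unexpected-destination: external host:port not on the device's allow-list
    internal-fan-out:       device contacted many distinct local hosts
    Devices absent from the inventory (laptops, phones) are ignored; this audit
    is about the boxes nobody looks at.
    """
    findings = []
    internal_peers = defaultdict(set)
    for r in records:
        profile = profiles.get(r["src"])
        if profile is None:
            continue
        if is_local(r["dst"]):
            internal_peers[r["src"]].add(r["dst"])
            continue
        if (r["dst"], r["port"]) not in profile["allowed"]:
            findings.append((profile["name"], "unexpected-destination",
                             f'{r["dst"]}:{r["port"]} at {r["ts"]}'))
    for src, peers in internal_peers.items():
        if len(peers) > max_internal_peers:
            findings.append((profiles[src]["name"], "internal-fan-out",
                             f"{len(peers)} distinct local hosts"))
    return findings


if __name__ == "__main__":
    for name, kind, detail in analyse(parse_log(SAMPLE_LOG)):
        print(f"{name}: {kind} ({detail})")
```

On the constructed data the camera is reported once, for a connection to a host that is not its vendor's cloud, and the PLC twice: once for reaching the internet at all and once for touching four local hosts in quick succession. The allow-list model is deliberate: for a camera or a PLC the set of legitimate destinations is tiny and stable, so "anything not on the list" is a far better signal than it would ever be for a laptop.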
You may not be in charge of a nuclear reactor, but an outdated PLC or embedded Windows XP system controlling a printer at some far-flung site is the perfect place to hide the command-and-control software that attacks something else. Stuxnet infected computers mainly in Iran, but many businesses in other countries suffered because they happened to have the same model of PLC.
You’ll need the IT department to work in partnership. Auditing firmware isn’t yet part of the NEBOSH exam, but making sure nothing on the network has a default password is simple enough, and educating your staff about the real-world hazards of a cyber-attack should be as important as toolbox talks on manual handling, because in many cases they are the chinks in your armour. The German blast furnace was taken out by a free gift USB drive sent to a random employee. Stuxnet was an email attachment.
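One way to turn "nothing on the network has a default password" into a repeatable check, without touching the network at all, is to audit the site's own asset register. The script below is an added example, not the article's or any vendor's code: it reads a constructed CSV register, scores each device against the weaknesses described above (factory credentials still in place, management interface reachable from the internet, firmware that cannot be updated, firmware that simply has not been) and ranks what to fix first. The device names, locations, dates and severity weights are assumptions made for the example; the register records only whether credentials are still the default, never the password itself.

```python
"""Added example (not from the article): rank the networked kit in an asset
register by how badly it needs attention, using the weaknesses described above.

The register below is constructed. It records whether a device's credentials
are still the factory default, not the password itself. Nothing here touches
the network; it is a paper exercise over the inventory the site already keeps.
"""
import csv
from datetime import date
from io import StringIO

REGISTER_CSV = """\
device,location,role,credential_state,firmware_updatable,firmware_date,mgmt_reachable_from
carpark-cam-01,car park,camera,default,no,2013-05-01,internet
line2-plc,production hall,plc,changed,no,2009-11-20,lan
office-router,comms room,router,default,yes,2015-09-14,internet
hr-printer,annex,printer,changed,yes,2014-06-30,lan
"""

AUDIT_DATE = date(2015, 12, 23)  # constructed "today" for the stale-firmware check
STALE_DAYS = 365


def firmware_is_stale(d, today):
    # Only meaningful when an update is possible at all; unpatchable kit is
    # caught by its own rule.
    if d["firmware_updatable"] != "yes":
        return False
    return (today - date.fromisoformat(d["firmware_date"])).days > STALE_DAYS


# (name, test(device, today), severity). 3 = fix this week, 1 = put in the plan.
RULES = [
    ("default-credentials", lambda d, today: d["credential_state"] == "default", 3),
    ("management-on-internet", lambda d, today: d["mgmt_reachable_from"] == "internet", 3),
    ("unpatchable-firmware", lambda d, today: d["firmware_updatable"] == "no", 2),
    ("stale-firmware", firmware_is_stale, 1),
]


def load_register(text):
    """Parse the CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(StringIO(text)))


def evaluate(device, today=AUDIT_DATE):
    """Score one device: sum of severities of the rules it trips."""
    hits = [name for name, test, _ in RULES if test(device, today)]
    score = sum(sev for name, _, sev in RULES if name in hits)
    # Default password *and* reachable from the internet is the "one hop away
    # from chaos" case, so it outranks any other combination.
    if "default-credentials" in hits and "management-on-internet" in hits:
        score += 2
    return {"device": device["device"], "score": score, "findings": hits}


def audit(text, today=AUDIT_DATE):
    """Return every device with at least one finding, worst first."""
    results = [evaluate(d, today) for d in load_register(text)]
    results = [r for r in results if r["findings"]]
    return sorted(results, key=lambda r: (-r["score"], r["device"]))


if __name__ == "__main__":
    for r in audit(REGISTER_CSV):
        print(f'{r["score"]:>2}  {r["device"]:<16} {", ".join(r["findings"])}')
```

On the constructed register the car park camera comes out top (default credentials, admin page on the internet, and firmware that can never be fixed), the router second, and the printer last with a single stale-firmware note. The point of the combination bonus is that the same two findings on two different devices are not the same risk: a default password behind the firewall is a job for next month, a default password on a box anyone on the internet can reach is a job for today.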
The IoT isn’t just for industry. People are inseparable from their smartphones, smart watches, portable hard drives and memory sticks, all of which can be re-purposed to inject viruses and scan your internal networks, sniffing for passwords and reporting back to their unseen masters.
Your IT department should be all too aware of the need to scan emails and change wifi passwords regularly, but if the security camera in your car park is accessible from anywhere and answers to “Password123”, you’re one hop away from chaos.
In a few years’ time the IoT will invade every aspect of our lives, from internet-enabled swimsuits to wireless cat-feeding stations. Some of it will control your production line, filter your drinking water and keep your doors locked. It will be marketed as efficient and easy to use. It will be sold to people who think SCADA is a brand of car. It will be hacked. It will be watching you. You ought to be watching it as well.