CNI & Cyber Security

By Shirley O’Sullivan

 

Cyber threats come in many different forms. Often the focus is on stealing either cash or information, but in recent years concerns have emerged about attacks on critical national infrastructure (CNI). This is a threat to infrastructure items including power supplies, traffic control systems, internet and telecommunications systems, and other technology that can be attacked to disrupt the life of a nation. A CNI security attack isn’t just a possibility; we’ve already seen it in action with attacks against the power grid in Ukraine and a hack into the control system of a dam in New York. In many cases, these attacks are seen as being the work of other nation state actors rather than simply hackers or hacker groups. However, it’s likely that there is a wide range of motives at work, including industrial espionage from competitors, or ransom and other activities from cyber criminals.

Governments are under increasing pressure to take these types of attack seriously. Both the National Cyber Security Centre in the UK and the Department of Homeland Security in the US have warned that network devices such as routers and switches can be used to attack targets including power stations and distribution networks. But the responsibility for protecting infrastructure systems is not just a government one; it must be shared with the organisations providing the services.

Supply Chain Attacks

CNI security attacks aren’t always directly against the main target. They can affect other businesses that are part of the supply chain too, as they may be used as a softer route to gaining access to a larger organisation. This means it’s important that organisations at all levels take cyber security seriously. Even if a company is not involved directly in CNI, the trend towards integration of systems within the supply chain and exchange of information between organisations can lead to vulnerabilities in suppliers’ systems, which attackers can exploit as back doors to larger companies or even governments.

In order to ensure their safety, businesses providing critical national infrastructure need to examine their systems at all levels, including those of other organisations that are used to help deliver their products and services. This monitoring of connected systems needs to be made part of the business continuity planning process and needs to be updated each time a new supplier comes on-board. This ensures that vulnerabilities are not unwittingly introduced.

Government Measures

The Government has explicitly acknowledged that it must do more to improve the cyber resilience of our critical national infrastructure, irrespective of whether it is owned or operated in the public or private sector [1]. The past year has seen cyber attacks on the health, telecommunications, energy and government sectors in the UK. And although the UK has yet to suffer the most severe form of cyber attack (which the Government defines as an attack leading to the sustained loss of essential services, severe economic or social consequences, or a loss of life), the head of the National Cyber Security Centre (NCSC) has said this is a matter of ‘when’, not ‘if’.

A major part of defining protection, both at a national and an organisational level, is understanding the risks involved. This means creating tailored risk profiles for all organisations involved in critical infrastructure, but also for the departments within them. While an energy company may, for example, be at risk from nation-state hackers seeking to disrupt supplies, it may also be vulnerable to more regular cyber criminals looking to get their hands on money or steal personal information to use in other attacks.

Building in Resilience

The important element in CNI security is to ensure resilience at all levels. This means from government downwards. Increasingly companies are looking to give more control to their customers. In the energy sector, for example, the introduction of smart meters and of online accounts is aimed at putting customers in the driving seat, but this inevitably introduces higher levels of risk by creating a larger attack surface.

Attackers are also on the lookout for ways to jump from information technology (IT) to operational technology (OT) systems to allow them to disrupt the delivery of services. Increasingly the rollout of Internet of Things connected devices – such as smart meters – provides greater attack potential for hackers.

In the past, it may have been possible to keep OT systems completely separate with no links to the IT side of the business or indeed the internet. However, modern demands for connectivity and the desire to give consumers greater control mean that systems are increasingly interconnected. This means businesses need to take the vulnerability of OT systems to attack rather more seriously.

In order to protect their systems and manage the potential for attacks, infrastructure companies need to take a ‘defence in depth’ approach and ensure that systems at all levels from the consumer upwards are properly secured. They also need to establish a proactive cyber security team to ensure that systems are properly monitored and any incidents responded to in a timely manner. Obviously, with large and complex systems generating lots of transaction data, many businesses are turning to artificial intelligence in order to identify the most severe alerts.

Commoditisation of Threats

Although we’ve talked about nation state attackers being a threat to national infrastructure, it’s also the case that the increasing commoditisation of tools makes it easier for other hackers to reach ambitious targets. The availability of hacking tools on the dark web, together with lists of compromised credentials from high profile security breaches, means that anyone with the money to pay for them can launch a DDoS attack or look to penetrate critical systems. This also means that not only cyber criminals but also smaller states with limited cyber capabilities of their own have the capability to launch devastating attacks.

In CNI security, it’s very often the end user that is a weak link. Employees, therefore, need to be made aware of the risk of phishing and social engineering attacks seeking to obtain login credentials. As systems are hardened against attack, this is an increasingly common way of attempting to gain access, so security awareness training for staff at all levels of the organisation is essential.

The threat to infrastructure targets is not going to go away, and it is vital for both governments and businesses to take CNI security seriously and act accordingly.

[1] https://publications.parliament.uk/pa/jt201719/jtselect/jtnatsec/1708/170803.htm

 
