Defence
Preventing the Impossible: the Inevitability of Critical National Infrastructure Cyberattacks
Attacks on critical national infrastructure are inevitable, and a threat to the economy, the environment and even human life. Elliot Gardner looks into why they are a future reality, and whether the risk can be reduced.
Critical national infrastructure (CNI) comprises the facilities on which a country depends: the lifeblood of any nation state, essential to the effective running of crucial public and private services, from energy generation and distribution to public health facilities and financial services.
While in the physical world UK businesses and public services are usually well-secured, the increasing frequency and sophistication of cyberattacks have left critical infrastructure fighting a losing battle.
A certain inevitability: the imminence of an attack against national infrastructure
According to the Centre for the Protection of National Infrastructure (CPNI), the UK’s national infrastructure – as well as related businesses – is under constant threat from both international and domestic terrorism, espionage and other hostile foreign operations. While CNI has yet to face a full-scale cybersecurity breach, many experts agree that it is simply a matter of time before a vital piece of infrastructure is subject to a large-scale and particularly damaging attack.
“There feels a certain inevitability about a successful attack on the national infrastructure,” comments Tony Proctor, principal lecturer on cybersecurity at the University of Wolverhampton, “I just hope that we can delay this until such time that it has minimum impact.”
This is more than mere doom and gloom on the part of the industry. A spokesperson for the UK’s National Cyber Security Centre (NCSC), who wished to remain anonymous, admits that: “Our CNI – in both the private and public sector – continues to be a target for attack as the [cybersecurity] threat continues to diversify and increase.” They go on to provide reassurances that the security and resilience of CNI against cyberattacks remains a priority for the Government; however, with threats advancing in intricacy, an attack seems increasingly unavoidable.
While they have held up quite well so far, in recent history several public sector institutions have either been probed for weaknesses, or have fallen victim to small-scale attacks, highlighting the evolving complexity of cyber threats. “There have been several instances of large public infrastructures that have experienced problems,” explains Proctor, “the Joint Academic Network (JANET) experienced a serious denial of service two years ago. This year a significant number of NHS organisations were seriously affected by the WannaCry malware. There was also evidence of some attempts to disrupt the 2012 Olympics. I’m sure that nation states are constantly probing our cyber defences in the same way as they do in the physical world.”
The worst-case scenario: understanding the scale of a potential attack
Perhaps the conversation, then, should move from if and when there will be an attack, to the potential scale of such a breach, and the severity of the impending damage. “An attack against any critical national infrastructure could be devastating, depending on the motivation of the threat actor,” said Jalal Bouhdada, founder and principal ICS security consultant at Applied Risk. “The worst-case scenario, which is looking increasingly likely in the years to come, is a manipulation of, or complete loss of control of physical industrial systems and infrastructure.”
The issue, however, is the difficulty in envisaging the scale of this ‘worst case scenario’. Bouhdada has said that loss of life could easily occur if certain infrastructural areas, such as health or defence services, were hit, but Proctor believes the damage could span much further.
“How good is your imagination? Anything is possible,” he says. “We live in an age where what isn’t currently controlled by technology soon will be. We have also grown an environment around instant communication. So just think about some of the things in CNI; the power grid, transport network, telecoms, finance industry. What damage couldn’t you do if you were able to take control of these systems?”
Can CNI effectively protect against cyber-threats?
How then can those in charge of CNI protect against these imminent cyber-based dangers? The NCSC spokesperson made it clear that the government is doing all it can, and will support industry where possible, “but will not take on the responsibility to manage this risk, which rightly sits with boards and CNI owners and operators. They have the responsibility to ensure their networks are secure and to invest appropriately, and must work with Government to achieve this.”
They also highlighted that the Network and Information Systems (NIS) Directive, which comes into effect in May 2018, will help to ensure operators take better steps to protect infrastructure from cyberattacks and disruption. This provides an even stronger incentive for service providers to shore up their defences, as “essential service operators who fail to appropriately manage risks and implement effective cyber security measures could be subject to punitive measures such as directions, audits or fines.”
Whether this is the correct approach remains to be seen. While those who are negligent in their responsibility to adequately protect infrastructural services will certainly face legal retribution, the complexity and evolving nature of security breaches may make it tricky for some industries to stay above this line of ‘appropriate risk management’. The Government will have to ensure they are not punishing those who have attempted to protect themselves, but have been caught unawares as a result of sophisticated, developing techniques.
“It is very difficult because it is impossible to predict what will happen next and when it will happen,” says Proctor. He does however recommend some minimum standards for cybersecurity that CNI players should endeavour to achieve, such as “adopting best practice, including things like using the latest software, appropriate security architecture and excellent staff awareness; properly risk assessing anything that is connected to the internet or other networks; and sharing information on risks / attacks with peers. These are not complex activities; the key is in making sure that they happen consistently.”
The NCSC could not comment on the specifics of what is being done to protect against evolving technological threats “in the interests of national security,” but did state that industry must continue to invest in its protections against cyberattacks, and made it known that “the government is alert to threats to the UK from all actors. This includes cyber threats.” The spokesperson further commented that “Her Majesty’s Government seeks to understand and address these threats,” and highlighted that the NCSC, as part of GCHQ, is supported by £1.9bn of transformational investment.
Still, with CNI yet to be successfully targeted, we may need to wait for the worst to happen in order to fully understand how many resources will need to be committed to effectively combat cyber threats, and to comprehend the potential breadth of damage that could be wrought to the country.
PR nightmares: Ten of the worst corporate data breaches
LinkedIn, 2012
Hackers sold name and password info for more than 117 million accounts
Target, 2013
The personal and financial information of 110 million customers was exposed
JP Morgan, 2014
One of JP Morgan Chase’s servers was compromised, resulting in fraud schemes yielding up to $100m
Home Depot, 2014
Hackers stole email and credit card data from more than 50 million customers
Sony, 2014
Emails and sensitive documents were leaked, thought to be by North Korea in retaliation for Sony’s production of a film mocking the country’s leader Kim Jong Un
Hilton Hotels, 2015
Dozens of Hilton and Starwood hotels had their payment systems compromised and hackers managed to steal customer credit card data
TalkTalk, 2015
The personal data of 156,959 customers, including names, addresses, dates of birth and phone numbers, were stolen
Tesco, 2016
Hackers made off with around $3.2m from more than 9,000 Tesco Bank accounts
Swift, 2016
Weaknesses in the Swift payment system resulted in $81m being stolen from the Bangladesh Central Bank’s account at the New York Federal Reserve
Chipotle, 2017
Phishing was used to steal the credit card information of millions of Chipotle customers, thought to be part of a wider restaurant customer scam orchestrated by an Eastern European criminal gang