At the Cyber UK event in Belfast in April, UK Minister Oliver Dowden warned of Russian-associated hacker attempts to disrupt or destroy critical UK infrastructure, while the National Cyber Security Centre issued an official threat notice.
Threats to critical national infrastructure (CNI), however, are not new. We have already seen how the war in Ukraine has shaped the cyber security picture in Europe and driven a number of attacks against key infrastructure targets. For example, the attack against Viasat just an hour before Russian troops invaded Ukraine resulted in an immediate and significant loss of communication. It also had the secondary effect of paralysing 9,000 German wind turbines that rely on satellite communication for their operations.
As the war continues, we have seen further international cyber attacks, including those against Estonian, Latvian, Lithuanian and Polish targets, as well as against the EU Parliament in 2022.
Why critical national infrastructure represents an attractive target for cyber attacks
Despite the high-profile nature of the Russian situation and the impact that it has had across Europe, it is not just Russian-linked hackers who seek to interfere with critical national infrastructure.
Because critical systems underpin so many important services – from communications and energy supply to healthcare, education and transport – they are a prime target for bad actors looking to cause harm. Political or ideological reasoning is not the only trigger. Financial gain can also be a key motivation for ransomware or phishing attacks. But whether politically or financially motivated, attacks on CNI have the potential to inflict significant disruption on national economies and the lives of citizens.
The financially-led Colonial Pipeline cyber attack on the largest US fuel pipeline in 2021 forced the company to shut down its pipeline network. This brought the oil delivery system to an almost complete standstill, resulting in a regional emergency declaration for 17 states and Washington D.C.
Attacks on healthcare, meanwhile, can mean life or death. A ransomware attack on a hospital in Germany in September 2020 caused emergency care to be disrupted. It resulted in a police investigation into whether the attack caused the death of a patient. Although the investigation found that the hackers were not directly responsible, the incident goes to show how high the stakes can be.
There are a number of reasons that critical national infrastructure can be vulnerable to cyber threats.
Digital transformation, for example, has expanded the cyber footprint of all industries, exacerbating dependence on technology and connectivity and widening the opportunity for attacks. But despite digital advancement in several areas, the continued use of legacy systems designed before cyber security was even an issue also contributes to susceptibility.
The complexity of operations, including supply chains and the large number of stakeholders involved, also increases vulnerability. Multiple equipment suppliers, software vendors and third-party contractors mean that control over third-party products and services is often weak. The systems are often so complex that nobody has the holistic and detailed view required, and companies rely on outsourced services.
And, as is so often the case in cyber security, human error is always dangerous. Utility companies, financial institutions and healthcare providers, to name but a few, all employ thousands of workers who have access to sensitive systems and information. These workers can inadvertently introduce vulnerabilities through phishing attacks, weak passwords and other security lapses.
In order to protect the energy sector against cyber attacks, it is vital to take a systemic approach and weave cyber security into daily business activities.
What can CNI organisations do to better protect themselves?
Although vulnerabilities proliferate, there are a number of things that CNI organisations can do in order to protect themselves and the services they provide.
The first is to plan for a cyber security budget and invest in exercises that help leaders and employees prepare for cyber attacks. Another is to implement a zero trust policy, in which inherent trust in the network is removed, the network is assumed to be hostile and each request is verified against an access policy.
By hardening systems and investing in the human link, involving everyone to create a ‘human firewall’, it is possible to go some way towards preventing the mistakes that lead to vulnerabilities. It also ensures the planning and preparedness needed so that, should a cyber attack occur, it can be dealt with and contained as quickly and effectively as possible.
Many kinds of live exercise can be carried out. They are enlightening for an organisation regarding its level of cyber security awareness, and they result in a concrete set of measures to implement.
For example, such exercises reveal how the internal network is built up, how easy lateral movement is (which is what allows a ransomware attack to reach the heart of the company), and how it can be prevented.
Moreover, it is crucial to:
- Decide who to call in a cyber attack;
- Define the management’s role;
- Plan whether or not to inform customers;
- Know where to back up and how to back up; and
- Know how backups can be used after they have been decrypted.
Cyber range technology can provide a realistic simulation environment for training employees on cyber security best practices, including identifying and responding to cyber threats.
Cyber ranges can also be used to create simulations of cyber attacks on critical national infrastructure systems to help identify vulnerabilities, test cyber defences, and facilitate collaboration and coordination between different departments and stakeholders within a company. Being able to document the results of these simulation events also goes a long way towards the compliance required by many national regulators.
It is not possible to protect everything, however, so we recommend prioritising. This means understanding what and where the organisation’s crown jewels are, defending those, and detaching critical core systems from business systems in order to do so.
Sadly it is the way of the world that if bad actors can pinpoint a way in which they can be harmful, causing data or financial loss, or reputation damage, then they will use it to their advantage.
We have seen the devastation that attacks against critical national infrastructure can cause. Because of the way in which it underpins so many important national services, it will remain a prime target. Arming individuals with the knowledge and training in cyber security will be crucial if we are to protect our critical national infrastructure, keep vital services up and running and instil trust in the end-user.