In the Absence of Government Leadership, CNI Firms Can Still Improve Security
In analysis / By Phil Muncaster / 26 November 2018
A new parliamentary report has some harsh words on the government’s handling of cybersecurity in critical national infrastructure (CNI). The Joint Committee on the National Security Strategy says that while the executive has acknowledged the growing threat, it is failing to act with a “meaningful sense of purpose or urgency” and “identifiable political leadership is lacking.”
The report’s findings may ring true with many organisations operating in the sector. But the good news is that there’s plenty that can be done to improve cyber risk management in anticipation of the tier one attack predicted by experts. In CNI, the stakes couldn’t be higher, so there’s little time to waste waiting for the government to get its act together.
CNI under fire
The committee report highlights the growing and continually evolving cyber threat to UK critical infrastructure. Even over the past 18 months there’s been a noticeable uptick in activity, mainly blamed on Russia. A landmark joint “technical alert” issued by GCHQ’s National Cyber Security Centre (NCSC) and the US Department of Homeland Security (DHS) earlier this year warned of Russia’s “sustained presence in UK and US internet infrastructure”. The Kremlin has also been named and shamed by the government for the destructive NotPetya and BadRabbit ransomware worm attacks, while North Korea was pegged for the WannaCry ransomware campaign which did so much harm to the NHS.
Attacks could be careful and calculated, like the outages caused by Kremlin hackers at Ukrainian energy providers in December 2015 and 2016. Or they could be almost “accidental”, as per WannaCry, which caused £92m in NHS losses and 19,000 cancelled appointments and operations. It’s also increasingly hard to tell nation state from “almost state level” cybercrime gangs, the report warned.
What’s the problem?
It’s difficult to generalise about a sector which covers such a broad sweep of verticals. The parliamentary report said CNI should cover: chemicals; civil nuclear; communications; defence; emergency services; energy; finance; food; government; health; space; transport; and water. This is way more than the handful of sectors covered by the recently introduced NIS Directive and indicates just how broad the potential CNI attack surface is. There are over one million email addresses hosted by NHSmail alone, for example. That’s a lot of potential phishing victims.
Broadly speaking, many of the same challenges face these CNI firms as elsewhere. Legacy, unpatched systems; poor password management and access controls; unencrypted data at rest and in transit; configuration errors; poor network visibility; and low levels of security awareness among staff are all commonplace. Supply chain risk is also endemic, as we’ve discussed before on The Nasstarian.
Many CNI firms are likely to run sizeable operational technology (OT) systems in facilities like electricity substations or water treatment plants. These used to be unconnected and therefore de facto air-gapped from potential threats. Unfortunately, this is no longer the case: such systems are increasingly connected to IT systems and the wider internet to improve operational efficiencies — but in so doing are exposed to online threats. The number of SCADA vulnerabilities reported to one scheme in 1H 2018 rose 30% from the previous six months. Sometimes security patches can’t even be applied, due to incompatibility issues with legacy technology and/or the difficulty of taking mission-critical systems offline.
In many organisations, these failings come from the top down. A widespread failure to consider cybersecurity as a major business risk is partly responsible for historic under-investment. But fortunately, this is slowly changing. The challenge for many CNI firms will be knowing how much investment is enough — and this is where government should be stepping in with guidelines.
But most CNI operators are private businesses, and the truth is that good cybersecurity makes good business sense. If you want to drive digital transformation-led improvements to customer service, agility and operational efficiency, you need to build on a secure foundation. So don’t wait for the government to sort its approach out. Take the initiative now.
The NIS Directive, whilst aimed only at a few CNI sectors, is not a bad place to start. The NCSC has issued useful guidance on how organisations can meet each of the four top-level objectives: managing security risk; protecting against attack; detecting cybersecurity events; and minimising the impact of incidents. Even if you’re not mandated to comply with the directive, its framework is a sensible baseline. Beyond that, several other measures are worth considering:
- Rigorous, regular pen testing of the entire IT environment
- Cyber insurance: this is a rapidly maturing space with policies now mandating baseline security standards
- Identifying a board member with responsibility for cyber resilience and reporting
- Outsourcing some parts of the IT infrastructure to a reputable, accredited managed service/hosting provider
The committee report’s recommendation is that the objective for CNI firms should be to:
“Make it as difficult and as costly as possible to succeed in attacking the UK’s critical national infrastructure — and to continue raising the bar as new threats emerge.”
This requires a flexible but determined approach to improving resilience. It will evolve over time and should be revisited at least annually. With the right cultural mindset and risk-based approach, there’s plenty that CNI firms can do now to get started, as we wait for that elusive government leadership.