In 2021, the idea of a cyberattack on critical infrastructure seriously damaging the UK’s ability to function moved yet another step away from science fiction and towards day-to-day reality.
The attack on the US Colonial Pipeline - which knocked it out of action for six days and pushed US gas prices to their highest level in six years - and attacks on the Irish health service have demonstrated that the security of the utilities we take for granted is in no way guaranteed. Cybersecurity failure was ranked the number one short-term risk to the UK by British respondents to a recent World Economic Forum (WEF) report.
The UK government defines the national critical infrastructure as elements of infrastructure, such as facilities, systems, sites, property, information, people, networks, and processes, “the loss or compromise of which would result in major detrimental impact on the availability, delivery, or integrity of essential services, leading to severe economic or social consequences or to loss of life.” There are currently 13 national infrastructure sectors: chemicals, civil nuclear, communications, defence, emergency services, energy, finance, food, government, health, space, transport, and water.
An attack on the IT systems supporting these sectors is a terrifying concept, particularly with emerging evidence of how major world powers like Russia and North Korea are willing to use cyberattacks offensively. In 2017, the National Cyber Security Centre said it was "highly likely" that the North Korean Lazarus hacking group were responsible for the “WannaCry” ransomware attack which affected almost 200,000 computers internationally and cost the UK an estimated £92 million. But how serious is the cyberthreat to the UK critical national infrastructure now and where does it come from? And to what extent are initiatives by the UK government and businesses likely to effectively reduce the threat of UK plc going offline?
Ciaran Martin, formerly head of the National Cyber Security Centre, the cyber security arm of GCHQ, has said that a major cyberattack on the UK is a matter of ‘when, not if’; for its part, the government seems to be taking the threat of a cyberattack relatively seriously. In August 2021, a total of 2,658 House of Commons (HoC) staff members were asked to partake in an eight-part cyber security training course during the 2020-21 financial year, according to figures from a Freedom of Information (FOI) request by think tank Parliament Street. The move followed leaks related to the Matt Hancock scandal prompting Whitehall CCTV security fears.
The UK rates relatively highly in terms of the quality of its cybersecurity muscle, according to a number of organisations. The UK was recently ranked as a “second tier” cyberpower by the International Institute for Strategic Studies (IISS), alongside China, Russia, Australia, Canada, France, and Israel. These countries were evaluated according to a range of factors including cyber security and resilience, global leadership in cyberspace affairs, and offensive cyber capability. But going forward how can the UK ensure that these limited resources are used effectively?
National Technology News spoke to a variety of experts about the most serious threats to the UK’s national security infrastructure, where they stem from, and how we can best defend against these risks.
Where does the danger to national infrastructure stem from?
Some commentators – such as Jamie Collier, cyber threat intelligence consultant at Mandiant - consider nation state enemies to pose the biggest threat to national critical infrastructure, as foreign governments have more resources in terms of technology and expertise to deploy compared to criminal gangs. In many cases, a nation state’s motivations for gaining a foothold within the UK’s cyber infrastructure could be non-aggressive, at least initially.
“For some threat actors, operations would be pure information gathering and espionage missions,” said Collier. “This could include gaining an understanding of national infrastructure projects and their implications for trade and political negotiations.”.
Collier thinks these states may be “interested in how their own domestic industry players could fit into future infrastructure projects”.
“The UK has been relatively open to foreign involvement in its critical infrastructure to date, and states could be looking for information that would give them a competitive advantage in any future tender processes,” he added.
However, although the impact from these types of cyberattacks might not immediately cause havoc or make headlines “it does ultimately have an economic impact when intellectual property and business secrets are stolen and used to reduce the competitiveness of UK firms” according to Barry O'Brien, a consultant with cybersecurity specialist Integrity360.
But while nation states might hold the brunt of the accountability for cyberattacks on critical infrastructure, some experts emphasise how important it is not to underestimate the risks criminal gangs can pose.
“Yes, historically nation state actors and criminal gangs have been behind targeted attacks on critical infrastructure, but opportunistic criminals can also get lucky when carrying out campaigns with more readily available means - such as commodity ransomware - and end up reaching some high-profile targets,” said David Lomax, SE manager for UK, Ireland, and Nordics at Vectra AI.
A ransomware attack is a type of malware that prevents you from accessing a computer, or the data stored on it. The system may become locked, or the data on it might be stolen, deleted, or encrypted in exchange for a “ransom”.
Though cybercriminals might not have the same level of funding at their disposal as some nation states, the emergence of Ransomware-as-a-Service (RaaS) has made access to the tools of cybercrime more democratic. These readymade kits can be purchased on the dark web for relatively small sums. Would-be hackers can buy “do-it-your-self” ransomware kits on dark web markets, accessed with software such as the Tor browser, for as little as $70 according to cybersecurity researcher PrivacyAffairs.
The reasoning behind attacks on large scale infrastructure projects can also be purely financial.
“If you're after money, to be blunt, certain people are richer than others,” said Terry Greer-King, vice president of EMEA at SonicWall. “Why bother with you and I when you can hit a large organisation with a million dollar or a $10 million ransom, probably neither you nor I can afford to pay that.
“Targeting is everything.”
He added: “This type of targeting means larger returns for cybercriminals and much more sophisticated, more challenging threats to protect against as well”.
What type of cyberthreat is the greatest risk to national infrastructure?
Of all the different variations of cyberthreat which could hurt the national critical infrastructure, a ransomware attack is generally considered to be the greatest risk by experts.
Ransomware as a percentage of overall cyberattack volume more than doubled in Q3 2021 from Q1 2021, moving from 20 per cent to 46 per cent, according to research from governance and risk services provider Kroll.
Operational technology, which is when hardware and software is used to control industrial equipment, could potentially form a particularly attractive target for ransomware attacks.
“Over the past 12 months, we have also seen a concerning emergence of ransomware targeting operational technology, although not all of these operations are necessarily intentional,” said Collier from Mandiant. “Some operational technology assets are likely impacted due to broad and wide-ranging ransomware operations that are simply intent on encrypting as many systems as possible indiscriminately.”
He added: “Regardless of the intent, the remorseless scale of cybercrime means that the ransomware threat posed to critical national infrastructure is likely to grow over the next 12 months”.
Research from Bridewell Consulting said that over three quarters - 79 per cent of organisations’ main operational technology systems are over five years old, and that over a third - 34 per cent - are over 10 years old.
The continued evolution of ransomware attacks makes these threats only more intimidating. A recent report from the World Economic Forum (WEF) said that for example, before it disbanded, DarkSide - the group accused of being responsible for the Colonial Pipeline attack - offered a suite of services that went far beyond traditional forms of extortion.
These services included data leaks and distributed denial-of-service (DDoS) attacks. Ransomware groups will also contact victims’ clients or partners to get them to urge the victims to pay ransoms according to the WEF, and top executive information is available for blackmail from some ransomware groups.
The total number of ransomware attacks increased by 435 per cent in 2020, with a four-fold rise in the total cryptocurrency value received by ransomware addresses, according to research by deep learning specialist Deep Instinct.
What areas would cause most damage if compromised?
Though it’s difficult to predict exactly how certain scenarios might play out before they occur, some parts of the national infrastructure could pose more damage to the wider ecosystem than others if compromised.
According to research by cybersecurity consultancy firm Bridwell Consulting, aviation, and transport infrastructure detected the most attempted attacks in the past 12 months, while water and transport experienced the highest volume of successful attacks.
The biggest risks to national infrastructure may lie outside of areas which are traditionally considered to be most worthy of investment in terms of cyber protection and strict regulation.
“In environments with strict high security requirements such as nuclear power and defence there are enough resources to assess the risks and apply compensating controls that reduce the attack surface of these systems,” said O’Brien from Integrity360. “However, this same level of security is not applied across all national critical infrastructure.”
“Often overlooked, logistics and distribution have considerable reliance on operational technology, which sees little in the way of investment due to extremely tight operating margins in that industry.”
An attack on the power grid could severely impact travel and communications as well as critical supply chains such as food. O’Brien from Integrity360 believes that “after just a few days without power, tens of millions of people would be in quite a desperate situation without food, fuel, and medicine due to ‘just in time’ economics.”
Some commentators believe that the risks which an attack could entail might hinge on when it occurs, as much as the type of attack or organisation it is launched against. O’Brien highlighted that an attack in winter could be particularly damaging as people wouldn't be able to get food, fuel, medicine, or any emergency assistance in the cold weather.
A cyberattack which compromises the integrity of the financial system and impacts consumer trust could also potentially cause a huge amount of damage to how the UK society functions more widely.
“On a large scale, the world saw what it looked like when banks couldn’t trust each other in the credit crunch of 2007; just ask anyone who banked with Northern Rock and queued for days to get a glimpse of a world without trust in financial services,” said Kevin Bocek, vice president security strategy and threat intelligence at Venafi. “The system of trust that’s established between banks whether in trading or Open Banking - is primarily not one of assets, but of identity - machine identity.”
“The difference between your mobile device trusting a hacker’s app or your bank trusting a FinTech service to transfer money comes down to the identities of machines.”
He added: “And with developers in control and banking moving to the cloud, the dangers are increasingly serious.”
Pete Dutton, head of public sector for UK and Ireland at Elastic, wanted to highlight that the NHS is particularly at risk from cyberattacks ‘due to the abundance of devices connected to the IT network’ and said that “any one of them can have vulnerabilities in either the hardware or software used by such devices”.
Dutton also highlighted that the “NHS is also beholden to old operating systems that are expensive to maintain and couldn’t help mitigate against a ransomware attack.
“None of this escapes the attention of hackers who know that, if they manage to incapacitate those systems, government, and public service decision-makers could be forced to pay a high ransom,” said Dutton. “And that’s a very worrying thought.”
What could the government do to improve critical infrastructure cyber defences?
Though protecting the national infrastructure is undoubtedly a priority for government, the correct way to enforce these protections can be difficult to determine when you consider the level of interplay between the public and private sector in IT.
O'Brien from Integrity360 believes that the emphasis should be on enforcing regulations which ensure there are severe penalties for non-compliance.
“Before Brexit the UK signed into law the EU's NIS Directive (Network and Information Security directive) which regulates security strategy and standards for national critical infrastructure,” said O’Brien. “Compliance with NIS-D can be achieved by implementing a security programme based on IEC-62443 and this should be enforced for all operators of essential services.”
“Increase the level of investment in training and upskilling people to the required standards. There is a severe shortage of relevantly skilled IT security resources but there is an even worse shortage of suitably skilled operational technology security resources”.
“This needs to be addressed at a strategic level by ensuring the education systems and pathways are in place with third-level education institutions and/or apprentice schemes.
Pete Dutton from Elastic believes a higher level of intelligence sharing could help countries protect themselves.
“While intelligence sharing is happening in pockets, it is not yet streamlined and there aren’t any procedures or processes in place that would make it consistent and automatic,” said Dutton.
The executive also touched on the potential benefits of cross-border agreements such as the “Five Eyes” agreement which helps Australia, Canada, New Zealand, the UK, and the US share intelligence.
In addition, Dutton highlighted the potential of “individuals like Troy Hunt, who collects data on public data breaches and is able to tell governments and individuals if their details have been part of these leaks”.
However, Dutton said that these different sources “aren’t brought together in a virtuous circle of knowledge sharing and automatic renewal of cyber security resources and strategy,” saying that this would be the “the next step if the UK is to be ready for what’s coming”.
Mo Cashman, principal engineer at Trellix, believes that “right threat intelligence is critical to defending against cyber criminals and nation-state actors which is why, threat intelligence sharing was a key pillar of the White House’s Executive Order on Improving The Nation’s Cyber Security.”
Cashman pinpointed the Cyber Threat Alliance as “a great example of threat intelligence sharing and cross-industry collaboration”.
“The Cyber Threat Alliance is a cross-industry consortium which shares about 6 million threat indicators between members and partners every month,” he explained.
Will the national infrastructure be safe in 2022?
Despite the best efforts of the UK’s cybersecurity workforce, it unfortunately seems likely that hackers will continue to find avenues to infiltrate organisations that are critical to the proper functioning of the UK’s most important systems. This could ultimately impact elements of the national infrastructure either directly or indirectly.
Hopefully, despite factors like the increasing prevalence of Ransomware-as-a-Service and the growing ingenuity of nation state actors, the public and private sectors can work together to ensure that the UK’s national infrastructure avoids an all-out cybersecurity-related disaster and has a plan B in place should the cyber criminals find a way to hold us all to ransom.
Recent Stories