by Bharat Mistry
A new poll has revealed that many MPs regard cyber-attacks on the UK’s critical national infrastructure (CNI) as the biggest online threat facing the nation. The good news is that we have an EU law to tackle exactly this challenge: the NIS Directive. But effective compliance will only be possible if organisations working in these sectors get better at bridging the traditional divide between IT and OT.
MPs see sense
The NCC Group poll of 100 MPs from the country’s main political parties revealed that 62% believe attacks on CNI to be the biggest threat facing the UK. It’s heartening to see political parties united in their concern, with 70% of Conservatives and 57% of Labour lawmakers highlighting the danger of attacks on critical infrastructure. And in many ways, these views are not surprising, given the increase in such attacks around the world over the past couple of years.
Russia seems to have led the way, with attacks on power stations in Ukraine in December 2015 and 2016 that left hundreds of thousands without power. It’s also been fingered for infiltrating the US energy grid and last year the National Cyber Security Centre (NCSC) warned that Kremlin operatives had attacked the UK’s media, telecoms and energy sectors — in a bid to “undermine the international system”. More recently, the NCSC was forced in April to issue a joint alert with US authorities of more Russian attacks aimed at critical infrastructure providers and others. And the recent VPNFilter attacks which have compromised at least half a million network devices globally may also be aimed at the CNI space, as the malware itself is designed to monitor SCADA protocols.
Cyber-attacks on CNI providers are potentially catastrophic because they can have a real-world physical impact on citizens. The WannaCry ransomware of May 2017 led to the cancellation of an estimated 19,000 NHS operations and appointments, yet was still only classed as a Category 2 attack. NCSC boss Ciaran Martin has claimed that a Category 1 attack is a matter of “when, not if”.
CNI firms are at risk on several fronts. As many race to embrace digital transformation, they have ended up connecting systems to the internet, in turn exposing legacy platforms that were previously air-gapped. Many mission-critical systems can’t be taken offline to patch, or else haven’t been upgraded because of compatibility problems with legacy applications, leaving them further exposed. Open network ports, a lack of authentication and traffic encryption, and insecure network protocols like Modbus all add to rising cyber-risk levels.
This is why the NIS Directive was created, and brought into force in early May. It’s designed specifically to improve baseline security among providers of “essential services” in sectors like transport, utilities and healthcare. Its four objectives tackle managing security risk; protecting against cyber-attack; detecting cybersecurity events; and minimising the impact of incidents. There are GDPR-like penalties of up to £17m or 4% of global annual turnover for serious non-compliance.
Although the NCSC has released handy guidance which will help CNI providers get their compliance house in order, it’s important to remember the cultural change that will be necessary in many such organisations. As Trend Micro’s VP of Infrastructure Strategies, Bill Malik, explained to Infosecurity Europe attendees earlier this month, IT and OT teams are used to working in silos, each with a separate set of goals. While OT is focused on fixing a problem as quickly as possible to preserve the availability and integrity of the service, IT security wants to get to the bottom of what went wrong to prevent it happening again. These teams must be brought together and harmonised if CNI providers are to effectively tackle the rising threat of attacks.
They are directly in the firing line now: MPs know it and security experts know it. It’s time to take action.