by Bharat Mistry
The government is failing to address the cyber challenge facing the UK’s critical national infrastructure (CNI) providers urgently enough, a new parliamentary report has claimed. In many ways the challenges facing CNI firms are broadly the same as for other organisations, but the impact of a successful attack could go way beyond data loss and damaged brand reputation to devastating disruption of daily life and potentially even physical harm to citizens.
The good news is that, in lieu of government action, there are many things that organisations in the sector can do to mitigate risk and improve cyber resilience. They just need to remember to layer up security at all levels of the IT infrastructure, from DevOps up.
Lacking in leadership
The Joint Select Committee report pulled no punches in its assessment of the threat landscape for CNI, arguing that the UK’s critical infrastructure represents a major and natural target for state-sponsored attackers and organised crime groups “which are becoming as capable as states.” Claiming a serious attack is a matter of “when not if”, it referenced the impact of WannaCry on the NHS as proof that disruptive CNI attacks don’t have to be highly targeted — as in Ukraine in December 2015 and 2016 — to have significant consequences.
Despite the government’s acknowledgement of the seriousness of the issue, there is no “meaningful sense of purpose or urgency” in its response, which is hampered by a lack of “identifiable political leadership”. The NCSC is under-funded and what regulation has come so far, with the NIS Directive, has come from the EU, said the committee.
In fact, the NIS Directive only covers a handful of critical sectors, whereas the report lists a much wider range of verticals where online attacks could have a serious impact on the UK: chemicals; civil nuclear; communications; defence; emergency services; energy; finance; food; government; health; space; transport; and water. It’s hard to generalise about these organisations, but it’s certainly true that many have failed to ensure security investment keeps pace with the rate of change in the threat landscape.
Operational technology (OT) systems in facilities are increasingly being merged with IT systems, exposing them to internet-connected risks. Sometimes patches are no longer available, or systems are too mission critical to be taken offline, adding further complexity and risk. SCADA vulnerabilities reported to our Zero Day Initiative jumped 30% from 2H 2017 to the first six months of this year.
On the other hand, new cloud and app-driven environments offer their own security challenges, not least ensuring the microservices on which much new software is built are protected throughout the development lifecycle.
Layering defence for CNI protection
A central challenge in driving improved security is ensuring the board and senior management understand the importance of cyber as a major business risk. Hopefully the report will help to raise further awareness among CNI organisations in this area. Once there is buy-in from the top, it’s important to take a layered approach to defence, eschewing silver-bullet solutions in favour of a more comprehensive outlook which combines multiple tools and techniques from a single vendor.
These could include everything from signature-based protection to IDS/IPS, application control, behavioural analysis and machine learning. Apply them at the endpoint, network, server and web/email gateway. This should be combined with other best-practice security policy such as employee security awareness programmes, tighter access controls and more. And if your organisation is embracing faster, more fluid DevOps approaches to app development, there’s a latent need to “shift left” with software-defined security that can continuously scan images for malware before deployment and at runtime.
The parliamentary report calls for a cybersecurity Cabinet minister, which will certainly help focus efforts at a governmental level. But in the meantime, the threat landscape continues to evolve, and so too must critical infrastructure organisations.