The UK air-traffic control incident that triggered the cancellation of more than 2,000 flights earlier this year was the result of a ‘one in 15 million event’ which caused systems to malfunction. While the incident was ultimately found to not be the result of a malicious cyber attack, it did provide a glimpse into the large-scale disruption that can occur when critical national infrastructure (CNI) fails.
The 2023 National Risk Register identified the chance of a cyber attack on CNI as between 5-25 percent, making this one of the most serious risks facing the UK today. A cyber attack, depending on its severity, could result in significant economic losses, or in the most serious cases, fatalities. What is the price we are prepared to pay to secure critical national infrastructure?
Improving cyber resilience to avoid suffering the consequences later
The loss forecasted by the UK government calls for a refocus upon the material risk posed by an attack on CNI, so that we can begin to reduce this risk across the sector. Threat actors often select targets that will result in the greatest disruption possible, especially given the current geopolitical landscape and the nation-state threat, making critical infrastructure a prime target. Consequently, attacks against CNI are more a question of when, not if, so greater proactivity via active monitoring, frequent patching, and having robust backups on hand is therefore crucial.
The CNI sector has become increasingly digitalized over the years, presenting more opportunities for threat actors to identify and exploit weaknesses in operators’ large-scale computer networks. Technological advancements are also leveraged by threat actors, alongside their adaptability of tactics and processes, to execute increasingly sophisticated cyber attacks.
The combination of these factors builds a strong case for a renewed focus on the protection of CNI. The Science and Technology Select Committee announced in September that it is launching an inquiry into the cyber resilience of the CNI sector. This will provide a useful first step in assessing the current state of play regarding the state of the sector’s cyber security practices, and help guide the government's future approach to cyber resilience and preparedness when it comes to CNI.
Government Cybersecurity Expert at UK domain name registry, Nominet.
Where does the responsibility for protection of CNI lie?
This remains a contentious point, particularly where the responsibility differs between the public sector and private sector CNI. Private CNI operators retain personal responsibility for investing in the appropriate protective measures and ensuring their cyber strategy is suitably safeguarded. But it must be considered whether placing responsibility in its entirety with them is reasonable or sustainable. Identifying what these measures should be and how they should be implemented may require input from those better-equipped to assess the threat.
A sector-wide, standardized regulatory framework could be one way of approaching this. By enforcing a set of basic cybersecurity requirements that CNI operators must adhere to would provide a consistent level of resilience. But as the sector is so varied in terms of organisation size and revenue, a one-size fits all approach may not be viable or unreflective of varying levels of risk.
Alternatively, utilizing a case-by-case risk analysis to determine what’s needed could present a happy medium, tailoring the cybersecurity response to the risk each sub-sector of CNI faces. The National Cyber Security Centre (NCSC) has already begun developing and maintaining cybersecurity standards as part of a collaborative effort with regulators to support CNI operators through training and threat intelligence information. The NCSC have also developed a Cyber Assessment Framework as a tool for organizations to assess their own cyber resilience. Centralized support of this kind is instrumental in strengthening the resilience of the sector.
Utilizing threat intelligence more effectively
A large portion of the UK’s CNI sector falls primarily within the ambit of the private sector. Shared threat intelligence could be the key to strengthening our national resilience across both the public and private sectors where strategies might otherwise become misaligned. The data this provides can be used to help recognize and block indicators of a cyber attack before the threat materializes, helping organizations stay ahead of the threat. When this data is exchanged between sub-sectors, the picture that is generated of the current threat landscape is nothing short of invaluable.
Cybersecurity authorities like the NCSC in the UK and the Cybersecurity and Infrastructure Security Agency (CISA) in the US already have frameworks in place to quickly and effectively distribute threat intelligence to the public, information which can then be factored into organizations' own security systems to ensure they are up to date. But ultimately it comes down to the organizations themselves to act upon intelligence.
Threat intelligence sharing isn’t without its challenges, as too much or low quality data can cause organizations to become overloaded with information. Only through careful management of these threat feeds and prioritizing the most relevant data can we preserve the effectiveness of this strategy. A clear understanding of each subsector’s intelligence goals and biggest risk factors is absolutely essential, and Security Information Event Management (SIEM) solutions can be extremely helpful here.
Whatever the approach, improving the protection of critical national infrastructure from cyber attacks is only becoming more pressing. The fallout from incidents that disrupt CNI can be serious, we need to ensure that potentially devastating cyber-related incidents are prepared for and brought to the top of the agenda, before it’s too late.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Steve Forbes is government cyber security expert at Nominet.