Escalating Threats to Critical National Infrastructure

Why are bad actors targeting CNI? Which sectors are most at risk? And what can be done to offer better protection?

Recent warnings from the UK’s National Cyber Security Centre and insights from the UK government’s National Risk Register report highlight an increased risk of cyberattacks on critical national infrastructure. These attacks, potentially from nation-states or organised criminal groups, could have devastating consequences. The report concluded that there is a 5% to 25% likelihood of an attack on UK critical infrastructure over the next two years. This probability is low (the technical rating is ‘highly unlikely’), but the impacts could be significant.


What are the motivations for attacks on Critical National Infrastructure?

Cybercriminals target critical infrastructure for various motivations, including:

  1. Financially Motivated Disruption: Attackers often target critical infrastructure to cause disruption – sometimes financial, sometimes to ‘encourage’ the victim to pay a ransom – or for personal gain. Attacks could involve manipulating the energy, transportation, or economic sectors, leading to market disruption and extortion through ransomware. The average ransom in 2023 is $1.54 million, almost double the 2022 figure of $812,380 (Sophos, 2023). This trend is expected to continue.
  2. Espionage and Data Theft: The valuable data held by critical infrastructure organisations, including proprietary technologies and personal records, make them attractive targets for cyber adversaries. These breaches can serve purposes of espionage, gaining competitive edges, or selling information on the black market.
  3. Geopolitical and Ideological Goals: Increasingly, attackers are motivated by political or ideological aims and use cyber capabilities alongside traditional methods (as during the Arab Spring). Whether nation-states or activist groups, these attacks can significantly disrupt national security and stability, with far-reaching monetary and reputational consequences.
  4. Cyber Warfare as a Strategic Tool: With conflicts in parts of the world, cyber-attacks on critical infrastructure are becoming a strategic weapon. Disrupting a nation’s power grid or communication systems can critically weaken it, as seen in the Ukraine-Russia conflict, where digital and physical battles are now intertwined. Actors are willing to put substantial resources into prepositioning on critical infrastructure to potentially use it as leverage. One example is the report that Chinese hackers spent up to 5 years inside US networks, according to US cyber officials (ABC News).
  5. Opportunities Due to Limited Resources: The current economic climate affects organisations’ ability to fend off cyberattacks. Shrinking security budgets and rising cybercrime, including phishing and social engineering attacks, are direct results of financial pressure. Financial and resource pressures, which intensified during the COVID lockdowns, mean that many parts of critical infrastructure carry growing security debt.

Key Sectors where there is a significant impact from cyber attacks.

Attacks against some of the CNI sectors would have a greater impact due to the importance of these sectors to our daily lives. Standard attack methods involve phishing, ransomware, DDoS, zero-day exploits, and insider threats.

  1. Energy Sector: Power grids and oil and gas facilities are vital to modern society, making them attractive cyberattack targets. Disruptions can cause widespread blackouts, financial damage, potential health hazards, and knock-on effects on other critical infrastructure sectors.
  2. Transportation: Digital systems are the backbone of aviation, maritime, and railway transportation. Cyber breaches in this area can lead to severe accidents, disrupt supply chains, and have significant economic impacts.
  3. Water and Wastewater Management: These facilities are essential for public health. Cyberattacks here could contaminate water supplies, interrupt treatment services, cause flooding and have severe health repercussions for entire communities.
  4. Healthcare: With its wealth of sensitive data, often outdated systems and significant impact of disruption, the healthcare sector is especially susceptible to cyberattacks. These breaches can lead to compromised patient information, disrupted medical services, and even endanger lives.
  5. Finance: An established target for cybercriminals, the financial sector, including banks, stock exchanges, and payment systems, faces significant risk. Cyberattacks here can cause widespread economic instability and financial chaos.
  6. Emergency Services: Breaches of emergency services would significantly damage public trust and pose a threat to life.
  7. Defence: A key target for nation-state actors, breaches of defence systems can lead to severe impacts on the UK’s relationship with other nations and endanger lives.

Protecting Critical Infrastructure: Cyber expertise and awareness

Organisations must adopt a multi-faceted approach focusing on cyber hygiene and awareness to combat these threats. This ranges from employee training to a robust and dynamic approach to risk assessments, effective network monitoring, diligent patch management, complete incident response plans, and collaboration for intelligence sharing. It should also include expert security architecture to review legacy systems and make recommendations for new projects.

You should also be completing Cyber Assessment Framework assessments, especially where these are required within your sector. Being outcome-focused, these avoid a tick-box mentality to security compliance and help you think about how your systems are protected.

Targeted employee training:

Invest in comprehensive cyber security training for staff members to raise awareness about potential threats and teach best practices for identifying and responding to them. Use the resources and support provided by organisations like the National Cyber Security Centre. Develop a positive cyber security culture within your organisation so that security is an enabler rather than a blocker, and security behaviours become second nature to all members of staff.

Understanding your assets

Creating the mechanisms to maintain a dynamic understanding of the scope of your organisation and its assets is key. This enables you to spend your resources protecting your ‘crown jewels’ and to understand what might motivate attackers to target your organisation.

Regular risk assessments:

Regularly assessing risks is crucial for identifying vulnerabilities in critical systems and formulating effective countermeasures. 2T Security’s RiskTree platform is a sophisticated, secure, and comprehensive tool designed for government and enterprise use, covering all types of risk.

This platform offers clear and concise reporting, helping to engage board members and formulate actionable strategies. RiskTree adapts to ongoing projects and changes, allowing organisations to continuously update their risk assessments without the need to start over. RiskTree enables risk-led agile development, providing the tools to quickly respond to changes and prioritise tasks against risks.

Integrating RiskTree into your security strategy gives you a dynamic tool that keeps your risk assessments relevant, up-to-date, and aligned with current and future organisational needs. RiskTree enhances your security posture and can help ensure a more resilient response to potential threats.

You can map your risks against the Cyber Assessment Framework, MITRE ATT&CK®, as well as control libraries such as ISO27001 and NIST 800-53 within RiskTree.

Network Monitoring and Segmentation:

Implement state-of-the-art threat detection and real-time monitoring systems. For critical infrastructure organisations, network segmentation is vital. It establishes known paths within the network, restricting an attacker’s ability to move laterally and limiting the damage caused. Instrumentation and focused anomaly detection can then be deployed at scale to hosts, the network, and gateways, identifying issues such as unexpected traffic flows, protocols, and volumetric anomalies. We are no longer looking for a needle in a haystack; we need to find an odd-looking bit of hay in multiple stacks! This is especially important given the Colonial Pipeline incident, where it is believed the primary target of the attack was the billing system, but the pipeline was shut down for fear of the ransomware spreading.
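The "known paths" idea above can be turned into a simple detection rule: define which segment-to-segment flows and protocols are expected, then flag anything outside that policy plus any known path whose volume far exceeds its baseline. The following is an added illustration written for this article, not code from 2T Security or RiskTree; the segment names, policy, baseline figures and flow records are all constructed for the example.

```python
# Added example: check constructed flow records against a segmentation policy
# of known paths, flagging unexpected paths, unexpected protocols and
# volumetric anomalies. All segment names, ports and numbers are assumptions.
from collections import defaultdict

# Constructed policy: (source segment, destination segment) -> allowed destination ports
KNOWN_PATHS = {
    ("corp", "dmz"): {443},   # corporate users reach the DMZ over HTTPS only
    ("dmz", "ot"): {502},     # DMZ historian talks Modbus/TCP to the OT segment
    ("ot", "dmz"): {502},
}

# Constructed baseline bytes per path for the observation window, and the
# multiple of that baseline above which aggregate volume is treated as anomalous
BASELINE_BYTES = {("corp", "dmz"): 500_000, ("dmz", "ot"): 20_000, ("ot", "dmz"): 20_000}
VOLUME_FACTOR = 5

# Constructed sample flow records: (src_segment, dst_segment, dst_port, bytes)
SAMPLE_FLOWS = [
    ("corp", "dmz", 443, 120_000),
    ("dmz", "ot", 502, 8_000),
    ("corp", "ot", 3389, 4_000),   # corporate host straight into OT: not a known path
    ("dmz", "ot", 22, 900),        # known path but SSH is not an expected protocol there
    ("dmz", "ot", 502, 40_000),
    ("dmz", "ot", 502, 120_000),   # with the other Modbus flows, well above 5x baseline
]


def analyse_flows(flows, known_paths=KNOWN_PATHS, baseline=BASELINE_BYTES,
                  factor=VOLUME_FACTOR):
    """Return a list of (alert_type, detail) tuples for flows deviating from policy."""
    alerts = []
    totals = defaultdict(int)
    for flow in flows:
        src, dst, port, nbytes = flow
        path = (src, dst)
        if path not in known_paths:
            alerts.append(("unexpected_path", flow))
            continue
        if port not in known_paths[path]:
            alerts.append(("unexpected_protocol", flow))
            continue
        totals[path] += nbytes          # only policy-conformant traffic counts toward volume
    # Volumetric check over aggregated bytes per known path
    for path, total in totals.items():
        if total > baseline.get(path, 0) * factor:
            alerts.append(("volumetric", (path, total)))
    return alerts


if __name__ == "__main__":
    for alert_type, detail in analyse_flows(SAMPLE_FLOWS):
        print(f"{alert_type}: {detail}")
```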

Patch Management:

Regularly update systems with the latest security patches to reduce exploitable vulnerabilities. Incorporate digital prompts and physical reminders for employees to apply security updates consistently.

Incident Response Plans:

Develop and continuously refine incident response plans for rapid and effective action during a cyberattack. Regular exercises and tests are essential to prepare your security team and general staff. A robust risk plan will help to define the incident response plan.

Sign up to alerts such as the NCSC’s Early Warning service. This can warn you if incidents are detected that suggest your systems might have been compromised or have vulnerabilities.

Robust Architecture:

A thorough risk assessment should help to inform your security architecture. You are designing resilience into your systems and reducing risks by integrating new technologies.

Collaboration and Information Sharing:

Foster collaboration with industry peers and governmental bodies to exchange threat intelligence and cybersecurity best practices. Equally important is encouraging an open dialogue between IT, board members, and all departments.

Elevated Risk of Nation-State Cyberattacks on Critical Infrastructure

According to a World Economic Forum report, most business leaders (86%) and cyber experts (93%) acknowledge that global geopolitical instability dramatically increases the chance of a significant cyber event in the next two years.

The threat from nation-state actors is particularly alarming due to their sophisticated capabilities and resources. These actors engage in stealthy, precise attacks driven by political or strategic objectives, and such incidents are escalating daily. They will also embed malware, including back doors, into systems that can be activated years later, long after perimeter security has closed off the initial route by which access was gained.

These state-sponsored cyber-attacks threaten operational stability, potentially destabilising governments and disrupting essential services like power grids, transportation networks, and financial systems. In espionage scenarios, sophisticated malware can even erase traces of network breaches. Additionally, the emergence of hacktivist groups, like Iran’s ‘Hackers of Saviour’ and Ukraine’s ‘IT Army,’ and nation-states leveraging relationships with organised criminal groups makes attribution far more difficult.

Frequency of attacks.

The frequency of high-profile cyber-attacks on critical infrastructure across the globe is a stark reminder of the severity of these threats. These incidents have targeted various entities, from government bodies to essential services like water utilities, transportation, and healthcare sectors. Given the current global political climate, the likelihood of further significant attacks on critical infrastructure is not just a concern but a strong possibility.

There is also a risk of being collateral damage in a widespread malware campaign, where an attacker distributes their malware to millions of individuals. This results in a CNI operator being infected even though they were not specifically targeted.

Notable Incidents and the Danger of Nation-State Attacks

High-profile incidents, such as attacks on India’s infrastructure in 2022 and the Royal Mail ransomware attack in 2023, exemplify the severity of these threats. The involvement of nation-state actors with advanced capabilities and political motives raises the stakes significantly.

The Colonial Pipeline ransomware attack in 2021 was a notable incident that resulted in government interventions to improve cyber resilience. Whilst the ransom was reported to have been paid, with the OCG providing the means to restore the systems in return, the service did not restart until 6 days later.

It has recently been reported that a nation-state actor spent up to five years on a cyber operation to preposition itself on critical infrastructure. Multiple sectors were compromised to perform reconnaissance and plant malware, with the likely aim of being able to cause disruptive impact in the event of escalating geopolitical conflict.

Join a forum such as CISP, run by the NCSC, which helps cyber security professionals in the UK collaborate securely on cyber threat information.

In conclusion, the protection of critical infrastructure is paramount. With the right approach and expertise, such as that offered by 2T Security, organisations can defend against these complex and potentially crippling cyber threats.


As expert consultants in cyber security, we stand at the forefront of defending governments and large organisations against cyber threats. Our consultants are trusted advisers to the UK government. We specialise in security architecture, security monitoring, and risk management. Having helped to create the GovAssure process, we have a deep understanding of the Cyber Assessment Framework and how to use it effectively for our clients.


Learn more about aligning RiskTree with your security strategy to keep your risk assessments relevant, up-to-date, and aligned with current and future organisational needs.
