The British air traffic control incident that led to the cancellation of more than 2,000 flights earlier this year was the result of a ‘one in 15 million event’ that caused systems to malfunction. While the incident ultimately turned out not to be the result of a malicious cyberattack, it did provide a glimpse into the large-scale disruption that can occur if Critical National Infrastructure (CNI) fails.
The 2023 National Risk Register estimated the chance of a cyber attack on CNI at between 5 and 25 percent, making it one of the most serious risks facing Britain today. Depending on its severity, a cyber attack can lead to significant economic losses or, in the most serious cases, fatalities. What is the price we are willing to pay to secure critical national infrastructure?
Improving cyber resilience to prevent you from suffering the consequences later
The loss predicted by the UK government calls for a refocus on the material risk posed by an attack on CNI so that we can begin to reduce this risk across the sector. Threat actors often select targets that will result in the greatest possible disruption, especially given the current geopolitical landscape and national threat, making critical infrastructure a prime target. As a result, attacks on CNI are more a matter of when, not if. Greater proactivity through active monitoring, frequent patching and having robust backups available is therefore crucial.
The CNI sector has become increasingly digitalized over the years, creating more opportunities for threat actors to identify and exploit weaknesses in operators’ large-scale computer networks. Technological advances, in addition to their adaptability of tactics and processes, are also being leveraged by threat actors to conduct increasingly sophisticated cyber attacks.
The combination of these factors provides a strong argument for a renewed focus on CNI protection. The Science and Technology Select Committee announced in September that it would launch an investigation into the cyber resilience of the CNI sector. This will provide a useful first step in assessing the current state of the sector’s cyber security practices, and will guide the government’s future approach to cyber resilience and preparedness as it relates to CNI.
Government Cybersecurity Expert at the UK domain name registry, Nominet.
Where does the responsibility lie for protecting CNI?
This remains a controversial issue, especially where responsibility differs between the CNI in the public sector and the private sector. Private CNI operators retain personal responsibility for investing in appropriate safeguards and ensuring their cyber strategy is appropriately safeguarded. But consideration must be given to whether it is reasonable or sustainable to place the entire burden of responsibility on them. Determining what these measures should be and how they should be implemented may require input from those better equipped to assess the threat.
An industry-wide, standardized regulatory framework could be one way to address this. Enforcing a set of basic cybersecurity requirements that CNI operators must adhere to could provide a consistent level of resilience. But because the industry is so varied in terms of organizational size and turnover, a one-size-fits-all approach may not be feasible or commensurate with varying levels of risk.
Alternatively, using a case-by-case risk analysis to determine what is needed could be a happy medium, tailoring the cybersecurity response to the risk faced by each sub-sector of CNI. The National Cyber Security Center (NCSC) has already begun developing and maintaining cybersecurity standards as part of a joint effort with regulators to support CNI operators through training and threat intelligence information. The NCSC has also developed a Cyber Assessment Framework as an instrument for organizations to assess their own cyber resilience. This type of centralized support helps strengthen the resilience of the sector.
Make more effective use of threat information
Much of the UK CNI sector falls mainly within the purview of the private sector. Shared threat intelligence could be key to strengthening our national resilience across both the public and private sectors, where strategies might otherwise become misaligned. The data this provides can be used to help identify and block indicators of a cyber attack before the threat materializes, helping organizations stay ahead of the threat. When this data is shared across sub-sectors, the picture that emerges of the current threat landscape is nothing short of invaluable.
Cybersecurity authorities such as the NCSC in the UK and the Cybersecurity and Infrastructure Security Agency (CISA) in the US already have frameworks in place to quickly and effectively disseminate threat intelligence to the public. This information can then be processed in organizations’ own security systems. make sure they are up to date. But ultimately it comes down to the organizations themselves acting on the basis of intelligence.
Sharing threat intelligence is not without its challenges, as too much data or low-quality data can leave organizations overloaded with information. Only by carefully managing these threats and prioritizing the most relevant data can we maintain the effectiveness of this strategy. A clear understanding of each subsector’s intelligence objectives and biggest risk factors is absolutely essential, and Security Information Event Management (SIEM) solutions can be extremely useful here.
Whatever the approach, improving the protection of critical national infrastructure against cyber attacks is only becoming more urgent. The consequences of incidents that disrupt CNI can be serious. We must ensure that potentially devastating cyber-related incidents are prepared for and placed at the top of the agenda before it is too late.
We’ve listed the best patch management software.