I’m not one to regurgitate well-documented breaches, but I think it’s important to use these recent examples to set the scene. As a reminder:
The Royal Mail’s “international despatch documentation system”, the equipment that creates and prints the customs labels for each international parcel, was specifically targeted with LockBit ransomware. Without speculating on the Threat Actor specifically, the intention is clear: to derail the UK economy further after a series of strikes at the organisation. The loss of these systems had a severe knock-on effect for the thousands of businesses reliant on the Royal Mail’s international services.
The Guardian incident similarly involved a phishing attack that targeted the company’s employees, with the focus thought to be on reaching the print and production environment. Whilst the target was the operational systems of the media organisation, the ransomware incident resulted in successful access to AD credentials and the theft of sensitive internal information, including the newspaper’s employee data: names, sources, National Insurance numbers, addresses, dates of birth, bank accounts, salaries and identity documents.
Most recently, and widely reported in global news, was the major disruption caused by an IT systems failure at the FAA last week. Around one million passengers suffered delays and cancellations as US flight systems experienced one of their worst nationwide outages since 9/11. Officials were at pains to say that this was not a cyber attack, but the scale of the fallout shows what the outcome of a successful attempt to disrupt these systems could look like.
All three incidents highlight our reliance on these organisations and their apparent fragility when a critical system is taken down, whether by a targeted attack or by failure. Aside from the standard delivery model seen in these attacks (phishing, in the Guardian’s case), I think it is more important to analyse why there is a current concentration of attacks on CNI and what this means for those organisations: how do they identify potential weaknesses, and where should the focus be to ensure they can mitigate further disruption?