Barely a few days into 2023 and media outlets are already flooded with evidence of successful Cyber Security attacks at major UK organisations, Royal Mail and the Guardian, let alone news of major disruption in the US originating from instability in the IT systems of the FAA. These incidents serve as a reminder of the ongoing threat that Cyber crime poses to UK businesses and organisations of all sizes. But do these incidents indicate a trend in targeted attacks against the UK's Critical National Infrastructure and, if so, why should we all be concerned?
What do the recent front-page newsworthy Cyber Security attacks at the Royal Mail and Guardian say about the state of the UK's Critical National Infrastructure and the capability of these crucial organisations to defend their Critical Digital Infrastructure?
Paul Rose, Chief Security Officer at Telent's cyber security business unit Cyro Cyber shares his thoughts.
CNI organisations under fire…
I'm not one to regurgitate well-documented breaches, but I think it's important to use these recent examples to set the scene. As a reminder:
The Royal Mail's "international despatch documentation system", OT equipment designed to create and print custom labels for each parcel, was specifically targeted with the LockBit strain of malware. Without speculating on the specific Threat Actor, the intention is clear: to derail the UK economy further. Coming after a series of strikes at the organisation, this loss of systems had a severe knock-on effect on the thousands of businesses reliant on the Royal Mail's services.
The Guardian incident similarly involved a phishing attack targeting the company's employees, with the focus thought to be on reaching the print and production environment. Whilst the target was the media organisation's operational systems, the ransomware incident resulted in successful access to AD credentials and the theft of sensitive internal information, including information about the newspaper's employees, sources, National Insurance numbers, addresses, dates of birth, bank accounts, salaries and identity documents.
Most recently, and widely reported in global news, was the major disruption caused by an IT systems failure at the FAA last week. Around one million passengers suffered delays and cancellations as US flight systems suffered one of their worst nationwide outages since 9/11. Officials were at pains to say that this was not a Cyber Attack, but the scale of the fallout indicates what the outcome of a successful attempt to disrupt these systems could be.
All three incidents highlight our reliance on these organisations and their seeming fragility in the face of a targeted attack. Aside from the standard delivery model demonstrated in these attacks (phishing, of course), I think it is more important to analyse why there is a current concentration of attacks on CNI and what this means for those organisations: how do they identify potential weaknesses, and where should the focus be to ensure they can mitigate further disruption?
So what are we dealing with here…
I've spent the majority of my career studying and discussing the principles of how to protect the systems and data of traditional IT infrastructure within an organisation, primarily used for the BAU function of a business: managing data, communications, and networks. Operational Technology (OT), on the other hand, I've often seen play second fiddle to these networks, and it can be highly susceptible to attack. OT is used to monitor and control physical processes in industries such as manufacturing, energy production, and transportation, using systems such as sensors, actuators, and control systems designed to manage and automate the operation of physical assets. (Think programmable logic controllers (PLCs), supervisory control and data acquisition (SCADA) systems, and distributed control systems (DCS).)
In my experience, these assets are more susceptible to Cyber Attack for a number of reasons:
The principle of "Secure by Design", or as I like to say "Compliant by Design", is therefore crucial for OT devices and for CNI organisations to consider. Too often I have seen clients design these networks with minimal security in mind, and once implemented they are very difficult to secure in the field.
Promoting Cyber Resilience – Focus on Critical Digital Infrastructure
It is well documented that the UK faces a range of cyber security threats, including those from nation-states, organised criminal groups, and individual hackers. The UK government has warned that the country is facing an "unprecedented" level of Cyber Attack; however, in my experience it is more difficult to define how well prepared UK CNI organisations are for these threats, as we have seen the level of preparedness vary greatly depending on the specific organisation and sector. We know, however, that the UK government's various initiatives and frameworks designed to help these organisations improve their Cyber Security posture can only go so far. Adherence to regulations and standards such as the NIS Directive, NCSC's Cyber Assessment Framework (CAF) and GovAssure (released in Q1 this year), the NIST Cyber Security Framework and ISO 27001 will greatly help to ensure that adequate Cyber Security measures are in place, but in practice, what does this actually mean?
I believe that Critical National Infrastructure organisations need to focus their energy on the following key OT device management principles:
It's my belief that CNI organisations need to augment their management principles for OT assets away from purely Cyber Defence to focus on Cyber Resilience. This doesn't negate the need to wrap defensive technologies and architectural design around these devices, segmenting them from public access and standard corporate systems, but it does shift attention to having plans in place to minimise disruption, pre-empting an incident and running mock table-top exercises to understand how best to respond quickly should a successful attack take place.
Personally, I've had some huge success with Microsoft's Defender for IoT on a recent high-profile OT project: deploying both cloud and on-premises sensors to discover, identify and feed all asset data back into a SIEM (Sentinel), and reviewing the logs from the OT environment alongside all IT logs to ensure equal importance and a coherent response. I can't stress enough how important visibility of these networks is.
My final thoughts on this are simple: we know that the NCSC and UK Government are quick to highlight who CNI organisations are; it is now down to these organisations to highlight what their Critical "Digital" Infrastructure is and what defensive strategies are in place to protect it. Let's move away from CNI as a pure function crucial to the UK economy and our daily lives, and focus on assessing the risk to, and management of, CDI - Critical Digital Infrastructure.