While cyberattacks and data breaches targeting businesses tend to dominate the headlines, governments are just as at risk. Perhaps even more so, according to the National Cyber Security Centre’s (NCSC) recent report highlighting the risks to the UK’s critical national infrastructure (CNI).
TechRadar Pro spoke with Carbon Black’s National Security Strategist and former FBI counterterrorism and counterintelligence operative, Eric O’Neill, who explained why the country’s CNI is at risk and what a possible cyberattack targeting it might look like.
1. Why is the UK’s CNI vulnerable to cyber-attack?
The UK’s critical national infrastructure (“CNI”) is vulnerable to risk partly because of its reliance on internet-facing networks and, in many cases, outdated technology. For example, energy exchangers are single points of failure for command and control of the power grid.
2. What are some ways that hackers could target the UK’s CNI?
The UK has a relative lack of security on the patchwork collection of power stations and networks that make up the energy grid. Numerous red-team tests have demonstrated that various critical buildings lack the physical security to defeat an infiltration or social engineering attack. On the cyber side, the networks are, for the most part, susceptible to a large number of known vulnerabilities due to poor patch management, or the fact that they operate on aged or retired systems and do not have the most recent technologies in endpoint security or defence protecting them.
3. Could you describe what a potential cyber-attack on the CNI would look like?
A cyber-attack on CNI could possibly cause a “lights out” scenario where a carefully orchestrated attack compromises a critical mass of the UK’s infrastructure components to such a degree that the power grid is overloaded or shut down for a significant period of time. This would require a dedicated team of sophisticated attackers that are well-funded and patient. State-sponsored attacks are on the rise, and probe attacks against western nations from Russia and Iran (for example) have already tested western critical infrastructure defences.
The “mega security breach of the future” might be a combination of an attack with catastrophic intent in addition to a less obvious, passive attack. For example, a sophisticated attacker might pair a catastrophic ransomware attack that shuts off power or the telecommunications grid with a more subtle and undetected passive attack against perhaps the financial sector that destroys the integrity and utilisation of data. Any attack that disrupts a major western country to such an extent would ripple across the entire Western world.
If attackers succeed in taking down the UK power grid, there would be massive consequences from transportation to food shipping, economic transactions, telecommunication, loss of business and medical responsiveness and more. Loss of life could be high and it may take a long time to get systems up and running again.
4. When it comes to CNI, have cyber threats reached the level that they should be taken as seriously as physical threats?
It’s quite possible that in 2019 a major cyber-attack will occur in either the UK or another friendly country that will require a response equivalent to a kinetic attack. In other words, a cyber-attack will occur that will be looked on as an act of war. To date, despite the fact that cyber-attacks can easily surpass kinetic attacks in both scope, magnitude and damage (both in the short- and long-term) we have not adequately addressed such cyber-attacks, planned for them, or developed long and short-term response policies.
5. How should the government focus on protecting critical infrastructure in the UK?
The UK should invest in cyber defense and analytics in a number of industry areas that so far have received little attention. The transportation system is one such example. An aeroplane is essentially a large industrial machine, more complex and reliant upon computer systems with each generation. In many ways, aircraft are like corporate business centres, incorporating connectivity, communication and access to the internet. If a single hacker were able to breach the security of an aeroplane and take control of it for even one minute, perhaps sending it into a sharp nosedive to prove his point, the aviation industry would immediately ground entire fleets until they could assure that no other plane could be similarly compromised. The sector must adopt a comprehensive approach to cybersecurity, one that incorporates prediction, prevention, detection, and response to attempted attacks.
6. Are the threats to CNI in the UK applicable to the rest of the world?
Yes, if they haven’t addressed the concerns that we have outlined above. For example, Russia has launched cyber attacks against a number of Ukrainian airports. Russia could also launch such attacks against the UK or US. Security assessments now require more than just determining how best to physically protect a building or substation. The new generation of critical endpoints in security are all cyber. In many ways, cyber attacks are easier to launch than physical or kinetic attacks. They are lower cost and risk, harder to attribute and far higher in damage yield for the attacker.
7. What recommendations would you give to civilians to keep them safe following an attack on the UK’s CNI?
1. Listen carefully to government channels (i.e., local news and radio stations) for updates regarding the situation.
2. Be aware of fake news and keep calm.
3. Remain safe, don’t take unnecessary risks, be vigilant and report suspicious incidents immediately.
4. Take advantage of communities and neighbours to support each other and share in resources until critical systems come online.
Eric O’Neill, National Security Strategist at Carbon Black