Wednesday, December 25, 2024

Defence contractor warns cyber threats against UK critical national infrastructure are ‘evolving’ | New Civil Engineer


Cyber threats against critical national infrastructure (CNI) are evolving and the people responsible for ensuring these assets’ security must develop greater awareness, a defence expert has warned.

A flurry of cyberattacks was reported in the UK in the first half of 2024. In early May, the BBC reported a “hack” resulting in a “significant data breach” of payroll information at the Ministry of Defence. The report emerged on 6 May, and on 7 May then-defence secretary Grant Shapps said state involvement could not be ruled out.

In the hours and days following, at least two more cyber-related incidents hit NHS Scotland and the UK Border Force.

In fact, the vast majority (93%) of organisations in the CNI sector have observed an increase in cyber attacks, according to the 2024 Data Threat Report from defence contractor Thales.

The report found that 42% of critical infrastructure organisations have suffered a data breach and the most common threats encountered were malware, phishing and ransomware.

It said 24% of CNI organisations said they had fallen victim to a ransomware attack in the past year, with 11% paying the ransom.

Human error was the main cause of vulnerabilities, accounting for 34% of attacks while 31% were due to the exploitation of a known vulnerability.

Three in 10 CNI organisations reported insider threat incidents and 20% of cases blamed a failure to apply multifactor authentication to privileged accounts.

Commenting on the report, Thales UK managing director for cyber security and trust Tony Burton told NCE: “The 2024 report […] is all about the global trends in threats and how that affects the various different sectors and sub-sectors including critical national infrastructure.”

He said the report covers the “technology and security implications of how those threats are evolving”.

It is often difficult for CNI organisations to explain to the public what they are doing to protect themselves, and therefore the public, from cyber threats, because doing so could give critical information to malign actors.

Burton said “there is always a sensitivity” around public information sharing in the debate around cybersecurity.

However, he went on to say that “the more that people are starting to open up and share the information that they’re willing to around what attacks they’ve been subject to, they don’t necessarily have to share the impact of that attack, but the very fact that they have been attacked with ransomware and things like that is at least a good indicator to how things are changing over time”.

Burton added that organisations in the CNI sector and beyond “are becoming more willing and able to share at least some of the information between security operations centers”. This includes sharing it with the likes of the NCSC (National Cyber Security Centre) so that the NCSC can act as the arbiter of how much of that data gets out into the public domain.

“There are mechanisms to be able to allow that information to flow in and out of NCSC,” Burton continued.

“We’re not at the point yet, where owners and operators of critical national infrastructure are willing to freely share too much data across their boundaries for obvious reasons and I think that will probably be the case for some time yet.”

Skills and training are needed to keep CNI managers up to date on how to respond to cyber threats.

Burton said the classification of cybersecurity threats by CNI managers has improved over recent years, but added: “I think that we still operate in a world where there are not enough skills and capabilities to go round.

“There’s a specific set of problems in CNI and training and awareness is absolutely critical. And what I mean by that is CNI has to worry a lot more about operational technology as well as information technology.”

While there are “lots of well-established principles” for dealing with things in the information technology and the enterprise space, Burton said that operational technology, particularly in critical national infrastructure, “has a real legacy challenge”.

“There’s lots of brownfield stuff that’s deployed all over the country dug into the ground in remote locations,” he explained. “And some of these things operate on quite old technology and old versions of Windows and therefore they are more vulnerable to attack.”

Growing networks have made this vulnerability more widespread.

“From the IT space and the enterprise space, a lot of that attack surface has been closed down, because it’s much easier to do that when it’s all connected,” he said. “But when you’ve got stuff that’s distributed around the country to run, whether it’s the electricity grid or gas or water, and these things are on ageing operating systems, different protocols, they’re still connected in some way shape or form, but they’re not perhaps as well protected as a Cisco router or a firewall switch or something like that.”

He said people responsible for cyber security in the CNI sector need to understand that they “don’t have the option to switch it off and on again when you’re running a big part of the national grid or you’re running a part of the gas network”.

Burton emphasised how important it is to treat CNI as part of the defensive apparatus of the UK.

“You can’t ignore critical national infrastructure when you talk about the security of the UK,” he said.

“The defence and security reviews [recognise the importance of protecting CNI] and appointed the NCSC to make sure that they were setting the bar in terms of the guidance.”

He said policies, guidance and best practice for critical national infrastructure are set by the NCSC.

“Increasingly the NCSC is looking towards being able to make sure that CNI owners and operators are able to not just train but also to test and to exercise at scale elements of the critical national infrastructure,” he said.

Regarding the introduction of artificial intelligence (AI) into the suite of offensive cyberwarfare tools, Burton said “the genie is a little bit out of the bottle”.

On 17 May, CNN reported that Arup had been scammed out of HK$200M (£20.2M) after one of its finance employees in its Hong Kong office was targeted by email phishing and a sophisticated deepfake video call featuring faked versions of Arup’s chief financial officer and other senior finance employees.

CNN quoted Arup East Asia regional chairman Michael Kwok as having said that the “frequency and sophistication of these attacks are rapidly increasing globally, and we all have a duty to stay informed and alert about how to spot different techniques used by scammers”.

Burton said the UK is “playing catch up now as a country” to respond to AI threats but said that applies to the US and other countries too.

“We’re having to do almost a rearguard action.”

CNI owners respond

Representatives of organisations in the CNI space understandably couldn’t share much, but said they were monitoring the situation closely.

A Network Rail spokesperson said: “Safety is our top priority, which is why we work closely with government, the security services, our partners and suppliers in the rail industry and security specialists to combat cyber threats.

“Our cyber-security is constantly under review and we are always monitoring global security risks and their potential impact on our railway.”

A National Highways spokesperson said: “National Highways has a dedicated security team that remains up to date with the latest developments in the cyber security landscape.

“This team actively engages with the government, professional cybersecurity bodies, and our supply chain to ensure that our security posture is both current and robust.

“Additionally, we conduct regular security assessments and incident response exercises. These efforts help us anticipate future risks and adapt our strategies to ensure the safe and secure operation of the strategic road network.”

An Energy Networks Association spokesperson said: “Like other critical national infrastructure operators, cyber security is one of the core risks that our members manage on a daily basis.

“Cyber threats are dynamic and evolving, and our members work closely with government and security experts to assess and mitigate the latest risks.”

Cybersecurity firm echoes warning

Another cybersecurity firm, Egress, which is part of the KnowBe4 group, also responded to the report from Thales.

Egress senior vice president of threat intelligence Jack Chapman said: “Critical infrastructure organisations are indispensable to the smooth functioning of modern society. As such, a successful cyberattack against one of these institutions has serious repercussions.

“Reliant on interconnected systems, a CNI’s supply chain becomes its weakest link, creating vulnerabilities that can lead to widespread disruptions, compromising the integrity and stability of these essential services.

“The reported increase in ransomware attacks against these institutions is deeply concerning. Without proper regulations or standardized procedures in place for organisations to effectively deal with ransomware attacks, the risk of extensive damage and prolonged service disruptions grows significantly.

“There is an additional danger that if CNI institutions pay the demanded ransoms, cybercriminals are not only funded for future campaigns but are also likely to strike again if victims show a willingness to engage in this type of criminal activity.

“The UK is in desperate need of a formalised process and even a potential ban on ransom payments; otherwise, we will continue to see an increase in ransom attacks against CNI and their supply chains every year.”
