The UK’s Critical National Infrastructure (CNI) is a pivotal part of the country’s economic stability, national security, and public well-being. But it is facing cyberattacks at an alarming rate. According to the country’s cybersecurity chief, the UK is underestimating the severity of this threat. CNI relies heavily on digital systems, which are becoming increasingly interconnected – from healthcare to utilities – making these organisations more vulnerable to cyber threats and a prime target for cybercriminals and hostile state actors.
CNI systems have become an integral part of everyday life, and when these systems are disrupted, the results can be chaotic. A network breach isn’t just a remote event – it can be a form of invasion. If a hostile body gains access to CNI, they gain the opportunity to exercise control over a country’s public services and steal sensitive data.
Richard Horne, head of GCHQ’s National Cyber Security Centre, recently argued that hostile activity against the UK has increased in “frequency, sophistication, and intensity”. Before Russia invaded Ukraine almost two years ago, it opened its attack with Distributed Denial of Service (DDoS) campaigns aimed at various parts of Ukrainian CNI, with a view to diverting Ukraine’s attention and weakening its defences. In the run-up to the invasion, the number of DDoS attacks originating in Russia rose by 450%, which exemplifies Horne’s point.
Working with CNI and operational technology (OT) systems often means dealing with legacy infrastructure. As industries have become increasingly digitalised, OT systems have gradually been integrated with IT networks, and security was not a priority when the networks governing CNI were designed. As a result, gaps have formed in its defences, and attackers are exploiting those gaps to the full.
The UK is the third most targeted country for cyber-attacks, behind Ukraine and the US. This situation is still partly a result of Russia’s invasion of Ukraine, with Russian hacker groups themselves confirming that they aim to target the UK’s CNI. For example, when one of the members of the pro-Russia group Killnet was arrested, the group threatened to take down life-saving ventilators in British hospitals in response.
MI5’s Director General, Ken McCallum, recently described the landscape as “the most complex and interconnected threat environment we’ve ever seen.” Despite efforts to curb the influence of nations such as Russia through sanctions and by reducing the number of embassy-based intelligence operatives, cyberattacks are growing in significance. As those sanctions bite, cyberattacks become an even more important attack vector for countries like Russia, increasing risk levels in the UK.
Always-on connectivity is the catalyst for risk
As globalisation has transformed supply chains, the opportunity for cybersecurity breaches has grown. It is therefore vital not to skip procurement steps when it comes to CNI. All network components and supply chains must be carefully vetted, including third-party links and any exposure to potentially hostile nation-states. Any network component should be sourced from NATO-member countries. No matter the security measures, one weak link has the capacity to expose an entire network.
Next, it’s essential to assess how systems are set up in the first place and how security is incorporated into networks. It’s often assumed that because CNI is, as the name suggests, critical, its digital infrastructure needs to be online at all times. Across organisations this has produced an ‘always-on’ mindset that can do more harm than good. Any device that is connected to the internet is at risk of cyberattack, and by keeping devices constantly online, the window of opportunity is held wide open for malicious actors.
CNI organisations therefore must truly rethink their ‘always-on’ status. As the MI5 Director General argued, “it’s hard to overstate the centrality of the online world in enabling today’s threats.” We need to assess where and when it is truly necessary to connect CNI to the internet, and what the alternative is.
Calls for UK legislation to mandate cyber resilience standards for CNI have increased in recent years, and how we approach protecting these systems needs to be reconsidered. Simply digitalising systems with a cybersecurity solution as an afterthought or tick-box exercise isn’t enough.
Organisations can begin by rethinking which parts of their networks must be kept online at all times. By implementing firebreaks within the networks that manage CNI, the entire network, or parts of it, can be disconnected from the internet when not in use, minimising the attack surface and therefore the risk to CNI. Ensuring that the disconnection trigger does not itself rely on an internet connection makes it possible to fully isolate systems from attack: networks are physically segmented, critical assets and data are protected, and threats or breaches are contained when they arise.
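The following is an added illustrative model of the firebreak idea described above; it is not code from the original article or from Goldilock, and it models the concept rather than any real product. It assumes two constructed OT segments with scheduled connectivity windows, an out-of-band control channel that is independent of the internet uplink, and a constructed connectivity log that an auditor can check for segments observed online outside their permitted windows. It also goes slightly beyond the text by quantifying the reduction in weekly exposure hours against an always-on baseline.

```python
"""Illustrative firebreak controller (added example, not Goldilock code).

Segments are only connected to the internet during scheduled windows. The
reconcile step and its actuation travel over an assumed out-of-band channel,
so they work whether or not the internet uplink is up; losing even that
channel fails safe by disconnecting everything. Segment names, schedules and
the log lines below are constructed for this example."""
from dataclasses import dataclass
from datetime import date, datetime, time

ALWAYS_ON_HOURS = 24 * 7  # exposure of a segment that is never disconnected


@dataclass(frozen=True)
class Window:
    """A period during which a segment may be online (weekday: Monday = 0)."""
    weekday: int
    start: time
    end: time

    def contains(self, ts: datetime) -> bool:
        return ts.weekday() == self.weekday and self.start <= ts.time() < self.end

    def hours(self) -> float:
        anchor = date(2000, 1, 1)  # any date; only the time difference matters
        delta = datetime.combine(anchor, self.end) - datetime.combine(anchor, self.start)
        return delta.total_seconds() / 3600


@dataclass
class Segment:
    name: str
    windows: tuple           # permitted online windows for this segment
    connected: bool = False  # current state of the physical link


class Firebreak:
    def __init__(self, segments):
        self.segments = {s.name: s for s in segments}

    def allowed(self, name: str, ts: datetime) -> bool:
        return any(w.contains(ts) for w in self.segments[name].windows)

    def reconcile(self, ts: datetime, internet_up: bool, oob_channel_up: bool) -> dict:
        """Drive every segment to its policy state and return the actions taken.

        internet_up is accepted but deliberately never consulted: the trigger
        must not depend on the very link it is meant to cut. If the out-of-band
        channel is down, every segment is forced offline (fail safe)."""
        actions = {}
        for seg in self.segments.values():
            target = self.allowed(seg.name, ts) if oob_channel_up else False
            if seg.connected != target:
                seg.connected = target
                actions[seg.name] = "connect" if target else "disconnect"
        return actions

    def weekly_exposure_hours(self, name: str) -> float:
        return sum(w.hours() for w in self.segments[name].windows)


def parse_ts(text: str) -> datetime:
    return datetime.fromisoformat(text)


def audit(log_lines, firebreak: Firebreak):
    """Detection: flag any 'up' observation outside the segment's windows.

    Each constructed log line is 'ISO timestamp,segment,up|down'. A hit means
    the link was online when policy said it should be isolated, which is
    worth investigating as a bypass or a mis-set schedule."""
    violations = []
    for line in log_lines:
        ts_text, name, state = line.strip().split(",")
        if state == "up" and not firebreak.allowed(name, parse_ts(ts_text)):
            violations.append((name, ts_text))
    return violations


def demo_firebreak() -> Firebreak:
    """Two constructed segments: a historian online in office hours Mon-Fri,
    and a PLC network reachable only for a Tuesday 02:00-04:00 maintenance slot."""
    office_hours = tuple(Window(d, time(9), time(17)) for d in range(5))
    maintenance = (Window(1, time(2), time(4)),)
    return Firebreak([Segment("scada-historian", office_hours),
                      Segment("pump-plc", maintenance)])


# Constructed log: 2024-03-04 is a Monday, 2024-03-05 a Tuesday, 2024-03-09 a Saturday.
SAMPLE_LOG = [
    "2024-03-04T10:00:00,scada-historian,up",   # inside office hours: fine
    "2024-03-04T22:15:00,scada-historian,up",   # evening: should be isolated
    "2024-03-05T03:00:00,pump-plc,up",          # maintenance slot: fine
    "2024-03-09T03:00:00,pump-plc,up",          # Saturday: should be isolated
]

if __name__ == "__main__":
    fb = demo_firebreak()
    for name in fb.segments:
        print(f"{name}: {fb.weekly_exposure_hours(name)}h/week exposed vs {ALWAYS_ON_HOURS}h always-on")
    print("Monday 10:00, internet down:", fb.reconcile(parse_ts("2024-03-04T10:00:00"), False, True))
    print("Policy violations:", audit(SAMPLE_LOG, fb))
```

The point of the model is the separation of concerns in `reconcile`: the decision to isolate a segment, and the command that enforces it, never route through the internet link, so an attacker who already controls that link cannot keep a segment online past its window. The `audit` function is the matching detection step, comparing observed link state against the schedule so that a bypass or a badly configured window shows up as a concrete finding.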
Building a properly layered defence on top of a layer-1 foundation of physical air-gapping gives total control over infrastructure that is constantly under threat of attack. A successful breach can have far-reaching consequences, including an impact on public safety. Ultimately, the ability to disconnect and reconnect networks will protect CNI from cyber-attacks, no matter who is behind them.
ABOUT THE AUTHOR: Tony Hasek is CEO and co-founder of Goldilock