Best practice CNI defence should emphasise resilience, not just compliance

Across all parts of critical national infrastructure, we are seeing a greater number of sophisticated and damaging cyber-threats, many of them attributed to foreign governments seeking to cause political upheaval. In recent weeks the US and UK governments accused Russia of launching cyber-attacks on routers, firewalls and other networking equipment used by government agencies, businesses and critical infrastructure operators around the globe.

Previous reports have also highlighted the dangers of infrastructure attacks, such as last year's attack on a Saudi Arabian petrochemical plant and Russia's wide-ranging cyber-assault on the US energy grid. Ciaran Martin, the head of the National Cyber Security Centre (NCSC) warned in January that he expects the UK to suffer a major, crippling cyber-attack against its critical infrastructure within the next two years.

We are clearly at a turning point in terms of protecting these systems. Operators of essential services need to stay up-to-date with both the cyber-security challenges and the methods available to monitor and mitigate threats. Nation state attackers are well aware of the loss of public confidence and the political fallout that a successful attack on an operator's online systems would cause, and, even more worryingly, of the safety risk posed by cyber-attacks on control networks. Whether the imperative is reputation, compliance or safety, the ability of these systems to withstand today's cyber-attacks must be addressed.

Industrial control systems at risk

Best practice, including the recently published guidance from the NCSC, implores operators to isolate their control systems from the Internet. In an ever more connected, Internet of Things (IoT) enabled world, the pursuit of convenience and productivity often means that this "air gap" no longer exists in practice. This potentially exposes industrial control systems to the full spectrum of damaging cyber-attacks.

For example, DDoS attacks can be used to disrupt the availability of critical services and, in the process, to degrade the systems that deliver them. Once those systems are compromised, attackers may be able to plant weaponised malware and/or steal data. Within the last year, separate DDoS attacks against railway operators in Sweden and Denmark caused train delays, disrupted travel services and made it all but impossible to buy a ticket. In the UK, the WannaCry ransomware outbreak in May 2017 blocked access to medical records and caused poorly maintained medical equipment to fail, demonstrating the capacity of cyber-attacks to cut people off from essential services.

To investigate this issue, Corero carried out a Freedom of Information study last year, which found that over a third (39 percent) of UK critical infrastructure operators had not completed the basic cyber-security programme issued by the UK government (the '10 Steps to Cyber Security'). Alarmingly, the responses also showed that 51 percent of critical infrastructure organisations are potentially vulnerable to the most common DDoS attacks, those of short duration and modest volume, because they have not deployed technology capable of detecting or mitigating such attacks. Modern DDoS attacks represent a serious security and availability challenge for infrastructure operators because even a short attack can significantly disrupt the delivery of essential services.
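The point about short-duration, modest-volume attacks deserves a concrete illustration. An added example, not part of the original article and not Corero's code: it constructs a five-minute window of per-second traffic readings (a quiet 100 Mbps baseline with a 30-second, 2 Gbps burst in the middle) and runs two detectors over it. A detector that only alarms on the five-minute mean never fires, because the burst is diluted by 270 quiet seconds; a per-second burst detector reports the attack with its start time, duration and peak rate. The threshold values, the `FlowSample`/`Burst` types and the traffic itself are all assumptions made up for the example.

```python
"""
Constructed example: why a short DDoS burst slips past a detector that only
looks at the five-minute average, while a per-second burst detector sees it.
All thresholds and the traffic sample below are hypothetical.
"""
from dataclasses import dataclass
from typing import Iterable, List

WINDOW_SECONDS = 300          # the coarse detector averages over five minutes
AVG_THRESHOLD_MBPS = 500.0    # hypothetical alarm level for the window mean
BURST_THRESHOLD_MBPS = 800.0  # hypothetical per-second alarm level
BURST_MIN_SECONDS = 3         # ignore single-second blips


@dataclass(frozen=True)
class FlowSample:
    second: int      # offset from the start of the observation window
    mbits: float     # megabits observed in that second


@dataclass(frozen=True)
class Burst:
    start_second: int
    seconds: int
    peak_mbps: float


def constructed_traffic(burst_start: int = 120, burst_len: int = 30,
                        burst_mbps: float = 2000.0) -> List[FlowSample]:
    """Build a deterministic five-minute sample (constructed, not captured):
    a ~100-112 Mbps baseline with one burst of burst_len seconds."""
    samples = []
    for t in range(WINDOW_SECONDS):
        mbits = 100.0 + 2 * (t % 7)          # gentle, repeatable baseline wobble
        if burst_start <= t < burst_start + burst_len:
            mbits = burst_mbps
        samples.append(FlowSample(t, mbits))
    return samples


def mean_rate_mbps(samples: Iterable[FlowSample],
                   window: int = WINDOW_SECONDS) -> float:
    """Mean rate over the whole window, as a coarse monitor would compute it."""
    return sum(s.mbits for s in samples) / window


def average_rate_alarm(samples: Iterable[FlowSample],
                       threshold_mbps: float = AVG_THRESHOLD_MBPS) -> bool:
    """Coarse detector: alarms only when the whole-window mean exceeds threshold."""
    return mean_rate_mbps(list(samples)) > threshold_mbps


def burst_alarms(samples: Iterable[FlowSample],
                 threshold_mbps: float = BURST_THRESHOLD_MBPS,
                 min_seconds: int = BURST_MIN_SECONDS) -> List[Burst]:
    """Fine-grained detector: reports every run of at least min_seconds
    consecutive seconds whose rate exceeds threshold_mbps."""
    alarms: List[Burst] = []
    run_start = None
    run_len = 0
    peak = 0.0
    prev_second = None
    for s in sorted(samples, key=lambda x: x.second):
        above = s.mbits > threshold_mbps
        contiguous = prev_second is not None and s.second == prev_second + 1
        if above and run_start is not None and contiguous:
            run_len += 1
            peak = max(peak, s.mbits)
        else:
            # A run has ended (or a gap in the data broke it): emit it if long enough.
            if run_start is not None and run_len >= min_seconds:
                alarms.append(Burst(run_start, run_len, peak))
            if above:
                run_start, run_len, peak = s.second, 1, s.mbits
            else:
                run_start, run_len, peak = None, 0, 0.0
        prev_second = s.second
    if run_start is not None and run_len >= min_seconds:
        alarms.append(Burst(run_start, run_len, peak))
    return alarms


if __name__ == "__main__":
    traffic = constructed_traffic()
    print(f"window mean: {mean_rate_mbps(traffic):.1f} Mbps, "
          f"average detector alarmed: {average_rate_alarm(traffic)}")
    for b in burst_alarms(traffic):
        print(f"burst detector: {b.seconds}s burst from t={b.start_second}s, "
              f"peak {b.peak_mbps:.0f} Mbps")
```

The two detectors are complementary rather than alternatives: a sustained 600 Mbps flood trips the average detector and not the burst detector, and the 30-second spike does the reverse. Whichever product or flow source is used, the practical check is whether the monitoring interval is shorter than the attacks being defended against; five-minute counters from sampled flow exports cannot resolve a thirty-second event.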

The NIS Regulations – a golden opportunity for change?

The pressure is now on for the cyber-security community and governments to really focus on this issue in the face of increasing nation state attacks. In this light, the UK government's new legislation, the NIS Regulations, which provides for penalties of up to £17 million on any of the 432 identified operators of essential services that fail to protect their networks against cyber-attacks, is an important step. But despite the political rhetoric and the threat of fines, how much difference to our national security will the NIS Regulations really make?

In January, the NCSC published its initial guidance for organisations looking to comply with the NIS Regulations. This was extended to include the new Cyber Assessment Framework (CAF) at the end of April. The measures outlined so far are heavily weighted towards reactive attack reporting rather than advising organisations on how to shore up their perimeter with proactive defences. As an example, within the guidance organisations are asked to define their own risk profile and then demonstrate their resilience against that profile, the equivalent of being allowed to mark your own homework.

However, there is cause for optimism within the legislation. Just as with GDPR, the key phrase "state of the art" appears within the operators' security duties: "measures taken must, having regard to the state of the art, ensure a level of security of network and information systems appropriate to the risk posed". The intended outcome of NIS should genuinely be tied to resilience against cyber-attacks, meaning that our healthcare, transportation, energy and drinking water services should be required to remain available during an attack.

That said, the balance of both the legislation and the current messaging from government and the regulatory authorities suggests far more emphasis on disclosure and recovery from failure than on investing in genuine resilience. There is a very real risk that, for the foreseeable future, NIS will be treated as a "tick box" exercise. If this is allowed to happen then the golden opportunity will have been squandered.

Contributed by Andrew Lloyd, president at Corero Network Security.

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.