Covert warfare: How likely are attacks on the UK's critical infrastructure?

Attacks on critical national infrastructure are growing in number and sophistication. So how big is the UK's risk?

The shift from physical to cyber-warfare has seen a surge in attacks on critical infrastructure. In 2010, the now infamous Stuxnet worm was discovered after it ravaged an Iranian nuclear facility. More recently, Industroyer, the first known malware to target electrical grids, is thought to have been used in a 2016 attack on Ukraine's national grid.

Meanwhile, in November this year, National Cyber Security Centre chief Ciaran Martin confirmed that the Kremlin had ordered a cyber-assault on the UK's major power companies in a bid to disrupt international order.

Also in the UK, the WannaCry ransomware cryptoworm that hit the NHS – blamed on out-of-date Windows XP systems – was a wake-up call. Although the NHS was not specifically targeted, it showed what can happen when a critical organisation is brought to a standstill.

It is with this devastation in mind that the European Parliament's network and information security (NIS) directive last year introduced minimum standards on critical infrastructure operators. The energy, transport, water, banking and healthcare sectors are included in its definition of such “essential services”. 

Among its aims, the directive wants to step up cooperation among EU countries and service providers to help prevent attacks on interconnected infrastructure. Under NIS, organisations could be liable for fines of up to £17 million or four percent of global turnover if they suffer a breach. 

However, experts are warning that the UK's critical infrastructure is at risk from distributed denial of service (DDoS) attacks. This is due to a failure to carry out basic security defence work, according to data obtained by Corero Network Security under the Freedom of Information Act. Corero's research revealed that 39 percent of respondents to a survey had not completed the government's '10 Steps to Cyber Security' programme, which was first issued in 2012.

It is a grave concern, given the vulnerability of the supervisory control and data acquisition (SCADA) based systems traditionally used by critical organisations such as power stations. Indeed, these were typically designed pre-internet and were never intended to be connected, says Vince Warrington, director at Protective Intelligence.

The risk to critical systems has always been there, but an increasingly connected environment has compounded it, says Jamal Elmellas, CTO at Auriga Consulting. “The risk is large for the UK, because we are more connected than we have ever been. This creates more surface area for attack.” 

Making things worse, he says: “There are a series of countries that are fully aware that a covert strategy is more effective – rather than all-out war – and they are seizing upon it.”

Elmellas says attacks on critical systems are “predominantly DDoS” because that causes the most disruption. “There is no reason you would want to attack a power network for financial gain. The biggest impact, particularly from nation to nation, is made by crippling infrastructure.”

However, such systems face a particularly complex and damaging form of DDoS, he says. “It's not just bots firing at infrastructure,” Elmellas explains. “It's usually an advanced persistent threat – where intelligent pieces of malware embed themselves in key systems and manifest.”

Devastation from DDoS

DDoS is particularly devastating because times to respond to an attack – let alone to mitigate one – are in tens of minutes, says Andrew Lloyd, Corero's president of sales and marketing. “If an air traffic controller is DDoS-ed and taken offline, is it ok that we don't have air traffic control for more than 10 minutes?”


However, at the same time, Jason Hart, CTO of data protection at Gemalto, points out that power stations and other industrial SCADA systems connected to the internet have a manual override switch. He says, therefore, that they are more at risk from another form of attack: one on the integrity of the system.


He explains: “A breach is about confidentiality, integrity and availability. If the availability of the system is targeted, it can manually override this so the underlying critical system will have the ability to shut down if needed.”

Therefore, he says: “What we need to worry about is the integrity of the data: What if attackers get in and alter the data that the SCADA system uses to make decisions?”

Hart suggests attackers could gain access through a SQL injection, or weak passwords. In the NHS, he points out, it would be “a massive problem” if patient data is altered or changed.

However, Elmellas points out that some systems need to be online to function.

In addition, DDoS often takes the form of short, low-volume ‘stealth’ attacks that go unnoticed, allowing adversaries to cause devastation without alerting security staff. Lloyd points out that malware is often planted following successful DDoS attacks – and this can go unnoticed. “The DDoS is the horse that knocks down the walls and then the malware and ransomware gets in.”

At the same time, some commentators question how likely an attack on UK infrastructure would be, since the obvious response is retaliation. Due to the risk of escalation, Warrington doesn't think the UK is currently under threat from a large scale targeted attack. “If you are a country and want to knock off the power grid, but there is no conflict, then why would you do that? I can see scenarios where someone would take down the national grid, but this would be followed by missiles. It's when one country is trying to take down another.”

Others disagree, citing multiple suspected attacks that have taken place already. Elmellas says the obvious perpetrators would be North Korea or Russia. 

Jalal Bouhdada, founder and principal ICS security consultant at Applied Risk, says government agencies are a risk – including the Chinese and Russians. “Russia is very active and they are preparing themselves.”


If there was to be an attack, Warrington thinks the energy sector is the most vulnerable. “You don't build a power station overnight. It would not surprise me if some of the power stations have systems even older than [Windows] XP: they were never designed to be connected to the internet. It's a massive job to replace them.”

So how can organisations involved in these critical sectors stay secure? It is integral to get the basics right, says Warrington. “We have been talking about this for a few years now but the NIS directive forces critical organisations to take it seriously. You shouldn't be able to plug a USB stick into a laptop that's connected to a power station. You need extra layers of defence around it.”

Taking this into account, Warrington advises: “Instead of taking a power station out for a year to upgrade say, ‘we accept these systems are vulnerable’ and implement layers of security to protect them. You must consider things like restricting physical access.”

“You have to think like an attacker, considering where there are vulnerabilities,” he adds. 

With this in mind, he also thinks organisations such as power stations need to undergo physical penetration testing. “Are people going to try and get into your buildings to cause disruption? You don't storm the front doors when attacking critical national infrastructure – you try and find laptops that are unlocked.”

Azeem Aleem, director of advanced cyber defence practice EMEA at RSA Security, says organisations need to face these challenges “head on”. He explains: “The only way to do this is by having visibility and context. This means conducting a thorough risk assessment, understanding the dependencies between systems, using threat detection to monitor and alert on attacks, and contextualising results in order to prioritise events.”

Protecting critical systems

Hart advises removing static passwords and identifying whether key data sets are susceptible, applying encryption and appropriate key management. “If any data is at risk, we need security controls to be as close to the data as possible. It's simple, but lots of people aren't doing it. It's about authentication, encryption and key management – those three controls.”

Meanwhile, specific critical industries are taking steps to protect against crippling attacks. For example, banks are tackling the issue with CBEST – a Bank of England initiative. “This is threat intelligence led penetration testing done on live systems,” says Warrington. 

And overall, despite the risk, Elmellas thinks the UK has been “pretty good” at securing its critical infrastructure. “In many cases, we are surrounding the embedded pieces of code that we can't patch in compensating controls such as firewalls, so we are almost making our old environment fit for purpose. That is our biggest strategic defence.”

Meanwhile, Ken Munro, security researcher at Pen Test Partners agrees that the UK's conventional critical national infrastructure is “in a relatively good state”. However, he advises organisations to have a response plan in place. “It's an arms race and we need to make sure we are ahead of everyone else.”

Bouhdada also advises organisations to conduct a risk assessment, implement security controls and ensure they have adequate incident response. “And the most important part to focus on is people.”

In addition, he says: “We cannot ignore artificial intelligence (AI), which will allow adversaries to use machine learning to conduct all kinds of attacks. Protection is about collaboration, information sharing, and being proactive and well-prepared.”