Critical infrastructure: Downtime is simply not an option.
The British government has recently taken bold steps towards improving security measures in critical infrastructure organisations, safeguarding the welfare of essential services in the process. New regulators have been appointed to enforce the measures, while leaders in the sector are being warned to boost cyber security in their organisation, or face significant fines of up to £17 million.

The aim is to make critical infrastructure more resilient to the major disruption that could be caused by things like power outages, hardware failures and environmental issues. But the ramped-up approach also takes into account the fact that critical infrastructure is increasingly a target for cyber-attacks. Who could forget the power outages that hit the Ukraine in December 2015? Experts at the National Cyber Security Centre say that Russia was almost certainly responsible, though according to the head of one security firm, it's now North Korea that poses the biggest threat of large-scale attacks.

Whatever the facts, one thing's for sure: we have entered a ‘new era of warfare’ and our critical infrastructure organisations need to be better primed for the inevitability of cyber-crime.

A matter of when, not if

According to the head of the UK's National Cyber Security Centre, Ciaran Martin, a major cyber-attack on the UK ‘is a matter of when, not if’. He says, ‘We will be fortunate to come to the end of the decade without having to trigger a category one attack.’

A ‘category one’ attack is the kind that brings down any element of critical infrastructure, the consequences of which are potentially catastrophic – and not just in terms of business continuity and reputational damage, or lost revenue, privacy and trust.

Indeed, there are far bigger issues at stake when it comes to critical infrastructure being compromised. The crippling ramifications it could have on daily life and public welfare, for instance, range all the way from economic chaos to the disruption of essential services. Or, in worst-case scenarios, citizen injury or death.

Worryingly, as a community we're still a long way from even understanding the causes of these infrastructure breaches. A 2015 Black Hat investigation found that hackers have been penetrating systems for at least a decade, with little known about how they gain access. And little has changed since then. With prevention and proactive response both struggling, back-up becomes increasingly vital.

The vulnerability problem

When the NHS was hit by the WannaCry ransomware attack in 2017 (an attack that wasn't even particularly sophisticated), it was thanks to basic cyber-vulnerabilities that could have been addressed. It's thought that cyber-security recommendations had not been followed. The result? Thousands of cancelled hospital appointments, computers shut down in hundreds of GP surgeries, and a total of five hospitals having to divert ambulances.

But vulnerabilities in our critical infrastructure aren't only caused by failure to comply with security standards. Nor are they necessarily caused by lack of awareness on the part of industry bosses. Instead, a big part of the problem is that many of the key computer systems that run critical infrastructure are legacy – powerful, yes, but not fit for modern day protection against hackers.

These industrial-grade security systems are designed to protect physical assets and entry points, but as more critical public services become supported by data networks and cloud-hosted assets, the shift to bolster cyber-security is becoming a matter deserving urgent attention.

Availability is key

In a way, this latest move by the UK government acknowledges the role of cloud services in critical infrastructure for the first time. As the measures gain traction, critical infrastructure organisations should see 2018 as ‘an opportunity to put mechanisms in place that drive real improvements to national cyber security’.

IT leaders in the industry must be given the support and budget to bolster their data networks and develop robust business continuity systems. Simply having a data back-up system is no longer enough; it's vital that critical infrastructure providers embed orchestration and automation as core components of their networks if they are to meet the latest recovery objectives and ensure minimal disruption to business availability and – crucially – to public welfare.

Whether an attack is made through sheer devilment or outright warfare, it could debilitate essential services – which is not a risk that providers should be willing to take, especially when we're talking about the very services that are vital to the proper functioning of the economy and society, like power grids, water supplies, transport networks; public health, financial and security services; electricity, gas, agriculture, telecoms – the list goes on.

The point is simple: when it comes to critical infrastructure, downtime simply isn't an option. The impending regulatory penalties for organisations that don't get their security act together are not just arbitrary fines. They're an object lesson in the importance of available critical infrastructure, for the sake of business continuity and public welfare alike.

Contributed by Mark Adams, Regional VP, UK&I at Veeam

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.