Why it’s vital to prevent cyberattacks on our critical infrastructure

Paul Farrington, CPO at Glasswall, discusses the impact of cyberattacks on critical national infrastructure (CNI) organisations.

Posted 15 August 2022 by Christine Horton

The fallout of a successful cyberattack on an organisation in any industry can cause operational paralysis, data leakage, and significant financial and reputational damage. For critical national infrastructure (CNI) organisations, however, an attack can take an additional toll on key public services.

With geopolitical tensions brewing since the Russian invasion of Ukraine, research reveals that more than 70 percent of UK CNI providers have seen an increase in cyberattacks since the start of the war, and attacks of this frequency and scale are likely to continue. Seventy-eight percent of the more than 520 security decision-makers surveyed in the communications, utilities, finance, government, and transport and aviation sectors expressed concerns about the threat of cyber warfare against the UK’s CNI, and a quarter are concerned that their own systems are vulnerable.

The National Cyber Security Centre (NCSC) and international partner organisations have attributed some high-profile attacks to Russian state actors, such as the Viasat incident at the outset of the Ukraine invasion, which caused an internet outage and disrupted wind farms in Europe. These agencies advise organisations to bolster their defences for an increasingly challenging cyber landscape.

What is CNI and why does its cybersecurity matter?

The UK Government defines critical infrastructure as “Critical elements of Infrastructure, the loss or compromise of which would result in major detrimental impact on the availability, delivery or integrity of essential services, leading to severe economic or social consequences or to loss of life”.

Potential threats include destructive malware, DDoS attacks, cyber espionage, ransomware, focused attacks from hostile states and criminals, and accidental data loss. These and other cyber incidents have the potential to cause chaos and devastation, especially in sectors such as healthcare and transport on which citizens’ lives depend.

Rising threat levels

With the pandemic accelerating digitalisation, and sensitive data held on ever more distributed devices and networks, the attack surface available to threat actors has grown. Even the smallest Internet of Things (IoT) devices have now become possible gateways into critical networks.

Formal cybersecurity guidance has stepped up a level with the recent ‘Five Eyes’ cybersecurity advisory issued by the intelligence agencies of the US, UK, Canada, Australia, and New Zealand. The advisory highlights the very real risks of state-sponsored attacks, in particular those aimed at CNI providers, and aims to bolster the security posture of the UK’s most critical assets.

Increase in attack frequency and costs

The recent surge in attacks includes disruption at UK councils and key infrastructure providers. To name just two recent examples, Yodel suffered disruption to its UK services following a cyberattack, and the Irish Health Service Executive experienced a costly ransomware attack.

The UK is learning from the reactive security strategies of US victims, such as last year’s attack on Colonial Pipeline, which halted the supply of almost half of the fuel consumed on the East Coast of the United States. Although a system restart plan was implemented post-attack, much of the damage had already been done. The costs of these attacks are spiralling in terms of ransom demands, loss of revenue, and expensive recovery activities.

Where are security tactics going wrong?

Although cybersecurity ranks highly on the boardroom agenda, strategies must be aligned to today’s threat levels and be proactive enough to ward off threats before they can occur, with instant recovery plans in place. With approximately 1 in every 100,000 files containing potentially malicious content, being targeted is now unavoidable.

The vast majority of organisations take a reactive, detection-based security approach to malware and ransomware. This typically relies on antivirus and sandboxing technology, which can create serious cybersecurity blind spots. These complex security solutions add pressure on busy security teams and can take days or even weeks to clear files and documents. As a result, malware and ransomware can lie undetected on network infrastructure for up to 18 days before reactive solutions respond.

To compound the issue, roughly 70 percent of malware identified in files is of an unknown variant when it is received, which renders it invisible to reactive cybersecurity technologies.

Bridging gaps with next generation cyber protection strategies

Ensuring the UK’s CNI providers have incident response mechanisms in place requires understanding threats and the tactics to counter them, safeguarding networks, and implementing strict access privileges.

The Five Eyes agencies advise organisations to focus on a set of best practices to ward off threats from nation-state attackers and cybercriminals. These include regular patching, continual network monitoring, multi-factor authentication (MFA), zero-trust architectures, monitoring remote desktop protocol (RDP), and providing end-user awareness and training. A proactive approach to file security, using Content Disarm and Reconstruction (CDR) technology that instantly cleans and rebuilds files to match their ‘known good’ manufacturer’s specification, automatically removes potential threats rather than waiting to detect them.
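To make the CDR idea in the paragraph above concrete, here is an added example written for this page (not Glasswall’s engine or any product’s implementation): it rebuilds a .docx package from an allow-list of parts, so a VBA project, embedded objects and external relationships never reach the rebuilt file. It assumes the Office Open XML package layout, uses regular expressions instead of a full XML parser to stay short, and runs on a constructed sample document rather than a real one.

```python
import io, re, zipfile

# Parts a plain "known good" Word document may contain; everything else is dropped.
ALLOWED = re.compile(r"^(\[Content_Types\]\.xml|_rels/\.rels|docProps/(core|app)\.xml"
                     r"|word/(document|styles|settings|fontTable|numbering)\.xml"
                     r"|word/_rels/document\.xml\.rels|word/media/[^/]+\.(png|jpe?g))$")
MACRO_MAIN = b"application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN = b"application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"

def rebuild_docx(data: bytes) -> tuple[bytes, list[str]]:
    """Rebuild the package from scratch with only allow-listed parts.
    Returns (clean_docx_bytes, dropped_part_names)."""
    src = zipfile.ZipFile(io.BytesIO(data))
    names = [i.filename for i in src.infolist() if not i.is_dir()]
    dropped = [n for n in names if not ALLOWED.match(n)]
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in names:
            if name in dropped:
                continue
            body = src.read(name)
            if name == "[Content_Types].xml":
                # Macro-enabled main part becomes plain; overrides for dropped parts go away.
                body = body.replace(MACRO_MAIN, PLAIN_MAIN)
                for part in dropped:
                    body = re.sub(rb'<Override PartName="/%s"[^>]*/>' % re.escape(part.encode()), b"", body)
            elif name.endswith(".rels"):
                # Remove external relationships (remote templates, links) and any that point at a dropped part.
                body = re.sub(rb'<Relationship[^>]*TargetMode="External"[^>]*/>', b"", body)
                for part in dropped:
                    base = re.escape(part.rsplit("/", 1)[-1].encode())
                    body = re.sub(rb'<Relationship[^>]*Target="[^"]*%s"[^>]*/>' % base, b"", body)
            dst.writestr(name, body)  # fresh zip entry: none of the original headers survive
    return out.getvalue(), dropped

def read_part(data: bytes, name: str) -> bytes:
    return zipfile.ZipFile(io.BytesIO(data)).read(name)

def make_sample() -> bytes:
    """Constructed input: a macro-enabled document carrying a VBA project and a remote template."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", b'<Types><Override PartName="/word/document.xml" ContentType="' + MACRO_MAIN
                   + b'"/><Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/></Types>')
        z.writestr("_rels/.rels", '<Relationships><Relationship Id="rId1" Type="officeDocument" Target="word/document.xml"/></Relationships>')
        z.writestr("word/document.xml", "<w:document><w:body><w:p><w:r><w:t>Invoice</w:t></w:r></w:p></w:body></w:document>")
        z.writestr("word/_rels/document.xml.rels", '<Relationships><Relationship Id="rId1" Type="vbaProject" Target="vbaProject.bin"/>'
                   '<Relationship Id="rId2" Type="attachedTemplate" Target="http://example.invalid/t.dotm" TargetMode="External"/></Relationships>')
        z.writestr("word/vbaProject.bin", b"placeholder bytes standing in for a VBA project (constructed)")
    return buf.getvalue()
```

Running `rebuild_docx(make_sample())` returns the rebuilt package plus the list of parts it refused to carry over; a second pass over the clean output drops nothing, which is the property a CDR pipeline should hold.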

A proactive culture is the best cyber defence

CNI providers must realise the need to raise their game in cybersecurity tactics. Through industry collaboration and the sharing of intelligence on key vulnerabilities and how to protect systems, the balance of power will shift away from ransomware groups and towards the best defence of our national infrastructure. Furthermore, if UK agencies and the NATO alliance continue international intelligence sharing, the UK economy and citizens’ lives will be protected from impact.

Paul Farrington is CPO at Glasswall.