The cyber threat facing Critical National Infrastructure (CNI) is serious. We know this only too well having looked after the .UK domain for more than 20 years and being classed as Critical National Infrastructure ourselves.
CNI is different from any other type of environment, as here, it is not only business continuity that’s at risk or confidential files that may be lost; it’s about the day-to-day life of you and me, of your Mum and Dad, your friends and your colleagues that could be disrupted.
What’s more, attacks on Critical National Infrastructure aren’t hypothetical. Recently South Africa, for example, suffered a power outage due to a ransomware attack on CityPower. Even more recently, 17 US-based utility firms were targeted with spear-phishing emails, following a similar campaign allegedly by the same group only a month before.
When you consider that these are the organizations responsible for providing clean water, running our wind farms, coal plants and nuclear energy facilities, as well as the power grid infrastructure, the impact disruption to their services could cause is vast. We’re talking about hospitals without the ability to keep life support machines running and schools that can’t keep classrooms heated.
Consequently, it is no wonder that firms deemed as Critical National Infrastructure – whether financial institutions, telcos, banks or utility firms – are often cautious of change and innovation. Arguably though, they need to be at the forefront of innovation, ensuring the very best security practices are deployed to keep the nation safe from attackers. So how do they deal with business-wide transformation such as the move to cloud?
On the cusp of change
For many organizations, cloud offers the opportunity to make operations more agile, improve technical integrations, lower costs and ultimately generate more margin. For CNI firms however, this can be seen to be at the expense of relinquished control to third parties – which can be daunting. Initial fears revolved around the notion that cloud computing was less secure than on-premise systems, and that opening up to cloud services could seriously expose organizations. But, cloud computing is no longer a new technology; the market is now worth billions of dollars and bringing with it digital innovations that define the modern business world. Organizations can’t risk being left behind.
With cloud, it’s important for us to understand that relinquishing control doesn’t mean relinquishing responsibility. Due diligence can and should still be done in a cloud environment as it was on premise, the questions are often just different. For example, conversation is much more likely to be around SLAs and the level of risk with which the company is comfortable.
It’s also about having a close relationship with IT vendors. Ensuring that there is collaboration and understanding of the bespoke needs of these vital industries.
Organizations also shouldn’t forget how important it is to get the basics right. Security is about people, processes and technology, culminating in a layered approach to protection. With more informed people comes less risk, and with tighter processes comes less room for error. From a technology perspective, it’s about understanding risk and building in security solutions that can keep pace with threats and give a true layer of protection.
For us, that’s about the network layer. Using the intelligence within the ubiquitous DNS layer to identify and mitigate threats early. Some of the most risk averse industries in the world use this method to successfully protect themselves against attack and failing to do so is a missed opportunity to improve security posture.
To read more about how we can protect Critical National Infrastructure, take a look at what we’re doing for the UK Government.