Securing Critical National Infrastructure

4th May 2020

Mark Oakton
Director, Infosec Partners

Critical National Infrastructure (CNI) is arguably one of the hardest, and yet most important, IT environments to secure. It underpins how we live our everyday lives, and whether it is health services, telecommunications networks, power supplies or even food and radio delivery, all of it needs better protection against cyber attack.

The issue of availability

The very nature of critical national infrastructure means there is a huge desire to keep operations running. It goes without saying that we want power going to our homes and connectivity maintained across the country, but in the event of a cyber attack those same functions could be turned against us. What is worse than an attacker disrupting our communications network? Perhaps an attacker using it to their advantage.

Behind every cyber attack is a motive, and it may not be as straightforward as money from ransomware or data theft. With critical national infrastructure in particular, the motive is more likely to be disruption or control, which could mean the visible cyber attack is actually masking something much more sinister.

Although it goes against instinct and against normal protocol, doing everything you can to get services up and running again may not be the right first move. In a cyber attack against CNI it could be important to keep services down until you fully understand the adversary you are facing, so that you can prevent the full extent of the damage the attacker intends to cause.

The most disruptive CNI attack

Interestingly, the cyber attack that brings down your services may not be the most disruptive one in reality. What about the attack that slowly siphons off valuable data, whose impact simply cannot be recovered from once the data falls into the wrong hands? The dangerous element of this type of attack is that it could easily make use of a legacy appliance sitting on the network, seemingly inconspicuous, until it becomes a hidden vehicle for attack.

Or perhaps it is when these two types of attack, outage and data siphoning, are combined that we stand to suffer the biggest problem. In that case, not only would you suffer a huge amount of disruption, but in the rush to get services back online the crown jewels themselves could be lost.

Even in the most disruptive attacks, the methods used are unlikely to be very sophisticated, for two clear reasons: firstly, simple attacks work; secondly, a unique, custom-made attack might do an attacker more harm than good, as it could reveal their identity. This should mean that defending critical national infrastructure is actually relatively straightforward. It is about getting the basics right.

The most common successful attacks we see are not technically complex. They exploit well-known weaknesses around passwords, applications and IoT devices, but attackers combine a range of attack vectors to increase their likelihood of success. In addition to taking advantage of unpatched vulnerabilities, attackers are also using physical attacks, social engineering and commercial pressures to hide the real motive and target of the compromise.

Protecting for the future

We cannot know which organization, or which industry, will be hit next with a cyber attack. If you take my point that CNI attacks often have a more serious undertone, the industry itself is arguably less important than the disruption an attack could cause. For example, on my ZeroDaysLive show, I mentioned that the water industry could be at risk: not just water facilities but the supply chain of bottled water. In fact, in recent days, that exact attack has happened, as Israel warned of an attack against its Water Authority facilities.

Our best line of defence for our critical national infrastructure is to maintain best practice. These attacks are mostly not sophisticated, and we can defend against them. We need to educate our workforce to stay vigilant against phishing, segregate networks, implement standardized controls, monitor and gain visibility into network traffic, and use technology that gives extra insight into what is actually happening on the network.
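The "slowly siphons off valuable data" scenario above, and the call here to gain visibility into network traffic, come together in one concrete check: a volume threshold alone never sees a legacy appliance trickling a few kilobytes an hour to the same external host, while a persistence check does. The script below is an added example, not code from the article or from Infosec Partners. Everything in it is constructed: the flow records, the internal address ranges, and the two hosts (a hypothetical legacy appliance at 10.0.5.20 and a workstation at 10.0.7.41).

```python
"""Contrast a volume threshold with a low-and-slow persistence check over
constructed egress flow records. Added example; all data below is made up."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed internal ranges for the example; adjust to your own site.
INTERNAL_NETS = (ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16"))

# Constructed flow records: (hour_of_day, src_ip, dst_ip, bytes_sent_by_src).
# 10.0.5.20 plays the hypothetical legacy appliance: roughly 4 KB to one
# external host in every hour of the day. 10.0.7.41 is a workstation that
# pushes a single 80 MB upload at 14:00 and talks to an internal file server.
FLOWS = [(h, "10.0.5.20", "203.0.113.7", 4000 + (h * 37) % 500) for h in range(24)]
FLOWS += [(14, "10.0.7.41", "198.51.100.9", 80_000_000)]        # one big upload
FLOWS += [(h, "10.0.7.41", "10.0.0.2", 120_000) for h in range(8, 18)]  # internal, ignored
FLOWS += [(9, "10.0.7.41", "203.0.113.7", 15_000)]              # one-off, not sustained


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def outbound_per_hour(flows):
    """Sum egress bytes (internal src -> external dst) per (src, dst, hour)."""
    per_hour = defaultdict(int)
    for hour, src, dst, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            per_hour[(src, dst, hour)] += nbytes
    return per_hour


def flag_by_volume(flows, threshold_bytes=50_000_000):
    """Classic check: total egress to one external host exceeds a threshold."""
    totals = defaultdict(int)
    for (src, dst, _hour), nbytes in outbound_per_hour(flows).items():
        totals[(src, dst)] += nbytes
    return {pair: total for pair, total in totals.items() if total >= threshold_bytes}


def flag_low_and_slow(flows, min_active_hours=18, max_bytes_per_hour=64_000):
    """Persistence check: the same (src, dst) pair is active in at least
    min_active_hours distinct hours and never exceeds max_bytes_per_hour,
    which is the shape of a trickle exfiltration that a volume rule misses."""
    hours = defaultdict(set)
    peak = defaultdict(int)
    for (src, dst, hour), nbytes in outbound_per_hour(flows).items():
        hours[(src, dst)].add(hour)
        peak[(src, dst)] = max(peak[(src, dst)], nbytes)
    return {
        pair: {"active_hours": len(hours[pair]), "peak_bytes_per_hour": peak[pair]}
        for pair in hours
        if len(hours[pair]) >= min_active_hours and peak[pair] <= max_bytes_per_hour
    }


if __name__ == "__main__":
    print("volume threshold flags:", flag_by_volume(FLOWS))
    print("low-and-slow flags:    ", flag_low_and_slow(FLOWS))
```

Run against the constructed records, the volume rule flags only the workstation's 80 MB upload, and the persistence rule flags only the appliance, which moved under 100 KB all day but to the same external host in all 24 hours. Neither rule is sufficient on its own; the point of gaining visibility into network traffic is being able to ask both questions of the same data.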

If the worst does happen, my advice is not to act rashly: understand the threat you face, the motive behind it and the tactics used. Only then, once your critical assets are protected, make decisions about getting systems back online.