Cybersecurity is a matter of national and international security and should be prioritised as such. This is particularly important when it comes to protecting Critical National Infrastructure (CNI) and the services that UK citizens rely on in their daily lives, as the consequences of disruption to these services has the potential to be devastating. With the world more digitised and interconnected than ever, a significant attack on CNI could lead to physical harm or even the loss of life.
The UK Government recently issued a national statement that warns organisations about the potential for cyberattacks on CNI. The 2023 Edition of the National Risk Register predicts that, in the next two years, there is a 5 to 25% chance that a devastating attack will target critical infrastructure and cause physical harm. This report is based on an internal National Security Risk assessment, which factored in malicious risks the UK may be exposed to including terrorism and cyber-attacks, as well as non-malicious risks such as severe weather incidents.
The report focused on several cyber-related risks, such as attacks on gas and energy infrastructure, fuel supply infrastructure, health and social care systems, the transport sector, financial infrastructure and retail banks, then assessed the risk this poses to national security. A majority of these infrastructures are intertwined, meaning an attack on one could have farther reaching consequences – unless important security controls are carefully considered.
Gas Infrastructure
The UK gas infrastructure is responsible for delivering gas to individual users and businesses across the nation. In the event of a worst-case scenario, a cyberattack could disrupt the gas infrastructure to the extent that the entire system could fail. Under certain circumstances or conditions (i.e. winter) a system failure could lead to loss of life or physical harm to individuals caused by lack of heating, access to necessary medical treatment or a limited ability to safely use gas.
Electricity Infrastructure
A failure of the electricity infrastructure, due to a cyberattack, could disrupt all other critical systems. Great Britain is known to have one of the most reliable energy systems in the world, and as such, maintaining it efficiently and safely is a top priority. A nationwide loss of power could create a ripple effect, causing disruption to internet telecommunications, water, sewage, fuel and gas supplies. In the worst scenario, such an attack would not only create social turmoil, but again, could lead to loss of life.
Health and Social Care Systems
Unfortunately, the UK has seen several cyberattacks on its healthcare infrastructure – the largest example being the widely-publicised WannaCry ransomware attack in 2017. Ransomware can cause severe disruptions within healthcare, as it can jeopardise sensitive patient health information and interrupt the critical systems that medical facilities need to operate. This directly impacts patient care and can cause physical harm. In fact, we have already witnessed examples in which a cyber incident has impacted the health and safety of patients.
Financial Infrastructure
Certain Financial Market Infrastructures (FMIs) are considered CNIs as they enable financial transactions to take place and provide a vital service for the UK economy. FMIs are considered high-profile targets for cybercriminals, and as such, must be resilient to significant cyber incidents. Any attack could take important systems offline, disrupt services, and increase the risk of fraud and operational losses.
Assessing the Potential
The Government predicted that most serious incidents impacting critical national infrastructure would involve encryption, data theft, destroying data that CNIs rely on, or the disruption of operational systems entirely. The likelihood of such an attack for the next two years, however, has been scaled as a four out of five, which is still considered as ‘highly unlikely’ with a ‘moderate’ impact. Although the likelihood is deemed low, it is imperative that organisations prepare themselves for a worst-case-scenario.
Findings from the World Economic Forum’s Global Cybersecurity Outlook highlight the issue further. The Report found that 91% of all respondents believe a far-reaching, catastrophic cyber event is at least somewhat likely in the next two years and 43% of business leaders believe that cyberattacks will have a material impact on their organisations. Businesses of all sizes and in all sectors must prepare for the possibility of a breach and take concrete actions now to protect themselves.
Invest in Cybersecurity
Businesses must secure their networks and systems with consistent built-in security that protects all of the technologies they utilise across the company. This should include a secure password manager. Secure accounts and passwords can make a significant difference in keeping an organisation safe from unauthorised intruders or even malicious insiders. This is also important when it comes to supply chain attacks, as bad password practices within third parties could be the gateway into larger organisations.
Organisations should implement a Zero-Trust Architecture (ZTA) and Privileged Access Management (PAM) to prevent unauthorised privilege escalation and ensure user access roles are strongly enforced. Companies should also have security event monitoring in place to detect and block anomalous privilege escalation. Least-access policies help ensure users only have access to the data and resources required to perform their job duties.
Finally, there must be a shift in the mindset that security teams are the only ones responsible for security. C-suite executives must include security leaders in regular business reviews and plans, while organisations must consistently train all employees to recognize and avoid the latest attack vectors.
The Time To Act Is Now
Cyberattacks against critical infrastructure hold the potential for disaster. As operational and information technology converge, the opportunities and pathways for cybercriminals to target critical national infrastructure will only continue to grow. Meanwhile, cyberattacks are getting more sophisticated, increasing the risk of threats such as supply chain attacks and ransomware. And critical infrastructure remains an appealing target, because disruption no longer solely affects production and productivity, but could lead to physical damage and harm.
Ultimately, when used for political purposes, cyberattacks targeting the sectors UK citizens rely on may be part of a larger effort to threaten operations, destabilise the Government or disrupt power grids, transportation networks and financial institutions. In the digital age, it’s clear that cyber and traditional warfare tactics will continue to converge as threat actors use cyberattacks to both support and supplement physical attacks – with devastating consequences.