Protection and mitigation

Ceri Charlton takes a look at dealing with the cyber threat to critical national infrastructure

The cyber threat has increased dramatically over the last few years, driven largely by the proliferation of the internet and advances in technology. Not only are cyber criminals becoming more sophisticated, but there are more opportunities for them to stage attacks and find gaps in security. The IoT is a prime example; the more devices on a network, the more points of vulnerability.

But are there any industries that are especially susceptible to attack? The short answer is no. Every organisation is at risk. In the past, it was financial institutions that were seen as the most at risk. But today the threat extends to all businesses because everyone has something of value to protect, whether that’s payment card information, proprietary data or customer details.

It’s not necessarily all doom and gloom. Yes, the threat is real but these advances in technology are also enabling the fight against cyber-attacks. In addition, with the introduction of stricter legislation (such as GDPR and NIS) and the threat of steeper fines as a result of non-compliance, organisations are working harder than ever before to protect themselves and mitigate risk.

All organisations have something to lose
That said, there are industries where the threat extends beyond damage to reputation, loss of customer trust and fines. Look at national critical infrastructure, for example.

We have 13 critical national infrastructure sectors in the UK, energy being one of them. If these sectors were attacked, either physically or virtually, it would significantly affect our economy.

Looking specifically at the cyber threat in the energy sector, why is it so much more of an issue today? Again, the internet has a lot to answer for. Traditionally critical national infrastructure sectors, such as nuclear power and utilities, had managed control systems and critical applications on their own closed private networks. But, a move towards open networks and an increase in connections between SCADA systems, office networks and the internet has made these sectors more vulnerable to cyber attacks.

As a response to these concerns, the NIS Directive was conceived. It is the first piece of EU-wide legislation on cyber security. While it hasn’t received the same attention as GDPR, for example, it’s still a vital steppingstone to bolstering cyber security. Essentially, it defines a set of top-level outcomes that guide cyber security best practice for operators of the EU’s critical national infrastructure (CNI). Anyone involved in securing, maintaining and protecting CNI should have knowledge of best practices and an awareness of how building services could cause a weakness in our critical infrastructure.

Developing a strategy
On a practical level, what does this look like for organisations? In addition to having a risk management framework in place, such as the best practices suggested in the NIS Directive (for example, patching on a regular basis) organisations also need to consider testing their defences.

While penetration testing is used widely, typically this only focuses on testing one specific infrastructure element such as gaining access rights to a system. A red team assessment takes things further, providing a full attack simulation across the entire organisation, from breaching networks and systems, to using social engineering, and gaining physical access to premises and devices.

Indeed, the human and physical elements of security play a large part in protecting our CNI. It is easier to compromise systems when criminals can gain physical access to the IT infrastructure. Therefore, employees need to be educated about holding open doors for strangers and given the confidence to challenge people they don’t recognise. Buildings can be architected to make this physical access control easier to implement. For instance, facial recognition technology can be installed at entrances and the building can be designed in a way which limits access to rooms housing critical IT and systems infrastructure.

This focus on security needs to be consistent across buildings and sites, not just limited to headquarters or an office building. For example, looking at protecting the grid, substations need to receive the same security focus as power stations themselves, as increased connectivity means that these facilities could provide attackers with an easier attack vector.

A multi-layered, comprehensive security strategy Only by deploying a comprehensive security strategy, one which incorporates all aspects of a building, from design to operation, as well as security controls physical and otherwise, can CNI be protected from security threats. Regular testing and staff training are also vital, as everyone needs to aware of the potential threats, particularly the IoT, and understand their responsibilities in terms of mitigating potential cyber attacks. Only then can the operators and regulators of our CNI become more confident that their buildings and infrastructure, are relatively safe from cyber-attacks.

Bridewell Consulting
Ceri Charlton is associate director at Bridewell Consulting, a NCSC certified and CREST accredited business providing reliable, high-quality security and risk consulting services. Bridewell Consulting provides four core service areas: cyber security, data privacy, penetration testing and red team assessments and managed security services. Its expert team of professionals possess specialist industry experience and proven capabilities, delivering effective cyber security and data privacy services across financial services, pharmaceutical, manufacturing, technology, retail, media, government, aviation and 24×7 critical services.

For further information please visit: