Critical Conditions In The CNI

Nobody likes being left in the dark, but a Friday evening in early August saw one million people across England and Wales stuck without power. Hospitals and rail networks and hospitals were impacted by the outage which lasted into the night. Despite the fact power was restored by the following day, people have been left standing in the dark when it comes to understanding why the outage occurred.

The cause of the outage was traced to two separate power stations disconnecting within two minutes of each other. The National Grid has called this an “incredibly rare event” and does not believe the outages were caused by a cyber-attack, yet the government has announced an investigation that seeks to determine what caused each of the power stations to fail.

While this particular outage might not have been caused by a cyber-attack, the threat of such attacks against the UK’s 13 national infrastructure sectors is only growing. And if not addressed sufficiently, our economy and welfare could become subject to significant disruption.

Critical national infrastructure (CNI) sectors including nuclear power, utilities and the NHS have traditionally been protected by managed control systems and critical applications on closed private networks. However, with IoT technology in our national infrastructure continuing to develop, the possibility of cyber threats increases. IoT technologies are reliant on open networks with increased connections between SCADA systems, office networks and the internet, meaning increased vulnerability when it comes to cyber threats.

Ethical hacking and penetration testing are proven methods for ensuring effective cyber security measures are put in place. Both methods entail employing a security specialist to assume the role of a hacker, testing organisations’ systems, applications and networks to wean out the weaknesses and tighten up defences.

As our CNI becomes more reliant on internet-connected devices and technologies, sufficient security processes and controls must be implemented. This includes regular patching, segmenting critical parts of the network from other business functions, and restricting functionality.

Penetration testing is a widely used security testing method, yet this also needs to evolve. Typically, penetration testing will only focus on one specific infrastructure element such as gaining access rights to a system. Bridewell’s red team assessments take things even further by providing a full attack simulation across the entire organisation, from breaching networks and systems, to using social engineering, and gaining physical access to premises and devices.

Education within organisations is another critical element of protecting systems against cyber threats. Attacks are far easier for cyber criminals to orchestrate when they can gain physical access to the IT infrastructure. It’s essential that employees are aware of the threat and can demonstrate a high level of vigilance when it comes to building security. Buildings can be adapted to increase the protection of systems with facial recognition technology and limited access to critical hardware.

In order to protect our CNI from cyber-attacks, an effective security strategy must consider all of these elements, from regular testing and patching to workforce education and building design, online and offline security controls, to operations. Only with these measures in place will the safety and resilience of our CNI be guaranteed in the face of escalating cyber threats.