Threat Code

How Organisations Can Reduce the Heightened Risk to Western Critical National Infrastructure

Published 21 April 2023

On 19th April 2023, the UK National Cyber Security Centre (NCSC) issued an alert warning of an emerging threat to critical national infrastructure from state-aligned groups. Within the alert, the NCSC says these state-aligned groups “are often sympathetic to Russia’s invasion of Ukraine and are ideologically, rather than financially, motivated”.

This alert aligns with findings from Bridewell’s recently published Cyber Security in CNI Organisations: 2023 report, which found that almost eight in ten (78%) respondents are now worried about the threat of cyber warfare against UK critical infrastructure.


A Heightened Risk to Western Critical National Infrastructure

The NCSC’s alert goes on to describe how these groups frequently utilise DDoS attacks, website defacements and the spread of misinformation. However, some of these groups have described more disruptive and destructive goals in impacting western Critical National Infrastructure (CNI) organisations – including those within the UK.

Such a threat carries weight, given that CNI assets are increasingly part of a connected world. The last decade has seen numerous notable cyber attacks against such assets. To outline a few examples:

  • 2016 - Industroyer/CrashOverride attack on Ukraine energy systems
  • 2017 - Triton/TRISIS malware that targeted safety instrumented systems at a Middle Eastern petrochemical plant
  • 2021 - The Colonial Pipeline IT network attack, which caused the company to shut down one of the largest oil pipelines in the US for several days to stop the ransomware from spreading
  • 2022 - Pipedream, a further attack framework discovered, which can impact programmable logic controllers (PLCs). Whilst it is not known to have been employed in a successful cyber security attack, it demonstrates a significant evolution in attack capabilities against industrial control systems

The principal advice from the NCSC is to act now to manage the risk of future attacks. In their own words:

“Without external assistance, we consider it unlikely that these groups have the capability to deliberately cause a destructive, rather than disruptive, impact in the short term. But they may become more effective over time, and so the NCSC is recommending that organisations act now to manage the risk against successful future attacks.” 
 
The NCSC has previously provided guidance on the actions to take when the cyber threat level is heightened. Read the guidance here. 
 

Assured Cyber Security Consultancy  

As a cyber security consultancy certified by the NCSC, Bridewell offers a number of services that CNI organisations can use to effectively mitigate risk, including:
  • Risk assessment
  • Risk management
  • Audit and review
  • CAF assessments

“Bridewell is endorsed by the NCSC to provide a number of consultancy services, the breadth and depth of knowledge and skills are constantly working to help make our world a safer place. The NCSC recommends that organisations act now to manage the risk against future successful attacks. The NCSC has a range of guidance already available online, for organisations seeking a conversation or some support in response to the emerging threat, our assured services are testament to the work we do and we would be more than happy to help.”
Dan Saunders, Senior Lead Consultant

These services aid companies and operators of essential services to identify and assess risks, form risk treatment plans, or to conduct assessments against applicable regulations, standards and frameworks including: 
  • NCSC CAF
  • IEC 62443 
  • ISO 27001 and ISO 22301
  • NIST 800-53
  • GDPR and data privacy

Bridewell was one of the first companies to be certified by the NCSC for these services. With skillsets and expertise across governance, risk and compliance (GRC), data privacy, operational technology (OT) and cloud security, Bridewell continues to help organisations achieve their business goals or fulfil assurance requirements. This includes implementing and certifying against ISO 27001, providing risk assessments, helping a business to mature its risk management practices, conducting audits against a variety of standards, and carrying out cloud security assessments.
 
Bridewell also provides CNI-focused consultancy, with continued advances being made to the Bridewell Security Operations Centre (SOC) for protective monitoring services and OT monitoring capabilities. Bridewell's consultancy also works with our 24/7 SOC, which secures a number of leading CNI organisations and has strong threat intelligence capabilities.
 

CAF Assessment 

Within the alert, the NCSC has highlighted the benefit of using its Cyber Assessment Framework (CAF) to assess the maturity of an organisation's cyber security and resilience posture. Most critical national infrastructure organisations will be familiar with the CAF, given its use across several competent authorities for monitoring compliance with the Network and Information Systems (NIS) Regulations.
 
The CAF is made up of four high-level objectives:
  • Managing security risk
  • Protecting against cyber attack
  • Detecting cyber security events
  • Minimising the impact of cyber security incidents

It focuses not just on the cyber security controls implemented by the organisation but also on the resilience arrangements in place to ensure its essential processes continue to operate during periods of disruption.
 
If you are concerned about the threat posed to your organisation during this period of heightened awareness, or would like to assess the maturity of your organisation’s cyber security and resilience, Bridewell has significant experience and skills in working with organisations to complete CAF assessments, and can then direct your organisation towards meaningful actions that will reduce the risk it faces during the period of heightened threat.
 

Bridewell CNI Research Report 

As part of CYBERUK 2023, Bridewell has released a new CNI research report, which surveyed over 1000 cyber security decision makers across UK and US critical national infrastructure to understand their current cyber security challenges and levels of maturity. Some of the top-level findings include:

  • 65% of CNI organisations are seeing a reduction in their security budgets
  • 62% of CNI organisations agree it takes too long to detect and respond to threats
  • Only 21% of organisations have implemented 24/7 security monitoring on IT

To enquire about any of the services mentioned in this post, please contact +44 (0)3303 110 940 or hello@bridewell.com

Author

Dan Saunders

Senior Lead Security Consultant
