Critical National Infrastructure is the backbone of the UK. Our quality of life as a nation depends on the prosperity of our NHS, the reliability of our electricity, water, and gas systems, and the ability of our emergency services to react with lightning speed when called upon. When compromised, it’s not just our economy that’s threatened: it’s the daily lives of UK citizens.
It’s no surprise, therefore, that Chief Executive of the National Cyber Security Centre, Lindy Cameron, recently shared her view that ransomware is the greatest threat to British people and businesses.
Any hit on our highly-connected critical national infrastructure would cause a ripple effect throughout society – just like that of the Colonial Pipeline attack in the US this May. In a ransomware attack by the threat group DarkSide, the loss of the supply line caused fuel prices to rise in multiple states, affecting US citizens directly and costing the government millions. The UK must take note: national infrastructure must be protected from cyber threats at all costs.
Connectedness is Both an Asset and a Risk
Over the last 10 to 15 years, critical infrastructure has become increasingly connected to the internet: highly connected hospitals, water and energy systems powered by intelligent sensors, government operations with deep roots in data and many more. This obviously has its benefits: most importantly the ability to be operated remotely. However, this connectivity also means the systems we rely on for our health, power, and national security are susceptible to cyber threats. And in this regard, the Colonial Pipeline attack should serve as a wake-up call to those out there that yet needed one, as well as a reminder to those of us who were already aware of the threat.
All eyes have been on the UK’s critical national infrastructure, and particularly the NHS, since the pandemic began. Defending it is at the heart of the new Integrated Review of the UK’s foreign, defence, security and development policy, which seeks to ensure that those in control of Critical National Infrastructure have the knowledge, strategy, and security to combat threat actors bent on bringing it down. But the infancy of this initiative means that some industries are still in the dark regarding the urgency of the threat and how to defend against it.
Aging critical infrastructure around the globe has long been ripe for attack. Last year, the UK’s National Cyber Security Centre issued a joint warning alongside the US released a joint alert warning of Russian attacks on millions of routers, firewalls and devices used by infrastructure operators and government agencies.
Ransomware is Fast Becoming a Criminal Livelihood
However what makes this situation more perilous is the fact that the Colonial Pipeline shut down was caused by what appears to have been a private party. Typically, cyber warfare tactics such as targeting infrastructure was the realm of nation state actors. An act of aggression not unlike previous ‘pre-internet’ tactics, and one which would ultimately be traceable to the perpetrator.
This situation punctuates an upward trend in the number of private parties targeting public infrastructure in ransomware attacks. These attacks, which hold information or systems hostage until a sum of money is paid, are growing in complexity, sophistication, and frequency globally. In the UK, ransomware attacks surged 80% in just three months following the start of the pandemic.
While it was only a matter of time until ‘outsourcing’ came to the cybercrime business, the success of Ransomware-as-a-Service (RaaS) providers against infrastructure targets is sure to spur imitators and competition. The newfound ability for individuals to seriously impact critical supplies for personal profit is certainly troubling and opens our aging infrastructure to an even wider pool of threats.
Nation-State Attackers Deploy the Best in Cyber Mercenaries
However, the rise in skills of these cyber mercenary groups may highlight an even greater long-term risk to all infrastructure. Numerous reports – including BlackBerry’s BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps – show that mercenary groups offering APT-style attacks are becoming more readily available. The tactics, techniques, and procedures (TTPs) used in these attacks are beginning to resemble the highly sophisticated state-sponsored campaigns. This means the profile and geography of potential victims has diversified exponentially. And these victims will become increasingly ‘random’ or illogical when analysed for any commonality.
This lack of commonality will also make it harder to identify when nation states are actually behind attacks, as their fingerprints will be largely removed.
Interestingly too, the interconnectedness of the UK’s infrastructure is starting to provide an asymmetric advantage for some nations we traditionally classify as hostile. North Korea, for instance, hasn’t had the resources to upgrade their infrastructures like the much of the west. This means much of the nation’s infrastructure remains unconnected to the internet – making it largely insusceptible to cyber threats. The one-way threat posed by some nations may present a unique challenge to the UK and other highly-connected nations in the years to come.
The UK Must Double Down on Its Cybersecurity Measures – and Quickly
As our national infrastructure continues to grow year on year, so too do the sophisticated abilities of threat actors. In the face of these advanced threats to our most valuable assets, we can no longer rely upon reactive approaches. To avoid attacks in the vein of Colonial Pipeline, and to prevent WannaCry-style hits from occurring again, the UK must take significant measures to keep these systems safe and uncompromisable. Vigilance will be the first step: all organisations in the public and private sector should consider the human impact of any compromise to their systems. What is the worst case scenario? What will the long-term effects be? And who will suffer the most?
It’s good news that the UK has laid out plans for greater cyber resilience. Its recent Integrated Review of Security, Defence, Foreign Policy, and Development expresses a commitment to a strategy that can detect, disrupt and deter adversaries in a preventative stance. A prevention-first security posture starts with neutralising malware before it can exploit systems. Once it’s unable to execute, the downstream consequences, and the resulting efforts to trace, contain, and remediate the damage, are dramatically reduced.
The severity of the threat to the lives of citizens cannot be overstated. Protecting them is not optional. The Government must commit to deploying the strongest of cyber resilience plans, and the latest technologies, if it is to stand a chance of protecting our NHS and other critical national infrastructures from very real cyber threats that could strike at any time.