Critical infrastructure and the cybersecurity threat – a UK perspective

Valuable data, disjointed systems, and a skills shortage make for a huge attack surface.
22 December 2022

Critical infrastructure is in critical danger.

When we think of cybersecurity, we generally think of the damage that can be done to individual companies by a cyberattack. But that ignores the potentially greater danger of a malicious cyberattack on elements of a nation’s critical infrastructure – roads, rail, power, water, government, healthcare, emergency services and more. If any of those are hit by a major cyberattack, the fallout could be broad and devastating.

We sat down with Deryck Mitchelson, Field CISO at Check Point, a global cybersecurity solution company, to discuss the potential dangers of being caught unprepared for a cybersecurity threat against critical infrastructure – particularly in the UK, which has, for instance, a national health service as an additional target.

THQ:

How vulnerable to cyberattack is critical infrastructure? What’s the scale of the issue that we’re dealing with here?

DM:

It’s very vulnerable. But it’s a mistake to treat all CNI (critical national infrastructure) as equally vulnerable. For instance, healthcare’s the most vulnerable part of CNI. There’s no doubt about that. I think the utilities sitting under that are next most vulnerable, because a) we’ve seen attacks on utilities, and b) like healthcare, they have gotten underinvestment generally, and very little on security. The energy companies potentially are sitting in the best shape when it comes to CNI. Although, again, if you look across Europe, there have been successful cyberattacks against energy organizations. So it’s not that they don’t have issues.

But yes, it’s very, very vulnerable. I’m pleased to see the NIS (network and information systems) regulations update that’s coming out, where the regulations will be strengthened around the critical national infrastructure supply chain. That’s a good starting point, but it certainly isn’t as robust as it should be. It gives some assurances, but we need to be doing so much more. And potentially, there could be a massive Generation V attack across critical national infrastructure that doesn’t just take down healthcare, it could take down healthcare, the emergency services, it could look into utilities. So it could have a crippling impact on the country.

We are in a space right now that the threat actors love. We’ve got geopolitical turmoil, we’ve got recession. In the UK, we’ve got a cyberskills shortage to deal with any attack. We’ve got the perfect storm coming up. There is no doubt about that.

Critical vulnerability periods.

THQ:

And happy holidays to you too! The point is valid though – if you were going to pick a time, it’s pretty much now, isn’t it?

DM:

It is. I advise the Scottish Government on cybersecurity issues, and I said that two weeks ago at a meeting I had with them. I actually said to them “Please, please, please, can we get messaging out to all of our critical agencies around not taking their eye off the ball over the holiday period?” That’s when you tend to get a lot of this happening. So it’s a perfect storm.

But we’re also going into this mode where we’ve got skeleton staffs doing monitoring, and it’s never by chance that a lot of these attacks happen when the guard is down slightly. And yes, this is unfortunately where we are.

I did a BBC interview earlier in the year, in the summer. They were keen to talk about healthcare and the supply chain issues. I said to them then that the NHS was going to have a big supply chain attack.

And several weeks later… it did. It was obvious that was coming, and it was obvious that utilities such as water were going to be impacted as well.

We’re not in the best of shape. Absolutely not. And I think politicians need to take heed as well around the level of assurance they’re getting. Are they getting the right level of assurance? Is it more checkbox assurance rather than assurance from red team exercises that are actually coming in and looking into controls and what’s happening? My suspicion is that it’s very much the checkbox variety of assurance. And that’s always going to lead to trouble.

Critical weaknesses.

THQ:

Why is critical infrastructure more at risk than standard businesses from cybersecurity threats?

DM:

There are a few reasons for that. The data and the PII (personally identifiable information) that CNI holds is very valuable information, and anywhere you have extremely valuable information is going to be a target. Add that to the degree of legacy they have, where systems aren’t necessarily joined-up and it means that they’ve got a huge attack surface where cybercriminals can go in.

There are also organizations that are trying to make their digital transformation journey. And some of them may well have not done that too fast given Covid, when we were all trying to work remotely or trying to push services online. So again, you look at them and they’re not what you would call the modern digital organizations that we hope they are. They’re still running legacy equipment and software and security alongside some of the new modern infrastructure. It’s so difficult to protect a system like that end to end.

Then you bring in IoT (internet of things devices) and they add in an entirely different risk – we saw that with the Colonial Pipeline case in the US, where they didn’t actually know if the OT side of the business had been breached, or if it was just the IT side of the business.

But that’s the point – critical infrastructures don’t have end to end monitoring in place across everything. And they certainly don’t have monitoring that’s shared across agencies, either. So when something like the Adastra attack happens, it brings down services in England, Scotland, Northern Ireland and Wales, but there’s no joined-up layer that sits in there and provides the security around these systems. We work the same way in utilities, we work the same way in energy as well, and the same in aviation, they’re all individual silos that are in many ways trying to do similar things, but all working independently to re-invent the wheel.

The right thing, once.

I’ve always been a huge proponent of doing the right thing, once, in a standardized way, rather than continuing to reinvest and do it the English way, and the Scottish way, and the Northern Irish way, and the aviation way. There is one way which is the right way. Do it that way across the board, with some standardization, and then you’ve got knowledge you can reuse.

We’ve said there’s a cyberskills shortage, too. Each time the wheel is re-invented, it’s not being done necessarily by the most skilled people, because the shortage of cyberskills in critical infrastructure is driven by lower wages compared to the likes of fintechs – so the higher skills go to the higher paying sectors.

So you get a situation in critical infrastructure where you have a lot of very valuable data, lots of legacy equipment and a system it’s very difficult to protect end to end, a lot of similar work being done to re-invent something that already exists, but with potentially unique loopholes in it, inserted accidentally by people who don’t necessarily have the cyberskills to do the best job of it.

That makes critical infrastructure elements very, very vulnerable to cyberattack – and on top of that, as we said, in the UK right now, there are geopolitical factors, economic factors, and underinvestment factors to make UK critical infrastructure particularly low-hanging fruit for cyberattackers.

In Part 2 of this article, we’ll be focusing on how to mitigate the cybersecurity threats to critical infrastructure.