What do the recent front-page Cyber Security attacks at the Royal Mail and the Guardian say about the state of the UK's Critical National Infrastructure?
Barely a few days into 2023 and media outlets are already flooded with evidence of successful Cyber Security attacks at major UK organisations, the Royal Mail and the Guardian, not to mention news of major disruption in the US originating from instability in the IT systems of the FAA. These incidents serve as a reminder of the ongoing threat that Cyber crime poses to UK businesses and organisations of all sizes. But do these incidents indicate a trend in targeted attacks against the UK's Critical National Infrastructure and, if so, why should we all be concerned?
CNI organisations under fire…
I'm not one to regurgitate well documented breaches, but I think it's important to use these recent examples to set the scene. As a reminder:
The Royal Mail's "international despatch documentation system", OT equipment designed to create and print custom labels for each parcel, was specifically targeted with the Lockbit strain of malware. Without speculating on the specific Threat Actor, the intention is clear: to derail the UK economy further after a series of strikes at the organisation, with the loss of these systems having a severe knock-on effect on the thousands of businesses reliant on the Royal Mail's services.
The Guardian incident, similarly, involved a phishing attack that targeted the company's employees, but with the focus thought to be on reaching the print and production environment. Whilst the target was on the operational systems of the media organisation, the ransomware incident resulted in successful access to AD credentials and the theft of sensitive internal information, including information about the newspaper's employees, sources, National Insurance numbers, addresses, dates of birth, bank accounts, salaries and identity documents.
Most recently, and widely reported in global news, was the major disruption caused by an IT systems failure at the FAA last week. Around one million passengers suffered delays and cancellations as US flight systems suffered one of their worst nationwide outages since 9/11. Officials were at pains to say that this was not a Cyber Attack, but the scale of the fallout indicates what the outcome of a successful attempt to disrupt these systems could look like.
All three incidents highlight our reliance on these organisations and their seeming fragility in the face of a targeted attack. Aside from the standard delivery model demonstrated in these attacks (phishing, of course), I think it is more important to analyse why there is a current concentration of attacks on CNI and what this means for those organisations: how do they identify potential weaknesses, and where should the focus be to ensure they can mitigate further disruption?
So what are we dealing with here…
I've spent the majority of my career studying and discussing the principles of how to protect the systems and data of traditional IT infrastructure within an organisation, primarily used for the BAU function of a business: managing data, communications, and networks. Operational Technology, or OT, on the other hand I've often seen play second fiddle to these networks, and it can be highly susceptible to attack. OT is used to monitor and control physical processes in industries such as manufacturing, energy production, and transportation, using systems such as sensors, actuators, and control systems designed to manage and automate the operation of physical assets. (Think: programmable logic controllers (PLCs), supervisory control and data acquisition (SCADA) systems, and distributed control systems (DCS).)
In my experience, these assets are more susceptible to Cyber Attack for a number of reasons:
1. Weak security: many OT devices have weak security features, such as easily guessable default passwords or a lack of encryption for data transmission. This makes them an easy target for attackers.
2. Lack of patching and updating: a lot of these assets are not designed to be easily updated or patched, making it difficult for manufacturers and users to address known security vulnerabilities.
3. Large attack surface: OT networks have a large attack surface with multiple methods of being accessed or controlled. This makes it difficult to protect them from all types of attacks.
4. Interconnectedness: OT infrastructure is often connected to other devices and systems, such as networks and cloud services. If one device is compromised, it can be used to gain access to other parts of the system.
5. Limited resources: OT devices often have limited processing power, memory, and storage capacity, making it difficult to run traditional security software or protocols on them.
6. Limited human interaction: OT devices are often designed to operate automatically with minimal human interaction, which makes it harder for users to detect when something is not working or the security has been breached.
7. Lack of standardisation: OT assets come from many different manufacturers, and there is a lack of conformity and adherence to a common compliance regime, making it harder to protect them from attacks.
8. Age & unplanned modern operational use: many industrial control systems have been operational for a number of years, well before interconnectivity was a perceived future method of automation. They simply weren't designed with that in mind and consequently have very little in the form of protection.
The principle of "Secure by Design", or as I like to say "Compliant by Design", is therefore crucial for OT devices and for CNI organisations to consider. Too often I have seen clients design these networks with minimal security in mind, and once implemented they are very difficult to secure in the field.
Promoting Cyber Resilience – Focus on Critical Digital Infrastructure
It is well documented that the UK faces a range of cyber security threats, including those from nation-states, organised criminal groups, and individual hackers. The UK government has warned that the country is facing an "unprecedented" level of Cyber Attack. In my experience, however, it is more difficult to define how well prepared UK CNI organisations are for these threats; we have seen the level of preparedness vary greatly depending on the specific organisation and sector. We know, though, that the UK government's various initiatives and frameworks designed to help these organisations improve their Cyber Security posture can only go so far. Adherence to regulations and standards such as the NIS Directive, NCSC's Cyber Assessment Framework (CAF) and GovAssure (released in Q1 this year), the NIST Cyber Security Framework and ISO 27001 will greatly help to ensure that adequate Cyber Security measures are in place, but in practice, what does this actually mean?
I believe that Critical National Infrastructure organisations need to focus their energy on the following key OT device management principles:
1. Network security: Ensure that OT devices are properly configured and protected from unauthorised access, and that all communications between devices are secure. The newly published Telecommunications Security Act is a "game changer" here.
2. Device security: Make sure that devices are protected from physical tampering, and that they are running the latest firmware and software updates.
3. Data security: Make sure that all data transmitted and stored by OT devices is properly secured and protected from unauthorised access.
4. User access control: Implement strict user access controls to ensure that only authorised users are able to access and control these critical assets.
5. Incident response: Have a plan in place for how to respond to security incidents, and ensure that your team is properly trained to respond to incidents.
6. Regular security audit: Regularly audit your OT systems and management networks for security vulnerabilities and take necessary measures to mitigate them.
7. Compliance: Ensure that OT systems adhere to relevant laws and regulations, such as the NIS Directive (NCSC CAF).
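To make principles 1, 2 and 6 above concrete, here is an added example (not code from the original post, nor from any of the products it mentions) that audits an OT asset inventory of the kind a discovery tool exports: it flags devices sitting outside the designated OT segment, firmware older than twelve months, unauthenticated protocols in use, and default credentials. The inventory, subnet and thresholds are constructed for illustration.

```python
"""Audit a constructed OT asset inventory against the principles above:
segmentation, patch currency, protocol exposure and credential hygiene."""
from dataclasses import dataclass, field
from datetime import date
from ipaddress import ip_address, ip_network

# Constructed: subnets the OT/ICS estate is supposed to live in.
OT_SUBNETS = [ip_network("10.50.0.0/16")]
# Constructed: protocols that carry no authentication or encryption.
CLEARTEXT_PROTOCOLS = {"modbus", "telnet", "http", "ftp"}
MAX_FIRMWARE_AGE_DAYS = 365          # assumed patching policy threshold
AUDIT_DATE = date(2023, 1, 16)       # fixed so the results are reproducible

@dataclass
class Asset:
    name: str
    ip: str
    firmware_date: date               # date of the currently running firmware
    protocols: set = field(default_factory=set)
    default_credentials: bool = False # as reported by the discovery tool

def audit_asset(asset: Asset, today: date = AUDIT_DATE) -> list:
    """Return the list of findings for one asset (empty list = no finding)."""
    findings = []
    if not any(ip_address(asset.ip) in net for net in OT_SUBNETS):
        findings.append("outside OT segment")
    if (today - asset.firmware_date).days > MAX_FIRMWARE_AGE_DAYS:
        findings.append("firmware older than 12 months")
    exposed = sorted(asset.protocols & CLEARTEXT_PROTOCOLS)
    if exposed:
        findings.append("unauthenticated protocol: " + ", ".join(exposed))
    if asset.default_credentials:
        findings.append("default credentials in use")
    return findings

def audit_inventory(assets, today: date = AUDIT_DATE) -> dict:
    """Map each asset name to its findings so the result can feed a SIEM."""
    return {a.name: audit_asset(a, today) for a in assets}

# Constructed sample inventory (names and addresses are placeholders).
INVENTORY = [
    Asset("plc-labeller-01", "10.50.3.10", date(2022, 11, 1), {"modbus"}),
    Asset("hmi-print-02", "192.168.1.40", date(2019, 6, 15), {"https", "telnet"}, True),
    Asset("scada-hist-01", "10.50.9.5", date(2022, 9, 20), {"https"}),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY).items():
        print(name, "->", findings or ["no findings"])
```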
It's my belief that CNI organisations need to shift their management principles for OT assets away from pure Cyber Defence towards Cyber Resilience. This doesn't negate the need to wrap defensive technologies and architectural design around these devices, segmenting them from public access and standard corporate systems, but it does shift attention to having plans in place to minimise disruption, pre-empting an incident and running mock table-top exercises to understand how best to respond quickly should a successful attack take place.
Personally, I've had some huge success with Microsoft's Defender for IoT on a recent high-profile OT project: deploying both cloud and on-premise sensors to discover, identify and feed all asset data back into a SIEM (Sentinel), and reviewing the logs from the OT environment alongside all IT logs to ensure they are treated with equal importance and get a coherent response. I can't stress enough how important visibility into these networks is.
My final thoughts on this are simple: we know that the NCSC and UK Government are quick to highlight who the CNI organisations are; it is now down to these organisations to highlight what their Critical "Digital" Infrastructure is and what defensive strategies are in place to protect it. Let's move away from CNI as a pure function crucial to the UK economy and our daily lives, and focus on assessing the risk to, and management of, CDI - Critical Digital Infrastructure.
#CyberSecurity #TheStateofCyberSecurity #CyroCyber #CriticalNationalInfrastructure