Our world, including our critical national infrastructure (CNI), faces rapidly evolving threats and a constantly shifting threat landscape. We have a level of maturity in handling some of the threat and risk from the physical world, but our ability to handle the threat from cyberspace is still developing and nations are becoming increasingly aware of the attraction of these critical services as targets. The threat to CNI has to be treated holistically as the threat itself is holistic.
Bringing a region or nation to its knees from the other side of the world is no longer the stuff of spy movies or fiction novels. It is possible to disable critical national functions without any physical interaction with the site, plant or system you are attacking. The use of malware means that it can evolve and spread, this is what we saw with Stuxnet; originally designed to attack centrifuges in Iranian nuclear reactors, it evolved and ended up going wild, affecting many more networks and systems than it was initially designed to do. Technology is increasingly networked and this greater connectivity means an increased array of threat sources coming through the cyber vector.
Increasingly vulnerable This trend toward the interconnectedness of everything looks set to grow rather than decline, and therefore our attitude to threat needs to become more holistic in nature as that is how the threat landscape is evolving. There are relatively high levels of legacy technology still in use and this is a contributory factor to the threat – not all technology was built with the ‘Internet Of Things’ in mind and this can make it very challenging to secure and maintain securely. For instance anything running on Windows XP will be unsupported, so if it has been used as a platform for any CNI systems this constitutes a major vulnerability. The problem is that systems can take a very long time to develop and by the time they reach implementation they could actually be obsolete. So really, it is a perfect threat storm for CNI.
Let’s look at SCADA systems. The term ‘Supervisory Control and Data Acquisition Systems’ usually refers to centralised systems that monitor and control entire sites, or complexes of systems spread out over large areas that could mean a plant like a nuclear reactor plant or a satellite or an entire country. These are in common use throughout CNI as they are integral to the efficient running of these sites but they are also vulnerable if not properly secured and if you have a determined insider the threat increases dramatically.
Hidden targets It isn’t just the direct threat that needs to be considered; the eventual compromise of the system could actually come from somewhere in the supply chain. Smaller organisations frequently become initial targets but with the criminal’s gaze actually directed toward the larger organisation or more valuable data elsewhere in the chain. Targeting a smaller supplier may offer a much softer target as a launch point.
When you think about the UK, more than 95 per cent of our businesses are SMEs and the Government actively courts SMEs to be Government suppliers through frameworks like G-Cloud.
If these are suppliers into our CNI and have less than robust security strategies in place they could be exploited and become an attack vector. Also manufacturers in the supply chain may pose an unintended threat as in general, manufacturers of technology increasingly they are distancing and absolving themselves of responsibility toward creating a secure product in the first place.
Add to that the compartmentalisation of modern manufacturing techniques, whereby components of an item could have come from several different suppliers and be assembled in a totally different region or country and you begin to see the issue more clearly. A good example of this could be the iPhone – some components of the iPhone are actually manufactured by Samsung, presumably in between lawsuits with Apple.
So, another key question to be factored into the cyber resilience strategy would have to be, where are you actually buying your tech from? Consider a recent incident in which some Microsoft motherboards were factory issued with built in malware. insider threats
So, the supply chain is increasingly complex and strangulated. Before any piece of technology gets anywhere near any particular area of our CNI, it could have been compromised. All of this is without the human threat, or ‘insider threat’. Insider threat doesn’t have to be malicious, it can come from someone forgetting or avoiding a piece of essential protocol, either through sloppiness and poor training or through genuine mistake.
Obviously there are the malicious insiders who are very determined, potentially knowledgeable and highly motivated. This might be ideological, financial or political motivation. Stuxnet for instance, which was introduced to the Iranian nuclear centrifuges by a USB drive, has been variously attributed to different state sponsored cyber-attack programs.