
Mike Gillespie

September 2016: CNI response

The United States has been considering the security of its power grids rather publicly of late. The cyber-security of its power grids, that is, writes Mike Gillespie of Advent IM.

The NSA (National Security Agency) chief stated it was ‘a matter of when not if’ a power grid would suffer a serious cyber-attack. This is not fear-mongering but a very real possibility, and power grids are not the only thing they need to concern themselves with. Nor is it only the US that needs to be aware of its Critical National Infrastructure (CNI) in cyberspace; the UK does too, and there is a lot to consider. Some of the key challenges of securing these assets come down to collaboration and a holistic approach to security and resilience.

Securing CNI has been uncomfortably highlighted in recent years. South Korea saw a nuclear power plant attacked; luckily it was safely contained and treated. Poland had a tram system hacked and trams driven into each other – 12 people were hurt; and Tel Aviv saw its main arterial transport route crippled by a CCTV hack for over eight hours. This is before we mention the most famous of all – the Stuxnet attack on an Iranian nuclear plant. This attacked centrifuges in the enrichment programme, causing them to spin off balance, thereby crippling it.

The UK’s Centre for the Protection of National Infrastructure (CPNI) says that the national infrastructure is categorised into 13 sectors: communications, emergency services, energy, financial services, food, government, health, transport, water, defence, civil nuclear, space and chemicals. This is a lot of scope: disparate systems, platforms and applications, and a vast geographical area, not to mention an infinite cyber area. Add to this the convoluted supply chains or business ecosystems around this infrastructure and you start to gain an insight into the scale of the cyber-security job required.

Those supplier relationships and access points have to be managed too because, as we know from the Target data breach, which was facilitated by a compromised air conditioning supplier maintenance portal, sometimes the threat comes from an unexpected source, via cyberspace, even when it’s a physical system. So if you are looking at supply chain resilience and security as well as third party agreements, they need input from a risk and security professional too. Business continuity management will feature heavily in this process too, and collaboration between security and business continuity professionals is vital.

Much of the CNI is in private sector hands and so there is no central management or oversight. There will be certain standards and accreditations required, of course, and I am not implying that the private sector is any worse or better than the public sector in terms of security; but there is a lot to be said for consistency, oversight and governance. A convoluted sector like CNI, with public, quasi-public and private sector, will therefore undeniably have an increased threat profile. Also, public bodies do not have the same pressure on profit to consider; for private sector partners or owners, that is an additional consideration with every decision on spend.

Some CNI systems have been in place for a very long time. Some of these systems were never designed to be used over the net, but they are now remotely accessible and connected to a range of other systems – used and managed via Internet Protocol (IP). If they are properly protected and have been risk-assessed, and any identified risk has been mitigated or accepted, then although it isn’t ideal, it is workable. However, some may be built on outdated operating systems that no longer receive security patches and are therefore vulnerable to compromise and exploit. Again, given that there is not a centralised set of requirements and updating systems is generally seen as cost and not investment, the potential for security failure is clear.

It is also not only inter-sector reliance we have to concern ourselves with when it comes to CNI. Foreign investment in the UK has brought some of our CNI into the hands of foreign nationals. While investment is great, the benefits must be weighed against the risk. In placing CNI under the control of, or connected to, other nations, which may be fully or part state-owned, we must be convinced that these installations or systems are not being run in a manner that constitutes a danger or threat to our national security.

Bringing security disciplines together to collaborate for the best result is clearly the way forward. But more than that, we need to understand and be able to talk to facilities teams, business continuity teams, procurement teams and board rooms alike. Looking at how cyber-threat to our CNI is evolving, we don’t have the luxury of time. We are now almost ten years on from Stuxnet, and the code is still out there, downloadable and editable. The capabilities are greater, there are greater numbers of threat actors and let’s face it … why go to war if you can cripple a nation through its own infrastructure?

Understanding the motivation behind an attack on an element of a nation’s CNI is very important. Unlike the meddling of a script kiddie in their bedroom who is probably looking for bragging rights, a CNI attack reveals an attacker of serious intent. The response and mitigation need to be just as serious.

About the writer

Mike Gillespie is a director of the Security Institute.