Is our Critical National Infrastructure safe from emerging threats?
Critical National Infrastructure (CNI) is defined as ‘those facilities, systems, sites and networks necessary for the functioning of the country and the delivery of the essential services upon which daily life in the UK depends’.
So, based on the significant impact that the loss or compromise of CNI would have on UK interests, it goes without saying that these are facilities that require the very highest level of protection.
But are these sites really as safe as we would hope they are? Are risk and threat assessments, and the subsequent application of security control measures, evolving at the same speed as the threats themselves?
Attacks against Critical National Infrastructure
The latest Global Threat Report from Dell Security reveals that attacks against Industrial and Building Management systems and supervisory control and data acquisition (SCADA) systems have doubled in the last 12 months alone. Many CNI sites and facilities make use of such systems and rely heavily on them to control numerous complex and critical functions.
We need only look at the Natanz uranium enrichment plant in Iran or the as yet unnamed steel mill in Germany, both of which had their industrial management systems targeted by Malware and both of which suffered massive physical damage at the virtual hands of their attackers.
The now infamous Stuxnet Worm that decimated the Iranian nuclear weapon programme in January 2010 was introduced by USB stick and then quickly targeted the plant’s safety control systems, forcing the centrifuges that were used to enrich the uranium to spin out of control and destroy themselves. The worm spread throughout the system to 14 geographical locations across Iran, having been transmitted by removable media, email and simply through the inter-connectedness of the system, before it was finally discovered. It was recently announced that the attack had been carried out by the US Government in collaboration with the Israelis as a means of halting Iran’s development of nuclear weapons.
Meanwhile, it was a spear Phishing attack that destroyed the German steel mill in December 2014; a series of social engineering scams and carefully targeted emails to employees, that appeared to originate from within the organisation, was used to obtain security credentials that then afforded legitimate access to the facility’s control systems. Once the system had been infiltrated, safety systems were disabled and the plant was effectively destroyed from within.
Remote access
The latest generations of these management systems are fully connected to the internet of things in order to provide remote access, monitoring and system administration to be carried out, often by third parties. The reliance we place on these systems and the potential vulnerabilities that they present to many organisations, including CNI, is concerning to say the least.
Whilst I am certain that robust measures are in place to protect these management systems across the CNI estate, it doesn’t take much to circumvent these controls and strike at the very heart of the UK’s, or even the world’s, critical infrastructure. A door left ajar, an unsolicited email opened, a request from an IT helpdesk to change a password or an approach through any kind of social network may be all it takes to hand an adversary the virtual or literal keys to the castle.
‘By proxy’ attacks
Another consideration is an attack against CNI ‘by proxy’; as with many public and private sector organisations, CNI outsources many critical functions to third parties and utilises small and medium sized enterprises (SMEs) as suppliers, contractors and partners. Frequently, attacks on larger organisations come from within their own supply chain, with the smaller organisation not being fully aware of the role it is playing or the vulnerability it presents to the larger organisation it is working on behalf of.
Often by virtue of ignorance or a failure to understand the true nature or capabilities of a potential adversary, these SMEs provide an attractive conduit for adversaries to attack CNI.
An adversary will invariably exploit the weakest link and follow the line of least resistance. This may mean that an attack against CNI may not directly target the CNI facility itself, but rather the smaller contractor or partner who is connected physically or through the internet of things. This smaller organisation may not have the money or the resources to provide an adequate level of protection, making it, and, by association, CNI vulnerable.
The last consideration is the advent of new technologies and the fact that our current methods of assessing risk and its component parts of threat and vulnerability are often protracted, lengthy and do not move as quickly as the threats themselves are capable of evolving.
Protecting our Critical National Infrastructure
Of course, many of the issues outlined here are not the result of highly complex or technical attack methodologies; whilst the payload is often technically advanced, the delivery method is nothing more than the people we work alongside and the security culture, or lack of, that permeates our organisations, including, I would wager, large percentages of the CNI estate.
A lack of awareness of the threat or ignorance towards the application of basic security principles from an employee in a critical role may be all it takes for an adversary to exploit and therefore successfully target or infiltrate the organisation. So how do we deal with the vulnerability that our people and our lack of a robust security culture present to our most important infrastructure?
The first is to create a good understanding of the nature of the threats that may target our CNI; this needs to be a living process that is widely communicated throughout our organisations internally and to all of our stakeholders, contractors and suppliers.
The next is education; creating a robust security culture will not happen overnight, but it has to start somewhere. Increasing awareness, not only of the threat, but the impact and the consequences, is essential in developing a culture where people will act instinctively in a security conscious manner.
The final consideration is that this is a journey, not a destination. The threat landscape is fluid and constantly changing; it is only limited by the imagination of those who wish to cause us harm or who seek to profit from attacking our CNI. As soon as you think you have a good understanding of threat and have sufficient mitigation measures in places, chances are it is out of date and our adversaries will have moved onto something else.
Paul Oughton
Consultant, Advent IM Security
