The National Cyber Security Centre (NCSC) was formed in 2016 to help protect the UK’s critical services from cyber attacks and help providers of those services manage major cyber incidents. NCSC has repeatedly warned that a major attack on critical national infrastructure is a matter of when, not if.
Despite this, a recent cyber security report[1] by the Joint Committee on the National Security Strategy (JCNSS), which monitors the implementation and development of the UK’s national security strategy, highlighted the following: “The 2016 National Cyber Security Strategy states that ensuring the resilience of the UK’s critical national infrastructure to cyber attack is a priority for the Government. But the Strategy does not set out (a) what specifically the Government wants to achieve; (b) over what timeframe; or (c) how it intends to measure progress.”
The committee evaluated the threats to, and readiness of, the UK in light of ongoing and future cyber attacks against the nation’s critical national infrastructure. And while the committee concedes that the formation of the NCSC was an important step and that the agency has delivered some important initiatives, it points out that the more significant ones are inherited from EU laws such as the Network and Information Systems (NIS) Directive.[2] With Brexit looming on the horizon, the UK Government is also busy identifying how international data protection treaties, currently aligned with the EU, will need to be renegotiated once the country leaves the European Union.
Under-resourced and Under-skilled?
In its own 2018 annual review, the NCSC stated that it handled 557 events over the prior 12 months.[3] This is not an insignificant number by any means, but there were many more incidents to which the NCSC was not able to respond due to under-staffing. Speaking of the support NHS Digital received from the NCSC during the 2017 WannaCry attack, Deputy Chief Executive Rob Shaw is quoted in the report as saying, “I expected an army of NCSC staff to appear on the hillside and come in to help us out, but it said, ‘Where do you want either of our staff?’ It does not have a lot of people with the expertise to do things on the ground.”
The skills gap is an issue for both the NCSC and the critical national infrastructure operators, such as those involved in energy, finance, transport and water, communications, and health, to name a few. Oral evidence taken from such operators cited lack of skills as the biggest challenge they faced. In a separate JCNSS report about cyber security skills in relation to the UK’s critical infrastructure,[4] the committee concluded that “there are not enough people in the UK who both possess [the required] specialisms and are also willing and able to work in the critical national infrastructure sector.” This raises the obvious question: is it simply a lack of skilled security workers across the UK, or is it a lack of reasonable pay in the public and critical national infrastructure sectors? It is reasonable to assume that people are taking their skills to private sector organisations that can afford to pay more.
The NCSC supplements its skills and resources through Industry 100, an initiative designed to bring in industry professionals and their experience to augment those in house.[5] But while this external resource is a useful way to bolster everything from project management to deep vendor knowledge, it does not provide the army of responders so desperately needed in times of serious and sustained attack against critical national infrastructure. That challenge has yet to be addressed.
Nation-States and More Threaten Critical National Infrastructure
Whilst many organisations that operate critical national infrastructure face the same kinds of attacks (such as denial of service and theft of personal data) as those in the private sector, they face multiple additional challenges and are also under more sustained attack from nation-states. The JCNSS cyber security report recognises the growing and evolving threat of nation-state actors, such as Russia, with its involvement in NotPetya and in the disruption of the Ukrainian power grid in 2015 and 2016. It also acknowledges that other nation-states pose significant threats based on their recent activities:
- North Korea: the UK and US attributed the WannaCry attacks to this nation-state
- Iran: responsible for the June 2017 email attack on the UK Parliament
- China: the US has set up a task force to counter the theft of corporate secrets and intellectual property by Chinese-backed actors
The cyber security report also notes that attacks are shifting from IP theft to the disruption and destruction of systems and networks. But while some state-sponsored attacks are deliberately targeted, reckless ones (such as NotPetya) can be just as damaging to a country’s critical national infrastructure. The NotPetya malware, intended to target Ukraine, also hit the Danish shipping company Maersk, causing chaos to shipping and logistics around the world until the company recovered over a week later.
Critical national infrastructure is also unique in that it relies on both traditional IT systems and operational technology (OT) such as industrial control systems (ICS). These are often legacy systems that were not designed with security in mind. Despite this, they are increasingly connected to the Internet with a view to increasing automation and productivity. F5 Labs’ own research on cellular-connected devices showed that both old and new IoT/OT systems are as vulnerable as ever. And, as they are progressively incorporated into our physical world, they are beginning to pose a real threat to human life.
As a final layer of complication, many of Europe’s critical national infrastructure organisations, particularly in the UK, are privately owned. Mandating that government institutions implement specific cyber security policies is already complex. Attempting to impose similar requirements on private firms is a delicate, if not impossible, ask.
Who’s Really Driving Regulation, Anyway?
Before the EU’s NIS Directive, regulation of critical national infrastructure was fragmented, inconsistent, and divided among sectors. Cyber security regulation was provided by bodies that were originally set up with the primary intention of protecting consumer rights and auditing financial spend. The NIS Directive brings consistent network security requirements across critical national infrastructure organisations throughout the EU.
So, between the General Data Protection Regulation (GDPR), the NIS Directive, and the Payment Services Directive 2 (PSD2), it seems that the driving force behind tighter regulation is coming from Europe rather than originating within the UK. Although the UK has adopted all EU laws into its domestic legislation, time will tell how progressive the UK will be with its data privacy, cyber security strategies, and legal frameworks post-Brexit. Will the national laws be updated to match the European equivalents when those are inevitably updated? While the UK government has made clear its intention to continue participating in European cyber security incident response teams (CSIRTs) post-Brexit, it remains to be seen how effective the relationship will be once legislation falls out of sync.
The NIS Directive is not a silver bullet, however, as some critical national infrastructure sectors (such as water, chemical, nuclear, healthcare services?) are still without regulatory and enforcement oversight.
What’s Next for Protecting Critical Services?
The UK defines some thirteen sectors as critical national infrastructure,[6] while other countries, such as the US, define up to sixteen.[7,8] Some have said that the UK’s definition is so broad that it reduces the ability to focus security efforts on the most important issues. The larger the scope, the more difficult it is to know where to concentrate limited resources. Where does critical national infrastructure end and the wider infrastructure begin? The swelling interconnectedness of systems and the explosive growth of IoT continue to blur the lines between critical national infrastructure, our cities, and humans themselves.
Yet, protecting that infrastructure must be central to the cyber security strategy of any nation. No country can afford to wait and learn from experience. The UK, in particular, will have much work to do once it leaves the EU and no longer benefits from the laws and regulations the EU is introducing. It may be impossible to fully predict how attacks will change, so we need to design with resilience in mind and consider the impact the loss of any system might cause.