At the end of last year, a critical report from a Parliamentary Committee commented on the country’s inability to defend UK critical national infrastructure (CNI) from cybersecurity threats.
At a time of increased security risks, it’s a report that made people sit up and take notice, as the issues and dangers it describes are echoed across the globe. The Atlantic has sharks on both coasts.
What I found particularly interesting in the report was that many of these problems stem from the murky definition of CNI. The report argues that the definition is no longer as clear as it once was, because of the ever-expanding role of technology in, and the interconnectedness of, critical infrastructure.
Even 20 years ago, the internet did not carry the same vital importance, energy companies did not have to think about securing smart meters, and there certainly were not the vast levels of data sharing and analysis that these systems rely on now. It was a simpler time in that regard.
UK critical national infrastructure report: CNI definition needs expanding
The definition of CNI has to be both expanded and made precise: the cybersecurity threat is simply too large for it to be anything less than crystal clear. The next time a major cybersecurity incident happens, it might not be your Marriott or Quora account details that are taken; it could be that the water is turned off, or that the power dies across a country.
When dealing with critical infrastructure and its importance to both survival and communication, the stakes are raised significantly. In December 2015, Russia managed to cut the flow of electricity to over 200,000 customers in Ukraine for several hours, and it stands to reason that Russia and other capable nations have been refining their attack tradecraft since then. That attack was itself preceded by Stuxnet, the earlier sabotage of Iran’s uranium-enrichment centrifuges.
There were of course other concerns raised: the agendas of the private sector companies that operate within CNI, an inability to examine budgets and where the money is being spent on security, and a widespread lack of leadership at governmental level. But one fundamental issue that wasn’t explicitly singled out was the sheer difficulty of protecting carrier-grade networks that process millions of packets a second.
This isn’t limited to public sector or national networks either. Network and mobile operators, large enterprises, datacentres, cloud providers and ISPs have millions of users and millions of connected devices that generate huge amounts of data, stored on or traversing their networks, and that data is under constant attack.
The danger of slow-release attacks
The danger for networks this active is the “slow-release” or “low and slow” attack, a term that describes both how an attacker gains access to these networks and how the attack is executed. Like a bank heist in a movie, it usually begins with reconnaissance: mapping the network’s structure and looking, in particular, for a window that has been left unlocked.
Once a path is discovered, the attacker can move across the network and infrastructure over time, quietly pivoting from one host to another. The payload might be split into pieces and moved individually, disguised to look like genuine traffic, or hidden inside the noise of another attack or breach (such as a DDoS).
Once installed on the target and activated, the attack could be a single event (disk encryption, ransomware, extortion, mass data exfiltration), a slow poisoning of systems to disrupt operations, or a slow trickle of data exfiltration in the hope that it goes unnoticed for as long as possible. The key point is that these attacks unfold over a long period of time, and each individual step is small enough to look innocuous on its own. That makes them difficult to protect against.
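To make the “low and slow” point concrete, here is an added example (not code from the original post, and not any vendor’s detection logic) showing why a per-flow size threshold misses a drip-feed exfiltration that a long-window per-destination total and a destination-persistence check do pick up. The flow records, host names, addresses and thresholds are all constructed for illustration and are assumptions, not figures from the report.

```python
"""Why per-event thresholds miss "low and slow" exfiltration.

Added example, not from the original post. The flow records below are
constructed, not captured traffic; the thresholds are assumptions chosen to
make the contrast visible.
"""
from collections import defaultdict
from datetime import datetime, timedelta

MB = 1024 ** 2
GB = 1024 ** 3

# Assumed thresholds (not from the post): the size a per-flow alert fires on,
# the total one host may send to one destination within a trailing window,
# and how many distinct days of contact with one destination counts as suspicious.
PER_FLOW_LIMIT = 1 * GB
WINDOW = timedelta(days=7)
WINDOW_LIMIT = 5 * GB
PERSISTENCE_DAYS = 10


def build_sample_flows():
    """Constructed outbound flow records: (timestamp, src_host, dst_ip, bytes).

    host-a: one 8 GB burst to a single external address (the obvious case).
    host-b: 40 MB every hour to the same external address for 14 days.
    host-c: 2 MB every hour, rotating across 50 addresses (ordinary noise).
    """
    start = datetime(2019, 1, 1)
    flows = [(start + timedelta(days=3, hours=2), "host-a", "203.0.113.10", 8 * GB)]
    for h in range(14 * 24):
        ts = start + timedelta(hours=h)
        flows.append((ts, "host-b", "198.51.100.7", 40 * MB))
        flows.append((ts, "host-c", f"192.0.2.{h % 50}", 2 * MB))
    return flows


def per_flow_alerts(flows, limit=PER_FLOW_LIMIT):
    """Classic threshold: flag any single flow larger than `limit`."""
    return {src for _, src, _, nbytes in flows if nbytes > limit}


def sliding_window_alerts(flows, window=WINDOW, limit=WINDOW_LIMIT):
    """Flag a host whose bytes to one destination exceed `limit` within any
    `window`-long period. A two-pointer sweep over each (src, dst) pair's
    time-sorted flows keeps the cost linear in the number of records."""
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in flows:
        by_pair[(src, dst)].append((ts, nbytes))
    alerts = set()
    for (src, _dst), events in by_pair.items():
        events.sort()
        total, left = 0, 0
        for ts, nbytes in events:
            total += nbytes
            # Drop events that have fallen out of the trailing window.
            while events[left][0] < ts - window:
                total -= events[left][1]
                left += 1
            if total > limit:
                alerts.add(src)
                break
    return alerts


def persistence_alerts(flows, min_days=PERSISTENCE_DAYS):
    """Flag a host that talks to the same external destination on at least
    `min_days` distinct days: a beacon or drip-feed channel is persistent
    even when every individual transfer is small."""
    days = defaultdict(set)
    for ts, src, dst, _ in flows:
        days[(src, dst)].add(ts.date())
    return {src for (src, _), d in days.items() if len(d) >= min_days}


if __name__ == "__main__":
    sample = build_sample_flows()
    print("per-flow threshold   :", sorted(per_flow_alerts(sample)))
    print("7-day window total   :", sorted(sliding_window_alerts(sample)))
    print("destination persists :", sorted(persistence_alerts(sample)))
```

Run as a script it shows the contrast: the per-flow threshold names only host-a, the 7-day per-destination total names host-a and host-b, and the persistence check names only host-b. The second and third detectors need state that spans days, which is exactly what is expensive to keep at carrier scale and why the post’s point about purpose-built monitoring matters.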
The technology to monitor and analyse networks of this size exists, but there is still much to be done in terms of education about it. It is crucial that carrier-grade network providers and operators engage with security solutions built to handle monitoring and analysis at this volume of data. But they need to know about them first.
The CNI report has put blood in the ocean and stirred up the sharks – not just in the UK but across the globe. And as long as they are circling, whether they are other countries or malicious individuals, those in charge of CNI are going to need a bigger boat.