Cyber risk to critical UK infrastructure puts businesses at risk too

As Royal Mail revealed it has fallen victim to a cyber-attack this week, Simon West, head of Cyber Advisory at Resilience, explains why building cyber resilience is vital for any business as the risk environment becomes ever more acute.

The undersea gas leak suffered by the Nord Stream 1 and 2 pipelines in September, potentially as a result of sabotage, exposed the risk to energy supplies posed by rogue players or states. It also served as a reminder that it could be an attack on critical national infrastructure (“CNI”) that causes blackouts this winter rather than a demand surge during a cold snap. The collateral damage caused by a cyberattack is systemic, due to our enormous reliance on CNI, particularly energy. That is why all organisations, including private energy companies, must not confine their concerns to just IT or security threats but need to take a holistic approach to building cyber resilience against real threats to their business.

The first confirmed cyber operation to successfully take down energy infrastructure was the 2015 Ukraine power grid hack, which saw 230,000 residents of the western Ivano-Frankivsk region without electricity for up to six hours. This was a sobering sign of what is possible. For UK infrastructure it is vital to also have security and contingency plans in place, particularly in the wake of Ofgem’s recent warnings of potential grid blackouts across the UK this winter.

In the 12 months through to January 2022, 39% of UK businesses experienced a cyber-attack, which was broadly in line with numbers seen in previous years. But another observation was that enhanced cyber security leads to higher identification of attacks, suggesting that less cyber mature organisations in this area may be underreporting attacks.[1] It all highlights the need for careful risk management to prevent unwanted network and systems exposure.

From a digital perspective, the increasing threats come at a time when usage of, and demand for, technology devices connected to the internet have never been greater. The ever-growing access to connectivity with the introduction of 5G to support the Internet of Things (“IoT”) means that the attack surface of UK organisations has increased dramatically. This is particularly relevant as energy systems develop to meet the need to decarbonise. Decentralised and distributed energy resources and smart power grids, all heavily reliant on the transmission and transfer of data, will require greater cyber resilience than existing infrastructure, and it will need to be integrated alongside their development and roll-out.

This year has seen geopolitical events highlighting the need for reliability and security in energy provision. Recent research by Bridewell found that more than 7 in 10 of the UK’s CNI cyber security decision-makers have seen an increase in cyber-attacks since the outbreak of the Russia-Ukraine war. Meanwhile, the Prime Minister of Norway, which is Europe’s largest supplier of natural gas, recently issued a warning about the Russian cyber threat to energy, saying it poses “a real threat and serious threat” to the country’s oil and gas.

For most organisations, the four main threats come from phishing, attacks by nation states, compromised supply chains, and physical threats.

An example of an attack by a nation state would be North Korea’s attack on Sony back in 2014. North Korean hackers have also been linked to cryptocurrency thefts in recent months. Supply chains pose a risk, not only because the supplier businesses may have weaker defence systems, but because they may be integrated into another company’s operations, giving hackers a way in. As more suppliers and service providers gain access to sensitive data, the attack surface of a typical organisation expands.

Closer to home, the 2017 WannaCry attack, which affected the NHS, demonstrated that cyber-attacks need not target CNI to have significant consequences. Ransomware attacks too continue to seriously impact UK businesses and public services – notable recent examples being attacks on a supplier to NHS 111 and South Staffordshire Water.

The UK has thus far managed to avoid any major cybersecurity attacks on key infrastructure, but with the UK’s CNI becoming ever more interconnected and digitized, the risk of cyber threats will continue to increase. Operators need to not only improve security measures but improve connectivity across such infrastructure to better manage threat intelligence across the country.

There is abundant research showing that around 70%-90% of security breaches involve human error – be it accidental or deliberate. Staff training is vital, such as on the risks of phishing and how to avoid it. In addition, Multi-Factor Authentication for signing-in, email authentication protocols, and the Principle of Least Privilege (PoLP) are all good processes to have in place to reduce human-related risks.

It is important for enterprises to not silo cyber risk with its own separate budget and mitigation strategy, but for senior leadership to ensure that the entire organisation has a cyber hygiene plan, given the interconnected, digital profile of most companies. The damage caused by an attack on suppliers and utilities can be devastating, even in departments such as finance, HR, or legal – as we have seen with the Colonial Pipeline shutdown, these departments are critical to keeping infrastructure operational, and the list goes on. It is therefore essential to have in place a plan to reduce their exposure by incorporating a combination of technical visibility, risk transfer (cyber insurance) and risk mitigation strategies (cyber hygiene).

Building in such cyber resilience should be part of the planning process for any business. It needs to be holistic, across the business and underpinned by a clear C-suite commitment. By doing so, it can not only safeguard a company’s reputation but, given the statistics on how many businesses fail to recover from a cyber-attack, can help ensure its very survival too.