Atkins’ Sandra Connery outlines the vital importance of protecting critical national infrastructure against cyber-attacks.
Cyber-attacks on IT systems around the world are increasingly hitting the news headlines, with purportedly state-sponsored hackers shifting up a gear to the systems that operate critical national infrastructure; the operational technology that’s the soft underbelly of UK cyber resilience. So how can we protect the systems that drive these vital assets?
This new wave of cyber-attack has the potential to cause serious damage to everyday life by attacking the underpinning operational technologies that run the critical national infrastructure that developed countries depend on 24/7. Most concerning is the rate of acceleration and sheer scale of these attacks.
In just one month, April 2022, Chinese hackers reportedly targeted India’s power grid, and Ukraine’s power grid was reported to have been ‘lucky’ to withstand a Russian cyber-attack. Had these attacks been successful, they would have had a severe impact on national and local populations.
The threat is real
These systems manage the provision of power and water to homes, factories, offices, schools, and hospitals, through nuclear, oil, gas, wind, and solar energy – and that manage transport systems. The threat of attack is real, so building-in more resilience to the operational technology that drives them is vital, as well as having robust processes in place to help systems recover and get up and running again.
Successful protection can only be achieved with a team approach and mindset. That means the engineers who have designed, as well as those who operate and monitor the systems, and those who actively protect them, working together. They must have joint knowledge and understanding of how the underlying technology works, and what the impact would be if all or part of the system fails. They must also agree at which point, people, process, or technology controls – or a combination of all three – kick in so that protection doesn’t disrupt the everyday functionality or safety of the systems involved.
Resilience across multiple business functions
People, process, and technology must work together across multiple business functions; protecting operational technology needs to go several steps further than protecting ‘normal’ business systems. The first step is to know your assets, and then consider the operational impact security can have on safety, availability, integrity, and confidentiality to grade the security importance.
It’s important for your cyber and engineering teams not to jump straight in and attempt to protect systems using the usual protection methods; this may cause more harm than good. Instead, a standard approach to improving security maturity and resilience of critical systems is needed. The good news is, there is a framework to help.
Five functions of the NIST CSF
The National Institute of Standards and Technology Cyber Security Framework (NIST CSF) is a voluntary framework that can be adopted globally. It is aimed at reducing cyber risks to critical infrastructure. The UK’s Network and Information Systems Regulations (NIS-R) loosely aligns with NIST CSF. The NIST CSF is clearly set out into five functions:
The first function, to identify, refers to knowing what’s important to your business, and the critical service the business delivers.
The need to protect is about selecting the appropriate level of protection – such as limiting connections between networks, or limiting or excluding remote access, raising cyber awareness and implementing those all-important back-up systems to enable efficient recovery.
This third step refers to the prompt discovery of cybersecurity events and anomaly detection so that your teams can quickly understand the potential impact on all parts of the system gathering expertise from across the business is vital here.
Involves understanding how to respond when a cyber security event is detected. Your organisation can learn from previous incidents, either through trial exercises, or real events, to inform a response plan. The plan must include all stakeholder involvement, including communications, commercial, legal, government and regulators.
The final step is to recover and restore all systems to their normal function. This requires coordinated communications with internal and external stakeholders, a clear understanding of your place in the supply chain and most importantly, building valuable lessons back into your business model.
In today’s unpredictable and dangerous geopolitical climate, it’s a fact that cyber security incidents could affect any organisation, anywhere. So, it’s our duty to our stakeholders, shareholders, customers, and citizens to be protected, ready to respond, and ready to recover – and implement cyber resilience into the heart of operations as a matter of urgency – to protect the systems that sustain us.
Sandra Connery is principal cyber security consultant at Atkins.