Save Britannia: Cyber Risk for Critical National Infrastructure

According to the UK government’s National Risk Register, cyber risk levels are increasing. Should we be worried? Phil Muncaster looks at how protected the UK’s CNI is

Since 2008, the UK government has published a National Risk Register (NRR). Its aim? To share an expert risk assessment with businesses and organisations so that they can build resilience for a future worst-case scenario. These scenarios cover 89 risks under nine themes – one of which is cyber. It’s indicative of the importance with which the domain is now viewed and the potentially severe impact that sophisticated digital attacks on critical infrastructure (CNI) could have on the populace, the economy, national security, and Britain’s relationship with its international partners.

The bottom line is this: cyber risk is on the rise. While the likelihood of a serious event occurring has remained the same since 2020, the potential impact of one has grown significantly. It should serve as yet another reminder for senior risk planners of the need for vigilance.

What the NRR says

The NRR is not meant to be exhaustive, but rather to capture various possible events across specific areas like terrorism, health, society, natural hazards, and cyber. This year’s report drew on 25,000 pieces of data and, for the first time, is based directly on the National Security Risk Assessment (NSRA), a classified government document compiled from the views of hundreds of government subject matter experts.

It suggests several cyber-related events or risks that could manifest over the coming two years. They include:

Gas infrastructure: Encryption, theft or destruction of data and/or disruption to operational systems, causing supply outages for up to three months.

Electricity infrastructure: Encryption, theft or destruction of data and/or disruption to operational systems, causing disruption for several months.

Civil nuclear: A cyber-attack requiring the shutdown of a civil nuclear-generating site, resulting in temporary loss of supply to the National Grid.

Fuel supply infrastructure: An attack causing the temporary loss of fuel supply to a region.

Health and social care: Significant systemic service disruption due to fast-moving ransomware and data compromise/theft. The resulting cancelled appointments, delays to medical procedures and tests, and A&E diversions would seriously impact patient care.

Transport sector: Widespread disruption to public transport across the UK, causing economic and reputational damage and taking days to recover from.

Telecoms systems: A state, cyber crime or hacktivist attack on a major operator, causing outages to landline, mobile and broadband services, impacting millions of customers, potentially for months.

Financial market infrastructure: Destructive attack causing data to be overwritten and disruption to critical services for several weeks.

Retail bank: Significant destruction and total disruption of banking systems, including data exfiltration, causing outages for several days and heightened fraud and operational losses.

The above are bundled together as “cyber attacks on infrastructure” and given a 5-25% chance of occurring in the next two years. Now, 25% seems pretty high, and it is given a score of four on the one to five scale used by the report, with one being least likely and five most likely. However, the “yardstick designation” for a 5-25% chance of an event happening is listed as “highly unlikely.” So that’s worth bearing in mind.

It was the same in 2020 when the last NRR was compiled. However, the assessed possible impact of such an event has changed somewhat in the past three years. In 2020, the resulting economic damage from such events was estimated at £10-100m. Today, the estimation runs into “billions of pounds”. In 2020, the expected fatalities were nine to  40, with a further 200-1000 people potentially needing to be evacuated. Today, possible fatalities are estimated at 201-1000, with an additional 400-2000 casualties.

How concerned should we be?

The growing impact of possible CNI attacks is perhaps a reflection of cyber’s increasingly important role in maintaining facilities and the country’s reliance on them. But how accurate are those predictions likely to be? Arun Kumar, regional director at IT vendor ManageEngine, describes the assessment as “cautiously optimistic”, arguing that 2017’s WannaCry ransomware worm highlighted the potentially severe impact a fast-moving healthcare attack could have on patient care. Fortunately, the damage was contained after a security researcher found a ‘kill switch’ to neutralise the attack.

“AI developed in the right hands could be the antidote to AI-enabled threats” Arun Kumar

“Now AI is being used to expedite the time to attack and raise the threat level once more. On the flip side, AI developed in the right hands could be the antidote to AI-enabled threats,” he tells Assured Intelligence. “The probability and impact of a major cyber attack will continue to increase as AI becomes more sophisticated, but these factors can be kept in check by AI-enabled prevention and remediation techniques.”

Egress VP of threat intelligence, Jack Chapman, adds that the challenge for network defenders is the range of tools, techniques, and procedures (TTPs) available to threat actors.

“The differences that these [CNI] sectors face are likely to be the volume of attacks, the sophistication of attacks and the persistence of attacks,” he tells Assured Intelligence. “It will also depend on the attacker’s intent. Is it to disrupt (via ransomware, bricking or man-in-the-middle interference)? Is it to steal IP and information? Or is it to cause political unrest? Everything from phishing to stegomalware can be used if it meets the attacker’s goals.” Never heard of stegomalware? Don’t worry, neither had we. Essentially, it’s a type of malware that hides one piece of information within another, making it difficult to detect.

The chronic risk of AI

Aside from the “acute” risks of cyber attacks on CNI listed in this year’s NRR, there is also a special mention of artificial intelligence (AI) as a “chronic” risk. These risks typically manifest over a longer period but are no less serious. In fact, they can make acute risks “more likely and serious” while posing “continuous challenges that erode our economy, community, way of life, and/or national security,” the NRR states.

As organisations rely increasingly on artificial intelligence for competitive advantage and operational efficiency, they will become more vulnerable to potentially serious AI-related events, it warns.

“The differences that these [CNI] sectors face are likely to be the volume of attacks, the sophistication of attacks and the persistence of attacks” Jack Chapman

ManageEngine’s Kumar describes several ways the technology is already used in attacks. These include deepfakes, designed to create hyper-realistic copies of people’s voices and faces that can be used in disinformation campaigns to destabilise the populace and fraud.

“Tools such as generative AI could also generate disinformation when combined with collated personal data. For instance, experts are warning that the data accessed in the Electoral Commission hack could be used by rogue actors alongside generative AI to create fraudulent emails or texts to target voters with disinformation,” he adds.

In fact, it is more than likely that generative AI tools like ChatGPT are already being used to design and execute highly convincing phishing and fraud campaigns. WormGPT and FraudGPT are malicious large language models (LLMs), a type of AI model trained on vast amounts of text data to generate human-esque text. They are being marketed on underground forums to lower the entry barrier for various cyber crime techniques designed to defraud victims and compromise corporate networks.

“Once in a corporate network, the criminals can easily spread and use AI-developed malware with mutating capabilities that allow them to stay undetected in the compromised network,” claims Kumar. “This method enables them to encrypt, steal, or destroy the data upon which these critical systems depend.”

Tackling cyber risk in critical infrastructure

From a cyber perspective, the ultimate goal of the NRR is to arm CNI leaders with the knowledge they need to build resilience into systems. That said, it’s light on prescriptive advice for mitigation. So, what should IT and business leaders do to tackle the risks outlined in the report?

Kumar sees a significant role for best practice frameworks like those produced by the US National Institute of Standards and Technology (NIST) and rules laid down in the GDPR and other relevant legislation. He adds that collaboration is also paramount “internally and externally within the cybersecurity community, encompassing researchers, professionals, enterprises, and policymakers.”

Egress’s Chapman adds that security teams must constantly look at new and emerging threats.

“As attacks and risks are evolving at pace, it is important that organisations’ defenders do as well,” he concludes.

“To achieve this, they should consider using crown jewel methodology around critical assets, mapping and controlling routes in and out of the organisation, implementing layered security approaches for all defences, and having robust incident response plans which are actively tested and trialled.”

It’s a tall order for many CNI firms, especially those struggling to allocate sufficient resources to cyber. But the alternative is undoubtedly even worse.