Blogs & Opinions 30.12.2024
UK CNI: “The Most Complex Threat Environment We’ve Ever Seen”
The ability to disconnect and reconnect networks at will is the ability to protect CNI from cyber attacks
The UK’s critical national infrastructure (CNI) is under attack. Crucial for delivering public services, supporting growth, and maintaining national security, CNI is underpinned by digital infrastructure. The increasing connectivity of the systems that make up our CNI — from transport to healthcare — means these systems have become exposed to online threats. In other words, our CNI is a prime target for cyber attacks.
Network breaches are a type of invasion – even if they originate from thousands of miles away. When CNI is breached, hostile individuals or nation-states can exercise influence over a country’s public services and steal sensitive data. For example, before Russia invaded Ukraine via land, it laid some groundwork through DDoS attacks aimed at various Ukrainian CNI to promote chaos within the country, steal focus and weaken the country’s defences. As part of this offensive tactic, Russia managed to disable Ukraine’s satellite communications briefly. In the run-up to the invasion, the number of DDoS attacks originating in Russia rose by 450%.
Working with CNI and operational technology (OT) systems often involves dealing with legacy infrastructure that has been gradually integrated with IT networks as industries have become increasingly digitalised. This means the networks governing CNI haven’t been designed from the ground up with security in mind, inevitably leaving gaps in their defences for hackers to exploit.
The UK is currently the third most targeted country by cyber attacks, following Ukraine and the USA. This situation is, in part, an ongoing consequence of Russia’s invasion of Ukraine. Hacker groups themselves explicitly confirm they look to target the UK’s CNI, such as when pro-Russia group Killnet threatened to take down life-saving ventilators in British hospitals as a consequence of one of the group’s members being arrested.
In an update on the national security threats facing the UK last month, MI5’s Director General Ken McCallum called the current landscape “the most complex and interconnected threat environment we’ve ever seen”. Even as we attempt to limit the influence of countries like Russia by imposing sanctions and minimising the presence of embassy-based intelligence operatives, this only serves to make cyber an increasingly important attack vector.
Globalisation has transformed supply chains. However, in the same way that increasing the connectivity of CNI systems increases their exposure, the increased geographical connectivity of countries has created more avenues for a security breach. So, when it comes to CNI, procurement must be done properly. This means making sure all network components and supply chains are adequately vetted, with any links to potentially hostile nation-states at any point in the supply chain rooted out – whether it’s third-party links or where assembly lines are located.
Ideally, all network components should come from NATO member countries. No matter how secure everything else is, one weak link can expose an entire network.
Next, it’s time to examine how systems are set up and how security is integrated into networks. Physical safety and virtual security will be part of any CNI cybersecurity strategy. Because CNI is critical, as its name suggests, it’s often assumed that this means the infrastructure needs to always be online.
It’s time to interrogate this ‘always-on’ mentality. As the MI5 Director General said in his speech, “It’s hard to overstate the centrality of the online world in enabling today’s threats”. The internet is the platform connecting malign actors to our CNI; we must think about where and when we’re connecting CNI to the internet. As long as it’s connected, it’s at risk.
There have been calls in the UK for legislation to mandate cyber resilience standards for CNI. As part of this, we must examine our approach to protecting these systems. The reactive approach of digitalising systems and adding one out-of-the-box cyber solution as an afterthought or tick-box exercise doesn’t work.
Entire systems do not need to be constantly online. We need to start building firebreaks into the networks governing CNI. These firebreaks can instantly disconnect these networks or parts of networks from the internet when they aren’t required, dramatically reducing CNI’s attack surface. When the trigger to disconnect doesn’t come via the internet, it offers the power to shut systems off from attacks completely, physically segment networks, isolate critical assets and data, and contain threats or breaches when they do occur.
Building a properly layered defence on top of a layer-one foundation of physical air gapping is the only way to have total control over infrastructure that is constantly under threat of attack and where a successful breach can have such far-reaching and tangible consequences – including for public safety. The bottom line is that the ability to disconnect and reconnect networks at will is the ability to protect CNI from cyber attacks – whoever is behind them.
Tony Hasek is the CEO and co-founder of Goldilock. From his days as a paratrooper in the Canadian and Australian armies, to his leadership roles in cutting-edge technology firms, Tony has consistently demonstrated a fearless approach to innovation and problem-solving. He has successfully founded and scaled multiple ventures, raising millions of dollars from leading investors. After a distinguished career in the military and academia, Tony founded one of Central Europe’s largest system integration companies and played a pivotal role in opening the first Apple Store East of Berlin. Driven by a passion for creating a safer internet, Tony established Goldilock to empower individuals to take control of their digital identities and protect their online privacy.