Defined by the Home Office as being the “facilities, systems, sites and networks necessary for the country to function”, the state of the nation’s critical national infrastructure is, well, critical.
Steve Cummings, currently a special adviser to Deloitte’s Security, Privacy and Resilience group, used to be the director of the Centre for the Protection of the National Infrastructure (CPNI) and knows more about critical national infrastructure than most. The CPNI prefers the definition of CNI as being “the essential services delivered by communications, emergency services, energy, finance, government, health, transport and water sectors”. In other words, as Cummings explains, “those assets, physical or electronic, that are vital to the continued delivery and integrity of essential services upon which the UK relies, the loss or compromise of which would lead to severe economic or social consequences or loss of life”.
"Government can only reduce spending at the cost of increased risk and vulnerability"
Eli Jellenç, iDefense
You can’t really get much clearer than that, and certainly this definition enables organisations such as the CPNI to focus effort and resources on those assets that would have the greatest national impact if they were compromised.
“You cannot protect everything, so a prioritised programme is necessary”, Cummings told us, adding “the concept of the national infrastructure develops continually as business processes and networks change”.
So some areas that were once classified as critical cease to be so, while others (most recently the emphasis has been on the communications sector) can become critical overnight. “CPNI and other government departments and agencies work with industry to keep abreast of infrastructure changes”, Cummings says.
CNI threatscape
Infrastructure changes are relatively easy to monitor, but what about the ever-changing threat landscape that the UK’s CNI faces? Robin Bloomfield, head of the Centre for Software Reliability (CSR) at City University London, defines the threatscape in two halves: threats posed by natural disasters, and threats caused by humans, whether deliberately, accidentally, or maliciously. Threats posed by humans could include bad decisions, mistakes, or malicious attacks.
Bloomfield insists that “the potential for damage posed by a given threat has arguably increased due to changes to the way in which critical infrastructure is managed and operated”. He gives us the example of centralisation of control and remote access, which provides the potential for an attacker to cause damage over a wide area without requiring physical access to the infrastructure.
“The ability to monitor and control the infrastructure”, Bloomfield warns, “now depends on the availability of the network, so attacks on the network could prevent the infrastructure from being managed effectively, leading to a denial-of-service situation”.
"Regulators are more concerned about protecting the consumer than about ensuring resilience and security of supply"
Steve Cummings, Deloitte
Mikko Hypponen, chief research officer at F-Secure, advises governments worldwide about internet security issues, data protection and the tactics of cybercriminals. He believes that there are two main problems at the moment when it comes to the cyber front line: large-scale denial-of-service attacks and state-sponsored cyber espionage. F-Secure have been tracking targeted spying attacks since they were first observed in 2005, with targets including large companies and governments alike. “We’ve seen these attacks in the UK and in numerous other countries”, Hypponen says, adding “we must assume several governments are engaging in similar attacks”.
Of course, some espionage is best done from inside the target, admits Iain Chidgey, EMEA general manager at ArcSight, a company that works with 27 governments, including the UK’s, and counts protecting critical infrastructure among its core competencies. He warns that the “concept of a hard shell, soft interior is no longer sustainable” as “the harder the shell gets, the greater the likelihood that hostiles will employ insider tactics to extract sensitive data and compromise systems”. Indeed, a lot of the work he does with government agencies around the world is focussed on insider threat detection and remediation.
The inescapable fact of the matter is that CNI organisations face the exact same range of threats as any other organisation doing business today – from ‘acts of God’ to terrorism, and everything in between. All sensible businesses have plans to mitigate these events as part of their security risk assessment. “At a national level”, Cummings tells us, “these risks are published in the National Risk Register by the Civil Contingencies Secretariat at the Cabinet Office”.
CNI defenders
Okay then, so which organisations are actively involved in protecting our critical national infrastructures? Are the defence strategies in place strong enough to provide ‘worst-case-scenario’ protection for the UK? Answering the questions in reverse, Cummings explains that the security of the national infrastructure is based on a risk management process like anything else and “the level of security has to be proportionate to the assessed level of risk”. So no, defence strategies will never be capable of worst-case-scenario protection.
“The government’s security strategy aims for security to be proportionate and to allow businesses and people to go about their lives as normally as possible”, Cummings notes. “Security has to enable things to happen safely but not get in the way.” That said, where there is clear evidence of an increased threat, such as we have seen with the aviation sector of late, then additional security measures can be implemented very quickly indeed. If this sounds a little Heath-Robinson in approach, it only gets better as Cummings also tells Infosecurity that as far as CNI goes, “there is some security in the complexity of its physical and electronic networks, and fortunately most attackers are not experts in these systems”.
"Security has to enable things to happen safely but not get in the way"
Steve Cummings
As for who the CNI defenders are, that’s also perhaps less encouraging than you might imagine. “Most of the national infrastructure is owned by the private sector and essentially it is the responsibility of owners and operators to protect their assets”, Cummings says. Of course, it’s in their best commercial interest to do so, not to mention the social responsibility factors.
Government departments, however, also have a responsibility for encouraging and enabling businesses in their sectors to implement proportionate security measures. Cummings does admit that there is a strong feeling from some quarters that “regulators are more concerned about protecting the consumer than about ensuring resilience and security of supply”.
Beyond the regulators come the real defenders – agencies such as the CPNI, which provide advice to the CNI on security; the National Counter Terrorist Security Organisation (NaCTSO) advising crowded venues such as sports stadia and shopping centres; the Civil Contingencies Secretariat, which plays a role in helping the CNI prepare for and respond to the impact of natural hazards, such as flooding and flu; the Communications-Electronics Security Group (CESG) at GCHQ, which advises government on cybersecurity; and the recently established Office of Cyber Security (OCS) to oversee delivery of the UK Cybersecurity Strategy.
Government responsibility
So just what should the new government administration actually be doing to improve defences and better protect our CNI from the changing dangers and somewhat volatile threatscape that the country faces today and, more importantly, in the future? We asked that question of Peter McAllister from Vistorm, with responsibility for leading the ‘Close in Government’ Cyber Security Practice and with involvement in developing the UK Government’s Information Assurance Strategy with CESG and the Cabinet Office. If anyone knows, then he should. “A key issue that arises with the concept of CNI is the boundary between the private and the public”, he told us, adding “to what extent is it appropriate for the state to intervene in the running of private businesses?”
It’s an interesting point, as we readily accept the appropriation of business property in wartime for a short period, but the cyber threat is effectively permanent and ongoing, so the boundary between business and state is being permanently re-drawn. “Government will increasingly have to tread a careful path between the apparent public distrust of its ability to protect the citizen, rejection of intervention and intrusion on privacy, and the effective management of the risk to ensure public confidence”, McAllister insists.
Given the nature of a coalition government and the ongoing budgetary battle to decrease the national deficit, what are the consequences should the new administration do nothing, or more likely, cut spending in CNI defences in the name of efficiency savings? After all, as Chris Frampton, UK compliance officer and head of business assurance at T-Systems reminds us, security is often the most discussed area of our defences and yet one of the most poorly funded. “If the UK does not start to think of a converged environment where accurate information can flow in real time to all of the stakeholders in our UK defence network”, Frampton warns, “then we will always be at the mercy of the terrorists and hackers”.
While spending increases are not in and of themselves the answer to everything, and that includes national security, there can surely be no doubting that budgets will have to be allocated carefully if CNI security is not to be compromised. Eli Jellenç from iDefense certainly thinks so, telling us that “this and any subsequent government can only reduce spending at the cost of increased risk and vulnerability”. But not everyone is worried, and in that keep calm camp sits the rather important figure of Steve Cummings who reassured us with a reminder that as most of the national infrastructure is privately owned, “a cut back in government spending would not have a huge direct impact”.