The UK’s traffic control and transport systems are the latest piece of critical infrastructure (CNI) experts are warning could be sabotaged by nation state hackers.
The comments came initially from Christopher Deverell, the commander of Britain’s Joint Forces Command, on BBC Radio 4’s Today program.
“There are many potential angles of attack on our systems. A lot of our capabilities in society depend on our control systems which are accessible by cyber-space,” he argued.
"So you can imagine threats to power stations, threats to air traffic control, threats to transport systems. We need to be able to defend ourselves against them.”
Michael Fabian, principal consultant at Synopsys, argued that the precedent for disruption of CNI via cyber-attacks has already been set globally.
"What we can take away as a positive is that officials are aware of the potential risks, and we can hope they are actively pursuing remediation programs to improve the security of their operations, keeping the UK’s core infrastructure safe,” he added.
Russia has famously been behind much of that disruption, infiltrating the US energy grid, attacking UK telecoms, media and energy sectors and most recently compromising routers and NAS devices with destructive malware.
It has also been blamed for the 2015 and 2016 attacks on Ukrainian power stations that left hundreds of thousands in the dark.
Sean Newman, director at Corero Network Security, argued that connecting operational and IT networks can improve efficiency but also expose firms to the risk of attack from the public internet.
“The question now, is more around who is bold enough, rather than capable of, carrying out such attacks, and risking the likely repercussions,” he said.
“It’s reasonable to assume it’s more a matter of [when], than if, so the operators of such systems need to be fully cognisant of the potential risks and deploy all reasonable protection to minimize it.”
Nozomi Networks’ Andrea Carcano argued that the UK’s critical infrastructure is being “probed and poked” by nation states, cybercrime groups and hacktivists every day.
“The challenge for those charged with protecting our critical infrastructure is visibility, as you can’t protect what you don’t know exists. Some 80% of the industrial facilities we visit do not have up-to-date lists of assets or network diagrams,” he continued.
“Ironically, this doesn’t pose a problem to criminals who are using readily available open source tools to query their targets and build a picture of what makes up their network environment and is potentially vulnerable — be it a power plant, factory assembly line, or our transport infrastructure.”
It is hoped the NIS Directive, which came into force in early May, will help drive improvements in baseline security for certain CNI providers including those in the transport sector.