In the latest of our ‘A conversation with’ series, we chat with John Noble CBE, former Director of Incident Management at the National Cyber Security Centre (NCSC) and now advisory board member at XQ Cyber.
We discuss the cyber threats faced by the UK’s critical national infrastructure (CNI) and how those challenges can be tackled.
John- As we are discussing risk, I have to make a plug for an excellent book ‘The Rules of Security’ that will be published at the beginning of May. It’s written by Paul Martin, a good friend and a real expert on the management of risk. Paul provides excellent advice on how we should consider risk, whether it is for the CNI or in our personal lives. He explains that security risks are composed of threat, vulnerability, and impact. When we are thinking about what the threat looks like we have to consider the intentions and capabilities of those who might want to cause us harm.
Work to address risks to the CNI is led by the Centre for the Protection of the National Infrastructure (CPNI). In the UK we have always been focused on protecting the CNI. For many years the threat was primarily seen as a physical one from terrorists. Sadly, the threat from terrorism is still with us and cyber has emerged as a significant new threat.
Of course, terrorists have attempted to use cyber as a weapon. However, much of the focus of the National Cyber Security Centre (NCSC) - where I used to work - is on the actions of nation states. Many of these state actors have both the intention and the capability to use cyber as a weapon. Sadly, many IT systems in use across the CNI are vulnerable either because they were not designed with security as a high priority or because the software they use has not been updated. Finally, because we now live in a digital, highly connected, society the impact on our lives from a cyber-attack on the CNI could be devastating. That all adds up to a massive amount of risk.
John- If we look at the events of the last few years there are numerous examples of cyber being used as a weapon against different countries’ CNI. In 2015 and 2016 attacks (linked to Russia) disrupted power generation in Ukraine. We have seen attacks against the Saudi Arabian oil company Aramco. In May 2017 we saw the NHS becoming collateral damage as a result of the WannaCry incident.
Particularly worrying has been the disclosure by the NCSC, FBI and US Department of Homeland Security (DHS) that Russian state-sponsored actors have been targeting infrastructure devices. They have been exploiting legacy and poorly configured equipment. This would allow them to divert traffic and/or bring down critical systems on a massive scale. Equally worrying were reports in Spring 2018 of Russian ‘pre-positioning’ on the national grid in the UK, US and many other countries. As Ciaran Martin, the NCSC’s CEO, recently highlighted, a destructive attack on the CNI is a question of when, not if.
The complexity of our digital world can also mean that attacks mounted by individuals can have a significant impact. Just look at the 2016 massive distributed denial-of-service (DDoS) attack against the domain name provider Dyn. DDoS attacks are neither new nor sophisticated. However, the actions of some college students resulted in a major impact on the internet across the East Coast of the United States.
John- Well, firstly, it is big and complex! In the UK, there are 13 national infrastructure sectors: Chemicals, Civil Nuclear, Communications, Defence, Emergency Services, Energy, Finance, Food, Government, Health, Space, Transport and Water. Not everything is deemed critical.
Because the UK has always been very focused on protecting the CNI, there is a sophisticated prioritisation scheme that seeks to identify what is really most critical. The CPNI and NCSC then work together to mitigate the threat, with the NCSC leading on the cyber dimension.
However, as a joint parliamentary report recently highlighted, as the economy becomes more interconnected, it is increasingly difficult to determine which elements are truly critical. There can be dependencies and connectivity with suppliers that organisations do not understand. It is interesting that the Russian compromise of the energy sector focused on the supply chains of the key companies.
The next challenge is that much of the CNI is in private ownership. The companies that own it have to make difficult judgements around how many resources they put into addressing vulnerabilities. What can we expect any organisation to do to defend itself against sophisticated state actors? What I can say is that as a result of the tsunami of cyber incidents we are seeing, companies, particularly those linked to the CNI, are spending more on cybersecurity. In the NHS there is a major programme of work post-WannaCry to improve cybersecurity. However, there will always be a difficult balance to be struck between security, usability and cost.
John- At a governmental level, the creation of the NCSC was very much focused on enabling higher standards of cybersecurity. More recently, the government has introduced the Network and Information Systems (NIS) Regulations, which provide a more robust regulatory framework for the CNI.
Operators have to report incidents where their impact exceeds a predetermined threshold, the intention being to set a higher benchmark for cyber risk management in the CNI. This underlines the importance of a good flow of reporting from government to the private sector and vice versa. Effective sharing of threat information really is essential.
At an organisational level, it is very easy to get into a mindset that it is impossible to defend your organisation against state actors. In fact, the key thing is for organisations to get the basics right. Even the most sophisticated state actors rely on the victims making mistakes. That is why I like CyberScore™. It helps an organisation to understand where they are on the cyber maturity scale and how much risk they are carrying. It can also help companies understand their supply chain risks.
I fear that it is going to take the sort of attack that Ciaran Martin is predicting to really make organisations take cyber security seriously.
We have become totally dependent on digital technology. We now need to have security included as a high priority in the design of systems. We also need to reassess the balance between security, cost and usability. Let’s not wait to make that change.
XQ: Thanks, John.