The commander of Britain’s Joint Forces Command has warned that UK traffic control systems and other critical infrastructure could be targeted by cyber adversaries – but industry experts say this is nothing new and something organisations should be preparing for.
According to Christopher Deverell, these systems could be targeted by countries such as Russia. “There are many potential angles of attack on our systems,” he told the BBC’s Today programme.
Other vulnerable control systems that are connected to the internet are used in power stations, for air traffic control and for rail and other transport systems.
Sean Newman, director at Corero Network Security, said there is nothing new in the claims. “The potential for such attacks has been growing for several years as more systems become connected,” he said.
“There are many good reasons for connecting operational and information networks, including efficiency and effectiveness. However, this opens up operational controls to potential attacks from across the internet, where previously they were completely isolated and only accessible from the inside.”
According to Newman, the question is no longer whether such attacks are theoretically possible, but who is bold enough to carry out such assaults and risk the likely repercussions.
“It is reasonable to assume that it’s more a matter of time than if, so the operators of such systems need to be fully cognisant of the potential risks and deploy all reasonable protection to minimise it,” he said.
“This includes preventing remote access to such systems, as well as real-time defences against DDoS [distributed denial of service] attacks which could disrupt their operation or prevent legitimate access for operation and control purposes.”
Andrea Carcano, chief product officer at Nozomi Networks, said the reality is that the UK’s infrastructure, and those in every developed country around the world, is being continually poked and probed, not just by nation states but by criminals, hacktivists and even curious hobbyists.
“We have seen the damage that can be done from hacks in the Ukraine, where attackers were able to compromise systems and turn the lights out,” he said. “With each incursion, both successful and those that are thwarted, the attackers will learn what has worked, what hasn’t, and what can be improved for the next attempt.
“The challenge for those charged with protecting our critical infrastructure is visibility, as you can’t protect what you don’t know exists.”
According to Carcano, 80% of the industrial facilities Nozomi visits do not have up-to-date lists of assets or network diagrams.
“Ironically, this doesn’t pose a problem to criminals who are using readily available open source tools to query their targets and build a picture of what makes up their network environment and is potentially vulnerable – be it a power plant, factory assembly line, or our transport infrastructure,” he said.
Nozomi researchers created a security testing and fuzzing tool, using open source software, that is capable of automatically finding vulnerabilities in proprietary protocols used by industrial control system (ICS) devices.
“Using just this tool, and in a limited time period, they identified eight zero-day vulnerabilities that, if exploited, could be used to shut down the controllers, making the devices unmanageable, and even potentially corrupt normal processes, which could be extremely serious or even fatal,” said Carcano.
“As the cyber security risk to critical infrastructure and manufacturing organisations increases, it is important for enterprises to actively monitor and secure operational technology [OT] networks. An important aspect of this is having complete visibility to OT networks and assets and their cyber security and process risks.”
However, Deverell suggested that as well as making sure cyber security is continually improving, the UK should also have an offensive capability to respond to attacks on critical infrastructure if necessary, reports The Telegraph.
His comments echo those by UK attorney general Jeremy Wright, who recently suggested that the UK has a legal right to retaliate against aggressive cyber attacks in the same way as it would to armed attacks.
“Cyber operations that result in, or present, an imminent threat of death and destruction on an equivalent scale to an armed attack will give rise to an inherent right to take action in self defence,” he said.
According to Wright, if a hostile state interfered with the operation of one of the UK’s nuclear reactors, resulting in the widespread loss of life, the fact that the act was carried out via a cyber operation does not prevent it from being viewed as an unlawful use of force or an armed attack.
“States that are targeted by hostile cyber operations have the right to respond to those operations in accordance with the options lawfully available to them,” he said.
The UK has previously indicated that it is building cyber-offensive capabilities, but in January 2018, Ciaran Martin, head of the National Cyber Security Centre (NCSC), said that while this will be an “increasing part of the UK’s security toolkit”, a cyber attack would not necessarily trigger a retaliatory cyber attack, but a range of responses would be considered, including sanctions.
Commenting on calls by UK defence chief of general staff Nick Carter for increased defence spending to help the country keep up with its adversaries, particularly in light of the fact that cyber attacks that target military and civilian operations are one of the biggest threats facing the country, Martin confirmed that some of these attacks were aimed at identifying vulnerabilities in infrastructure for potential future disruption, but added that there had been no successful attacks on UK infrastructure.
In the report, Paul Timmers, an academic at Oxford University and former director of the European Commission’s Sustainable & Secure Society Directorate, noted that attacks on systems that are crucial for the functioning of the state and society, including logistics, health and energy, date from 2016.
Timmers believes that the risk of attacks in 2018 may spread to other sectors of the economy, such as transport. An important element of the potential incidents, he said, will be their predicted international and cross-sector nature, which creates an urgent need for cooperation between international organisations, governments and companies.
Sean Kanuck, director of future conflict and cyber security at the International Institute for Strategic Studies and formerly the first US national intelligence officer for cyber issues, predicted a period of intense use of sanctions as a diplomatic tool against entities that undertake offensive actions in the cyber space.
The growing likelihood of ever-escalating conflicts in the cyber space makes it necessary to address standards of operation in the digital space, the report said.