Cyber Security of the UK's Critical National Infrastructure

2 Protecting CNI against cyber attack: a ‘wicked’ problem

Dynamic threats

8. In the two years since the Government’s National Cyber Security Strategy 2016–2021 (the 2016 NCSS) was launched, more than 1,000 cyber attacks have required the involvement of the NCSC—an average of ten a week.19 Although most of these will not have affected the UK’s CNI, these figures do include the May 2017 WannaCry attack, which affected NHS services, as well as attacks on the UK and Scottish Parliaments in June and August 2017, and on the energy and telecommunications sectors.20 The past year has also seen the Government start to make joint or coordinated announcements with other countries that publicly attribute major attacks to other states. The most noteworthy of these in relation to CNI was the Technical Alert released jointly with the United States in April 2018, which disclosed Russia’s “sustained presence in UK and US internet infrastructure”.21

9. In their evidence, David Lidington and Ciaran Martin told us that the cyber threat is both growing and changing in nature as it grows.22 This is most evident in relation to the perpetrators behind cyber attacks on the UK’s CNI. The NCSC’s latest Annual Review reports that state actors continue to “constitute the most acute and direct cyber threat to our national security”, having perpetrated the majority of the incidents dealt with by the NCSC since it was established in October 2016.23 Russia has inevitably garnered many of the media headlines about cyber attacks in recent months—especially as the Government has now publicly attributed many major attacks to the Russian state, including the June 2017 NotPetya and the October 2017 BadRabbit attacks, both of which appeared to target Ukraine but had a much wider impact.24 However, the NCSC’s latest Annual Review acknowledges that “There is much, much more to the cyber security threat to the UK than just Russia”.25 For example, the WannaCry attack was attributed by the UK and US Governments to the North Korean state-sponsored Lazarus hacking group. The media also widely reported that Iran was responsible for the June 2017 attack on Parliament, while China’s alleged theft of corporate secrets and intellectual property (IP) has prompted the US Government to set up a taskforce to counter cyber-enabled economic espionage by China.26 These incidents also demonstrate the range of motivations behind state-conducted cyber attacks.

10. However, while states continue to be the dominant actors behind cyber threats to the UK, we heard that their behaviour and apparent motivations are changing. The Cabinet Office notes that states are “starting to explore offensive cyber capabilities to damage, disrupt or destroy the systems or networks of their adversaries”, whereas previous campaigns had tended to focus on espionage and IP theft.27 Ciaran Martin singled out Russia as being particularly problematic in this regard, citing “a consistent rise in [its] appetite for attack on critical sectors” and its ‘prepositioning’ for future disruptive attacks.28 Referring to the joint Technical Alert released with the United States in April, he explained that Russia has established

a foothold [in the UK’s internet infrastructure], an intrusion that you can use for ongoing espionage purposes or can develop as the potential for a hostile, disruptive and destructive act in the future.29

He added that Russia has also begun to diversify its targets, for example to include “softer-power democratic institutions”. North Korea has similarly changed its approach, moving from “political retaliation attacks”—by attacking Sony Pictures in 2014, for instance—to “the theft of money”,30 through ransomware attacks such as WannaCry and reportedly stealing more than $81 million from the central bank of Bangladesh in February 2016 via the SWIFT payments system.31

11. It is also clear that states are no longer the only actors with the ability and resources to attack CNI, which generally benefits from more advanced defences than other parts of the economy. Ciaran Martin told us that

We have seen an evolution of cybercrime, where some of the most sophisticated attackers [such as organised crime groups] are now operating at almost nation-state level.32

NCC Group, a UK-based cyber security and risk mitigation services company, agreed, adding that where organised crime groups work in association with—or with the acquiescence of—states such as Russia, the lines between them are becoming increasingly blurred.33 34 Ciaran Martin also raised “the risk of proliferation”, whereby state and non-state actors can buy more sophisticated cyber tools and techniques on what has become a “highly developed market”.35 The result is that “It is now easier and cheaper than ever before for those who want to do us harm to access the tools, exploits and services they need to launch attacks.”36 Furthermore, as the 2017 WannaCry and NotPetya attacks demonstrated, cyber attacks do not need to target the UK’s CNI specifically in order to affect it. As Ciaran Martin stated, “in 2017 we learned to watch out for the reckless as well as the deliberate.”37

Complex challenges

12. We heard that there are particular challenges involved in protecting CNI against cyber attack. The first of these is the reliance of CNI not only on IT systems, but also on operational technology (OT) systems, such as electricity substations, transportation control rooms and their associated industrial control systems.38 These bespoke and often legacy industrial control systems, which were not designed with cyber security in mind, are now increasingly networked and connected to the internet to enable more efficient control and real-time monitoring. This has the effect of creating new vulnerabilities and potentially exposing the systems to cyber attack.39 The complexities of OT systems also make it difficult to patch vulnerabilities once they have been identified. The Cambridge Centre for Risk Studies explained that CNI operators must consider the implications for safety, the equipment’s warranty, the asset’s physical location, the need to minimise downtime and the usability of connected systems before doing so.40

13. Ciaran Martin described the move towards next-generation OT systems built with resilience in mind as the “great strategic opportunity” of the next decade, although he was also keen to stress that ‘secure by design’ does not mean that devices and systems are “impervious” to cyber attack.41 42 Nevertheless, the question still remains as to how legacy OT systems can be protected against cyber attack in the meantime, as new vulnerabilities emerge and threats continue to evolve.43
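The two design properties described in footnote 42 (a system that performs only narrowly defined actions and acts only on instructions from a verified source) are illustrated below in an added example. It is not taken from the report or from any witness's evidence. The control-station name, shared key, message format and command names are hypothetical, and the HMAC-SHA256 tag with a per-station monotonic sequence number is one common way of realising “verified source” and rejecting replayed instructions; the report does not prescribe any particular mechanism.

```python
"""Added illustration (not from the report): a controller that performs only a
fixed set of actions and acts only on instructions from a verified source.

The station name, shared key, message format and command names below are
hypothetical. The HMAC-SHA256 tag plus a per-station monotonic sequence
number is one common way to realise "verified source" and replay rejection;
the report does not prescribe any particular mechanism.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Hypothetical pre-shared key per authorised control station (constructed).
STATION_KEYS = {"station-01": b"\x01" * 32}

# The controller can perform exactly these actions, each with exactly these
# parameters, and nothing else. Anything outside this table is refused.
ALLOWED_ACTIONS = {
    "open_breaker": {"bay"},
    "close_breaker": {"bay"},
    "read_status": set(),
}


@dataclass
class Controller:
    breakers: dict = field(default_factory=lambda: {"A1": "closed", "A2": "closed"})
    last_seq: dict = field(default_factory=dict)  # highest sequence number seen per station
    log: list = field(default_factory=list)       # (outcome, detail) pairs for local audit

    @staticmethod
    def _tag(key: bytes, body: bytes) -> bytes:
        return hmac.new(key, body, hashlib.sha256).hexdigest().encode()

    def build_message(self, station: str, seq: int, action: str, **params) -> bytes:
        """Stand-in for the control station: serialise the instruction and sign it."""
        body = json.dumps(
            {"station": station, "seq": seq, "action": action, "params": params},
            sort_keys=True,
        ).encode()
        return body + b"." + self._tag(STATION_KEYS[station], body)

    def handle(self, wire: bytes) -> str:
        """Check origin, freshness and permitted action before acting on anything."""
        try:
            body, tag = wire.rsplit(b".", 1)
            msg = json.loads(body)
            station, seq = msg["station"], int(msg["seq"])
            action, params = msg["action"], msg.get("params", {})
            if not isinstance(params, dict):
                raise TypeError("params must be an object")
        except (ValueError, KeyError, TypeError):
            return self._reject("malformed")

        key = STATION_KEYS.get(station)
        if key is None:
            return self._reject("unknown station")
        # Constant-time comparison; unauthenticated bytes never reach the action table.
        if not hmac.compare_digest(self._tag(key, body), tag):
            return self._reject("bad tag")
        if seq <= self.last_seq.get(station, -1):
            return self._reject("replay")
        self.last_seq[station] = seq

        # Narrowly defined actions: the verb and its exact parameter set must match.
        if action not in ALLOWED_ACTIONS or set(params) != ALLOWED_ACTIONS[action]:
            return self._reject("action not permitted")
        return self._execute(action, params)

    def _execute(self, action: str, params: dict) -> str:
        if action == "read_status":
            self.log.append(("ok", action))
            return "status: " + ",".join(f"{b}={s}" for b, s in sorted(self.breakers.items()))
        bay = params["bay"]
        if bay not in self.breakers:
            return self._reject("unknown bay")
        self.breakers[bay] = "open" if action == "open_breaker" else "closed"
        self.log.append(("ok", f"{action} {bay}"))
        return "executed"

    def _reject(self, reason: str) -> str:
        self.log.append(("rejected", reason))
        return "rejected: " + reason


if __name__ == "__main__":
    ctl = Controller()
    good = ctl.build_message("station-01", 1, "open_breaker", bay="A1")
    print(ctl.handle(good))                            # executed
    print(ctl.handle(good))                            # rejected: replay
    print(ctl.handle(good.replace(b'"A1"', b'"A2"')))  # rejected: bad tag
    print(ctl.handle(ctl.build_message("station-01", 2, "firmware_update", url="http://example")))
    # rejected: action not permitted
```

The ordering of the checks is the point: a message is parsed defensively, its origin is verified, its freshness is checked, and only then is the requested action looked up in a closed table. An attacker who has a network foothold but not the station's key cannot get past the tag check, and even a compromised station can only request the handful of actions the controller was built to perform. This illustrates footnote 42's design properties only; it says nothing about how the legacy systems discussed in paragraph 13 could be retrofitted.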

14. The second key challenge is that with some key exceptions—such as health, defence and government—the majority of CNI is privately owned and is therefore beyond the Government’s direct control.44 This raises difficult questions for the Government about how far to intervene in the operations of private companies to ensure that national security interests are prioritised and about what types of intervention would be most effective (see Chapter 4). In addition, many CNI operators are utility providers whose funding streams are pre-agreed, often by regulators, and limited by price controls.45 Without a more flexible approach to price controls, the question often asked in relation to cyber security—‘how much is enough?’46—can become particularly acute for these CNI operators.47

Resilience, not security

15. Independent cyber security researcher Pete Cooper observed that protecting CNI against cyber attack presents a ‘wicked’ problem, in that it is “both novel and complex, which can slow decision making, collaboration and innovation”. He also stressed that when it comes to CNI, the UK cannot afford to wait and learn through experience.48 The 2017 WannaCry attack had a relatively limited impact, in view of the widespread exposure of systems to the vulnerability targeted,49 but it demonstrated the potential consequences of not being sufficiently proactive in managing cyber risk to CNI operations.

16. However, as Sean Kanuck, Director for Cyber, Space and Future Conflict at the International Institute for Strategic Studies (IISS), told us, it is “impossible to predict [changes in threat, the identification of vulnerabilities and new methods of attack] far enough in advance to institutionally prepare for them all”. It is therefore “essential to … adopt a strategy that stresses resilience of networks in lieu of ‘security’ per se.”50 This means preparing for and adapting to changing circumstances, with the focus on making it more difficult for the attacker rather than trying to attain a certain level of security. It also means minimising the impact of attacks—some of which will inevitably succeed—by having fully rehearsed plans in place to respond to and recover from them as quickly as possible.51 52

17. David Lidington told us that even the most advanced sectors in terms of cyber risk management—such as the financial services sector—“can never be complacent … because there will be organisations right now trying to work out how to get round the security measures that big financial institutions have put in place.”53 Steve Unger, Chief Technology Officer at the communications regulator Ofcom, told us

Together with government we need to find a way of upping our game in this area in what is ultimately an arms race, but doing so in a way that is still deliverable and not kidding ourselves that there is a silver bullet in any of this.54

Open source software provider Red Hat Inc. stated that the practical implication of this is that frameworks for managing cyber risk must be “iterative” in nature, taking account of new techniques and technologies as they become available.55 Pete Cooper agreed, concluding that

there is no ‘end state’ for cyber security … the new norm must be continual defensive innovation and resilience in the face of determined and creative adversaries.56

As such, while a long-term strategy is necessary to set the direction of travel for the Government and CNI operators, regular review of and updates to implementation plans would allow the Government to be more agile in responding to this rapidly changing environment. It would also enable the Government and operators to take better advantage of technological innovation, which is essential given that our adversaries are highly innovative and also invest heavily in their capabilities.57

18. The cyber threat to the UK’s CNI is growing. It is also evolving: hostile states are becoming more aggressive in their behaviour, with some states—especially Russia—starting to explore ways of disrupting CNI, in addition to conducting espionage and theft of intellectual property. Furthermore, while states still represent the most acute and direct cyber threat, non-state actors such as organised crime groups are developing increasingly sophisticated capabilities.

19. Fast-changing threats and the rapid emergence of new vulnerabilities make it impossible to secure CNI networks and systems completely. Continually updated plans for improving CNI defences and reducing the potential impact of attacks must therefore be the ‘new normal’ if the Government and operators are to be agile in responding to this changing environment and in taking advantage of constant technological innovation. Building the resilience of CNI to cyber attacks in this way will make it harder for an attacker to achieve their objective—whoever that attacker may be, whatever their motive and however they choose to attack.

19 NCSC, “Annual Review 2018”, October 2018, p. 10; NCSC, “Annual Review 2017”, October 2017

21 Q59 [Ciaran Martin]

22 Q54; NCSC, “Annual Review 2018”, October 2018, p. 22

23 ‘State actors’ include groups that are “directed, sponsored or tolerated” by the Governments of hostile states. NCSC, “Annual Review 2018”, October 2018, p. 10

24 “UK exposes Russian cyber attacks”, NCSC press release, 4 October 2018

25 NCSC, “Annual Review 2018”, October 2018, p. 10

26 NCSC, “Annual Review 2018”, October 2018, p. 10; “Iran blamed for parliament cyber-attack”, BBC News, 14 October 2017; “Iran attacks 9,000 email accounts in Parliament”, The Times, 14 October 2017; “Iran to blame for cyber-attack on MPs’ emails—British intelligence”, The Guardian, 14 October 2017; Federal Bureau of Investigation, “Combating Economic Espionage”, 1 November 2018, accessed 5 November 2018; “In Chinese Spy Ops, Something Old, Something New”, 5 November 2018

27 Cabinet Office, National Security Secretariat (CNI0013) para 2

28 Q54 [Ciaran Martin]; NCSC, “Annual Review 2018”, October 2018, p. 10

29 Q59 [Ciaran Martin]

30 Q54 [Ciaran Martin]

31 In September, the US Justice Department formally charged an alleged North Korean spy with helping to perpetrate the 2014 cyber attack on Sony Pictures (in apparent protest at the impending release of the film The Interview), the 2016 cyber attack on the Bangladesh Bank and the 2017 WannaCry ransomware attack. “North Korean ‘hacker’ charged over cyber-attacks against NHS”, The Guardian, 6 September 2018

32 Q54 [Ciaran Martin]. BT Group reported that the majority of the cyber attacks it experiences are conducted by organised crime groups. BT Group (CNI0018) para 2.2

33 NCC Group (CNI0002) para 2.1.1. See also Tim Maurer, Cyber Mercenaries: The State, Hackers, and Power (Cambridge, 2017); “Why the Russian Government Turns a Blind Eye to Cybercriminals”, Slate, 2 February 2018; “Licensed to hack: the rise of the cyber privateer”, Financial Times, 16 March 2017

34 The Cabinet Office told us that: “A range of other cyber actors also present a potential threat to UK CNI, including hacktivists and terrorists, although we judge these threats to be low.” Cabinet Office, National Security Secretariat (CNI0013) para 5

35 Q54 [Ciaran Martin]

36 NCSC, “Annual Review 2018”, October 2018, p. 6

37 Q54 [Ciaran Martin]

38 OT generally refers to systems that control physical devices while IT generally refers to information storage and integrity—with IT systems including traditional PCs, company servers and networks, cloud storage, smartphones and tablets. Cambridge Centre for Risk Studies (CNI0025) para 1

39 NCC Group (CNI0002) para 2.1.2; Nettitude (CNI0003) para 9; Cambridge Centre for Risk Studies (CNI0025) para 2

40 Cambridge Centre for Risk Studies (CNI0025) paras 3–5. It also highlights the “strict procedure” required in the UK for any modification of a medical device, including the installation of a cyber security patch. Cambridge Centre for Risk Studies (CNI0025) paras 6–9
The Financial Conduct Authority adds a further consideration: the size of the network in question. It states that “implementing patches (evaluating, prioritising and deploying) in a global estate of over one million endpoints for a critical vulnerability is a significant task and so fundamental cyber resilience capabilities remain a significant concern”. Financial Conduct Authority (CNI0033) para 6.3

41 Q63 [Ciaran Martin]. The NCSC’s 2018 Annual Review describes its work in designing secure next-generation vehicles, a new sustainable energy grid and the UK’s new spaceports. NCSC, “Annual Review 2018”, October 2018, p. 30

42 Systems can be designed to perform narrowly defined actions and only accept instructions from verified sources, and networks can be designed to minimise the impact of any single failure. Cyber Security of UK National Infrastructure, POSTnote No. 554, May 2017

43 UK Computing Research Committee, UKCRC (CNI0005) para 1

44 University of Oxford cyber security researcher Jamie Collier cites one estimate, dating from 2011, suggesting that as much as 80% of UK CNI is in private ownership. Jamie Collier (CNI0006) para 2

45 For example, Ofgem’s Jonathan Brearley and Water UK’s Paul Smith told us that investment in cyber security by operators in the energy and water sectors is limited by price controls set years in advance by the respective regulators during price reviews. Q31

46 Pete Cooper (CNI0019) para 9

47 Q18 [Phil Sheppard]

48 Pete Cooper (CNI0019) para 24

49 Cisco (CNI0016) para 1.2

50 The International Institute for Strategic Studies (CNI0017) para 4. Rowland Johnson, Chief Executive of cyber security company Nettitude, reports that in 2017 an average of 50 new vulnerabilities were disclosed every day to MITRE, a cyber security organisation tracking vulnerabilities. Nettitude (CNI0003) para 17

51 US Department of Homeland Security, “What is Security and Resilience?”, accessed 1 November 2018

52 Q8 [Rob Shaw]; Q63 [Ciaran Martin]

53 Q63 [David Lidington MP]

54 Q38 [Steve Unger]

55 Red Hat Inc (CNI0021) para 30

56 Pete Cooper (CNI0019) Executive Summary

57 Manchester Metropolitan University (CNI0001) para 4.2; UK Computing Research Committee, UKCRC (CNI0005) para 5; Glasswall Solutions Limited (CNI0007) paras 4.2, 4.5, 4.7, 4.9; Cabinet Office, National Security Secretariat (CNI0013) paras 12, 16, 64; BT Group (CNI0018) para 6.5; Corero (CNI0023) para 9; CyLon (CNI0032) para 1

Published: 19 November 2018