Cyber Security for Critical National Infrastructure
By Henrik Kiertzner, Expert Advisor, Risk Management & Cyber Security, Engage Asia
This article discusses Critical National Infrastructure (CNI), its exposure to cyber risk and what arrangements are in place to address that risk. It also suggests alternative and additional measures for consideration. The article is written from a UK perspective but also applies internationally.
Definitions: Critical National Infrastructure. Throughout, the definition of CNI is that adopted by the UK’s Centre for the Protection of National Infrastructure (CPNI):
“Those critical elements of infrastructure (namely assets, facilities, systems, networks or processes and the essential workers that operate and facilitate them), the loss or compromise of which could result in: a) major detrimental impact on the availability, integrity or delivery of essential services – including those services, whose integrity, if compromised, could result in significant loss of life or casualties – taking into account significant economic or social impacts; and/or b) significant impact on national security, national defence, or the functioning of the state”
CNI is categorised into 13 sectors:
Definitions: Cyber Security. For this article, cyber security covers:
Activities designed to reduce risk to critical data
The systems on which data is stored and manipulated
Communications infrastructure interconnecting these systems
Interfaces to other private and public systems
Definitions: Cyber Risk. Cyber risks are identified by evaluating threats and hazards for a cyber entity. Threats and hazards become risks after assessing an event’s impact and likelihood.
Cyber Security: Exposure For CNI
Using the categorisation above, CNI falls into two broad groups: (1) CNI elements under direct governmental control; (2) CNI elements run by commercial enterprises. Elements under direct governmental control may also have information and communications technology (ICT) provided under contract by a commercial third party.
All developed economies depend on ICT to a greater or lesser extent, especially CNI and its operators. The extent to which cyber security is addressed meaningfully by different CNI operators varies greatly.
CNI elements under governmental control and certain others – notably financial services – have generally implemented robust control and assurance regimes. This reflects the level of threat as well as the ability to enforce these regimes – through regulation for the government and through regulation and compliance for financial services.
Other CNI elements outside direct governmental control have generally been less successful in applying similar regimes. The government is generally wary of statutory or regulatory interference in commercial business, and tends to offer advice rather than enforcement.
A Wide Range Of Threats
Cyber threats are real and the associated risks must be addressed. The potential exposure to attack (as well as negligence and accidents) is rising as technological capabilities continue to improve.
These threats include attacks on CNI functionality and integrity for a political or other agenda, attacks on data for theft or a ransom, single-issue activism, insider threats and so on. The list is long.
A partial list of possible attacks includes:
Direct State Action. Direct attacks on CNI systems as well as reconnaissance to either damage these systems or gain intelligence as part of state-sponsored activities. These are typically carried out by governmental, military or intelligence assets from a sponsoring state. Highly malicious intent.
Tolerated State Action. Direct attacks on CNI systems as well as reconnaissance to either damage these systems or gain intelligence, typically carried out by non-governmental, informal, criminal or other assets of a sponsoring state. Highly malicious intent.
Non-State Action. Direct attacks on CNI systems as well as reconnaissance to either damage these systems or gain intelligence, typically carried out by non-governmental organisations. These usually employ terrorist methods. Highly malicious intent.
Single Issue Action. Direct attacks on CNI systems as well as reconnaissance to either damage these systems or gain intelligence to embarrass or inflict reputational damage on a country or targeted entity, in support of a political, social or other agenda. Occasional malicious intent.
Criminal Action. Direct attacks on CNI systems as well as reconnaissance to either damage these systems or gain intelligence as part of criminal efforts to exfiltrate key data, perform ransomware attacks, enable fraudulent access to services or defraud a targeted entity. Malicious intent.
Hobby Action. Untargeted, random or automated attack on CNI systems to identify vulnerabilities and explore compromised networks. Generally no malicious intent.
Internal Malice. Classically, a disgruntled employee seeking irregular or prohibited access to unauthorised systems and data. Malicious intent.
Negligence and Accident. Inadvertent and non-malicious irregular or prohibited access to unauthorised systems and data. Generally no malicious intent.
While governments worldwide are becoming more open to investigating and prosecuting cybercrime, police services and other national assets are unlikely to take the initiative. There remains a strong obligation for individual operators, especially in CNI, to put robust control and assurance regimes in place for their own protection.
Knowledge of tools and techniques that can be used to attack systems, and access to them, are becoming more common. At the same time, criminal and other organisations are also making their expertise available to other potential attackers. Meanwhile, cash-strapped organisations are increasingly looking for savings in their ICT budgets as well. These trends, which are making cyber threats more pressing, show no signs of slowing down.
The Investment Case
Some commercial CNI operators are reluctant to invest in cyber security without a credible business case. Anecdotally, some internal security functions are uncomfortable with the level of assurance they have been given regarding the confidentiality, integrity and availability of their data, systems and infrastructure.
Developing a business case to invest in security or risk management is always challenging, requiring cost-benefit calculations without always being able to put hard cash numbers against impact and likelihood. Some operators privately agree that regulating and enforcing cyber security standards in CNI would make their lives much easier in some ways, although overall operational costs would increase as a result.
Challenges For Utilities
Some CNI operators, mainly in the utilities sector (gas, power, water and, to a lesser extent, telecoms), have additional exposure through their use of legacy Operational Technology (OT). This includes industrial control systems (ICS), among them SCADA (supervisory control and data acquisition) systems, and their integration with more contemporary IT systems.
Integration with billing systems and smart meters allows detailed billing and analysis of consumption, and gives situational awareness of both IT and OT network health, permitting richer and more useful interactions between producers and consumers. It necessarily involves huge volumes of data: not just operational data but also data covered by legislation (e.g. customer account details, personal consumption details and so on) that requires specific protection under both UK and European Union law and regulation.
This integration gives operators huge operational and commercial benefits, while simultaneously significantly expanding the attack surface. It also means that non-IP networks must be secured – typically in OT – with considerable attention paid to the interfaces between IT and OT networks as well as external interfaces for both.
The recent adoption of smart grids and smart meters has exacerbated this issue, potentially creating hundreds of thousands or even millions of discrete, remotely reachable endpoints in a network, each a potential entry point. There is anecdotal evidence that, while security and IT practitioners inside CNI operators are aware of this, few have succeeded in communicating this threat to their boards.
Addressing Cyber Risk
Across the piece, cyber risk is addressed through five main routes: (1) Technology; (2) People; (3) Process; (4) Operations; (5) Resilience. We look at each in more detail.
1) Technology. Technology tends to be the first aspect addressed in a mitigation strategy. This is because technical issues are relatively straightforward to deal with, usually as part of a single function within an enterprise.
Technological risk can be mitigated by sensible investments in perimeter security, internal segmentation, situational awareness and response generation – together with a robust and enforced change control and software patching regime (an integral part of systems administration best practice in any case).
Traditional features of physical security – the onion skin model – are also valid in cyber security. No single vendor’s technology or platform will provide complete security. In fact, complete security is a chimera. The best that can be hoped for is a reduction in real risk within the corporate risk appetite.
At a minimum, the major components required for effective cyber risk mitigation architecture are:
Perimeter (interfaces to the internet):
  Antivirus and malware scanners
Internal (IT and OT networks, plus the interfaces between them):
  Data segmentation – data diodes and similar, discrete and secured data stores
  Resilient file systems with good hot standby provision
  Deep packet inspection
  Access control lists (ACLs)
  Firewall between OT and IT networks
Situational awareness (information security management systems, security information and event management (SIEM) applications):
  User behaviour analysis
As a rule, multi-vendor solutions are preferable, as long as enough effort has been devoted to designing and testing the resultant architecture to ensure full coverage. Frequent penetration tests by internal and external testers should be carried out to maintain assurance in a network's integrity, identifying emergent and existing vulnerabilities early enough to address any weaknesses before they can be exploited.
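The firewall between the OT and IT networks only earns its place if its policy is deny-by-default with a short list of narrowly scoped exceptions, and if that policy is checked for drift every time it changes. The following is an added example, not code from the article or from any CNI operator: a small model of such a boundary policy, a first-match evaluator, and a linter that flags the policy shapes that quietly undo segmentation (no terminating default deny, any-to-any allows, allows without a port, an IT-to-OT allow that reaches the whole OT zone, rules shadowed by an earlier default deny). The zones, addresses, rule format and sample flows are all constructed for illustration.

```python
"""Deny-by-default IT/OT boundary policy: evaluator and linter (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    src: str                 # CIDR of permitted source
    dst: str                 # CIDR of permitted destination
    proto: str               # "tcp", "udp" or "any"
    dport: Optional[int]     # destination port, None = any port
    action: str              # "allow" or "deny"
    comment: str = ""


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


# Hypothetical zones and hosts (constructed addresses).
IT_ZONE = "10.10.0.0/16"
OT_ZONE = "10.20.0.0/16"
OT_ENGINEERING = "10.20.1.0/24"   # engineering workstations and PLC management ports
JUMP_HOST = "10.10.99.5/32"       # hardened bastion used for engineering access
HISTORIAN = "10.20.5.10/32"       # OT historian exposing a read-only replica
ANY = "0.0.0.0/0"

# Constructed policy: the only IT->OT traffic is SSH from the bastion to the
# engineering subnet and HTTPS to the historian replica; the last rule drops the rest.
BOUNDARY_POLICY = [
    Rule(JUMP_HOST, OT_ENGINEERING, "tcp", 22, "allow", "engineering access via bastion"),
    Rule(IT_ZONE, HISTORIAN, "tcp", 443, "allow", "read-only historian replica"),
    Rule(ANY, ANY, "any", None, "deny", "default deny"),
]

# A deliberately loose policy of the kind that appears during "temporary" troubleshooting.
LOOSE_POLICY = [Rule(IT_ZONE, OT_ZONE, "any", None, "allow", "temporary - remove later")]


def _is_default_deny(rule: Rule) -> bool:
    return (rule.action == "deny" and rule.src == ANY and rule.dst == ANY
            and rule.proto == "any" and rule.dport is None)


def _matches(rule: Rule, flow: Flow) -> bool:
    return (ip_address(flow.src) in ip_network(rule.src)
            and ip_address(flow.dst) in ip_network(rule.dst)
            and rule.proto in ("any", flow.proto)
            and rule.dport in (None, flow.dport))


def evaluate(flow: Flow, policy: List[Rule]) -> str:
    """First-match evaluation; a flow matching no rule is denied."""
    for rule in policy:
        if _matches(rule, flow):
            return rule.action
    return "deny"


def lint(policy: List[Rule]) -> List[str]:
    """Flag policy shapes that undermine segmentation at the IT/OT boundary."""
    findings = []
    if not policy or not _is_default_deny(policy[-1]):
        findings.append("policy does not end with an explicit default deny")
    for i, rule in enumerate(policy):
        if rule.action != "allow":
            continue
        if rule.src == ANY or rule.dst == ANY:
            findings.append(f"rule {i}: allow with unrestricted source or destination")
        if rule.dport is None or rule.proto == "any":
            findings.append(f"rule {i}: allow without a specific protocol and port")
        if (ip_network(rule.src).subnet_of(ip_network(IT_ZONE))
                and ip_network(rule.dst) == ip_network(OT_ZONE)):
            findings.append(f"rule {i}: IT->OT allow targets the whole OT zone")
        if any(_is_default_deny(r) for r in policy[:i]):
            findings.append(f"rule {i}: unreachable, shadowed by an earlier default deny")
    return findings


# Constructed sample flows crossing the boundary.
SAMPLE_FLOWS = {
    "bastion_ssh": Flow("10.10.99.5", "10.20.1.17", "tcp", 22),
    "workstation_modbus": Flow("10.10.42.7", "10.20.1.17", "tcp", 502),
    "historian_replica": Flow("10.10.42.7", "10.20.5.10", "tcp", 443),
    "historian_rdp": Flow("10.10.42.7", "10.20.5.10", "tcp", 3389),
}


def evaluate_samples(policy: List[Rule] = BOUNDARY_POLICY) -> Dict[str, str]:
    return {name: evaluate(flow, policy) for name, flow in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name:20s} {verdict}")
    print("lint:", lint(BOUNDARY_POLICY) or "clean")
    print("lint (loose):", lint(LOOSE_POLICY))
```

The point of the linter is that the dangerous rule is rarely an obvious one; it is the "temporary" IT-to-OT allow that never gets removed. Running the check as part of change control on every policy revision catches it before the next penetration test does.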
2) People. User privileges should be restricted to the bare minimum that individuals need to perform their assigned functions. The number of users with administrative or other high-level access should be very tightly controlled and frequently audited.
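Frequent auditing of high-level access is only meaningful if it is done against a record of who is supposed to hold it, so that the audit produces a list of actions rather than a headcount. The following is an added example, not code from the article: a check that reconciles a directory export of privileged group membership against an approved-entitlements list and reports unapproved members, privileged accounts that have not been used within the review period, disabled accounts that were never removed from the group, and approved entitlements that no longer exist. The group names, the approved list and the export are constructed for illustration.

```python
"""Privileged-access audit against an approved-entitlements list (added example)."""
import csv
import io
from typing import List, Set, Tuple

# Hypothetical privileged groups and the entitlements change control has approved.
PRIVILEGED_GROUPS = {"Domain Admins", "OT Engineers", "SCADA Operators"}
APPROVED: Set[Tuple[str, str]] = {
    ("alice", "Domain Admins"),
    ("bob", "OT Engineers"),
    ("carol", "SCADA Operators"),
    ("grace", "SCADA Operators"),   # approved but no longer a member: register is stale
}
STALE_DAYS = 90   # a privileged account unused for this long should be reviewed

# Constructed export (not real data): user, group, days since last logon, enabled flag.
MEMBERSHIP_EXPORT = """user,group,last_logon_days,enabled
alice,Domain Admins,3,true
bob,OT Engineers,12,true
carol,SCADA Operators,120,true
dave,Domain Admins,1,true
erin,Helpdesk,5,true
frank,OT Engineers,400,false
"""

Finding = Tuple[str, str, str]   # (finding type, user, group)


def audit(export_text: str, approved: Set[Tuple[str, str]],
          privileged_groups: Set[str], stale_days: int = STALE_DAYS) -> List[Finding]:
    """Reconcile privileged membership with the approved list; return actionable findings."""
    findings: List[Finding] = []
    seen: Set[Tuple[str, str]] = set()
    for row in csv.DictReader(io.StringIO(export_text)):
        user, group = row["user"], row["group"]
        if group not in privileged_groups:
            continue   # non-privileged membership is out of scope for this audit
        seen.add((user, group))
        if (user, group) not in approved:
            findings.append(("unapproved", user, group))
        if row["enabled"].strip().lower() != "true":
            # A disabled account left in a privileged group is re-armed the moment
            # someone re-enables it; remove the membership, not just the login.
            findings.append(("disabled_still_member", user, group))
        elif int(row["last_logon_days"]) > stale_days:
            findings.append(("stale", user, group))
    # Approved entitlements with no matching member point at a stale register.
    for user, group in sorted(approved - seen):
        findings.append(("approved_not_present", user, group))
    return sorted(findings)


if __name__ == "__main__":
    for kind, user, group in audit(MEMBERSHIP_EXPORT, APPROVED, PRIVILEGED_GROUPS):
        print(f"{kind:22s} {user:8s} {group}")
```

Each finding maps to one of a small number of fixed actions (remove the membership, confirm or revoke with the line manager, correct the register), which is what makes the audit something that can be run on a schedule rather than as an occasional project.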
Acceptable use policies should be implemented and communicated to all users in conjunction with HR, making it unambiguously clear what user activity is tolerable on the network. Precise policies will vary by enterprise, but the assumption should be that users are constrained from any activity not directly required by their assigned function.
Note, however, that the ultimate function of security architecture is to protect an overall organisation and its activity. Security should consciously strive to not hinder users who are performing their duties.
Organisations and users should also be clear on their legal obligations under relevant legislation and regulation. The acceptable use policy should make this obvious.
3) Process. Process includes internal policies and procedures as well as externally-applied standards, guidelines, legislation and regulation. It also includes approaches to corporate and technical risk management.
Internal policies and procedures should be clear, sensible and fit for purpose. In particular, policies affecting and defining operations should be detailed, with mandatory compliance. Consistency and harmony are also important. All policies should have consistent vocabularies and outcomes, while also conforming with any relevant external compliance.
Externally applied compliance – through legislation, regulation or other constraints – should be fully analysed, understood and supported. CNI operators in particular should be in constant dialogue with the regulating authority (industry-specific, as well as national) and industry peers to ensure consistency and appropriateness in cyber security.
Risk management is a key function. Identifying and managing IT and OT risks should be a constant process, using a well-understood methodology aligned with the corporate approach to other risks. While detailed discussion of risk management methodologies lies outside the scope of this article, some suggested approaches and references can be found under the Standards section below.
4) Operations. All IT operations are predicated on ensuring, enabling and protecting the business of an enterprise. CNI is no exception. Complexity typically emerges from the mix of technologies, protocols and applications that CNI deploys, especially in the utilities sector thanks to the extensive use of legacy systems.
In these circumstances, IT and OT operations must work closely together. As noted above, it is no longer possible to view these as discrete and unconnected environments in most cases. Potential attack vectors exist wherever there are interfaces.
Successful and sustainable operations depend on a great deal of situational awareness. The condition of a network, along with the health of the processes and data it sustains, should be evident in real time. Organisations should also be ready to respond in good time to any changes. The old truism that warnings and indicators of an attack include the absence of the usual, as well as the presence of the unusual, is as relevant as ever.
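The "absence of the usual" half of that truism is the one most monitoring stacks miss, because a device that has stopped talking generates no event to alert on. The following is an added example, not code from the article: two detections run over a constructed OT event log, one that flags controllers whose periodic heartbeat has gone quiet (absence of the usual) and one that flags write commands from any host outside the engineering allowlist (presence of the unusual). The log format, device names, addresses and timings are constructed; the `write fc=N` lines loosely mimic how a monitoring tap might record a Modbus/TCP write function code.

```python
"""Absence-of-the-usual and presence-of-the-unusual detections over an OT log (added example)."""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

HEARTBEAT_INTERVAL = timedelta(seconds=60)
MISSED_BEATS = 2                        # alert after this many intervals of silence
ENGINEERING_HOSTS = {"10.20.99.5"}      # hypothetical: only the OT bastion may issue writes

LINE = re.compile(r"^(\S+) (\S+) (heartbeat|write) (.*)$")
Event = Tuple[datetime, str, str, Dict[str, str]]   # (timestamp, device, kind, fields)

# Constructed log: plc-03 falls silent after 10:00:00, and an IT-zone host writes to plc-02.
EVENT_LOG = """\
2024-03-01T10:00:00 plc-01 heartbeat ok
2024-03-01T10:00:00 plc-02 heartbeat ok
2024-03-01T10:00:00 plc-03 heartbeat ok
2024-03-01T10:01:00 plc-01 heartbeat ok
2024-03-01T10:01:00 plc-02 heartbeat ok
2024-03-01T10:01:30 plc-02 write fc=16 from=10.10.42.7 reg=40001
2024-03-01T10:02:00 plc-01 heartbeat ok
2024-03-01T10:02:00 plc-02 heartbeat ok
2024-03-01T10:02:10 plc-01 write fc=6 from=10.20.99.5 reg=40010
"""


def parse(log_text: str) -> List[Event]:
    events: List[Event] = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue   # a real pipeline would count unparseable lines as a health signal too
        ts, device, kind, rest = m.groups()
        fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
        events.append((datetime.fromisoformat(ts), device, kind, fields))
    return events


def silent_devices(events: List[Event], now: Optional[datetime] = None) -> List[Tuple[str, int]]:
    """Absence of the usual: devices whose last heartbeat is older than MISSED_BEATS intervals.

    Returns (device, seconds since last heartbeat). 'now' defaults to the latest event time
    so the check can be run over a historical window as well as live.
    """
    last_seen: Dict[str, datetime] = {}
    for ts, device, kind, _ in events:
        if kind == "heartbeat":
            last_seen[device] = max(ts, last_seen.get(device, ts))
    if now is None:
        now = max(ts for ts, _, _, _ in events)
    limit = MISSED_BEATS * HEARTBEAT_INTERVAL
    return sorted((device, int((now - ts).total_seconds()))
                  for device, ts in last_seen.items() if now - ts > limit)


def unexpected_writes(events: List[Event], allowlist=ENGINEERING_HOSTS) -> List[Tuple[str, str, str]]:
    """Presence of the unusual: write commands from any host not on the engineering allowlist."""
    return [(device, f.get("from", "?"), f.get("fc", "?"))
            for _, device, kind, f in events
            if kind == "write" and f.get("from") not in allowlist]


def detect(log_text: str) -> Dict[str, list]:
    events = parse(log_text)
    return {"silent": silent_devices(events), "unexpected_write": unexpected_writes(events)}


if __name__ == "__main__":
    for kind, hits in detect(EVENT_LOG).items():
        print(kind, hits)
```

Note that plc-03's silence is only visible because the detector keeps state about what is expected of each device; a rule that triggers on events alone can never see it. In practice the expected-heartbeat table is built from an asset inventory rather than from the log itself, so a device that has never reported at all is also caught.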
Operations also include routine system administration. A key component of both administration and cyber security is maintaining a robust and reliable patching and updating regime. Changes should only be introduced after testing, as always, but routine hygiene is often overlooked. Many attacks and failures can be attributed to poor cyber hygiene, with known vulnerabilities ignored as part of routine operations.
5) Resilience. Resilience takes in disaster recovery and business continuity but also includes measures that define how organisations respond to the unexpected. Resilience is exceptionally important for CNI, with the national economy and social fabric relying on the reliable provision of products and services.
Minimising the impact of a negative event – when it happens and during the recovery phase – is key. Mitigation measures applied as part of a routine risk management cycle (see Process, above) generally set out to reduce the likelihood or impact of events, with a virtuous effect on resilience.
Beside conventional and well-understood approaches involving warm- or hot-standby failover facilities, resilience takes in disaster recovery plans, business continuity measures and crisis arrangements, as well as sensible planning and exercising of key personnel likely to be involved in resilience operations.
CNI operators tend to have some advantages in this space, as they generally have core businesses that depend on rapid response and recovery. Some however fail to explicitly link their personnel and line of business recovery strategies with their equivalents in an internal IT organisation.
It is easier than ever to mount remote attacks on cyber infrastructure. While CNI operators continue to harden their systems and activities against remote attack, this has been done by either the operators themselves or through voluntary sector coordination (as with banking and finance) so far.
Generally, the UK government has been unenthusiastic about formal cyber security regulation for commercial CNI, either centrally through the Centre for the Protection of National Infrastructure (CPNI) or through industry regulators (who tend to focus on service quality and value anyway).
This puts the onus for cyber security firmly on operators who have to make commercial choices on where to invest while staying conscious of their duty of care to shareholders and customers. Anecdotally, securing investment for cyber security has tended to be challenging as a result. Generating costed business cases with compelling cost/benefit calculations can be difficult.
There is an argument for more formal government regulation and oversight of CNI cyber security, enforced through statutory means. While this means higher costs to deploy and operate new controls, it could also reduce risk overall as more coordinated and harmonised cyber security strategies are implemented across vital sectors.
Such a move also increases costs for the government, as CPNI – or whichever organisation becomes the top-level regulator – transitions from an advisory body to a regulating and inspection organisation. Given the threats CNI faces from remote attack, these extra costs are justifiable.
Standards
Critical Security Controls v5.0 (guidance on implementing the 20 Critical Security Controls, as published by CPNI)
CPNI SCADA Good Practice Guides (http://www.cpni.gov.uk/advice/cyber/Good-practice-catalogue/ for the full listing)
Industry sectors and CNI operator associations publish substantial bodies of guidance
ISO/IEC 27001:2013 – Information technology – Security techniques – Information security management systems – Requirements
ISO/IEC 27002:2013 – Information technology – Security techniques – Code of practice for information security controls
ISO/IEC 27003:2010 – Information technology – Security techniques – Information security management system implementation guidance
ISO/IEC 27004:2009 – Information technology – Security techniques – Information security management – Measurement
ISO 31000:2009 – Risk management – Principles and guidelines
ISO/IEC 31010:2009 – Risk management – Risk assessment techniques
NIST Special Publication 800-12 – An Introduction to Computer Security: The NIST Handbook
NIST Special Publication 800-14 – Generally Accepted Principles and Practices for Securing Information Technology Systems
NIST Special Publication 800-53 rev3 – Recommended Security Controls for Federal Information Systems and Organizations
NIST Special Publication 800-37 – Guide for Applying the Risk Management Framework to Federal Information Systems
NIST Special Publication 800-82 – Guide to Industrial Control Systems (ICS) Security
ANSI/ISA-62443 (formerly ISA-99) – a very detailed set of concepts, programme management, design guidance and technical requirements for the security of SCADA/ICS systems
NERC Standard 1300 (Cyber Security) – guidance on the security of bulk electric systems; the draft that became the NERC CIP-002 to CIP-009 standards
About Henrik Kiertzner
Henrik’s long career spans the British Army (Intelligence Corps), government and private sector. Henrik is based in the UK and has worked both in the UK and internationally. Henrik is an Expert Advisor with Engage Asia in the fields of Risk Management and Cyber Security.
About Engage Asia
Engage provides professional and trusted advice to private and public sector clients, consulting on information technology and digital services as well as security, risk and business resilience. Our specialists have worked with a broad range of companies on world-leading business, risk and design projects across the globe. We help realise new opportunities, manage risk and reduce costs, generating trust and business resilience.