In June, the UK government announced landmark legislation for cyber and digital defense.
The proposal, forming part of the Strategic Defence Review, signals a pivotal shift in national priorities, especially for industrial organizations operating within sectors defined as Critical National Infrastructure (CNI, such as energy, water, healthcare, transport and digital infrastructure).
As these sectors accelerate digital transformation to meet decarbonization and efficiency goals, they’re simultaneously becoming more vulnerable to cyber threats in an increasingly volatile and unpredictable world.
President, Cybersecurity Solutions at Schneider Electric.
In this environment, it’s strategically vital for operators of critical infrastructure to partner with the right organizations that bring the expertise needed to safeguard essential systems. The risks of navigating this landscape alone, without the right support, can lead to serious and far-reaching consequences.
As Peter Kyle, Secretary of State for the Department for Science, Innovation and Technology, notes in his foreword to the Cyber Security and Resilience Bill policy statement, last year a cyber attack against a supplier to NHS hospitals in London caused more than 11,000 appointments and procedures to be postponed. In some cases, the patients had to wait months before they could be seen.
Meanwhile, it’s reported that in 2024, almost two thirds of water and energy providers were affected by cyber attacks. While there are no known cases of the attacks disrupting everyday services – in many of these cases, even those involving ransomware, the key target for the attackers is data, not infrastructure – it’s not difficult to imagine the potential consequences of one which did.
Just think about what would happen if a water company couldn’t provide water for drinking or bathing to people’s homes. Or if an energy provider found itself in a position where a disruptive cyber attack against its operational technology resulted in power outages across a region, or whole country.
These may only be theoretical examples of cyber attacks against critical infrastructure and the operational technology (OT) that controls it – but the idea isn’t far-fetched at all. Indeed, a 2016 cyber attack against a power station in Ukraine plunged a whole region of the country into darkness during the middle of winter.
It wouldn’t take much for an attacker who breached IT systems to move laterally to OT systems. The threat of cyber attacks against critical infrastructure represents a national security risk, because the consequences aren’t just restricted to computer systems or data; they can impact people’s everyday lives and their basic needs.
Obsolete operational technology
With so much of the critical infrastructure we rely on increasingly connected to cloud services, the sensors and devices on the Internet of Things (IoT) and now, even AI systems, we’re truly in the digital age. Or so it seems.
However, the reality is that much CNI we rely on is still based on legacy operational technology, software and operating systems. These systems continue to be used because they’re bespoke, designed specifically for the tasks at hand.
Much of this legacy infrastructure was designed and built without internet connected systems in mind, meaning that all these years later, much of this hardware and software is outdated, bordering on obsolete, and difficult to secure against cyber threats.
The reason for this is simple: if the hardware or software is no longer supported by the manufacturer, it’s also no longer receiving security updates.
Even if security patches are available, it’s extremely difficult to take critical infrastructure offline to apply them. All of this means that OT, whether potentially patchable or running on legacy systems that might be decades old, is extremely vulnerable to evolving cyber threats – especially if the equipment being used hasn’t been properly certified.
Securing critical national infrastructure
The government has warned how the unprecedented threat to CNI poses a risk to UK citizens, which is why it announced its plans to invest over £1 billion to enhance the UK’s digital and cyber capabilities.
Key to securing CNI is ensuring that appropriate processes are in place for assessment and prevention of threats, vulnerabilities and other issues. And when necessary, that rapid support is available to respond to suspected breaches, attacks or other incidents.
While the government’s plans on securing CNI are welcomed, it’s also important for the organizations responsible for running and maintaining operational technology to ensure they have the plans in place to react while also ensuring that the most vital operations remain active.
Therefore, the government’s budget should continue to prioritize spending on securing CNI, both around securing legacy systems and ensuring the assessment and prevention of issues, as well as ensuring that digital transformation programs to modernize the IT behind infrastructure adhere to the concept of Secure By Design at the development stage.
It’s also important to follow secure deployment guidelines and configurations when integrating the technology into real-world operating environments, and to move to a Secure By Operations approach for the ongoing maintenance and oversight of assets.
Secure by Operations becomes critical when technology is evolving at such a rapid pace, and even ‘simple’ system misconfigurations can lead to cyber incidents. The use of artificial intelligence (AI) has increased the potential and speed for both positive and negative consequences. A cyberattack on a single stakeholder in the value chain can cause significant operational, financial, or reputational damage to other organizations reliant on the affected operator or their technology.
Indeed, the National Cyber Security Centre (NCSC) has warned that “the growing incorporation of AI models and systems across the UK’s technology base, and particularly within critical national infrastructure, almost certainly presents an increased attack surface for adversaries to exploit.”
But industrial AI can also be used to bolster cybersecurity, not just with automated cyber defenses, but for predictive maintenance of operational technology. Much like how AI can be used to assess the ongoing condition of cyber-physical systems, the predictive capabilities of industrial AI can be used to anticipate potential cyber threats before they become a problem.
For example, with the right information and instructions – especially when provided by the right partner – AI could anticipate which vulnerabilities or even threat groups pose the biggest risk to the infrastructure at that time, providing the human defenders with vital information to help ensure systems remain protected from malicious threats.
Human cyber defenders
The human cyber defenders are key here. While AI can help boost cybersecurity, humans are still a vital part of the loop. It’s people who are responsible for securing systems and it’s vital for people to work together towards this goal.
Cybersecurity professionals may be working for competing organizations, but in order to properly ensure that CNI is defended against cyber threats, collaboration is key; industry support groups should implement knowledge sharing, best practices such as Secure By Design and Secure By Operations, as well as proactive threat mitigation for critical assets and partnerships.
As the threat landscape evolves, it’s also important for the industry to work together. If one provider successfully defends against a cyber attack, that information could help others to do the same. By working together, we can ensure the resilience and security of our critical infrastructure for the future.
This article was produced as part of TechRadarPro’s Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro