How to protect your critical national infrastructure project from cyber attacks

Towards the end of last year, the UK’s Joint Committee on the National Security Strategy (JCNSS) published a paper titled A hostage to fortune: ransomware and UK national security. The report was highly critical of the government stating the UK was unprepared and its critical national infrastructure (CNI) is highly vulnerable to a catastrophic cyber-attack at any moment, potentially costing billions of pounds to overcome. The UK government’s National Protective Security Authority (NPSA) describes CNI as those facilities, systems, sites, information, people, networks and processes, necessary for a country to function and upon which daily life depends. CNI is composed of thirteen sectors. New CNI projects need to be scoped, designed, constructed and operated in a way that they don’t become vulnerable to cyber-attacks. As a consequence this requires the sponsors, project managers, designers, contractors, suppliers, cyber security specialists and risk managers assigned to a CNI project to work together with the planned operator to ensure they don’t expose the country to ransom demands (through the use of ransomware) or the immobilisation of infrastructure. Project success criterion need to be expanded to include cyber-attack resilience.

Pervasiveness

The pervasiveness of the threat of ransomware attacks was highlighted at a CyberUK conference held in Belfast in April 2023 when Oliver Dowden, a Cabinet Office minister, advised attendees Russian hackers were seeking “to disrupt or destroy” parts of the UK’s critical national infrastructure. In the same month Dr Marsha Quallo-Wright, National Cyber Security Centre (NCSC), Deputy Director for CNI, said: “It has become clear that certain state-aligned groups have the intent to cause damage to CNI organisations, and it is important that the sector is aware of this.” In recent years high profile cyber-attacks have attracted widespread media attention, such as the attacks in the UK, U.S., Germany and Costa Rica.

In October 2023 the government drew attention to the UK being the third most targeted country in the world for cyber-attacks, after the US and Ukraine. There is evidence from around the world that critical infrastructure is subject to cybercrime. For instance, the World Economic Forum Global Risks Perception Survey 2022-2023 includes cyberattacks on critical infrastructure among the top risks for 2023, potentially greatest global threat. The World Economic Forum’s Insight Report entitled “Global Cybersecurity Outlook 2023” found that 91% of all respondents considered that a far-reaching, catastrophic cyber event is at least somewhat likely in the next two years.

Project manager awareness

The connectivity of operational technology is being driven into every aspect of CNI at an unrelenting pace. Water facilities, power stations and other sites are now connected over the internet so that they can be monitored and managed remotely. While this has reduced costs and increased flexibility for operators, it has opened these sites to threats from cyber-attacks. Plus increasingly, computerised systems are performing vital safety-related functions designed to protect lives. For example, such systems play a key role in the safety of aviation and rail transportation. Computerised safety systems could, potentially, be adversely affected by a cyber incident, either as an unintended side-effect or as a result of a highly targeted cyber-attack, specifically aimed at reducing the effectiveness of safety mechanisms.

The UK Network and Information Systems (NIS) Regulations came into force in 2018 to improve the cyber security of companies providing critical services. Organisations which fail to put in place effective cyber security measures can be fined as much as £17 million for non-compliance. Subsequently these cyber laws were updated to boost UK’s resilience against online attacks. These changes include the requirement for essential and digital services to improve cyber incident reporting to regulators such as Ofcom, Ofgem and the ICO. This includes notifying regulators of a wider range of incidents that disrupt service or which could have a high risk or impact to their service, even if they don’t immediately cause disruption.

Recognising the significant impact that cyber-attacks can have, the UK Government supports operators and the public through advice, guidance and tools provided by the National Cyber Security Centre (NCSC), the UK’s technical authority on cyber security. The NCSC is supporting competent authorities and has developed a set of 14 cyber security principles, as well as supporting guidance, to improve the cyber security of operators of essential services.

Project managers must protect their clients

It’s not suggested that project managers become cyber security/resilience experts, however, project managers need to be acutely aware of the problem, how serious it could be (for both government and privately sponsored projects), how it occurs and the steps to be taken during the project life cycle to combat it. HMRC doesn’t give any latitude to those employees that say they weren’t aware they had to declare and pay taxes on additional income. The same doctrine should be applied to CNI projects, a lack of awareness of potential cyber-attacks shouldn’t be an acceptable response.

To address operational risk, cyber security needs to be embedded throughout the project life cycle. The sponsoring organisation’s in-house CISO (chief information security officer) or designated consultant should be involved during: the preparation of the brief; stage-gate reviews; the preparation of tenders; review of tender returns; appointment of an operator; engagement with the supply chain; and at handover. Regular progress reports could include a section on cyber security. In addition, at project commencement, the CISO or equivalent should advise on the security of the project data so that it isn’t maliciously deleted, corrupted, stolen or used to extort a ransom demand.

The CISO should advise on all forms of project cyber risk and mitigation plans to address them, business continuity planning and crisis management. In addition the CISO should be aware of the legislation to follow, the government initiatives underway and the government forums that can be joined.